Endpoint Protection

  • 1.  SEP Folder ProgramData\Sy\Data\CmnClnt\ccSubSDK large size

    Posted Jul 02, 2015 03:56 AM

    I followed this forum thread:
    https://www-secure.symantec.com/connect/forums/folder-12xxxdatacmnclntccsubsdk-has-large-size


    Disable submission in the SEPM policy (why was using this policy formerly not an issue?)

    Untitled.png

    Re-enable Tamper Protection to delete the files in C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\CmnClnt\ccSubSDK
    But I can't delete the files (reason below)

    Temper.JPG

    After I changed the policies and the clients received the same policy number (Disable Submission and temporarily disable Tamper Protection), I tried to remove the content of the ccSubSDK folder. I can delete it, but the content is created again and keeps increasing.

    I then uninstalled SEP using the CleanWipe tool and disabled all Symantec products (Altiris), but the content of the ccSubSDK folder can't be deleted normally; it takes a long time to delete (3 hr).

    P_20150626_195347.jpg

    While CleanWipe performs the uninstall task "Remove file and directories", it takes a long time.
    I checked which process or service creates content in ccSubSDK and found that the "System" process writes to this folder.

    System_Process_Write_SEPFolder.JPG

    I need help with how to remove the files in the ccSubSDK folder via SEPM or other management (many more clients are affected).

    - Why is the content growing? In the past, using these policies for submission was not an issue.



  • 2.  RE: SEP Folder ProgramData\Sy\Data\CmnClnt\ccSubSDK large size

    Posted Jul 06, 2015 02:46 PM

    What SEP version is this for? Have you tried 12.1.6?



  • 3.  RE: SEP Folder ProgramData\Sy\Data\CmnClnt\ccSubSDK large size

    Posted Jul 07, 2015 12:31 AM

    SEPM version 12.1.5

    The affected clients have versions 12.1 RU4, 12.1 RU4 MP1b and 12.1 RU5.

    I planned to upgrade SEPM to 12.1 RU6 this week, but the clients take a long time to upgrade, which will affect many users.



  • 4.  RE: SEP Folder ProgramData\Sy\Data\CmnClnt\ccSubSDK large size

    Posted Jul 09, 2015 12:03 AM

    Absolutely shocking! We've had a major blowout with SEP about this same issue. No decent resolution has been provided.

    Try dealing with 8000+ clients that had filled disk drives. Can you imagine how many hours this would take to clean up....

    To help you:

    1) make sure Tamper Protection is disabled on the CLIENT (i.e. even if you changed the policy on the SEPM this will take time to propagate) - you can script this as well with something like:

    ===================================================================

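    rem Stop the SEP client service (YourSEPPass is the client password placeholder)
    start smc.exe -p YourSEPPass -stop

    rem Wait up to 15 s (ping is used as a delay; relies on 1.1.1.1 not replying)
    ping 1.1.1.1 -n 1 -w 15000 > nul

    rem Start the SEP client service again
    start smc.exe -start

    rem Wait up to 30 s before changing the registry
    ping 1.1.1.1 -n 1 -w 30000 > nul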

    if "%PROCESSOR_ARCHITECTURE%"=="AMD64" (
    REG ADD "HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\Debug\CrashHandler" /v DumpOnNew /t REG_DWORD /d 0 /f
    REG ADD "HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\Debug\CrashHandler" /v DumpOnException /t REG_DWORD /d 0 /f
    REG ADD "HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\Debug\CrashHandler" /v DumpOnPurecall /t REG_DWORD /d 0 /f
    REG ADD "HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\Debug\CrashHandler" /v DumpOnSecurity /t REG_DWORD /d 0 /f
    REG ADD "HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\Debug\CrashHandler" /v DumpOnInvalidParameter /t REG_DWORD /d 0 /f

    ) else (

    REG ADD "HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\Debug\CrashHandler" /v DumpOnNew /t REG_DWORD /d 0 /f
    REG ADD "HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\Debug\CrashHandler" /v DumpOnException /t REG_DWORD /d 0 /f
    REG ADD "HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\Debug\CrashHandler" /v DumpOnPurecall /t REG_DWORD /d 0 /f
    REG ADD "HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\Debug\CrashHandler" /v DumpOnSecurity /t REG_DWORD /d 0 /f
    REG ADD "HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\Debug\CrashHandler" /v DumpOnInvalidParameter /t REG_DWORD /d 0 /f
    )

    ===================================================================

     

    2) set up a script to delete the folders as SEP will recreate them anyway

    I'm using the below script, delete.cmd

    ==========================

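    rem Turn off delete (TRIM) notifications while the folders are removed
    fsutil behavior set DisableDeleteNotify 1
    rem Remove the ccSubSDK and install-log folders (path is specific to this SEP build)
    rmdir /s/q "c:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\CmnClnt\ccSubSDK"
    rmdir /s/q "c:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Install\Logs"
    rem Record a marker value showing that this client has been cleaned
    REG ADD "HKLM\SOFTWARE\Standard Client" /v SEPDumpsDeleted /t REG_SZ /d 2 /f
    rem Turn delete notifications back on and start the SEP service
    fsutil behavior set DisableDeleteNotify 0
    sc start sepmasterservice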

    ==========================

    I hope this helps. This is the best I've been able to come up with so far. And unfortunately I have to follow up with plenty of manual fixes.
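
Added example, not part of the original thread and not the poster's or Symantec's code: a read-only PowerShell audit to run before any cleanup like the one in the last post. It reports how large each ccSubSDK folder is and whether the CrashHandler DumpOn* values set by that script are present. It generalizes the hard-coded 12.1.5337.5000.105 path to every versioned folder under the SEP data root; the function names are hypothetical, and treating CurrentVersion as a link is an assumption.

```powershell
# Added example: read-only audit, changes nothing on the client.
# The data root and registry keys are the ones quoted in this thread.
$sepRoot    = Join-Path $env:ProgramData 'Symantec\Symantec Endpoint Protection'
$dumpValues = 'DumpOnNew','DumpOnException','DumpOnPurecall','DumpOnSecurity','DumpOnInvalidParameter'
$regKeys    = @(
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\Debug\CrashHandler',
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\Debug\CrashHandler'
)

function Get-CcSubSdkUsage {          # hypothetical name
    param([string]$Root = $sepRoot)
    # Skip reparse points (CurrentVersion is assumed to be a link to the
    # versioned folder) so the same files are not counted twice.
    Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) } |
        ForEach-Object {
            $target = Join-Path $_.FullName 'Data\CmnClnt\ccSubSDK'
            if (Test-Path -LiteralPath $target) {
                $files = @(Get-ChildItem -LiteralPath $target -Recurse -File -Force -ErrorAction SilentlyContinue)
                $sum   = ($files | Measure-Object -Property Length -Sum).Sum
                [pscustomobject]@{
                    Computer = $env:COMPUTERNAME
                    Version  = $_.Name
                    Files    = $files.Count
                    SizeMB   = [math]::Round([double]$sum / 1MB, 1)
                    Newest   = ($files | Sort-Object LastWriteTime | Select-Object -Last 1).LastWriteTime
                }
            }
        }
}

function Get-CrashHandlerValues {     # hypothetical name
    foreach ($key in $regKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $dumpValues) {
            # Data is empty when the value has never been written on this client.
            [pscustomobject]@{ Value = $name; Data = $props.$name; Key = $key }
        }
    }
}

Get-CcSubSdkUsage      | Format-Table -AutoSize
Get-CrashHandlerValues | Format-Table Value, Data, Key -AutoSize
```

A `Newest` timestamp that keeps advancing between runs shows the folder is still being written to, which is the regrowth described in the first post.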