*.snp Files in C:\Program Files\Manufacturer\Endpoint Agent\temp
What are these files?
edpa logs report: FINER | FileSystem.MessageListener | Path filter resolved from (C:\Program Files (x86)\Manufacturer\Endpoint Agent\temp\*.snp) to (C:\Program Files (x86)\Manufacturer\Endpoint Agent\temp\*.snp)
We make a snapshot of any file that we are evaluating for removable storage. That way, if the file is removed before we detect, we can still Monitor the file and create an incident, allowing us to be aware that the copy happened. Before processing, the files are copied into an .snp files that are stored in the C:\Program Files\Manufacturer\Endpoint Agent\temp directory.
The .snp (snapshot) files are the original copies of the files we scan. The file is then copied to a .vep (Vontu Endpoint) file, which is used in the detection process.
We keep the last 20 snp files so there should never be more than 20 files in this folder. The .snp files should be removed if the edpa process is restarted. If there are more than 20 files or they are not removed after restarting the edpa process then contact technical support.
The .snp file creation can be disabled by toggling the setting FileSystem.ENABLE_FILE_RESTORATION.int in the Agent Advanced Settings page (change it to 0).
Note: in certain cases there is a risk of losing the original document with this configuration. This would only happen if the user had the (Office) file open and was saving as.., then browsing to USB and this action triggered a block action on the endpoint. DLP would then delete the temp file that Office creates and makes the changes too, so essentially Office would then overwrite the original file with blank data since the temp file was erased during the block action.