
The Advanced Threat Protection web interface becomes unreachable soon after updating to ATP version 2.2 when Endpoint correlation is enabled


Article ID: 164195


Updated On:

Products

Symantec Products

Issue/Introduction

When using the ATP: Endpoint feature and updating to ATP version 2.2, the web interface becomes unavailable 1-2 weeks after the update. If you access the command-line interface and run the 'df' command, you also see that /var is 100% utilized.

Here is an example of the output of df -h when this condition is occurring (note that /var is at 100% while the separate /var/log, /var/lib/elasticsearch and /var/backup partitions are nearly empty):

Filesystem      Size  Used Avail Use% Mounted on
/dev/sda7        20G  2.9G   16G  16% /
devtmpfs         16G     0   16G   0% /dev
tmpfs            16G  152K   16G   1% /dev/shm
tmpfs            16G   18M   16G   1% /run
tmpfs            16G     0   16G   0% /sys/fs/cgroup
/dev/sda1       477M   93M  355M  21% /boot
/dev/sda6        80G  572M   76G   1% /tmp
/dev/sda8        77G   73G     0 100% /var
none            2.0G     0  2.0G   0% /var/symantec/sgs-td/pie/tmp
/dev/sda3       110G  1.8G  103G   2% /var/lib/elasticsearch
/dev/sda5        96G  487M   91G   1% /var/log
/dev/sda2       110G   61M  105G   1% /var/backup
tmpfs           3.2G     0  3.2G   0% /run/user/994
tmpfs           3.2G     0  3.2G   0% /run/user/1002
tmpfs           3.2G     0  3.2G   0% /run/user/500
tmpfs           3.2G     0  3.2G   0% /run/user/1000
tmpfs           3.2G     0  3.2G   0% /run/user/1001
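The following is an added example (not part of the original article) of a small POSIX shell check that parses df output and flags any filesystem at or above a usage threshold, so the /var condition above can be caught before the web interface goes down. The df lines embedded in the script are a constructed copy of the article's table, used so the check runs offline; on a live appliance you would feed it `df -hP` instead (`-P` keeps each filesystem on one line even when the device name is long). The helper that lists the largest files under /var is an assumption about how you would follow up, not a step from the article.

```shell
#!/bin/sh
# Added example: flag filesystems at or above a usage threshold from df output.
# SAMPLE_DF is a constructed subset of the article's df -h table, not live data.
SAMPLE_DF='Filesystem      Size  Used Avail Use% Mounted on
/dev/sda7        20G  2.9G   16G  16% /
/dev/sda8        77G   73G     0 100% /var
/dev/sda5        96G  487M   91G   1% /var/log
/dev/sda3       110G  1.8G  103G   2% /var/lib/elasticsearch'

# full_filesystems THRESHOLD
# Reads df output on stdin and prints "MOUNTPOINT USE%" for every data line
# whose Use% column is >= THRESHOLD (default 90). The header is skipped (NR > 1)
# and only lines whose fifth field ends in '%' are considered.
full_filesystems() {
  threshold="${1:-90}"
  awk -v t="$threshold" '
    NR > 1 && $5 ~ /%$/ {
      pct = $5
      sub(/%/, "", pct)
      if (pct + 0 >= t + 0) print $6, $5
    }'
}

# count_full THRESHOLD
# Number of filesystems in the constructed sample at or above THRESHOLD.
count_full() {
  printf '%s\n' "$SAMPLE_DF" | full_filesystems "$1" | wc -l | tr -d ' '
}

# largest_under DIR
# Follow-up step (assumed, not from the article): the ten largest entries on
# DIR's own filesystem. -x stays on one filesystem, so the separately mounted
# /var/log and /var/lib/elasticsearch are not counted when DIR is /var.
largest_under() {
  du -xak "${1:-/var}" 2>/dev/null | sort -rn | head -n 10
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_DF" | full_filesystems 90
```

On the appliance, `df -hP | full_filesystems 90` prints `/var 100%` for the state shown in the article, and `largest_under /var` then points at the queued event file that is consuming the partition.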

Cause

Some Endpoint customers experienced an excessive volume of reputation request events, which flooded the system. These queries are queued into a file on the /var partition, the same partition that holds the database backing the web interface. When that file fills the partition, the database can no longer write and the web interface becomes inaccessible.

Resolution

This issue is resolved in ATP version 2.3, which removes the source of the excessive event generation and improves the system's resilience in environments with unexpected load.