Large disk usage under ...\Data\ErrMgmt\Queue\Incoming by the Endpoint Protection client

Article ID: 164753


Products

Endpoint Protection

Issue/Introduction

The Symantec Endpoint Protection (SEP) client generates many folders in C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\ErrMgmt\Queue\Incoming.

These files and folders consume a large amount of disk space.

Cause

The application or process crashes that produce these files may not be related to SEP.

When SEP is installed, SymQual and Windows Error Reporting debug settings are added to the Windows registry. When an application or process crashes, files and folders are generated, and data is sent to Symantec. If the SEP client is unable to transmit this data to Symantec, these files and folders remain on disk and consume disk space.

Resolution

Investigate other applications or processes that crash and implement a fix as necessary. This step stops any additional creation of files and folders.

Additionally, ensure that the SEP clients can access all required URLs. See External URLs required for Symantec Endpoint Protection (SEP) and Symantec Endpoint Security (SES).

Once the SEP clients submit the data to Symantec, they delete the data on disk.

Disable submissions 

To fully disable submissions and prevent data accumulation in SEP 14.2 RU 1 or later:

  1. In the Symantec Endpoint Protection Manager, go to Admin > Servers > Local Site > Edit Site Properties > Data Collection.
  2. Uncheck "Let clients send troubleshooting information to Symantec to resolve product issues faster."

Note: For SEP client versions earlier than 14.2 RU 1, logs for application crashes in the "Incoming" directory mentioned above may continue to consume disk space even when "Let clients send troubleshooting information to Symantec to resolve product issues faster" is unchecked. In that case, follow the other two resolution options in this article: troubleshoot and resolve the root cause of the application crashes and, if the root cause cannot be resolved, disable SymQual (below).

Disable SymQual monitor

To disable SymQual's monitor for specific applications or processes:

  1. Disable Tamper Protection.
  2. At the command line, disable SEP with smc -stop.
  3. Delete the files in the folder, C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\ErrMgmt\Queue\Incoming.
  4. In the Windows Registry Editor, create a backup, and then navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
     
  5. Delete any unnecessary subkeys.

    Note: Any subkeys that have a "DumpFolder" value of "C:\ProgramData\Symantec\LocalDumps" are the processes that we monitor.
     
  6. At the command line, restart SEP with smc -start.
  7. Re-enable Tamper Protection.
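
A read-only PowerShell check to run before steps 3 to 5 (an added example, not tooling from this article or from the vendor): it reports how much disk space the Incoming folder uses and lists each LocalDumps subkey with a flag showing whether its DumpFolder value points at C:\ProgramData\Symantec\LocalDumps. The function names Get-IncomingUsage and Get-SymQualMonitoredProcess are made up for this example; the folder path, registry key and DumpFolder value are the ones given above.

```powershell
# Added example: read-only inventory, nothing is deleted or modified.
$incoming  = 'C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\ErrMgmt\Queue\Incoming'
$werKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
$symFolder = 'C:\ProgramData\Symantec\LocalDumps'

function Get-IncomingUsage {            # hypothetical helper name
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Folders = 0; Files = 0; SizeMB = 0.0 }
    }
    # Top-level crash folders, and every file beneath them
    $dirs  = @(Get-ChildItem -LiteralPath $Path -Directory -Force -ErrorAction SilentlyContinue)
    $files = @(Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue)
    $bytes = [double](($files | Measure-Object -Property Length -Sum).Sum)
    [pscustomobject]@{
        Path = $Path; Folders = $dirs.Count; Files = $files.Count
        SizeMB = [math]::Round($bytes / 1MB, 1)
    }
}

function Get-SymQualMonitoredProcess {  # hypothetical helper name
    param([string]$Key, [string]$DumpFolder)
    if (-not (Test-Path -LiteralPath $Key)) { return }
    $want = $DumpFolder.TrimEnd('\')
    foreach ($sub in Get-ChildItem -LiteralPath $Key) {
        # A subkey with no DumpFolder value yields an empty string here
        $value = [string]$sub.GetValue('DumpFolder')
        [pscustomobject]@{
            Process    = $sub.PSChildName
            DumpFolder = $value
            # True = this subkey writes dumps to the Symantec folder named in step 5
            SymQual    = ($value.TrimEnd('\') -eq $want)
        }
    }
}

Get-IncomingUsage -Path $incoming | Format-List
Get-SymQualMonitoredProcess -Key $werKey -DumpFolder $symFolder |
    Sort-Object Process | Format-Table -AutoSize
```

Subkeys reported with SymQual = True are the ones the note in step 5 describes; take the registry backup from step 4 before deleting any of them.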