System Health status displays one of the following messages:

• Device is encountering low disk space on /var drive
• Device is encountering low disk space on /var/log drive
• Device is encountering low disk space on root drive

All versions of EDR and ATP

Most common causes are:

• VM Resources have not been RESERVED or have been UNRESERVED during operation
• Database has grown too large because more clients have been added
• Database is receiving abnormally large number of events
• System logs are not purging properly that fills the disk

1.  Review - Symantec EDR system messages and recommended actions 

2.  Ensure system resources are RESERVED and not just allocated

• Reserve VM resources for ATP/SEDR VE in ESXi 6.02 or later 
• System requirements for the virtual appliance

3.  Check sizing requirements of Hardware and VM especially when Endpoint Activity Recorder (EAR) has been enabled:

• About sizing guidelines - See all  "Sizing" subtopics

Operating EDR VMs with UNRESERVED resources may corrupt the database; and may cause the EDR to repeatedly crash or not to boot properly.   Hence, the EDR must be redeployed.

Also, EDR VM snapshots are not supported and may result in similar behaviors. 

• Virtual Appliances do not support restoring from a VMware snapshot taken from a running virtual machine