When using Symantec Endpoint Detection and Response's (SEDR) Data Recorder feature, the Endpoint Protection (SEP) client fails to honor the configured Data Recorder database size. Files in the following directory will consume more drive space than has been configured in the policy:
C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\EDR\localdatastore
The following additional symptoms may also occur:
- Errors related to disk size, disk capacity, or disk full may eventually appear in the Application Log or System Log of Windows Event Viewer.
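To confirm the symptom on an endpoint, the store's on-disk size can be compared with the size set in policy. The script below is an added example, not Symantec's or Broadcom's own tooling; the -ConfiguredLimitGB parameter is an assumption that you fill in with the Data Recorder database size from your policy, and the script should be run from an elevated PowerShell session.

```powershell
# Added example: compare the Data Recorder store's on-disk size with the policy limit.
# -ConfiguredLimitGB is an assumption: pass the database size configured in your policy.
param(
    [Parameter(Mandatory)] [double] $ConfiguredLimitGB,
    [string] $StorePath = 'C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\EDR\localdatastore'
)

if (-not (Test-Path -LiteralPath $StorePath)) {
    throw "Data Recorder store not found: $StorePath"
}

# -Force includes hidden and system files; unreadable files are skipped rather than fatal.
$files = @(Get-ChildItem -LiteralPath $StorePath -Recurse -File -Force -ErrorAction SilentlyContinue)

# Sum file lengths; an empty store stays at 0 bytes.
$bytes = 0
if ($files.Count -gt 0) {
    $bytes = ($files | Measure-Object -Property Length -Sum).Sum
}

# Free space on the volume that holds the store.
$driveName = (Get-Item -LiteralPath $StorePath).PSDrive.Name
$drive     = Get-PSDrive -Name $driveName

# Most recent write shows whether the store is still growing.
$newest = $files | Sort-Object LastWriteTime | Select-Object -Last 1

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    StorePath         = $StorePath
    FileCount         = $files.Count
    StoreSizeGB       = [math]::Round($bytes / 1GB, 2)
    ConfiguredLimitGB = $ConfiguredLimitGB
    OverLimit         = ($bytes / 1GB) -gt $ConfiguredLimitGB
    DriveFreeGB       = [math]::Round($drive.Free / 1GB, 2)
    NewestWrite       = if ($newest) { $newest.LastWriteTime } else { $null }
}
```

An OverLimit value of True together with a recent NewestWrite indicates the store is still growing past the configured size.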
Endpoint Protection 14.X
Advanced Threat Protection 3.x or Symantec Endpoint Detection and Response 4.x.
Integrated Cyber Defense Management (ICDm)
This issue can have multiple causes including:
Device Name: <MY_DEVICE_NAME>
where <MY_DEVICE_NAME> is the name of the endpoint
Within the EDR appliance, the number of events to send in each batch can be adjusted on the SEPM Policy on Settings > Global. Expect that an average client sends about 2 events per minute. Less than that (fewer than 10 events per 5 minutes) can back up the clients. More than that (greater than 15 events per 5 minutes) increases the load on your server during peak performance. Ensure that your system isn't already fully loaded if you increase the batch size significantly.