
Endpoint Protection fails to purge the Data Recorder database to the configured size.


Article ID: 175843


Updated On:


Endpoint Protection, Advanced Threat Protection Platform, Endpoint Detection and Response, Endpoint Protection with Endpoint Detection and Response


When using Symantec Endpoint Detection and Response's (SEDR) Data Recorder feature, the Endpoint Protection (SEP) client fails to honor the configured Data Recorder database size.  Files in the following directory will consume more drive space than has been configured in the policy:

C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\EDR\localdatastore


The following additional symptoms may also occur:

- Errors related to disk size, disk capacity, or disk full may eventually appear in the Application or System log in Windows Event Viewer.


Endpoint Protection 14.2

Advanced Threat Protection 3.x or Symantec Endpoint Detection and Response 4.x.  


This can happen when a change in Windows time leaves the purge job on the client scheduled in the future.


To work around this issue, restart the Endpoint Protection client.
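
To check whether a client shows this condition, the following PowerShell script (an added example, not Symantec's code) compares the on-disk size of the Data Recorder store with the policy limit and lists recent Windows time changes, the trigger described above. The `$ConfiguredLimitGB` and `$LookbackDays` parameters are assumptions to set for your environment; the use of Kernel-General event ID 1, which Windows writes to the System log when the system time changes, is also an addition and not from this article.

```powershell
# Added example: measure the Data Recorder store and look for recent clock changes.
param(
    # Path taken from the article.
    [string]$StorePath = 'C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\EDR\localdatastore',
    # Assumption: set this to the database size configured in your policy.
    [double]$ConfiguredLimitGB = 1,
    # Assumption: how far back to look for system time changes.
    [int]$LookbackDays = 30
)

if (-not (Test-Path -LiteralPath $StorePath)) {
    Write-Warning "Data Recorder store not found: $StorePath"
    return
}

# Sum every file under the store; -Force includes hidden and system files.
$files = Get-ChildItem -LiteralPath $StorePath -Recurse -File -Force -ErrorAction SilentlyContinue
$bytes = ($files | Measure-Object -Property Length -Sum).Sum
if ($null -eq $bytes) { $bytes = 0 }
$sizeGB = [math]::Round($bytes / 1GB, 2)

# Kernel-General event ID 1 records each system time change. Routine time-sync
# adjustments are logged too, so review the entries for large jumps.
$timeChanges = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kernel-General'
    Id           = 1
    StartTime    = (Get-Date).AddDays(-$LookbackDays)
} -ErrorAction SilentlyContinue)

# One summary object per machine, suitable for Export-Csv across a fleet.
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    StoreSizeGB     = $sizeGB
    LimitGB         = $ConfiguredLimitGB
    OverLimit       = $sizeGB -gt $ConfiguredLimitGB
    OldestFile      = ($files | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
    TimeChangeCount = $timeChanges.Count
    LastTimeChange  = ($timeChanges | Select-Object -First 1).TimeCreated
}
```

A client reporting `OverLimit = True` together with an old `OldestFile` timestamp is a candidate for the restart workaround.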


Additional Information

Within the EDR appliance, the number of events to send in each batch can be adjusted in the SEPM Policy on Settings > Global. Expect that an average client sends about 2 events per minute. Less than that (fewer than 10 events per 5 minutes) can back up the clients. More than that (greater than 15 events per 5 minutes) increases the load on your server during peak performance. Ensure that your system isn't already fully loaded if you increase the batch size significantly.