Endpoint Protection fails to purge the Data Recorder database to the configured size.

Article ID: 175843

Products

Endpoint Protection, Advanced Threat Protection Platform, Endpoint Detection and Response, Endpoint Protection with Endpoint Detection and Response

Issue/Introduction

When using the Data Recorder feature of Symantec Endpoint Detection and Response (SEDR), the Endpoint Protection (SEP) client fails to honor the configured Data Recorder database size. Files in the following directory consume more drive space than has been configured in the policy:

C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\EDR\localdatastore

 

The following additional symptoms may also occur:

- Errors related to disk size, disk capacity, or a full disk may eventually appear in the Application Log or System Log of Windows Event Viewer.

Environment

Endpoint Protection 14.2

Advanced Threat Protection 3.x or Symantec Endpoint Detection and Response 4.x.  

Cause

This can happen when a change in Windows time leaves the client's scheduled purge job scheduled in the future.
 

Resolution

To work around this issue, restart the Endpoint Protection client.
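
To confirm that a client matches this article before restarting it, the following added PowerShell check (an example written for this page, not vendor-supplied code) measures the localdatastore directory and lists significant Windows clock changes. The `$LimitMB` value is a placeholder for the size configured in your policy, `$JumpMinutes` is an arbitrary threshold, and reading clock changes from the System log's Microsoft-Windows-Kernel-General Event ID 1 is an assumption of this example, not something the article specifies.

```powershell
# Added diagnostic example; not vendor code. Run in an elevated PowerShell session.
# ASSUMPTIONS: $LimitMB is a placeholder for the Data Recorder size set in your policy;
# $JumpMinutes is an arbitrary cut-off that filters out routine time-sync corrections.
param(
    [string]$Store = 'C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\EDR\localdatastore',
    [int]$LimitMB = 1024,
    [int]$JumpMinutes = 5,
    [int]$LookbackDays = 30
)

if (-not (Test-Path -LiteralPath $Store)) { throw "Data Recorder store not found: $Store" }

# 1. Symptom: total on-disk size of the store compared with the configured limit.
$files  = Get-ChildItem -LiteralPath $Store -Recurse -File -Force -ErrorAction SilentlyContinue
$bytes  = ($files | Measure-Object -Property Length -Sum).Sum
$usedMB = [math]::Round($bytes / 1MB, 1)

# 2. Cause: clock changes recorded by Windows (Kernel-General, Event ID 1).
#    For this event, Properties[0] is the new time and Properties[1] the old time.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kernel-General'
    Id           = 1
    StartTime    = (Get-Date).AddDays(-$LookbackDays)
}
$jumps = foreach ($evt in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    $new   = [datetime]$evt.Properties[0].Value
    $old   = [datetime]$evt.Properties[1].Value
    $delta = ($new - $old).TotalMinutes
    if ([math]::Abs($delta) -ge $JumpMinutes) {
        [pscustomobject]@{
            Logged       = $evt.TimeCreated
            OldTime      = $old
            NewTime      = $new
            DeltaMinutes = [math]::Round($delta, 1)
        }
    }
}

# 3. Summary: an oversized store plus a clock jump matches the condition described here.
[pscustomobject]@{
    StoreSizeMB   = $usedMB
    LimitMB       = $LimitMB
    OverLimit     = ($usedMB -gt $LimitMB)
    ClockJumps    = @($jumps).Count
    MatchesIssue  = (($usedMB -gt $LimitMB) -and (@($jumps).Count -gt 0))
}
$jumps | Sort-Object Logged | Format-Table -AutoSize
```

After restarting the client, rerun the check over the following days to confirm that `StoreSizeMB` falls back under the limit.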

Additional Information

Within the EDR appliance, the number of events to send in each batch can be adjusted on the SEPM Policy under Settings > Global. Expect an average client to send about 2 events per minute. A lower setting (fewer than 10 events per 5 minutes) can back up the clients. A higher setting (greater than 15 events per 5 minutes) increases the load on your server during peak performance. If you increase the batch size significantly, first ensure that your system isn't already fully loaded.