Your Symantec EDR appliance does not appear to be purging data correctly.
SEDR Release : 4.x
Add a single 2 TB disk to the virtual machine and run the extend_storage tool. There should now be two separate disks that have been partitioned for use with EDR.
To see more information on running the extend_storage tool click on the link or go to https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-10.html and search for Running the extend_storage tool by using the search this product field.
Please note that if you are enabling ECC 2.0 you should have at least 1 TB of disk space. That is is required. See Enabling the Endpoint Communications Channel (ECC) in the product documentation. Go to https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-10.html and search for Enabling the Endpoint Communications Channel (ECC) by using the search this product field.
If the Endpoint Activity Recorder (EAR) configuration is enabled and additional events are being recorded the Symantec EDR platform support matrix indicates that a second disk is required to meet minimum system requirements. A 2 TB disk is recommended according to the page on Sizing recommendations for the virtual appliance. This second page also implies that if you are not using the default configuration you should add additional disk capacity to meet recommendations made by Symantec.
The following events are enabled by default: