The Symantec Endpoint Protection Manager (SEPM) installation folder keeps growing.
The folder C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\webapps\ROOT\clientpkg contains many zipfstmpXXXXXXX.tmp files that are not being cleared. Each tmp file is 89 MB, and the number of files keeps growing.
When RemoteConsoleServlet receives a request to download a remote console, it opens the %Symantec Endpoint Protection Manager%\tomcat\webapps\ROOT\clientpkg\Symantec Endpoint Protection Manager Console.zip file, updates the configuration file (e.g. server name, port, etc.), and sends the updated file back to the requester. During this process, a tmp file is created at the same location; it is deleted once the requester gets the remote console files.
The file C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\webapps\ROOT\clientpkg\Symantec Endpoint Protection Manager Console.zip is being accessed by a process other than a legitimate request.
It is perfectly safe to delete the zipfstmpXXXXXXX.tmp files, as they are temporary files used during zip file manipulation.
In most cases, Vulnerability Assessment (VA) scanner tools generate this kind of issue. In that scenario, create an exception for the SEPM server over port 9090, or block the incoming traffic to the SEPM server over port 9090.
If a VA tool is not the cause, follow the steps below:
- Shut down SEPM and back up the file Symantec Endpoint Protection Manager Console.zip in a separate directory. Then try the following on the original file: rename the file, and add an empty file inside the zip, to see whether both operations succeed. If not, some other process may have a handle on it.
- Use a tool such as the Windows built-in Resource Monitor or Sysinternals Process Explorer to see which process also has a handle on the %Symantec Endpoint Protection Manager%\tomcat\webapps\ROOT\clientpkg\Symantec Endpoint Protection Manager Console.zip file. Identify the other process and act on it accordingly.
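
The checks above can be scripted. The following PowerShell is an added example, not vendor-supplied code: it sizes up the leftover tmp files, lists the remote addresses connected to port 9090, tests whether Console.zip is locked, and optionally deletes stale tmp files. The parameter names, the 24-hour age threshold and the Test-FileLocked helper are assumptions made for this example; run the lock test after SEPM has been shut down, as in the first step.

```powershell
# Added example, not vendor code. Run from an elevated prompt on the SEPM server.
param(
    # Default install path from this article; change it if SEPM is installed elsewhere.
    [string]$SepmRoot = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager',
    [int]$MinAgeHours = 24,   # assumption: older files are not part of a download in progress
    [switch]$Delete
)

$pkgDir  = Join-Path $SepmRoot 'tomcat\webapps\ROOT\clientpkg'
$zipPath = Join-Path $pkgDir 'Symantec Endpoint Protection Manager Console.zip'

# 1. Size up the leftovers and bucket them by creation hour; tight bursts point to scheduled scans.
$tmp = @(Get-ChildItem -LiteralPath $pkgDir -Filter 'zipfstmp*.tmp' -File)
$totalMB = ($tmp | Measure-Object -Property Length -Sum).Sum / 1MB
'{0} temp files, {1:N0} MB in total' -f $tmp.Count, $totalMB
$tmp | Group-Object { $_.CreationTime.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name | Select-Object Name, Count | Format-Table -AutoSize

# 2. Remote addresses currently connected to port 9090 (candidates for the exception or block).
Get-NetTCPConnection -LocalPort 9090 -State Established -ErrorAction SilentlyContinue |
    Group-Object RemoteAddress | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# 3. With SEPM shut down, an exclusive open should succeed; failure means another handle exists.
function Test-FileLocked {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::None)
        $fs.Dispose()
        return $false
    } catch [System.IO.IOException] {
        return $true   # sharing violation: some process holds the file open
    }
}
'Console.zip locked by another process: {0}' -f (Test-FileLocked $zipPath)

# 4. Remove stale temp files only when -Delete is passed.
if ($Delete) {
    $cutoff = (Get-Date).AddHours(-$MinAgeHours)
    $tmp | Where-Object { $_.LastWriteTime -lt $cutoff } | Remove-Item -Force
}
```

The lock test only reports that a handle exists; Resource Monitor or Process Explorer is still needed to name the process holding it.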