While checking the Symantec folder, there are thousands of 0-byte log files under the paths below.
These databases are commonly known as RocksDB or Write Ahead Logs.
Release : 14.3 RU5
This is what usually happens with a RocksDB database:
1. A RocksDB database is opened. Upon opening, a new 0-byte WAL (e.g. 000005.log) is created.
2. Data is written to the database and also to the WAL from the process's memory.
3. The database performs a flush (often at the request of the database's client or when the database is closed). The data in the WAL is persisted to an SST file (e.g. 000006.sst). The WAL file(s) are now obsolete and are deleted.
However, if no data is written to the database, the WAL (.log) remains at 0 bytes. Flushing in this case does not create an SST file, and the WAL (.log) file is not deleted. When the database is reopened, a new WAL (.log) with a higher sequence number is created.
In summary, every open-close of a RocksDB database without any data written adds a 0-byte .log file to the directory.
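The pattern described above can be confirmed on an endpoint with a read-only count of the empty WAL files. The script below is an added example, not Symantec's own tooling; the function names are hypothetical, and it assumes WAL files are named with digits followed by .log, as in the 000005.log example above.

```shell
#!/bin/sh
# Added example: read-only audit of RocksDB WAL files in one directory.
# Assumption: WAL names are digits followed by ".log" (e.g. 000005.log).

# Print every 0-byte WAL file directly inside directory $1.
list_empty_wals() {
    find "$1" -maxdepth 1 -type f -name '[0-9]*.log' -size 0 | sort
}

# Print how many 0-byte WAL files directory $1 holds.
count_empty_wals() {
    list_empty_wals "$1" | wc -l | tr -d ' '
}

# Print how many WAL files in $1 still contain data (not part of the symptom).
count_nonempty_wals() {
    find "$1" -maxdepth 1 -type f -name '[0-9]*.log' ! -size 0 | wc -l | tr -d ' '
}

# One-line summary for directory $1.
report_wals() {
    printf '%s: %s empty WAL(s), %s WAL(s) with data\n' \
        "$1" "$(count_empty_wals "$1")" "$(count_nonempty_wals "$1")"
}

# Constructed sample: three open-close cycles with no writes, one flushed
# SST file, and one WAL that still holds unflushed data.
demo_dir=$(mktemp -d)
: > "$demo_dir/000005.log"
: > "$demo_dir/000008.log"
: > "$demo_dir/000011.log"
printf 'sst' > "$demo_dir/000006.sst"
printf 'pending-write' > "$demo_dir/000014.log"
report_wals "$demo_dir"
rm -rf "$demo_dir"
```

To audit a real endpoint, call report_wals with the database directory as its argument; a WAL that still holds data means the database has writes that were not yet flushed.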
Symantec is aware of this issue and a fix is underway. It will be included in a future build.
In the meantime it is safe to delete these files using these steps:
1. Stop the agent by running ./stop.sh from /usr/lib/symantec
2. Delete /opt/Symantec/sdcssagent/AMD/sef/appdata/databases/EDR/* (Note: DO NOT delete this directory if the endpoint has EDR enabled)
3. Restart the agent by running ./start.sh from /usr/lib/symantec