Symantec Endpoint Protection (SEP): the file "LightningSand.CFD" is seen in the System Volume Information folder on Windows operating systems, occupying disk space.
Symantec Endpoint Protection 14.X
LightningSand.CFD is AutoProtect's FAM (File Attribute Manager) database. It is used to persist various flags about files that are observed by SRTSP64.SYS as part of its normal operation.
The file is based on the in-memory FAM, which is implemented as an LRU (Least Recently Used) hash-map with a maximum size of 180,000 entries.
The LightningSand.CFD file is Tamper Protected and cannot be deleted without stopping SRTSP64.SYS. Uninstalling SEP will delete the file as part of AutoProtect's install custom action. Uninstalling is safer and perhaps easier than disabling Tamper Protection and renaming the driver/rebooting or going into safe mode. In any case, SRTSP64.SYS will create the file again the next time it loads.
Although FAM performs a similar function to SymEFA, it pre-dates it. SymEFA was created as a general solution for STAR components and provides more flexibility. It persists its data in \System Volume Information\EfaData\SYMEFA.DB for each volume that supports it.
LightningSand.CFD won't typically be found on a system while SRTSP64.SYS is loaded.
It works as follows:
1) When SRTSP64.SYS loads, it reads the file content into memory and deletes the file.
2) When SRTSP64.SYS unloads, it persists the file attributes stored in memory into LightningSand.CFD.
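The load/unload cycle above, as a conceptual Python model added here (not Symantec's code). The JSON on-disk format, the FamModel class and the demo file ids are assumptions for illustration; only the 180,000-entry cap and the read-then-delete / persist-on-unload behaviour come from this article.

```python
import json
import os
import tempfile
from collections import OrderedDict

MAX_ENTRIES = 180_000  # maximum FAM size stated in the article


class FamModel:
    """Conceptual model of a capped LRU map persisted across driver load/unload."""

    def __init__(self, path, max_entries=MAX_ENTRIES):
        self.path = path
        self.max_entries = max_entries
        self.entries = OrderedDict()  # file id -> flags, least recently used first

    def load(self):
        """Driver load: read the persisted map into memory, then delete the file."""
        if os.path.exists(self.path):
            with open(self.path, "r", encoding="utf-8") as fh:
                for file_id, flags in json.load(fh):
                    self.set_flags(file_id, flags)
            os.remove(self.path)

    def set_flags(self, file_id, flags):
        """Record flags for an observed file; evict the LRU entry when full."""
        self.entries[file_id] = flags
        self.entries.move_to_end(file_id)
        while len(self.entries) > self.max_entries:
            self.entries.popitem(last=False)

    def unload(self):
        """Driver unload: persist the in-memory map back to the file."""
        with open(self.path, "w", encoding="utf-8") as fh:
            json.dump(list(self.entries.items()), fh)


def demo_lifecycle(max_entries=3):
    """Run unload then reload with constructed file ids; return what was observed."""
    path = os.path.join(tempfile.mkdtemp(), "LightningSand.CFD")
    fam = FamModel(path, max_entries)
    for i in range(5):  # constructed entries f0..f4; f0 and f1 get evicted
        fam.set_flags(f"f{i}", i)
    while_loaded = os.path.exists(path)   # nothing on disk while "loaded"
    fam.unload()
    after_unload = os.path.exists(path)   # file appears only after unload
    fam2 = FamModel(path, max_entries)
    fam2.load()                           # next load consumes and deletes it
    return while_loaded, after_unload, os.path.exists(path), list(fam2.entries)
```

Because the map is capped, the persisted file in this model cannot grow past the cap times the per-entry size, however long the driver runs.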
The Procmon low-altitude log shows the presence of the file and various properties that may be of interest.
1) The file is opened with the delete-on-close option (screenshot not included).
2) The file size (screenshot not included).