Large disk usage under ...\Data\ErrMgmt\Queue\Incoming by the Endpoint Protection client


Article ID: 164753


Products

Endpoint Protection

Issue/Introduction

The Symantec Endpoint Protection (SEP) client generates many folders in C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\ErrMgmt\Queue\Incoming.

These files and folders consume a large amount of disk space.

Cause

The application or process crashes that produce these files may not be related to SEP.

When SEP is installed, SymQual and Windows Error Reporting debug settings are added to the Windows registry. When an application or process crashes, files and folders are generated, and data is sent to Symantec. If the SEP client is unable to transmit this data to Symantec, these files and folders remain on disk and consume disk space.

Resolution

Investigate other applications or processes that crash and implement a fix as necessary. This step stops any additional creation of files and folders.

Additionally, ensure that the SEP clients can access all required URLs. See Required exclusions for proxy servers to allow Endpoint Protection to connect to reputation and licensing servers. Once the SEP clients submit the data to Symantec, they delete the data on disk.

Disable submissions

To fully disable submissions and prevent data accumulation:

  1. In the Symantec Endpoint Protection Manager, go to Admin > Servers > Local Site > Edit Site Properties > Data Collection.
  2. Uncheck "Let clients send troubleshooting information to Symantec to resolve product issues faster."

Note that even when "Let clients send troubleshooting information to Symantec to resolve product issues faster" is unchecked, application crash logs may continue to accumulate in the "Incoming" directory and consume disk space. In that case, follow the other two resolution options in this article: troubleshoot and resolve the root cause of the application crashes, and, if the root cause cannot be resolved, disable the SymQual monitor (below).

Disable SymQual monitor

To disable SymQual's monitor for specific applications or processes:

  1. Disable Tamper Protection.
  2. At the command line, disable SEP with smc -stop.
  3. Delete the files in the folder, C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\ErrMgmt\Queue\Incoming.
  4. In the Windows Registry Editor, create a backup, and then navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
     
  5. Delete any unnecessary subkeys.

    Note: Any subkeys that have a "DumpFolder" value of "C:\ProgramData\Symantec\LocalDumps" are the processes that we monitor.
     
  6. At the command line, restart SEP with smc -start.
  7. Re-enable Tamper Protection.
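
Before working through the steps above, a read-only audit can show how large the queue is, whether crash data is still arriving, and which LocalDumps subkeys point at the SEP dump folder. The script below is an added example, not Broadcom's own tooling; it deletes nothing. The backup file location is a hypothetical choice, and the DumpFolder path is the one from the note in step 5 written with backslashes.

```powershell
# Added example: read-only audit for the SymQual procedure in this article.
param(
    # Queue folder named in this article.
    [string]$QueuePath = 'C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\ErrMgmt\Queue\Incoming',
    # DumpFolder value from the note in step 5 (assumed to use backslashes).
    [string]$SepDumpFolder = 'C:\ProgramData\Symantec\LocalDumps',
    # Hypothetical location for the registry backup required by step 4.
    [string]$BackupFile = "$env:TEMP\LocalDumps-backup.reg"
)

$LocalDumpsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'

# 1. Size of the queue and the newest file; a recent timestamp means
#    something on the machine is still crashing and feeding the queue.
if (Test-Path -LiteralPath $QueuePath) {
    $files  = @(Get-ChildItem -LiteralPath $QueuePath -Recurse -File -Force -ErrorAction SilentlyContinue)
    $bytes  = [long]($files | Measure-Object -Property Length -Sum).Sum
    $newest = $files | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    [pscustomobject]@{
        QueuePath   = $QueuePath
        FileCount   = $files.Count
        SizeMB      = [math]::Round($bytes / 1MB, 1)
        NewestWrite = if ($newest) { $newest.LastWriteTime } else { $null }
    } | Format-List
} else {
    Write-Warning "Queue folder not found: $QueuePath"
}

# 2. LocalDumps subkeys whose DumpFolder is the SEP dump folder. Each subkey
#    name is a process image name. GetValue() expands REG_EXPAND_SZ data.
if (Test-Path -LiteralPath $LocalDumpsKey) {
    $monitored = Get-ChildItem -LiteralPath $LocalDumpsKey | ForEach-Object {
        $folder = [string]$_.GetValue('DumpFolder')
        if ($folder -and $folder.TrimEnd('\') -ieq $SepDumpFolder.TrimEnd('\')) {
            [pscustomobject]@{ Process = $_.PSChildName; DumpFolder = $folder }
        }
    }
    $monitored | Format-Table -AutoSize

    # 3. Export the whole key so step 5 can be undone (needs an elevated shell).
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps' $BackupFile /y
    Write-Host "Registry backup written to $BackupFile"
} else {
    Write-Warning "LocalDumps key not found; no per-process dump settings are present."
}
```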
