Endpoint Protection

  • 1.  AV Definitions Filling Hard Drive

    Posted Jun 14, 2010 10:15 AM

    I'm running SEP 11.0.5002.333 on a 32-bit server.  The device in question is a test server.  I check on it periodically as scenarios arise in the production environment. 
    ---

    On 6/11/2010, I attempted to connect to it and got an "Unexpected Server Error."  I rebooted the server and attempted to log in.  Had to reset the admin password.

    On 6/14/2010, I had to reboot again with the same "Unexpected Server Error."  The server sent a disk space warning.

    A search for large files showed a lot of files named VIRSCAN7.DAT, VIRSCAN8.DAT, VIRSCAN9.DAT, TCSCAN7.DAT.  File sizes range from 15 Megs to over 64 Megs.

    And some zip files named FULL.ZIP, VDEFHUB.ZIP, JTDS-1.1-SRC.ZIP, IPSDEF.ZIP. File sizes range from just over 1 Meg to over 100 Megs.

    There is a gap in consistent write dates from 02/28/2010 until 06/10/2010.  There are periodic write dates in March, April, and May, but no daily writes until 06/10/2010.

    Paths where the identified files are being written are:
    c:\program files\common files\symantec shared\virusdefs\*
    c:\program files\common files\symantec shared\virusdefs\binhub

    c:\program files\symantec\symantec endpoint protection manager\inetpub\content\{**}\### (zip files)

    tcscan7.dat

    c:\program files\symantec\symantec endpoint protection manager\inetpub\content\{**}\### (dat files)
    c:\program files\common files\symantec shared\virusdefs\*
    c:\program files\common files\symantec shared\symcdata\sesmvirdef32\*
    c:\program files\common files\symantec shared\virusdefs\*

    At present, there are 97.8 Megs available on a 15 Gig drive.
    ----


    Question 1: What files are safe to purge (how far back do I need to keep definition files on the server)?

    Question 2: What should be done to keep this from recurring (Shouldn't the files be cycled/purged automatically)?

    All assistance is appreciated.


  • 2.  RE: AV Definitions Filling Hard Drive

    Posted Jun 14, 2010 10:40 AM

    Question 1: What files are safe to purge (how far back do I need to keep definition files on the server)?


    You need to set the purge option on your SEPM so that it does not store too many definition revisions.
    Admin - Servers - Local Site - under LiveUpdate, set the content revisions to 3.

    check this document

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007111509244948

    https://www-secure.symantec.com/connect/forums/virus-definitions-filling-hard-drive


  • 3.  RE: AV Definitions Filling Hard Drive
    Best Answer

    Posted Jun 14, 2010 10:55 AM
    So is this a SEP client only, or a SEPM as well?

    If there is a SEPM (and given the paths above, I suspect there is), how many content revisions are you storing? (Admin > Servers > Local Site > Edit Site Properties > LiveUpdate tab > look to bottom).

    The items in inetpub will repopulate if you remove them based on the content revision number stored in the database.

    If both, the client side should be only keeping 3 revisions.  Each revision would be in the form of a folder with a date YYYYMMDD.RRR (year-month-day.revision #).  Client definitions are here: C:\Program Files\Common Files\Symantec Shared\VirusDefs

    "no daily writes until 06/10/2010"

    Curious: did something change on this day?

    15 GB for a system partition is a bit small, particularly since the system requirements for the SEPM are looking for 8 GB hard drive space free between server and database if embedded.  Is there some way you can increase the drive size?

    sandra
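
A read-only way to check the client-side revision count described in the reply above, as an added example that is not part of the original thread. The function name `Get-DefinitionRevisionReport` is hypothetical; the default path, the `YYYYMMDD.RRR` folder pattern and the figure of 3 revisions are taken from the reply.

```powershell
# Added example (not from the thread): read-only report, deletes nothing.
# Get-DefinitionRevisionReport is a hypothetical helper name.
function Get-DefinitionRevisionReport {
    param(
        # Client definitions path quoted in the reply above.
        [string]$Path = 'C:\Program Files\Common Files\Symantec Shared\VirusDefs',
        # Number of revisions the reply says the client should be keeping.
        [int]$Keep = 3
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Path not found: $Path"
        return
    }

    # Revision folders are named YYYYMMDD.RRR, so a descending name sort is newest first.
    $revisionDirs = @(Get-ChildItem -LiteralPath $Path -Force |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\d{8}\.\d{3}$' } |
        Sort-Object -Property Name -Descending)

    $rank = 0
    foreach ($dir in $revisionDirs) {
        $rank++
        # Sum file sizes under the revision folder; an empty folder counts as 0.
        $bytes = (Get-ChildItem -LiteralPath $dir.FullName -Recurse -Force |
            Where-Object { -not $_.PSIsContainer } |
            Measure-Object -Property Length -Sum).Sum
        if ($null -eq $bytes) { $bytes = 0 }

        # Flag folders that fall outside the newest $Keep revisions.
        $status = 'within newest {0}' -f $Keep
        if ($rank -gt $Keep) { $status = 'beyond newest {0}' -f $Keep }

        New-Object PSObject -Property @{
            Revision = $dir.Name
            SizeMB   = [math]::Round($bytes / 1MB, 1)
            Status   = $status
        } | Select-Object Revision, SizeMB, Status
    }
}

Get-DefinitionRevisionReport | Format-Table -AutoSize
```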


  • 4.  RE: AV Definitions Filling Hard Drive

    Posted Jun 14, 2010 09:02 PM

    Question 1: What files are safe to purge (how far back do I need to keep definition files on the server)?

    It is up to you. To set this up, log in to SEPM -> Admin -> Local Site (My Site) -> LiveUpdate (Tab)
    Check the setting for "Disk Space Management for Downloads"

    Question 2: What should be done to keep this from recurring (Shouldn't the files be cycled/purged automatically)?

    Your definitions are being corrupted. Symantec does not make any corrupted definitions, but most of the time definitions are corrupted during the file transfer from the Symantec server to the destination machine. Check if there are any issues with the protocol LiveUpdate uses to download definitions (example: FTP/HTTP).

    Some suggestions:
    If the disk space issue keeps coming back after removing the def files, then you may need to uninstall and then reinstall LiveUpdate
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007100907303548

    Also another good one:
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008041516215948

    Hope you find this useful.

    Moin



  • 6.  RE: AV Definitions Filling Hard Drive

    Posted Jun 16, 2010 11:11 PM

    http://service1.symantec.com/support/ent-security.nsf/docid/2008092516184748


  • 7.  RE: AV Definitions Filling Hard Drive

    Posted Jun 18, 2010 09:36 AM
    Sorry for the late response.

    It was storing 30 revisions.  I say "was" because I ended up doing an uninstall/reinstall after having the vm reset at the host.

    This is a test environment that went idle for a couple of months.  On June 11, we started looking at it to duplicate a live issue.  The depleted space showed up on June 14.  That's as much as would have changed.

    On the reinstall, we moved the console to a non-system volume (I think).  At present, both drives show about 8 Gigs in use.  I'll probably reinstall again over this.  I switched the kept revision setting from 30 to 3. 

    Thanks a million.


  • 8.  RE: AV Definitions Filling Hard Drive

    Posted Jun 18, 2010 09:39 AM
    I'm ready to consider this resolved.  There is still some work to do, but I think reducing the volume of kept revisions will keep us out of the red on this.

    Thanks again.