It make a snapshot of any file that we are evaluating for removable storage. That way, if the file is removed before we detect, we can still Monitor the file and create an incident, allowing us to be aware that the copy happened. Before processing, the files are copied into an .snp files that are stored in the C:\Program Files\Manufacturer\Endpoint Agent\temp directory.
The .snp (snapshot) files are the original copies of the files we scan. The file is then copied to a .vep (Vontu Endpoint) file, which is used in the detection process.
We keep the last 20 snp files so there should never be more than 20 files in this folder in v10. The .snp files should be removed if the edpa process is restarted. If there are more than 20 files or they are not removed after restarting the edpa process then contact technical support.
VEP File Elimination should be disabled when:
* Two-Tier policies are used on the endpoint, OR
* Data Retention is enabled on the endpoint, OR
* Symantec Endpoint Encryption is used on the endpoint.
Otherwise, VEP File Elimination can be enabled.