The directory C:\ProgramData\Symantec\Symantec should average between 1GB and 2GB in size, depending on the SEP client version (11 or 12.1); the older version of the SEP client consumes more disk space.
- There are some known issues in SEP11 where the client sometimes overuses the machine's disk space. It is recommended to upgrade those machines to version 12.1 to solve those issues.
- Please note that C:\ProgramData\Symantec\ might hold directories for other Symantec software, and this analysis was done for SEP client directory only (Version 12.1.671.4971).
A typical C:\ProgramData\Symantec\Symantec Endpoint Protection should contain the following folders:
    02/24/2013  09:17 AM    <DIR>          12.1.671.4971.105
    02/19/2013  12:36 PM    <JUNCTION>     CurrentVersion
    02/19/2013  12:36 PM    <DIR>          PersistedData
                   0 File(s)              0 bytes
                   5 Dir(s)  461,788,991,488 bytes free
This directory usually holds the folders for the current and previous versions of SEP. It is safe to delete the directories of old versions after confirming the currently running version through the SEP Client by following these steps:
SEP Client Main Screen -> Click on Help -> Click on About -> Check the version from the screen.
Clicking on the “CurrentVersion” shortcut will directly take you to the current version files, where that directory will hold the following:
    02/19/2013  12:36 PM    <DIR>          Data
    02/19/2013  12:36 PM    <DIR>          inbox
    02/19/2013  12:36 PM               114 isolate.ini
    02/25/2013  10:42 AM    <DIR>          SRTSP
The two folders inbox and SRTSP should not consume much space and should not be deleted; however, most of the disk space problems come from the folder “Data”.
A typical “Data” folder should reflect the following:
    02/19/2013  12:36 PM    <DIR>          APTemp
    02/19/2013  12:36 PM    <DIR>          BadPatts
    02/25/2013  10:45 AM    <DIR>          BASH
    02/19/2013  12:36 PM    <DIR>          Cached Installs
    02/25/2013  01:03 AM    <DIR>          CmnClnt
    02/25/2013  10:43 AM    <DIR>          Config
    02/19/2013  12:36 PM    <DIR>          ContentCache
    02/25/2013  12:22 PM    <DIR>          DB
    02/25/2013  01:15 AM    <DIR>          DecTemp
    02/19/2013  12:36 PM    <DIR>          Definitions
    02/24/2013  09:18 AM    <DIR>          FeatureState
    02/19/2013  12:36 PM    <DIR>          I2_LDVP.VDB
    02/19/2013  12:36 PM    <DIR>          Install
    02/19/2013  01:19 PM    <DIR>          IPS
    02/25/2013  10:42 AM    <DIR>          IPSFFPlgn
    02/25/2013  10:44 AM    <DIR>          IRON
    02/19/2013  12:37 PM    <DIR>          Logs
    02/19/2013  12:37 PM    <DIR>          Lue
    02/19/2013  12:36 PM    <DIR>          Quarantine
    02/19/2013  01:20 PM    <DIR>          SPManifests
    02/19/2013  12:36 PM    <DIR>          SRTSP
    02/19/2013  12:46 PM    <DIR>          State
    02/19/2013  12:36 PM    <DIR>          SymDS
    02/19/2013  12:36 PM    <DIR>          symnetdrv
    06/17/2011  04:31 PM               743 SymPP.inf
    06/17/2011  04:31 PM             7,664 SystemSnapshotRules.bin
    02/19/2013  12:36 PM    <DIR>          xfer
    02/19/2013  12:36 PM    <DIR>          xfer_tmp
“Data” Folder Detailed Directory Analysis
- APTemp - This directory should be clean by default.
- BadPatts - This directory should be clean by default.
- BASH - average file size should be around ~6.10MB. It is advised to not delete the contents inside the folder.
- Cached Installs - The size of this folder varies from machine to machine. Deleting its contents will only cause them to be replaced with the same contents. According to Symantec tech support, it is not advised to delete anything from this folder.
Reference: http://www.symantec.com/connect/forums/sep-cached-installs
- CmnClnt - This folder is reported to consume a lot of space, as it is responsible for checking the reputation of files with Symantec servers. Folders inside this directory usually send the files to Symantec for checking; if the machine has no access to the internet, this folder will increase in size rapidly. A solution to this problem can be found here: http://www.symantec.com/connect/forums/folder-12xxxdatacmnclntccsubsdk-has-large-size
- Config - a vital file that should not be deleted.
- ContentCache - This directory should be clean if there are no active processes in SEP.
- DB - There is no information available in the Symantec knowledge base regarding this folder. However, as a matter of common sense, database files should not be deleted, as the client relies on them to operate.
- DecTemp - This folder should be clean by default. In case this folder holds large files, the machine should be restarted into safe mode to delete all files under DecTemp/i2_ldvp.tmp/
Reference: http://www.symantec.com/business/support/index?page=content&id=TECH97520
- Definitions - This folder should be 2GB in size for SEP 11 or around 900MB for SEP 12+.
Reference: http://www.symantec.com/business/support/index?page=content&id=TECH141811
- FeatureState - This directory should be clean by default.
- I2_LDVP.VDB - This directory should be clean by default.
- Install - This folder usually holds the install logs. On my machine this folder is ~5MB in size. It is not recommended to delete this folder's contents, as they may be needed for future troubleshooting.
- IPS - This folder should not consume much space. SEP will replace this folder if it is deleted. It is not recommended to delete this folder.
- IPSFFPlgn - It is not recommended to delete this folder’s contents. Average size ~400KB.
- IRON - folder for the IRON definition DB, this folder should not be tampered with.
- Logs - This folder grows over time, so its size varies with its age. It is not recommended to delete this folder.
- Lue - this folder should not consume much space. ~1MB max.
- Quarantine - AV quarantine directory. This folder should be cleaned up automatically depending on the Antivirus and AntiSpyware policy.
Reference: http://www.symantec.com/business/support/index?page=content&id=TECH106443
- SPManifests - This folder is important for remote client installation through SEPM.
- SRTSP - It is not recommended to delete the contents of this folder as it might impact the operation of SEP client.
- State - Important for the communication between SEP client and SEPM. Should not be deleted.
- SymDS - Should be empty by default if there are no operations in process.
- symnetdrv - This folder holds important files, should not be deleted. Avg size 16-80Kb.
- xfer, xfer_tmp - Should be empty by default. There are reports of problems in SEP11 where these folders increase in size rapidly. In that case the only solution to the problem is to completely re-install SEP.
Reference: http://www.symantec.com/connect/forums/tmp-files-issue-xfer-folder
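The per-folder expectations above can be checked on a client with a read-only audit. The following PowerShell is an added example, not part of the original analysis or of Symantec's tooling; it only reports sizes and deletes nothing. The baselines are the SEP 12.1 figures quoted above, while the 2x tolerance, the parameter names and the Get-FolderSize helper are assumptions of this example. It needs PowerShell 3.0 or later and an elevated prompt.

```powershell
#Requires -Version 3
# Added example: read-only size audit of the SEP 12.1 "Data" folder.
# Baselines come from the folder notes on this page; the tolerance is an assumption.
param(
    [string]$DataPath  = 'C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data',
    [double]$Tolerance = 2.0   # assumed: flag a folder above 2x its quoted size
)

# Folders the page describes as clean or empty by default.
$expectEmpty = 'APTemp', 'BadPatts', 'ContentCache', 'DecTemp', 'FeatureState',
               'I2_LDVP.VDB', 'SymDS', 'xfer', 'xfer_tmp'

# Approximate sizes quoted on the page (SEP 12.1 figures), in bytes.
$baseline = @{
    'BASH'        = 6.10MB
    'Definitions' = 900MB
    'Install'     = 5MB
    'IPSFFPlgn'   = 400KB
    'Lue'         = 1MB
}

# Hypothetical helper: total size in bytes of all files below a folder.
function Get-FolderSize([string]$Path) {
    $sum = (Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
            Measure-Object -Property Length -Sum).Sum
    if ($null -eq $sum) { 0 } else { [long]$sum }
}

Get-ChildItem -LiteralPath $DataPath -Directory -Force | ForEach-Object {
    $size   = Get-FolderSize $_.FullName
    $status = 'no baseline on page'
    if ($expectEmpty -contains $_.Name) {
        $status = if ($size -eq 0) { 'OK (empty)' } else { 'REVIEW: expected empty' }
    } elseif ($baseline.ContainsKey($_.Name)) {
        $limit  = $baseline[$_.Name] * $Tolerance
        $status = if ($size -le $limit) { 'OK' } else { 'REVIEW: above baseline' }
    }
    [pscustomobject]@{
        Folder = $_.Name
        SizeMB = [math]::Round($size / 1MB, 2)
        Status = $status
    }
} | Sort-Object SizeMB -Descending | Format-Table -AutoSize
```

A folder marked REVIEW is a pointer back to its entry in the list above, which states whether its contents may be removed and how.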
Finally, I would like to extend my appreciation and gratitude to Mr. Shahzad Subhan and Bank Albilad ISMC Team for their guidance and aid while writing this brief analysis.