Atlanta Security User Group

  • 1.  Issues with DLP Endpoint Prevent servers and incident reporting.

    Posted May 18, 2017 11:42 AM

    I have 5 total DLP Endpoint Prevent servers, each with DLP version 14.5.0.24034, with the DLP agent version deployed being 14.0.2000.1056.

    Of the 5 servers, I am having an issue with 4 of them. The issue is as follows:

    • Incidents are reporting with a "pipe" symbol preceding the incident number, i.e. |1492910212700.idc
    • As incidents populate the "incidents" folder on the endpoint prevent server, incident files with a ".tmp" extension will populate in the folder. As this occurs, the "SymantecDLP\Protect\temp\aggregator_temp_ttd_data" folder then fills quickly with folders containing a "minus" symbol preceding the folder name, i.e. "-1287079144_408759445".

    This causes the drive on which DLP is installed to fill quickly, given the endpoint prevent server will not complete processing of the incident files, and the "aggregator_temp_data" folder continues to fill.

    DLP Endpoint policies are applied the same, to all 5 servers - including the 1 server which is not exhibiting the behavior of the other 4 servers.

    Any help is appreciated. Thank you.



  • 2.  RE: Issues with DLP Endpoint Prevent servers and incident reporting.

    Trusted Advisor
    Posted Jun 05, 2017 05:34 PM

    Recommendation is to stop the services and then reinstall the application. You can back up the files in the incidents just in case.

    Also, is there any issue with the Enforce server on processing incidents? There may be an issue upstream that is causing the other endpoints to fail with the transfer of data to the console.



  • 3.  RE: Issues with DLP Endpoint Prevent servers and incident reporting.

    Posted Apr 08, 2021 01:48 PM
    Hello

    Someone else with this problem
    
    I am in version 15.5 and a detection to prevent this is filling up frequently, every incident generated creates the folder in directory