Endpoint Protection

 View Only
  • 1.  CmnClnt\ErrorInstances folder

    Posted Nov 06, 2018 02:59 PM

    Recently deployed 14.2 across Windows Server platforms; 2008 non-R2, 2008 R2, 2012, 2016.

    Now seing the following folder accumulating large number of files on most systems, does not seem to be OS version specific.

    C:\ProgramData\Symantec\Symantec Endpoint Protection\14.2.770.0000.105\Data\CmnClnt\ErrorInstances

    In some cases several Gb in total.

    Is there some way to prevent this and/or restrict the number of files retained (by size, count or date)?

    I have executed SymDiag and nothing untoward is indicated.

    Any assistance greatly appreciated.



  • 2.  RE: CmnClnt\ErrorInstances folder

    Posted May 13, 2020 09:57 AM
    Have you received any further responses to this? 

    I've noticed that we are also seeing something similar on a few of our servers.

    -Karen


  • 3.  RE: CmnClnt\ErrorInstances folder

    Broadcom Employee
    Posted May 13, 2020 10:33 AM

    This is SymQual:

    SymQual is a client side component\feature that is responsible for collecting and reporting our software anomalies such as Crash and Logical Error.

    SymQual works on client side as following.

    1. SymQual gather data for SEP related processes and some other 3rd party process. The full list of process that Symqual monitor is listed under this registry HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps. 
      Note: when SymQual is disabled from SEPM, this registry key will be empty.
    2. When a monitored process\app crashed, Windows Error Reporting (WER) will create a dump file (.dmp) under %programdata%\Symantec\LocalDumps
             a. Under \LocalDumps folder, only latest 4 dump file will be retained - i.e.. if monitored process keeps crashing we only keep the latest 4 dump and delete the rest.
    3. Once crash dump is created by WER, SymQual will check that folder (instantly) and create a sub folder "SQ_xxx" under %programdata%\Symantec\...\Data\ErrMgmt\Queue\Incoming for each crash dump. These folders contains data\details related to the crash in preparation for uploading to SymQual server. 
    4. There's a Windows Task schedule created to process and upload all unsubmitted data to SymQual Server at 12am. The data that are processed are packed into a single .dat file and put into its respective "bucket" folder under %programdata%\Symantec\…\Data\CmnClnt\ErrorInstaces .


    You are running an older build of 14.2 and should get upgraded to the latest version if possible as we have had many fixes to this feature.  If you continue to have issues after upgrading I would suggest opening a case with Support.

    You may also want to take a look at what application is crashing so often and find a fix for that.

    Thanks,



    ------------------------------
    John Owens
    Principal Product Support
    Symantec
    United States
    ------------------------------



  • 4.  RE: CmnClnt\ErrorInstances folder

    Broadcom Employee
    Posted May 13, 2020 10:36 AM
    You can also disable this feature.


    uncheck Symantec Endpoint Protection Manager (SEPM) console > Admin > Servers > Local Site > Edit Site Properties > Data Collection > "Let clients send troubleshooting information to Symantec to resolve product issues faster.".

    ------------------------------
    John Owens
    Principal Product Support
    Symantec
    United States
    ------------------------------



  • 5.  RE: CmnClnt\ErrorInstances folder

    Posted May 13, 2020 10:42 AM
    thanks for the update John, we only recently upgraded to 14.2 last week and have yet to upgrade our servers or clients.

    Is this a feature new to 14.2?


  • 6.  RE: CmnClnt\ErrorInstances folder

    Posted May 13, 2020 10:44 AM
    Slt ! Qui pourrais m'aidez à trouver un partenaire Symantec endpoint protection. Merci d'avance 






  • 7.  RE: CmnClnt\ErrorInstances folder

    Broadcom Employee
    Posted May 13, 2020 10:55 AM

    This is not a new feature. It has been around for some time in and in 14.0 as well.  

    Please keep in mind there is a vulnerability in all versions of SEP prior to 14.3.  So you will want to plan to upgraded to 14.3 soon.

    https://support.broadcom.com/security-advisory/security-advisory-detail.html?notificationId=SYMSA1762



    ------------------------------
    John Owens
    Principal Product Support
    Symantec
    United States
    ------------------------------