Solved: Re: Full scans on file server creating GBs of temp files

itguy1024 · ‎03-30-2023

Hey all,

We have AMP SE doing a full scan on our file server. It takes about 18 hours to do a full scan. But the real issue is that it's filling up C:\Windows\Temp with 70+ GB of files and doesn't seem to clear them.

If we manually clear the temp files it starts to fill up again until we actually shut down the AMP SE service.

Version: 8.1.5.21322
also tried an older version with no change.

pmedinac · ‎03-30-2023

Hey @itguy1024

I have found that there´s a related behavior as you have mentioned here, it refers to this Bug: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe72888

In the information, it refers to a ClamAV taking some time to delete the temp files, and these are generated by macros files existing on endpoints, I´m curious if in this file server, you may store files with this purpose. If so, then you´re hitting this bug, and the immediate workaround is to install v8.1.3.

Now, moving forward, since this issue has been documented and investigated, it will be fixed on the v8.1.7 version which tentatively is scheduled to be released Mid-April.

Hope this information is helpful to you.

Greetings.

-

Pedro M.

View solution in original post

Sheraz.Salim · ‎03-30-2023

The issue you're experiencing may be related to a bug in the Cisco AMP for Endpoints software. To resolve this issue, you can try the following steps:

Stop the Cisco AMP for Endpoints Connector service on the affected endpoint.
Navigate to the C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\AMP folder.
Delete the entire contents of the folder.
Start the Cisco AMP for Endpoints Connector service.
This should resolve the issue with the temp files filling up the C:\Windows\Temp folder. If the issue persists, you may need to contact Cisco TAC

please do not forget to rate.

itguy1024 · ‎03-30-2023

Thanks. That folder path doesn't exist on our endpoint. I'll open a TAC case.

pmedinac · ‎03-30-2023

Hey @itguy1024

I have found that there´s a related behavior as you have mentioned here, it refers to this Bug: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe72888

In the information, it refers to a ClamAV taking some time to delete the temp files, and these are generated by macros files existing on endpoints, I´m curious if in this file server, you may store files with this purpose. If so, then you´re hitting this bug, and the immediate workaround is to install v8.1.3.

Now, moving forward, since this issue has been documented and investigated, it will be fixed on the v8.1.7 version which tentatively is scheduled to be released Mid-April.

Hope this information is helpful to you.

Greetings.

-

Pedro M.

itguy1024 · ‎03-30-2023

Thanks. I created a new policy with the 8.1.3 version and moved the endpoint to it. This was some time ago and it doesn't seem like the endpoint has rolled back. If the release next month has a fix we can wait it out.

pmedinac · ‎03-30-2023

Hey.

Actually, the process you may follow is to perform a fresh install of the v8.1.3. By moving the endpoint on your console, from v8.1.5-group to v8.1.3-group won´t perform a downgrade, since this feature is not available... yet...
So I suggest you perform the manual installation or as you have mentioned, wait for v8.1.7.

In case you may have some other questions, don´t hesitate to ask.

--

Pedro M.