Jump to content
ak01

Kaspersky (KES 10 SP1 MR2/3) hard drive usage [Solved]

Recommended Posts

We have some virtualised computers with limited hard drive space. Sometimes we recognize that there is more space usage from Kaspersky than usual. Can you explain what files are used for what and which can be deleted?

 

Installation Folder: Sometimes, the Netagent folder contains about 100 MB dump Files within C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\~dumps.

Can we delete them? Are they deleted automatically after time? Is it possible to restrict the file size, amount of written files, creation itself (e.g. do not write any dumps), …?

 

Data folder (see screenshot attached):

Does the file kavbase_0000001 contain the signature database?

What are the files log0/strgxxxxxxxx within C:\ProgramData\Kaspersky Lab\KES10SP1\Bases\Klava? Are these the reports? I configured a few days ago in the policy to not keep more than 100 MB but that does not change anything (when does KES do the cleanup)?

 

 

I also found the following files under C:\ProgramData\Kaspersky Lab (on one specific computer):

KES.10.2.4.674_05.04_12.06_11812.SRV.full.dmp

KES.10.2.4.674_05.04_12.06_11812.SRV.mini.dmp.enc1

 

 

Is it possible to do an automated clean-up (e.g. with KSC) of these dumps and not necessary files?

 

post-561540-1476180563_thumb.png

Share this post


Link to post
We have some virtualised computers with limited hard drive space. Sometimes we recognize that there is more space usage from Kaspersky than usual. Can you explain what files are used for what and which can be deleted?

 

Installation Folder: Sometimes, the Netagent folder contains about 100 MB dump Files within C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\~dumps.

Can we delete them? Are they deleted automatically after time? Is it possible to restrict the file size, amount of written files, creation itself (e.g. do not write any dumps), …?

 

Data folder (see screenshot attached):

Does the file kavbase_0000001 contain the signature database?

What are the files log0/strgxxxxxxxx within C:\ProgramData\Kaspersky Lab\KES10SP1\Bases\Klava? Are these the reports? I configured a few days ago in the policy to not keep more than 100 MB but that does not change anything (when does KES do the cleanup)?

 

 

I also found the following files under C:\ProgramData\Kaspersky Lab (on one specific computer):

KES.10.2.4.674_05.04_12.06_11812.SRV.full.dmp

KES.10.2.4.674_05.04_12.06_11812.SRV.mini.dmp.enc1

 

 

Is it possible to do an automated clean-up (e.g. with KSC) of these dumps and not necessary files?

 

Hello.

 

klava is an update component and should not be modified manually.

KES and Network Agent dump files are created when their corresponding services crash. The files themselves may be removed safely (manually or via Remote Diagnostics), but to prevent them from generating again, you need to investigate what may lead to these crashes.

 

Thank you.

 

Share this post


Link to post

Hi

 

what's about the Cache subfolder and kavbase_0000001 file?

 

I think that these dump files are stored from previous crashes and just stay there.

 

Share this post


Link to post
Hi

 

what's about the Cache subfolder and kavbase_0000001 file?

 

I think that these dump files are stored from previous crashes and just stay there.

 

All contents from "Bases" folder are managed by KES updater automatically. These files are used by the product, and their integrity is critical, so they should not be removed.

 

Thank you.

Share this post


Link to post

ok, thanks.

Where are the reports stored? The amount of space can be limited within the KES policy, but I do not see any difference when I reduce the size (e.g. to 100 MB).

Where can I see how much space is used for reports (maybe that is just a few MBs or KBs)?

Share this post


Link to post
ok, thanks.

Where are the reports stored? The amount of space can be limited within the KES policy, but I do not see any difference when I reduce the size (e.g. to 100 MB).

Where can I see how much space is used for reports (maybe that is just a few MBs or KBs)?

 

Considering reports, there is a known issue that happens on some hosts with KES 10 SP1 MR3.

File g_objdt.dat in %ProgramData%\Kaspersky Lab\KES10SP1\Report may be growing despite the size limitations you set in the policy (certain entries ignore that limitation by design).

 

According to the known issue 1807440, you can remove this file if it causes concern (however it can only be deleted locally, after turning off Self-Defense).

If you see this issue reoccur often, please request a diagnostic patch pf1749 from CompanyAccount (state the issue number, pf, and provide a link to this topic). See if the issue reoccurs with the patch installed.

 

Thank you.

Share this post


Link to post

I do not have the issue about the growth of the reports folder. The intention was to find out what gets stored in what folder (and if some of the files can be deleted).

You told me to investigate the Netagent Dumps (if there is one). The problem is that I have about 1000 computers. I do not recognize if there are any dumps on one/some of them.

As an improvement of KSC (I will post a suggestion in the corresponding branch) it would be nice to have a new computer status “dump files exists” or “Data folder too big” which indicates that there is a problem.

 

Share this post


Link to post
I do not have the issue about the growth of the reports folder. The intention was to find out what gets stored in what folder (and if some of the files can be deleted).

You told me to investigate the Netagent Dumps (if there is one). The problem is that I have about 1000 computers. I do not recognize if there are any dumps on one/some of them.

As an improvement of KSC (I will post a suggestion in the corresponding branch) it would be nice to have a new computer status “dump files exists” or “Data folder too big” which indicates that there is a problem.

 

The data folder is not meant to exceed the disk space that is listed in system requirements for the product (except for rare cases when such behavior is a known issue to be solved).

Dump files are not accounted for in terms of occupied disc space, as dumps are only generated in case of service failures, which should generate events for KSC already, making this proposed additional status redundant.

Please let us know if you are currently having an issue that needs to be assisted with, or if we can mark this topic solved.

 

Thank you.

Share this post


Link to post

This topic can be marked as solved.

However, you wrote "which should generate events for KSC already" -> that is good news, but were do I find that?

Share this post


Link to post
This topic can be marked as solved.

However, you wrote "which should generate events for KSC already" -> that is good news, but were do I find that?

 

Hello,

its name is "Real-time protection is not active".

Thank you.

Share this post


Link to post

I did some investigation on about 30 PCs and found some Agent Dumps. Most of them where older (according to the change date of the file) but one was generated at 7th Oct. 2016 8:39. I did not find any event in KSC at the corresponding PC.

I also found some KES dumps but they were older.

It would be nice to have some sort of cleanup of old dump files (e.g. cleanup when dump is older than one month).

I agree that these application crashes should be investigated but it is hard to find out that the application crashed and when it only happens once or twice, it is not worth to open up a call. The main problem for me at the moment is that these dump files consume hard disk space.

 

Share this post


Link to post
I did some investigation on about 30 PCs and found some Agent Dumps. Most of them where older (according to the change date of the file) but one was generated at 7th Oct. 2016 8:39. I did not find any event in KSC at the corresponding PC.

I also found some KES dumps but they were older.

It would be nice to have some sort of cleanup of old dump files (e.g. cleanup when dump is older than one month).

I agree that these application crashes should be investigated but it is hard to find out that the application crashed and when it only happens once or twice, it is not worth to open up a call. The main problem for me at the moment is that these dump files consume hard disk space.

 

As mentioned earlier, dump files can be deleted remotely using Remote Diagnostics to connect to host via KSC.

 

Thank you.

Share this post


Link to post

×
×
  • Create New...

Important Information

We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information.