
I'm looking for information about the following path: C:\ProgramData\Sophos\Endpoint Defense\Data

Hi friends, how are you?

I need your help. I need information about the path C:\ProgramData\Sophos\Endpoint Defense\Data, because my customer needs to know what this directory is and what its function is.



This thread was automatically locked due to age.
  • It stores a lot of data, I assume the size is the reason for the interest? The main ones are:

    • \logs\ - the logs of the service, driver, processes
    • \Event journals\ - When you have EDR/RCA/FIM (servers) enabled, SophosED.sys is recording all the operations taking place.  This is the data for that. *.bin are the current file, the xz are compressed files.  These are compressed every 5 mins by SEDService.exe.
    • \Edr Saved Data\ - The 5 min processing of the journals by sspedr.exe for data of interest being sent is stored here.  "backup" folder for example has the last 10 uploads of the JSON data once extracted.
    • \Forensic Snapshots\ - Any initiated forensic snapshots from Central are stored here.
    • \data content records\  - Cache of data about files, persisted over reboots and loaded by SophosED.sys
    • \appfeed\ - data to detect applications for autoexclusions, etc.
    • \decisionrulesv2\ - behavioural data files

    They are the main ones, the others seem to be IPC data.
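
Since the reply guesses that size is the reason for the question, here is a read-only way to see which of the subfolders listed above is using the space. This is an added example, not part of the original thread and not a Sophos tool; it assumes an elevated PowerShell 5.1 or later session whose account can read the tree, and the function name `Get-FolderUsage` is made up for this sketch.

```powershell
# Added example: summarise disk usage under the Endpoint Defense data directory.
# Read-only. Assumption: the account running it is allowed to enumerate this tree.
$Root  = 'C:\ProgramData\Sophos\Endpoint Defense\Data'
# Subfolder names exactly as listed in the reply above.
$Known = 'logs', 'Event journals', 'Edr Saved Data', 'Forensic Snapshots',
         'data content records', 'appfeed', 'decisionrulesv2'

function Get-FolderUsage {
    param([Parameter(Mandatory)][string]$Path)
    # -Force includes hidden/system files; unreadable entries are skipped silently.
    $files = @(Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue)
    $bytes = ($files | Measure-Object -Property Length -Sum).Sum
    [pscustomobject]@{
        Folder = Split-Path -Path $Path -Leaf
        Files  = $files.Count
        SizeMB = [math]::Round([double]$bytes / 1MB, 1)
        Newest = ($files | Sort-Object LastWriteTime | Select-Object -Last 1).LastWriteTime
    }
}

if (-not (Test-Path -LiteralPath $Root)) { throw "Not found: $Root" }

# One row per subfolder, largest first.
Get-ChildItem -LiteralPath $Root -Directory -Force |
    ForEach-Object {
        $name  = $_.Name
        $usage = Get-FolderUsage -Path $_.FullName
        # Described = $false marks folders the reply did not list (it guesses IPC data).
        $usage | Add-Member -NotePropertyName Described `
                            -NotePropertyValue ($Known -contains $name) -PassThru
    } |
    Sort-Object SizeMB -Descending |
    Format-Table -AutoSize

# Event journals: current *.bin files versus the compressed *.xz archives.
$journals = Join-Path $Root 'Event journals'
if (Test-Path -LiteralPath $journals) {
    Get-ChildItem -LiteralPath $journals -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.bin', '.xz' } |
        Group-Object Extension |
        Select-Object Name, Count,
            @{ n = 'SizeMB'; e = { [math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1MB, 1) } },
            @{ n = 'Newest'; e = { ($_.Group | Sort-Object LastWriteTime | Select-Object -Last 1).LastWriteTime } } |
        Format-Table -AutoSize
}
```

The `Newest` column for `.xz` gives a quick check against the five-minute compression interval mentioned in the reply.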
