https://community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/128125/i-m-looking-for-about-information-the-next-path-c-programdata-sophos-endpoint-defense-dataHi Friends How are you? I need your help. I need information about ,the path C:\ProgramData\Sophos\Endpoint Defense\Data, because my customer needs to know what is this directory? and what is the function?en-USTelligent Community 12https://community.sophos.com/thread/469822?ContentTypeID=1Tue, 01 Jun 2021 21:27:46 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:a1d7eeb9-67ae-472d-a7fa-3e916eb2333aSophos User930<p>It stores a lot of data, I assume the size is the reason for the interest?&nbsp;&nbsp;<span class="emoticon" data-url="https://community.sophos.com/cfs-file/__key/system/emoji/1f642.svg" title="Slight smile">&#x1f642;</span> The main ones are:</p> <ul> <li>\logs\ - the logs of the service, driver, processes</li> <li>\Event journals\ - When you have EDR/RCA/FIM (servers) enabled, SophosED.sys is recording all the operations taking place.&nbsp; This is the data for that. *.bin are the current file, the xz are compressed files.&nbsp; These are compressed every 5 mins by SEDService.exe.</li> <li>\Edr Saved Data\ - The 5 min processing of the journals by sspedr.exe for data of interest being sent is stored here.&nbsp; &quot;backup&quot; folder for example has the last 10 uploads of the JSON data once extracted.</li> <li>\Forensic Snapshots\ - Any initiated forensic snapshots from Central are stored here.</li> <li>\data content records\&nbsp; - Cache of data about files, persisted over reboots and loaded by SophosED.sys</li> <li>\appfeed\ data to detect applications for autoexclusions, etc.</li> <li>\decisionrulesv2\ - behavioural data files</li> </ul> <p>They are the main ones, the others seem to be IPC data.</p><div style="clear:both;"></div>