This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Data Content Records taking up disk space

We have some web servers that has three files called FilePropertyDbFull-xxxxxxxxxxxxxxxxxxxxxxxx.bin that are at getting quite large, currently each is 3.2GB in size.

These servers are just a simple web servers, so not sure why there should be such large files on this particular type of system. Other systems such as File servers with way more files are no where near this size.

They look like they are being cycled on a three day rotation.

What are they, what info do they store, why are they so big on these simple web servers and can they be manged in some way?
Also were these added as part of a recent change?

Can't find any info on FilePropertyDbFull when searching the Sophos Site



This thread was automatically locked due to age.
Parents
  • Hello,

    Would I be right in saying this in Sophos Central managed rather than Sophos Enterprise Console (on-premise) management?

    It looks like: Sophos Known Issues list

    WINEP-44248
    • Core Agent 2023.2
    • Core Agent
    High non-paged pool memory consumption from Sophos Endpoint Defense (pool tags Sg01 and Sg03)

    Windows Servers might show an increased non-paged pool memory consumption from a pool tag labeled Sg01 or Sg03. The memory is allocated by the Sophos Endpoint Defense Data Content Records (used to keep track of PE-file information and SHA-256 values) which get loaded on boot.

    None

    There must be a lot of changing files on the server to generate such large files.

    In Core Agent 2023.2, they are purged once you get to that version.

    They do impact non-paged pool (I suspect if you look in Task manager the non-paged pool is quite high) as mentioned.

    The files could be removed if you are running out of memory, you can for example:

    Stop the following services:

    - "Sophos File Scanner Service" (net stop "Sophos File Scanner Service")
    - SntpService (net stop SntpService)
    - sntp (net stop sntp)
    - "Sophos System Protection Service" (net stop "Sophos System Protection Service")

    - Unload Sophos Endpoint Defense driver: (fltmc.exe unload "sophos endpoint defense")

    - Delete the contents of "C:\ProgramData\Sophos\Endpoint Defense\Data\Data Content Records\"

    Reboot.

    They will be re-created, it will be interesting to know how quickly they grow from being cleared. It maybe that at the growth rate it will be fine until 2023.2 is on the server. At that point, the computer will need to restart once to get the new version of sophosed.sys loaded. Then the next time it boots with the new software it will start to purge the data.

    If you can think of any areas on disk where there are a lot of files changes happening that is likely the cause. You mention they are web servers? Do they receive a lot of file or generate a lot of files? Maybe temp ones as part of operation? File/path exclusions for such locations would prevent the growth in the dat files you mention.

    I hope this information helps.

    Kind Regards.

  • Thanks for this, still an issue for us but at least we have a work around for it.

    Just to give some indication of the impact, 3GB files means around 10GB of non-Paged memory used by Sophos which is bit pants really, on other server i am seeing similar 1:3 relationship of file size to RAM usage.

    if you want to see this yoru self, I would suggest seeking out a copy of poolman which is a command line tool to show actual RAM usage rather then the nonsense in taskmanager.

    Not managed to track down what activity causes this, suppose we could just exclude all the drives..... what would be helpful is to have some visibiity inside the agent or elsewhere of what is high activity there is on a server, Sophos does seem to be a dumbed down product in respect of information it reveals.

Reply
  • Thanks for this, still an issue for us but at least we have a work around for it.

    Just to give some indication of the impact, 3GB files means around 10GB of non-Paged memory used by Sophos which is bit pants really, on other server i am seeing similar 1:3 relationship of file size to RAM usage.

    if you want to see this yoru self, I would suggest seeking out a copy of poolman which is a command line tool to show actual RAM usage rather then the nonsense in taskmanager.

    Not managed to track down what activity causes this, suppose we could just exclude all the drives..... what would be helpful is to have some visibiity inside the agent or elsewhere of what is high activity there is on a server, Sophos does seem to be a dumbed down product in respect of information it reveals.

Children
No Data