Massive amounts of disk space used by endpoint (I think) SDR cache / logs

Digging into why I was out of disk space, I discovered that files in /Library/Caches/com.sophos.sdr are eating up 200G of my 512G disk.  This got my disk to 100% full (though I've been micromanaging my disk space for months now without realizing where it was going - the folder is root only, so it was only showing up as 'hidden space').

The contents of the directory are almost 2000 folders named rca_<18 numbers>, each taking almost 500 MB and containing two files:

rca_132277714735302080:
total 949960
-rw-r--r--@ 1 _sophos  admin  486365198 Mar  3 20:58 12e349b1-88b1-24b3-f9c6-6bc60ddc831c_132277714735302080_snapshot.txt
-rwx------  1 _sophos  admin      10240 Mar  3 21:02 12e349b1-88b1-24b3-f9c6-6bc60ddc831c_20200304T045754Z.tgz

The files seem recent: the earliest ones are 6 days old (March 3) and the most recent ones are at the current time of the current day (March 9) - so I don't know if this is a process that's not purging old files.

Anyway, can anyone help me figure out how to clean up the 40% of disk space this is taking up?  Is it a setting somewhere I can modify for this, is it something to do with my computer, or what?

As an aside, my computer never seems to complete a scan, even when triggered manually.  The last completed scan was Jan 16 (almost 2 months ago).  I don't know if the scan simply fails and never completes, or what.  Not sure if this is related.

  • These files should be safe to clear up.  These are the snapshots that get uploaded to Sophos Central and are visible under "Threat Analysis Center."  Was there malicious activity that was detected on this machine around that time?  It could have been multiple detections at the same time which each created a snapshot.  You can turn the setting "Enable Threat Case creation" off in the Threat Protection policy to prevent these files from getting created.

    As for scans never completing, is the Mac shutting down within 24 hours of the scan starting?  It may be getting hung up on a file which may need to be submitted to SophosLabs as a problem file.

  • In reply to MEric:

    Thanks, I suppose a simple rm -rf com.sophos.sdr/* is all that's needed?

    There's been no malicious activity detected, at least according to the endpoint: one today, Feb 11, Feb 10, two on Feb 2, one Dec 17 (medium and high priority events in the endpoint event log).

    It might be the fact that I have my personal email on my computer as well, which (due to being a very old email) gets a *ton* of spam, so a lot of the events are from malicious PDFs and EXEs that are being shuttled into my junk folder in Apple Mail.  Though looking at the event log, these are maybe 1-3 a day.  And of course because of this they also show up in Time Machine backups, which are also flagged by the endpoint software.  None of the cases in the Threat Analysis Center are within the time period that the files are (the last one is Feb 8 from my computer).

    I see that in my event log in the endpoint that most of the events are green, but have a 'root cause analysis generation threshold exceeded'.  Any idea what this means?  Is this a case of "can't create any more" or "we should create one"?

    Is there a downside to having the threat creation setting turned off?

    For the scan, it doesn't seem to be shutting down; I leave it on 24/7, and I've turned off the sleep settings because of this.  Maybe with the disk space freed up it will complete.

  • In reply to Sophos User282:

    There are some files within the com.sophos.sdr folder I would not remove.  All the other files should be fine.  The files to keep there are:

    • current_running_processes
    • old_processes.#.txt
    • old_processes.txt

    The 'root cause analysis generation threshold exceeded' message could be a number of things, but the most likely reason is that each analysis branched out too deep and the snapshot was too large to generate and upload.

    The downside of turning off Threat Case creation is that Sophos Endpoint will not collect information about where a threat originated from.  You won't see the Threat case in Sophos Central that shows a malicious file originated from Outlook/Browser/another computer, what files/registries were touched, network connections, etc.  You will still get information on what was detected such as ransomware detected on Outlook.
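    The cleanup MEric describes above (remove the rca_* snapshot directories, leave current_running_processes and old_processes*.txt alone) as a small POSIX shell script. This is an added example, not Sophos's own code or a tool from the thread; it assumes the directory layout described in the original post (rca_<digits>/ subdirectories under the cache folder, with the process-list files at the top level). With no argument it works on a constructed sample tree, so it can be tried before being pointed at the real /Library/Caches/com.sophos.sdr as root, where it only reports usage unless prune_rca is called explicitly.

```shell
#!/bin/sh
# Added example (not from the thread): report and prune the rca_* snapshot
# directories in the Sophos SDR cache while keeping the process-list files.
# Assumed layout: <dir>/rca_<digits>/ plus current_running_processes and
# old_processes*.txt at the top level, as described in the original post.

SDR_DIR="${1:-}"

# Build a constructed sample tree (stand-in for the real cache) for a dry run.
make_sample() {
  d=$(mktemp -d)
  for n in 1 2 3; do
    mkdir "$d/rca_13227771473530208$n"
    # in the real cache the *_snapshot.txt file is the ~486 MB one
    head -c 4096 /dev/zero > "$d/rca_13227771473530208$n/sample_snapshot.txt"
    : > "$d/rca_13227771473530208$n/sample_bundle.tgz"
  done
  : > "$d/current_running_processes"
  : > "$d/old_processes.txt"
  : > "$d/old_processes.1.txt"
  echo "$d"
}

# Show how much each rca_* directory uses (KB), largest first.
report_usage() {
  du -sk "$1"/rca_* 2>/dev/null | sort -rn
}

# Number of rca_* directories directly under the cache folder.
count_rca() {
  find "$1" -maxdepth 1 -type d -name 'rca_*' | wc -l | tr -d ' '
}

# Remove rca_* directories older than $2 days (0 = remove all of them).
# Only top-level rca_* directories match, so the kept files are never touched.
prune_rca() {
  dir=$1; days=${2:-0}
  if [ "$days" -gt 0 ]; then
    find "$dir" -maxdepth 1 -type d -name 'rca_*' -mtime +"$days" -exec rm -rf {} +
  else
    find "$dir" -maxdepth 1 -type d -name 'rca_*' -exec rm -rf {} +
  fi
}

# Succeeds only if the files MEric says to keep are still present.
kept_intact() {
  for f in current_running_processes old_processes.txt; do
    [ -e "$1/$f" ] || return 1
  done
  return 0
}

if [ -z "$SDR_DIR" ]; then
  # Dry run on the constructed sample: report, prune everything, verify, clean up.
  SDR_DIR=$(make_sample)
  report_usage "$SDR_DIR"
  prune_rca "$SDR_DIR" 0
  echo "remaining rca_* dirs: $(count_rca "$SDR_DIR")"
  echo "kept files intact: $(kept_intact "$SDR_DIR" && echo yes || echo no)"
  rm -rf "$SDR_DIR"
else
  # Real path: only report. Call prune_rca "$SDR_DIR" <days> deliberately.
  report_usage "$SDR_DIR"
fi
```

    Passing a day count to prune_rca (for example 7) keeps the most recent snapshots for the Threat Analysis Center while reclaiming the bulk of the space; a reboot afterwards, as in the thread, avoids removing a process-list file that is still in use.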

  • In reply to MEric:

    Ooops, too late :)

    I nuked it all, but have restarted, run First Aid on the disk, and restarted a scan.  I'm going to turn the case creation back on, as the other computer I have access to right now doesn't have this issue, so I'm going to guess it was maybe something funky going on here.

    Thanks again for the reassurance on what to do :)

  • In reply to Sophos User282:

    There shouldn't be any issues removing everything.  I was mostly concerned about current_running_processes being used when deleted but since you rebooted it should not matter.  Good idea on keeping case creation on; if the disk starts filling up again we know what we can do to work around it.