Backup folder is very large


scoutt

I was just informed that we have a couple users that are almost out of C drive space because

C:\ProgramData\Malwarebytes Endpoint Agent\Plugins\EDRPlugin\Backup

That folder is very large, like 133 GB large. We can't seem to delete any of those files, as it gives an error that we don't have permissions from System.

Ideas? And why are they not deleting on their own?


Greetings,

I'm not sure why the files are building up like that; however, it is likely the self-protection component preventing their deletion, so disabling that temporarily should allow manual removal of the files.

That said, I frankly don't know enough about the internal functions of the software to know what impact deleting those files might have. It's possible that it would do no harm at all; however, it is also possible that removing one or more of the files may cause the software to malfunction.

I would advise contacting Malwarebytes Support directly to work with them on determining what's going on and why those folders are getting so large. To do so, please reach out to them via the web form on this page to work with them directly via email. They will likely request diagnostic logs from one or more of the affected endpoints. Instructions on how to generate them can be found in this support article.

In the meantime, I will also report the issue to the Product team in case there is some kind of bug that they need to investigate and fix.

Thanks


  • Staff

Further to comments above:

  • The EDR backup folder is self-protected, so attackers cannot get to it
  • A policy setting controls retention of backups, to a maximum of 72 hours
  • A policy setting controls usage of free space as a quota percentage
  • It self-cleans daily and hourly, to cull older files and manage the quota
  • During an initial learning period of 14 days, additional files are backed up
  • Exclusions can be applied to ignore backups of specified files/folders
  • The diagnostic logs contain internal information for Support team to determine contents of backups

Entries will be logged in c:\ProgramData\Malwarebytes Endpoint Agent\Logs\EndpointAgent.txt, each hour to show cleaning is occurring.

  • INFO  FRCoreManager [FRSDK] Next backup cleanup scheduled for 2021-03-30 16:41:30+1100
  • INFO  FRCoreManager [FRSDK] Next ALL cleanup scheduled for 2021-04-05 15:41:30+1000

View with File Manager, or run this Windows command to list the files in the backup directory, in name ascending order:

DIR /O:N "c:\ProgramData\Malwarebytes Endpoint Agent\Plugins\EDRPlugin"

03/29/2021  04:41 PM            38,917 0000001616996491019_756C2F71.frb

The name of the first file contains the datetime of the earliest file, e.g. look up 0000001616996491019 at a site like this: https://www.unixtimestamp.com/index.php
If cleaning is working, files should be no older than your configured retention.

Save the listing to a file, for submission with the Support case:

DIR /O:N "c:\ProgramData\Malwarebytes Endpoint Agent\Plugins\EDRPlugin" > "%homepath%\desktop\Malwarebytes-BackupList.txt"

Support can advise additional triage steps.

 

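Added example (not part of the thread and not Malwarebytes code): the retention check described in the post above, run over a saved DIR listing instead of looking up one filename by hand. It assumes the leading digits of each .frb name are Unix epoch milliseconds (consistent with the 04:41 PM entry at +1100), US-format DIR output, and the 72-hour maximum retention mentioned above; the function names are hypothetical and every sample row except the first is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# A DIR row ends with: <size with thousands separators> <digits>_<hex>.frb
ROW = re.compile(r"([\d,]+)[ \t]+((\d+)_[0-9A-Fa-f]+\.frb)[ \t]*$", re.M)

# First row is the one quoted in the thread; the other two are constructed.
SAMPLE_LISTING = """\
03/29/2021  04:41 PM            38,917 0000001616996491019_756C2F71.frb
03/30/2021  09:02 AM           120,004 0000001617055320000_0A1B2C3D.frb
04/02/2021  03:15 PM             4,096 0000001617336900000_DEADBEEF.frb
"""

def parse_listing(text):
    """Return (name, created_utc, size_bytes) per .frb row, oldest first."""
    rows = []
    for size, name, stamp in ROW.findall(text):
        # Assumption: the filename prefix is Unix epoch time in milliseconds.
        created = EPOCH + timedelta(milliseconds=int(stamp))
        rows.append((name, created, int(size.replace(",", ""))))
    return sorted(rows, key=lambda r: r[1])

def past_retention(rows, now, retention_hours=72):
    """Rows older than the retention window; 72 h is the stated maximum."""
    cutoff = now - timedelta(hours=retention_hours)
    return [r for r in rows if r[1] < cutoff]

if __name__ == "__main__":
    # Fixed reference time so the sample is reproducible; use
    # datetime.now(timezone.utc) against a real listing.
    now = datetime(2021, 4, 2, 6, 0, tzinfo=timezone.utc)
    rows = parse_listing(SAMPLE_LISTING)
    stale = past_retention(rows, now)
    print("oldest backup:", rows[0][1].isoformat())
    for name, created, size in stale:
        print(f"past retention: {name}  {created.isoformat()}  {size} bytes")
    print("bytes held past retention:", sum(r[2] for r in stale))
```

If cleaning is working, the list of files past retention should be empty; a non-empty list, with its byte total, is useful evidence to attach to the Support case.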

  • Staff

Files not deleting can occur because:

  1. Some process is constantly creating many files, needing backup - resolution is exclusion, with assistance from Support to identify
  2. An internal fault is blocking cleaning - resolution may be reinstallation

Best to take the diagnostic steps.


Thanks AndrewPP, but if the cleanup process is only activated when the EDRPlugin initializes, then it could be a problem. That's a bug I have been waiting on for the last month to get fixed, as EDR does not work until they patch it, I heard next month. But I will run that command and post it to the case if anybody ever contacts me. I also have not had any contact since I opened the case 2 days ago. Case 3419543, I think lol, I have so many open.


  • 2 months later...

Hi,

I opened a support ticket in May about this, as we were affected as well, and the issue with the backup folder and EDRPlugin was solved with EDRplugin version 1.2.306. Additionally, I was told this:

Quote

First, the out-of-control growth is primarily due to a corrupted rollback database. So, we added a health check on the database to regenerate it in case it gets corrupted. Next, we added more frequent clean up. We used to clean up the backup folder 1x/24 hrs, we have since increased to 3x/24 hrs.

But I reinstalled Malwarebytes in advance, so I can't tell you if the new version cleans up the database file by itself.

Kind regards

Denis
