Symantec Advanced Threat Protection (ATP) regularly monitors the amount of data that you have in your internal databases. ATP performs this task to ensure that the database does not grow uncontrollably and consume too much disk storage space. When your database reaches a certain threshold, ATP automatically purges it.
ATP performs two types of automatic database purge, based on the age of the data and on storage space usage:
Data age
ATP performs a daily purge that deletes data over 6 months old, regardless of whether your storage space threshold is exceeded.
Storage space usage
ATP checks the size of your databases every 15 minutes to ensure that your data does not exceed 85% of your storage space. If your data exceeds this threshold, ATP purges roughly 10% of your data, beginning with the oldest records.
When a storage-space purge occurs, ATP logs a system activity event that lists the types of database records that were deleted.
ATP only performs one type of purge at a time. ATP also only purges one type of data at a time until the storage space threshold is met. Database records are purged in the following order:
RRS (Reputation Request Score) events
ATP only retains RRS events for 30 days, regardless of whether your storage space threshold is exceeded.
Endpoint Data Recorder dumps
ATP only retains your five most recently completed Endpoint Data Recorder dumps.
Completed, terminated, and in-progress commands (for example, saved searches and their results, or searches that are currently running)
ATP only retains your most recent 1000 commands, regardless of their age or whether your storage space threshold is exceeded. These commands include your most recent 900 non-search commands (for example, when you delete a file or quarantine an endpoint). They also include your most recent 100 search commands (for example, when you search for a suspicious file).
Security events, incidents, and system activity events
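The following Python model is an added example, not Symantec code, that walks through the retention rules above so you can see which records survive a purge cycle and which record types the system activity event would list. It assumes 6 months is 182 days, models "roughly 10 percent" as freeing at least 10% of current usage, and uses constructed record sizes and record-kind names (rrs, edr_dump, command, event) that are this example's own, not ATP identifiers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Retention rules as stated in the documentation.
AGE_LIMIT = timedelta(days=182)        # "over 6 months old" (assumption: 6 months modelled as 182 days)
RRS_RETENTION = timedelta(days=30)     # RRS events are kept for 30 days
EDR_DUMP_KEEP = 5                      # five most recently completed Endpoint Data Recorder dumps
NON_SEARCH_KEEP = 900                  # most recent 900 non-search commands
SEARCH_KEEP = 100                      # most recent 100 search commands
STORAGE_THRESHOLD = 0.85               # storage purge triggers above 85% of capacity
PURGE_FRACTION = 0.10                  # roughly 10% of data is purged, oldest first
# Order in which record types are purged under storage pressure (kind names are this example's own).
PURGE_ORDER = ["rrs", "edr_dump", "command", "event"]


@dataclass(frozen=True)
class Record:
    kind: str            # one of PURGE_ORDER
    ts: datetime         # when the record was written
    size: int            # bytes (constructed value)
    subkind: str = ""    # for commands: "search" or "non_search"


def apply_fixed_retention(records, now):
    """Rules that apply regardless of storage usage: daily age purge and per-type caps."""
    kept = [r for r in records if now - r.ts <= AGE_LIMIT]
    kept = [r for r in kept if not (r.kind == "rrs" and now - r.ts > RRS_RETENTION)]

    def newest_first(kind, subkind=None):
        rs = [r for r in kept if r.kind == kind and (subkind is None or r.subkind == subkind)]
        return sorted(rs, key=lambda r: r.ts, reverse=True)

    over_cap = set()
    over_cap.update(newest_first("edr_dump")[EDR_DUMP_KEEP:])
    over_cap.update(newest_first("command", "non_search")[NON_SEARCH_KEEP:])
    over_cap.update(newest_first("command", "search")[SEARCH_KEEP:])
    return [r for r in kept if r not in over_cap]


def apply_storage_purge(records, capacity):
    """The 15-minute storage check. Returns (kept records, system activity event or None).
    Assumption: at least 10% of current usage is freed, walking PURGE_ORDER one type
    at a time and deleting the oldest records first within each type."""
    used = sum(r.size for r in records)
    if used <= STORAGE_THRESHOLD * capacity:
        return list(records), None
    to_free = used * PURGE_FRACTION
    freed = 0
    doomed = set()
    types_deleted = []
    for kind in PURGE_ORDER:
        if freed >= to_free:
            break
        for r in sorted((r for r in records if r.kind == kind), key=lambda r: r.ts):
            if freed >= to_free:
                break
            doomed.add(r)
            freed += r.size
            if kind not in types_deleted:
                types_deleted.append(kind)
    # Mirrors the system activity event that lists the record types deleted.
    event = {"type": "system_activity", "reason": "storage_purge",
             "usage_before": used, "usage_after": used - freed,
             "record_types_deleted": types_deleted}
    return [r for r in records if r not in doomed], event


def build_sample(now):
    """Constructed sample database contents; not real ATP data."""
    recs = [Record("rrs", now - timedelta(days=d), 50) for d in (5, 10, 40)]
    recs += [Record("edr_dump", now - timedelta(days=d), 100) for d in range(1, 8)]
    recs += [Record("command", now - timedelta(minutes=i), 1, "non_search") for i in range(905)]
    recs += [Record("command", now - timedelta(minutes=i), 1, "search") for i in range(102)]
    recs += [Record("event", now - timedelta(days=d), 100) for d in (10, 30, 100, 200)]
    return recs


def run_purge_cycle(now=datetime(2024, 1, 1), capacity=2000):
    """Apply the age/cap rules, then the storage check. Returns (after_retention, kept, event)."""
    after_retention = apply_fixed_retention(build_sample(now), now)
    kept, event = apply_storage_purge(after_retention, capacity)
    return after_retention, kept, event


if __name__ == "__main__":
    after, kept, event = run_purge_cycle()
    print(len(after), "records after fixed retention;", len(kept), "after storage purge")
    print(event)
```

With the constructed sample, the age and cap rules drop the 40-day RRS event, two of seven dumps, five non-search and two search commands, and the 200-day event. Usage is then 1900 of 2000 bytes, above the 85% line, so the storage purge frees 10%: both remaining RRS events go first (the oldest of the oldest type), then the oldest remaining dump, and the logged event lists only those two types. Note that security events and incidents are last in line, so under sustained storage pressure the forensic record is the last to go, but it does go: size your storage so this purge rarely triggers.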