Storage is full from a Cyvera Log file with 706.1GB size


L0 Member

Storage is full from a Cyvera Log file with 706.1GB size. This seems to happen every Monday, very odd. We've been wiping it manually for the person to continue working.

Anyone encounter this issue before?



1 REPLY 1

L5 Sessionator

Hello @D.Patel ,

 

Greetings for the day.

 

While a 706GB log file is unusually large, excessive disk space consumption within the Cyvera (Cortex XDR Agent) data directory is a known issue documented across several support cases and internal reports.

 

The recurrence every Monday strongly suggests a correlation with a scheduled full scan or a periodic maintenance task that triggers high activity.

 

Potential Root Causes:

Based on internal resources, the following scenarios often lead to massive storage consumption in the C:\ProgramData\Cyvera folder:

  • Scheduled Scans: A known issue exists where Cortex XDR agent scheduled scans cause the Cyvera folder to grow excessively (over 40GB in documented cases), often due to the agent's data purging mechanism failing to keep up with event generation.
  • Database Pruning Failure: Known bugs (such as CPATR-25516 and CPATR-27826) can cause internal databases in the Persistence folder to grow exponentially. Common offenders include wf_verdicts.db.lru and edr_fileid.db.
  • Alert Artifacts (Prevention Folder): If an endpoint experiences a burst of alerts (for example during Windows updates or specific software activity), the agent may buffer a massive amount of forensic data and memory dumps in the Prevention folder. If connectivity to the management console is intermittent, these files bypass the standard disk quota and accumulate until the connection is restored.
  • Temporary File Leaks: Files related to SandboxService (such as tlaplugin.dll, recognizer_plugin.dll) or "In-Flight" logs from failed Technical Support File (TSF) collections can fail to clean up, leading to multi-gigabyte growth in the LocalSystem\Temp directory.

 

Recommended Troubleshooting and Cleanup

To safely reclaim space, you typically must disable the agent's self-protection to release locks on the files.

1. Identify the Culprit:

Navigate to the following directory to determine which subfolder is consuming the space: C:\ProgramData\Cyvera\

Check:

  • LocalSystem\Persistence (for .db and .lru files)
  • Prevention (for forensic artifacts)
  • LocalSystem\Temp (for temporary or Sandbox logs)

2. Manual Cleanup Procedure:

If the "Clear Agent Database" action from the console is ineffective, perform the following steps locally on the affected machine:

  1. Open Command Prompt as Administrator.
  2. Navigate to the Traps installation folder: cd "C:\Program Files\Palo Alto Networks\Traps"
  3. Disable tamper protection (requires the endpoint supervisor password): cytool protect disable
  4. Stop the agent services: cytool runtime stop
  5. Delete the contents of the identified problematic folder (for example C:\ProgramData\Cyvera\LocalSystem\Persistence\* or C:\ProgramData\Cyvera\LocalSystem\Temp\*).

     Note: Do not delete the root folders themselves.

  6. Restart the agent services: cytool runtime start
  7. Re-enable tamper protection: cytool protect enable

Preventive Measures:

  • Check Disk Quotas: Ensure the "Agent Disk Quota" in the Agent Settings profile is set to at least 5000 MB. While some artifacts bypass this limit, it still governs standard log rotation.
  • Upgrade the Agent: Many database growth and cleanup bugs (including CPATR-27578 and CPATR-25516) are fixed in version 8.7 or 9.0.0 and later.
  • Analyze Scheduled Scans: Since the issue recurs every Monday, review the scan configuration in the Malware profile and inspect trapsd.log for errors indicating the purging mechanism is failing during the scan.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar
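
A read-only way to carry out step 1 ("Identify the Culprit"), added here as an example and not part of the original reply or of any Palo Alto Networks tooling: it sizes the three subfolders named above, lists the largest files, and totals bytes by the weekday they were last written so the Monday pattern can be checked. The `$TopN` parameter and the output layout are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example: read-only sizing of the Cortex XDR agent data folders.
# Paths are the ones named in the reply; $TopN and the output layout are assumptions.
param(
    [string]$Root = 'C:\ProgramData\Cyvera',
    [int]$TopN = 10
)

$targets = 'LocalSystem\Persistence', 'Prevention', 'LocalSystem\Temp'

function Get-FolderUsage {
    param([string]$Path)
    # Collect read errors instead of stopping; nothing is modified or deleted.
    $gci = @{ LiteralPath = $Path; Recurse = $true; File = $true; Force = $true
              ErrorAction = 'SilentlyContinue'; ErrorVariable = 'readErrors' }
    $files = @(Get-ChildItem @gci)
    $bytes = ($files | Measure-Object -Property Length -Sum).Sum
    [pscustomobject]@{
        Path       = $Path
        SizeGB     = [math]::Round($bytes / 1GB, 2)
        FileCount  = $files.Count
        ReadErrors = @($readErrors).Count
        Files      = $files
    }
}

$usage = foreach ($t in $targets) {
    $p = Join-Path $Root $t
    if (Test-Path -LiteralPath $p) { Get-FolderUsage -Path $p }
}

# 1) Which subfolder holds the space.
$usage | Sort-Object SizeGB -Descending |
    Format-Table Path, SizeGB, FileCount, ReadErrors -AutoSize

# 2) Largest individual files (e.g. .db / .lru files in Persistence).
$usage.Files | Sort-Object Length -Descending | Select-Object -First $TopN |
    Format-Table @{n = 'SizeGB'; e = { [math]::Round($_.Length / 1GB, 2) } },
                 LastWriteTime, FullName -AutoSize

# 3) Bytes by weekday of last write, to compare against the weekly recurrence.
$usage.Files | Group-Object { $_.LastWriteTime.DayOfWeek } | ForEach-Object {
    $sum = ($_.Group | Measure-Object -Property Length -Sum).Sum
    [pscustomobject]@{ Day = $_.Name; SizeGB = [math]::Round($sum / 1GB, 2) }
} | Sort-Object SizeGB -Descending | Format-Table -AutoSize
```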
