How to use filter.exe to determine if a message was parsed correctly
search cancel

How to use filter.exe to determine if a message was parsed correctly

book

Article ID: 160007

calendar_today

Updated On:

Products

Data Loss Prevention Enforce Data Loss Prevention

Issue/Introduction

You suspect a policy of false negatives (missing messages that should have been detected), and you wish to examine a piece of content to confirm that it is being detected correctly.

Resolution

False negatives occur when messages are sent that should have created an event, but do not create an event. As a first step in troubleshooting a false negative, find the cracked text of the input document.

To find the cracked text of the input document: 

From a command prompt, change directory path where the filter.exe is present

For example in version 15.8.x the default paths are: 

  • Windows: C:\Program Files\Symantec\DataLossPrevention\KeyView\12.5\Protect\plugins\contentextraction\Verity\x64
  • Linux: /opt/Symantec/DataLossPrevention/KeyView/12.5/Protect/plugins/contentextraction/Verity/x86_64

To run the filter.exe: 

  1. Type:  filter <name of input file> <name of output file>
  2. The output file contains the cracked text of the input document. There might be some differences between how the application is called and how the default options of the filter crack the text.

Additional Information

Note: If you get the following error, try adding the file extension for the file to the input file name.

Description: Could not filter file because the input file could not be found.
Error code: 24.

Example:

C:\Program Files\Symantec\DataLossPrevention\KeyView\12.2\Protect\plugins\contentextraction\Verity\x64>filter C:\Users\Administrator\Desktop\testfile.pdf output.txt

Also, if the path to the output file is not specified, the operation will default to the Filter directory. If so, you may receive the "error code returned is KVERR_CreateOutputFileFailed" (no write access to the directory is allowed). In some cases no error is thrown but the output file is not created, for the same reason.

You can either grant write access to the directory, or simply specify the full path to both the input and output files in the command.

Example:

C:\Program Files\Symantec\DataLossPrevention\KeyView\12.2\Protect\plugins\contentextraction\Verity\x64>filter.exe c:\temp\Testdata.docx c:\temp\Testdata-output.txt
filter: c:\temp\Testdata.docx to c:\temp\Testdata-output.txt
filter: error code returned is KVERR_Success

Finally, you can also use Filter to view metadata in files. Use the "-i" parameter to output just the metadata content to the output file. For PDF files, use the "-xmp" parameter to view the Extensible Metadata Platform (XMP) information of the file. 

Powered by Wolken Software