How to use filter.exe to determine if a message was parsed correctly

Article ID: 160007

Products

Data Loss Prevention Enforce

Issue/Introduction

You suspect that a policy is producing false negatives (messages that should have been detected but were not), and you want to examine a piece of content to confirm that it is being detected correctly.

Resolution

False negatives occur when messages are sent that should have created an event, but do not create an event. As a first step in troubleshooting a false negative, find the cracked text of the input document.

To find the cracked text of the input document: 

From a command prompt, change directory to the Vontu product tree:

Find the program called “filter.”

  • For v15.0:
    • Windows: C:\SymantecDLP\Protect\plugins\contentextraction\Verity\x64
    • Linux: /opt/SymantecDLP/Protect/plugins/contentextraction/Verity/x86_64
  • For v15.1.x:
    • Windows: C:\Program Files\Symantec\Data Loss Prevention\KeyView\11.4\Protect\plugins\contentextraction\Verity\x64
    • Linux: /opt/Symantec/Data Loss Prevention/KeyView/11.4/Protect/plugins/contentextraction/Verity/x86_64
  • For V15.5.x:
    • Windows: C:\Program Files\Symantec\DataLossPrevention\KeyView\11.6\Protect\plugins\contentextraction\Verity\x64
    • Linux: /opt/Symantec/DataLossPrevention/KeyView/11.6/Protect/plugins/contentextraction/Verity/x86_64
  • For V15.7.x:
    • Windows: C:\Program Files\Symantec\DataLossPrevention\KeyView\12.2\Protect\plugins\contentextraction\Verity\x64
    • Linux: /opt/Symantec/DataLossPrevention/KeyView/12.2/Protect/plugins/contentextraction/Verity/x86_64
  1. Type: filter <name of input file> <name of output file>
  2. The output file contains the cracked text of the input document. There might be some differences between how the application calls the filter and how the filter's default options crack the text.

 

Additional Information

Note: If you get the following error, try adding the file extension for the file to the input file name.

Description: Could not filter file because the input file could not be found.
Error code: 24.

Example:

C:\Program Files\Symantec\DataLossPrevention\KeyView\12.2\Protect\plugins\contentextraction\Verity\x64>filter C:\Users\Administrator\Desktop\testfile.pdf output.txt

 

Also, if the path to the output file is not specified, the output defaults to the Filter directory. If that directory does not allow write access, you may receive "error code returned is KVERR_CreateOutputFileFailed". In some cases no error is thrown but the output file is not created, for the same reason.

You can either grant write access to the directory, or simply specify the full path to both the input and output files in the command.

Example:

C:\Program Files\Symantec\DataLossPrevention\KeyView\12.2\Protect\plugins\contentextraction\Verity\x64>filter.exe c:\temp\Testdata.docx c:\temp\Testdata-output.txt
filter: c:\temp\Testdata.docx to c:\temp\Testdata-output.txt
filter: error code returned is KVERR_Success


Finally, you can also use Filter to view metadata in files. Use the "-i" parameter to output just the metadata content to the output file.
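
The procedure above, wrapped as a shell function for a Linux install, is shown here as an added example; it is not Symantec code. It runs filter with absolute paths, treats a missing or empty output file as a failure even when no error is shown, and then searches the cracked text for a term the policy should have matched. The function name check_cracked_text and its return codes are hypothetical, and the script assumes the Linux binary prints the same KVERR_Success status line as the Windows example and writes text that grep can read.

```shell
#!/bin/sh
# Added example, not vendor code. Assumptions: the Linux "filter" binary takes
# <input> <output> as on this page and prints the "KVERR_Success" status line
# shown in the Windows example; the output text is readable by grep (e.g. UTF-8).

# check_cracked_text FILTER_BIN INPUT OUTPUT EXPECTED_TERM
# Returns 0: term present in cracked text   1: term absent from cracked text
#         2: input file not found           3: output directory missing/not writable
#         4: filter reported failure or produced no output
check_cracked_text() {
    filter_bin=$1; input=$2; output=$3; term=$4

    # "Error code: 24" on this page: input not found (often a missing extension).
    [ -f "$input" ] || { echo "input not found: $input" >&2; return 2; }

    # Absolute paths keep the output from defaulting to the filter directory.
    input=$(CDPATH= cd -- "$(dirname -- "$input")" && pwd)/$(basename -- "$input")
    out_dir=$(CDPATH= cd -- "$(dirname -- "$output")" 2>/dev/null && pwd) || out_dir=
    [ -n "$out_dir" ] && [ -w "$out_dir" ] || {
        echo "output directory missing or not writable" >&2; return 3; }
    output=$out_dir/$(basename -- "$output")

    rm -f "$output"   # a stale file must not hide a silent failure
    status=$("$filter_bin" "$input" "$output" 2>&1) || true
    echo "$status"

    # The output file can be missing even when no error is thrown, so require
    # both the success line and a non-empty output file.
    case $status in
        *KVERR_Success*) ;;
        *) return 4 ;;
    esac
    [ -s "$output" ] || return 4

    # Case-insensitive, fixed-string search for the content under test.
    if grep -F -i -q -- "$term" "$output"; then
        echo "term present in cracked text"
        return 0
    fi
    echo "term absent from cracked text"
    return 1
}
```

A return of 1 means the term never reached the extracted text; a return of 0 means extraction produced it.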