When an incident has the following attachments _kv0.tmp (or _kv1.tmp, _kv2.tmp etc) and the no attachments with that name exist inside the incident. What is this file? How can I find it?

The _kv0.tmp file is the extraction of a hidden file within another attachment, such as an Excel spreadsheet or PowerPoint document. We detect for hidden files to ensure that confidential information is not being included in the hidden file. This text can be extracted using tstextract.exe. The process is similar to using filter.exe to extract content, as described in the document listed in the "Related Article" section.

1. From a command prompt, change directory to the Vontu product tree:
   • For v10.5 and previous:
     • Windows 32-bit: C:\Vontu\Protect\plugins\contentextraction\Verity\Win32
     • Windows 64-bit: C:\Vontu\Protect\plugins\contentextraction\Verity\x64
   • For v11 and above: 
     • Windows 32-bit: C:\SymantecDLP\Protect\plugins\contentextraction\Verity\Win32
     • Windows 64-bit: C:\SymantecDLP\Protect\plugins\contentextraction\Verity\x64
     • Linux 32-bit: /opt/Vontu/Protect/plugins/contentextraction/Verity/i686
     • Linux 64-bit: /opt/Vontu/Protect/plugins/contentextraction/Verity/x86_64
2. Find the program called “tstxtract.”
3. Type: tstxtract <name of input file> <name of output directory> and the input file will be the original message. The output file contains the hidden file. This file can be examined as is, or you can run filter.exe on the output to examine the extracted content. 

Applies To

Symantec Data Loss Prevention 10.5 and below

Symantec Data Loss Prevention 11x and above