What is a _kv0.tmp file?


Article ID: 160729


Data Loss Prevention Endpoint Prevent, Data Loss Prevention Network Monitor, Data Loss Prevention Network Prevent for Email, Data Loss Prevention Network Protect, Data Loss Prevention Endpoint Discover


An incident lists an attachment named _kv0.tmp (or _kv1.tmp, _kv2.tmp, etc.), but no attachment with that name exists inside the incident. What is this file? How can I find it?


The _kv0.tmp file is the extraction of a hidden file embedded within another attachment, such as an Excel spreadsheet or PowerPoint document. We check for hidden files to ensure that confidential information is not being included in them. This content can be extracted using tstxtract.exe. The process is similar to using filter.exe to extract content, as described in the document listed in the "Related Article" section.


  1. From a command prompt, change directory to the Vontu product tree:
    • For v10.5 and previous:
      • Windows 32-bit: C:\Vontu\Protect\plugins\contentextraction\Verity\Win32
      • Windows 64-bit: C:\Vontu\Protect\plugins\contentextraction\Verity\x64
    • For v11 and above: 
      • Windows 32-bit: C:\SymantecDLP\Protect\plugins\contentextraction\Verity\Win32
      • Windows 64-bit: C:\SymantecDLP\Protect\plugins\contentextraction\Verity\x64
      • Linux 32-bit: /opt/Vontu/Protect/plugins/contentextraction/Verity/i686
      • Linux 64-bit: /opt/Vontu/Protect/plugins/contentextraction/Verity/x86_64
  2. Find the program called “tstxtract.”
  3. Type: tstxtract <name of input file> <name of output directory>, where the input file is the original message. The output contains the hidden file. This file can be examined as is, or you can run filter.exe on the output to examine the extracted content.

Applies To

Symantec Data Loss Prevention 10.5 and below

Symantec Data Loss Prevention 11x and above