When an incident has the following attachments _kv0.tmp (or _kv1.tmp, _kv2.tmp etc) and the no attachments with that name exist inside the incident. What is this file? How can I find it?
The _kv0.tmp file is the extraction of a hidden file within another attachment, such as an Excel spreadsheet or PowerPoint document. We detect for hidden files to ensure that confidential information is not being included in the hidden file. This text can be extracted using tstextract.exe. The process is similar to using filter.exe to extract content, as described in the document listed in the "Related Article" section.
Symantec Data Loss Prevention 10.5 and below
Symantec Data Loss Prevention 11x and above