File Reader fails to start until server is rebooted

Article ID: 161702

Products

Data Loss Prevention Endpoint Prevent, Data Loss Prevention Network Monitor, Data Loss Prevention Network Prevent for Email, Data Loss Prevention Network Discover, Data Loss Prevention

Issue/Introduction

FileReader fails to start until the server is rebooted.
Restarting the services on Enforce or on the server itself does not allow FileReader to start; FileReader starts only after the machine is rebooted.

Reviewing the Filereader0.log shows the following error:

SEVERE: [8676] Interprocess exception caught while opening server shared memory with error message - The system cannot find the file specified., Exception thrown from : ClientShmChannelImpl.cpp(80) HostManager.cpp 129
Feb 4, 2015 1:24:06 PM com.vontu.cracker.jni.NativeContentExtractionEngine create
SEVERE: [8676] Exception caught during starting up host manager. ContentExtractionEngineImpl.cpp 53
Feb 4, 2015 1:24:06 PM com.vontu.messaging.FileReaderSetup initialize
SEVERE: (DETECTION.3) Failed to initialize Detection
com.vontu.cracker.jni.NativeException: Failed to start Engine

Cause

FileReader fails to start if Event ID 6005 (the EventLog startup event) is missing from the Windows System event log.

If the Windows Event Log does not contain the startup event (Event 6005) for any reason, then get_bootstamp returns an empty string. Call stack:

shared_memory_object::priv_open_or_create
  ipcdetail::create_tmp_and_clean_old_and_get_filename
    create_tmp_and_clean_old
      tmp_folder
        get_bootstamp
          get_last_bootup_time

When create_tmp_and_clean_old tries to delete all the entries left by previous boot sessions, the empty string (that is, "delete all folders except the one named """) causes it to delete the current session's files as well.

Workaround:

We can use PowerShell to emulate a reboot by introducing a Windows reboot event.

- Using Admin privileges on the detection server, open PowerShell.exe.

- Run the following PowerShell command to write Windows event ID 6005 to the System log.

  Write-EventLog -LogName System -Source "EventLog" -EntryType Information -EventID 6005 -Message "The Event log service was started."

- Restart the Vontu services on the detection server.
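
The check and the workaround above can be combined so the event is written only when it is actually missing. This is an added example, not part of the original article or the product; the function name Repair-BootStartupEvent is hypothetical, and it assumes Windows PowerShell running elevated on the detection server.

```powershell
#Requires -RunAsAdministrator
# Added example. Repair-BootStartupEvent is a hypothetical name, not a product cmdlet.
function Repair-BootStartupEvent {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Event 6005 from provider "EventLog" in the System log is the startup
    # marker the article says FileReader depends on.
    $filter  = @{ LogName = 'System'; ProviderName = 'EventLog'; Id = 6005 }
    $startup = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue

    if ($startup) {
        Write-Output ("Event 6005 present, most recent at {0}. No action taken." -f $startup.TimeCreated)
        return
    }

    # Report how far back the System log reaches, to help explain the gap.
    $oldest = Get-WinEvent -LogName System -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($oldest) {
        Write-Warning ("No event 6005 found. Oldest System log record is from {0}." -f $oldest.TimeCreated)
    } else {
        Write-Warning 'No event 6005 found and the System log returned no records.'
    }

    # Honors -WhatIf / -Confirm before changing the event log.
    if ($PSCmdlet.ShouldProcess('System event log', 'Write EventLog startup event 6005')) {
        # Same command as the article's workaround.
        Write-EventLog -LogName System -Source 'EventLog' -EntryType Information `
            -EventId 6005 -Message 'The Event log service was started.'
        Write-Output 'Event 6005 written. Restart the Vontu services on the detection server.'
    }
}

Repair-BootStartupEvent
```

Calling the function with -WhatIf reports the finding without writing to the event log.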


Resolution

Every case we have seen of this issue appears to have McAfee AV installed.

Check for McAfee Antivirus and ensure the proper exclusions are in place per Best practice: DLP Servers with Antivirus protection