
Error: "Error reading blob" in the DLP localhost log


Article ID: 175389


Products

Data Loss Prevention Enforce, Data Loss Prevention

Issue/Introduction

Symantec Data Loss Prevention (DLP) 14.6, 15.0, 15.1, 15.5, 15.7, 15.8

The localhost log shows this error:

Level: SEVERE

Source: com.vontu.incidenthandler.blob.MessageBlobReadService

Message: Error reading blob /storage/incident_artifacts/0000000000/033/652/567/CrackedComponent_64607406 from disk for message id 33652567

Cause:

java.io.FileNotFoundException: /storage/incident_artifacts/0000000000/033/652/567/CrackedComponent_64607406 (No such file or directory)

java.io.FileNotFoundException: /storage/incident_artifacts/0000000000/033/652/567/CrackedComponent_64607406 (No such file or directory)

      at java.io.FileInputStream.open0(Native Method)

      at java.io.FileInputStream.open(FileInputStream.java:195)

      at java.io.FileInputStream.<init>(FileInputStream.java:138)

      at com.vontu.util.filesystem.FilesystemUtil$1.getInputStream(FilesystemUtil.java:40)

      at com.vontu.util.filesystem.FilesystemUtil.getInputStream(FilesystemUtil.java:63)

      at com.vontu.incidenthandler.blob.MessageBlobReadService.fetchFromDisk(MessageBlobReadService.java:131)

      at com.vontu.incidenthandler.blob.MessageBlobReadService.getComponentStream(MessageBlobReadService.java:116)

      at com.vontu.incidenthandler.blob.MessageBlobReadService.getCrackedComponentStream(MessageBlobReadService.java:79)

      at com.vontu.manager.report.snapshot.matches.MessageComponentRecordRowMapper.getItem(MessageComponentRecordRowMapper.java:61)

      at com.vontu.manager.report.snapshot.matches.MessageComponentRecordRowMapper.getItem(MessageComponentRecordRowMapper.java:45)

      at com.vontu.query.BackgroundDataMapper.processResults(BackgroundDataMapper.java:53)

      at com.vontu.query.QueryExecutor.execute(QueryExecutor.java:114)

      at com.vontu.query.QueryExecutor.execute(QueryExecutor.java:76)

      at com.vontu.query.BackgroundQueryExecutor$1.run(BackgroundQueryExecutor.java:71)

      at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)

      at java.util.concurrent.FutureTask.run(FutureTask.java:266)

      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

      at java.lang.Thread.run(Thread.java:745)

Resolution

The SEVERE error "Error reading blob..." in the log can be misleading: in certain cases the condition is expected and is simply ignored by the calling code.
This is how the code works:

  • If the attachment LOB is in the database (not externalized) and has been discarded by a response rule, the code knows from the empty or NULL LOB that it is not available, and it displays the attachment name in the UI / Incident details section with no hyperlink.
  • If the attachment LOB is on the filesystem (externalized) and has been discarded by a response rule, the code knows from the fact that the file is missing that it is not available, and it displays the attachment name in the UI / Incident details section with no hyperlink.
  • The incident details page also displays the file name in the middle section where the match highlighting occurs. The targetFile.rtf reference is not clickable in the left pane (green rectangle), but it is incorrectly clickable in the center pane (red rectangle), leading to a 404.


The lack of a hyperlink is the indicator that the attachment is not available. Also, the incident History tab shows an entry such as:

"Incident data discarded based on response rule".


In any case, this does not affect the functionality of the system.
An update is planned for a later release to lower the level of these log entries from "SEVERE" to "INFO".
The update will also correct the incorrectly clickable link in the center pane.
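
A triage sketch for the entries described above, added here as an example and not Symantec or Broadcom code: it groups "Error reading blob" entries by blob path and separates the missing-file case this article describes from other read failures, such as a permission error, which Java reports with the same FileNotFoundException class. The function name, the verdict labels and the second sample entry are assumptions, and a "check-history" verdict still has to be confirmed against the incident History tab entry quoted above.

```python
import re

# Message and cause lines as they appear in the entry quoted in this article.
MSG_RE = re.compile(
    r"Error reading blob (?P<path>.+?) from disk for message id (?P<msg_id>\d+)")
CAUSE_RE = re.compile(
    r"java\.io\.FileNotFoundException: (?P<path>.+) \((?P<reason>[^()]*)\)\s*$")

# Constructed sample log: the first entry reuses the article's values and is
# repeated; the second entry (path, message id, reason) is made up.
P1 = "/storage/incident_artifacts/0000000000/033/652/567/CrackedComponent_64607406"
P2 = "/storage/incident_artifacts/EXAMPLE/CrackedComponent_1"

def _entry(path, msg_id, reason):
    return (f"Message: Error reading blob {path} from disk for message id {msg_id}\n"
            f"Cause:\njava.io.FileNotFoundException: {path} ({reason})\n"
            "      at java.io.FileInputStream.open0(Native Method)\n")

SAMPLE_LOG = (_entry(P1, 33652567, "No such file or directory") * 2
              + _entry(P2, 1, "Permission denied"))

def triage(log_text):
    """Group 'Error reading blob' entries by blob path and classify each one."""
    blobs, current = {}, None
    for line in log_text.splitlines():
        msg = MSG_RE.search(line)
        if msg:
            current = blobs.setdefault(msg["path"], {
                "path": msg["path"], "msg_id": msg["msg_id"], "count": 0,
                "reason": None, "verdict": "investigate"})  # until a cause is seen
            current["count"] += 1
            continue
        cause = CAUSE_RE.search(line)
        if cause and current and cause["path"] == current["path"]:
            current["reason"] = cause["reason"]
            # A missing file is the expected case when a response rule discarded
            # the data; any other reason is a genuine read failure.
            missing = cause["reason"] == "No such file or directory"
            current["verdict"] = "check-history" if missing else "investigate"
    return blobs

if __name__ == "__main__":
    for b in triage(SAMPLE_LOG).values():
        print(b["verdict"], b["msg_id"], b["count"], b["reason"], b["path"])
```
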