Network Monitor is throwing error 2500 Message chain #1 encountered an unexpected error processing a message

Article ID: 194459

Products

Data Loss Prevention Enforce, Data Loss Prevention, Data Loss Prevention Network Monitor

Issue/Introduction

Symantec Data Loss Prevention (DLP) environment with two Network Monitor servers.

The Packet Capture service will not start on either Network Monitor. All other DLP services are running.

The Network Monitor log contains the following stack trace:
SEVERE: Message chain #2 encountered an unexpected error processing a message.
java.lang.NoClassDefFoundError: Could not initialize class com.symantec.dlp.imagepreclassifier.NativeImagePreclassifier
at com.vontu.messaging.chain.imagepreclassifier.ImagePreclassifierManager.getNativeImagePreclassifier(ImagePreclassifierManager.java:241)
at com.vontu.messaging.chain.imagepreclassifier.ImagePreclassifierManager.performAdvancedPreclassification(ImagePreclassifierManager.java:200)
at com.vontu.messaging.chain.imagepreclassifier.ImagePreclassifierManager.applyPrefiltersOnImages(ImagePreclassifierManager.java:146)
at com.vontu.messaging.chain.MessageContentExtractor.processMessage(MessageContentExtractor.java:184)
at com.vontu.messaging.chain.MessageContentExtractor.processMessage(MessageContentExtractor.java:161)
at com.vontu.messaging.chain.MessageChain.processMessage(MessageChain.java:211)
at com.vontu.messaging.chain.MessageChain.run(MessageChain.java:133)
at java.lang.Thread.run(Thread.java:748)
Oct 29, 2019 6:00:08 AM com.vontu.logging.LocalLogWriter write
SEVERE: Unexpected Error Processing Message. Message chain #1 encountered an unexpected error processing a message. See the log file for details.


Cause

A misconfigured sudoers drop-in file named temproot. It sorts after the Symantec DLP sudoers file, so its rule for the symantecdlp user is matched last and overrides the NOPASSWD rule that DLP installs.

Environment

Release : 15.5 and 15.7 MP1
DLP installed on RHEL 7.8
Oracle Enterprise 12c on RHEL 7.3

Component : Network Monitor

Resolution

Change the rule for the symantecdlp user in the temproot sudoers file from:

symantecdlp ALL=(ALL) ALL, NOEXEC: NEVEREXEC

to

symantecdlp ALL=NOEXEC: NEVEREXEC

After editing, validate the sudoers configuration with visudo -c and, as root, confirm the rules in force for the service account with sudo -l -U symantecdlp before restarting the Packet Capture service.

The original line grants symantecdlp the right to run any command as any user, but because it carries no NOPASSWD tag, sudo still asks for a password. Files in the sudoers drop-in directory (/etc/sudoers.d on RHEL) are parsed in lexical order, so temproot is read after the Symantec DLP sudoers file (S sorts before T) and its rule is matched last. sudo applies the last matching rule, not the most restrictive one, so the ALL command specification in temproot overrides the NOPASSWD entry the DLP file sets for symantecdlp. The Packet Capture service invokes sudo non-interactively as symantecdlp and cannot answer a password prompt, so it fails to start. The corrected line no longer contains ALL as a command, so it does not match the commands the DLP file covers and the DLP NOPASSWD rule applies again.
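The following script is an added example and is not code from this article or from Symantec DLP. It models how sudo picks a rule from a #includedir drop-in directory (/etc/sudoers.d, the RHEL 7 default): files are read in lexical order, names containing a dot or ending in a tilde are skipped, and the last rule that grants the command wins, whatever password tag it carries. The DLP drop-in name "SymantecDLP", the command /opt/dlp/bin/pcap it grants, and the throwaway directory contents are all assumptions made for the demonstration; the two temproot lines are the before and after lines from this article. Running it shows the broken temproot line re-enabling the password prompt for the DLP command and the corrected line leaving the DLP NOPASSWD rule in force.

```shell
#!/bin/sh
# Added example; not code from the KB article or from Symantec DLP.
# Models how sudo selects a rule from the #includedir /etc/sudoers.d drop-ins
# (the RHEL 7 default): files are read in lexical order and the LAST matching
# rule wins, so a file that sorts after the DLP drop-in and grants "ALL" with no
# NOPASSWD tag re-enables the password prompt for every command.
# Assumptions: the DLP drop-in is named "SymantecDLP" and grants one
# hypothetical command, /opt/dlp/bin/pcap; "temproot" holds the article's
# before/after lines. Everything is built in a throwaway directory.
set -u

# Parse order used for a drop-in directory: C-locale sort, skipping names that
# contain '.' or end in '~' (sudo ignores those, e.g. editor backups, .rpmsave).
sudoers_parse_order() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        n=${f##*/}
        case "$n" in *.*|*~) continue ;; esac
        printf '%s\n' "$n"
    done | LC_ALL=C sort
}

# Test one sudoers line against (user, command). Prints the password tag in
# force at the matching command (NOPASSWD or PASSWD) when the line grants it,
# nothing otherwise. Simplified grammar:
#   user ALL=[(runas)] [TAG: ...]cmnd[, [TAG: ...]cmnd ...]
rule_tag() {
    user=$1; cmd=$2; line=$3
    case "$line" in "$user "*) ;; *) return 0 ;; esac
    spec=$(printf '%s' "${line#*=}" | sed 's/^ *([^)]*) *//')   # drop "(runas)"
    printf '%s\n' "$spec" | tr ',' '\n' | {
        tag=PASSWD; hit=                 # sudoers default: a password is required
        while read -r entry; do
            # peel "TAG:" prefixes; NOPASSWD/PASSWD stay in force for later entries
            while [ "${entry#*:}" != "$entry" ]; do
                t=${entry%%:*}; entry=${entry#*:}; entry=${entry# }
                case "$t" in NOPASSWD|PASSWD) tag=$t ;; esac
            done
            [ "$entry" = ALL ] || [ "$entry" = "$cmd" ] && hit=$tag
        done
        if [ -n "$hit" ]; then printf '%s\n' "$hit"; fi
    }
}

# Walk the drop-ins in parse order and report the last rule granting the
# command as "file: TAG". sudo keeps the last match, not the strictest one.
effective_rule() {
    dir=$1; user=$2; cmd=$3
    sudoers_parse_order "$dir" | while read -r name; do
        while read -r line; do
            t=$(rule_tag "$user" "$cmd" "$line")
            [ -n "$t" ] && printf '%s: %s\n' "$name" "$t"
        done < "$dir/$name"
    done | tail -n 1
}

# Build a throwaway drop-in directory with constructed contents. $1 is the
# temproot variant: "before" (the article's broken line) or "after" (the fix).
make_demo_dir() {
    d=$(mktemp -d)
    # constructed DLP drop-in; file name and command path are assumptions
    printf 'symantecdlp ALL=(root) NOPASSWD: /opt/dlp/bin/pcap\n' > "$d/SymantecDLP"
    if [ "$1" = before ]; then
        printf 'symantecdlp ALL=(ALL) ALL, NOEXEC: NEVEREXEC\n' > "$d/temproot"
    else
        printf 'symantecdlp ALL=NOEXEC: NEVEREXEC\n' > "$d/temproot"
    fi
    printf 'symantecdlp ALL=(ALL) ALL\n' > "$d/temproot.rpmsave"   # skipped by sudo
    printf '%s\n' "$d"
}

for variant in before after; do
    d=$(make_demo_dir "$variant")
    printf '%s: parse order [%s] rule for pcap: %s\n' "$variant" \
        "$(sudoers_parse_order "$d" | tr '\n' ' ')" \
        "$(effective_rule "$d" symantecdlp /opt/dlp/bin/pcap)"
    rm -rf "$d"
done
```

The matcher deliberately implements only the subset of sudoers grammar needed to show the ordering effect (user, optional runas, sticky PASSWD/NOPASSWD tags, a comma-separated command list with ALL); on a real host, visudo -c and sudo -l -U symantecdlp give the authoritative answer.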