Server settings reviewed, most of which were at default.

Confirmed the upstream "proxy" is not a supported Web Proxy - however, it did previously create incidents for DLP, so continued troubleshooting.

We noticed there is a log on the Web Prevent server for OCR: "OcrRequestsRecord0.log".

This log has been recording data since before the current FileReader problems, e.g.,

Aug 28, 2020 3:42:43 PM com.vontu.messaging.chain.ocr.OcrImageStatisticsLogger log
INFO: Aug 28, 2020 03:42:43 PM: Message received with candidate OCR images. [Number of images in last 24 hours: 1047. Percentage of Messages containing images that need OCR: 77.1719%. Average number of OCR images per message: 6.0]

By default there are 5 ADV Server Settings for OCR, 4 of which should be "true" but the fifth one should be "false".

• OCR.RECORD_REQUEST_STATISTICS
• false
• When set to true, this setting enables the OCR sizing tool.  The OCR sizing tool gives insight into image traffic data, which helps determine the sizing requirements for the OCR implementation.

If the customer does not have an OCR Server, this setting would not usually be enabled.

The customer at some point had changed the above setting to "true".
This means that DLP is taking SOME bandwidth from every ICAP request coming in to analyze the content for images.

To correct this, change the setting back to FALSE, and restart the Symantec DLP Detection Server service.