Custom DI with bad regex can crash Filereader
search cancel

Custom DI with bad regex can crash Filereader

book

Article ID: 205854

calendar_today

Updated On:

Products

Data Loss Prevention Network Monitor and Prevent for Email and Web

Issue/Introduction

Filereader is crashing and dump files are filling up drive space on detection servers using the following configuration.

  1. Create a custom DI with invalid regex:   eg: {g442Uzab5Nl5roChis+d}.  
  2. Normalizer:  do nothing.  
  3. No validator
  4. Add as an exception to any Data Identifier policy.
  5. Try to create an incident by sending an email, running a scan, etc.
  6. Every time a message is processed, FR will crash.

Environment

15.7 MP1

Cause

FileReader logs will not have any errors.

In ContentExtractionHost_FileReader.log, you will see the following error:

 

11/10/20 13:26:10 | WARN | cehost | HostTaskManager [6468] | [76] | OS Error: 109, Exception thrown from : FileDescriptorWinImpl.cpp(116) | ShutdownConditionWatcher.cpp (93)
11/10/20 13:26:10 | INFO | cehost | Service [6468] | [76] | IPCChannel shutdown completed | PluginManagementService.cpp (234)
11/10/20 13:26:10 | INFO | cehost | Service [6468] | [76] | Service is shut down, ServiceID=10 | Service.cpp (113)
11/10/20 13:26:10 | INFO | cehost | Service [6468] | [76] | Service is shut down, ServiceID=11 | Service.cpp (113)
11/10/20 13:26:10 | INFO | cehost | Service [6468] | [76] | Service is shut down, ServiceID=12 | Service.cpp (113)
11/10/20 13:26:10 | INFO | cehost | Service [6468] | [76] | Service is shut down, ServiceID=13 | Service.cpp (113)
11/10/20 13:26:10 | INFO | cehost | Service [6468] | [76] | Service is shut down, ServiceID=14 | Service.cpp (113)
11/10/20 13:26:10 | INFO | cehost | Service [6468] | [76] | Service is shut down, ServiceID=3 | Service.cpp (113)
11/10/20 13:26:10 | INFO | cehost | Service [6468] | [76] | Service is shut down, ServiceID=4 | Service.cpp (113)
11/10/20 13:26:10 | INFO | cehost | Service [6468] | [76] | Service is shut down, ServiceID=5 | Service.cpp (113)
11/10/20 13:26:10 | INFO | cehost | Service [6468] | [76] | Service is shut down, ServiceID=6 | Service.cpp (113)
11/10/20 13:26:10 | INFO | cehost | Service [6468] | [76] | Service is shut down, ServiceID=7 | Service.cpp (113)
11/10/20 13:26:10 | INFO | cehost | Service [6468] | [76] | Service is shut down, ServiceID=8 | Service.cpp (113)
11/10/20 13:26:10 | INFO | cehost | Service [6468] | [76] | Service is shut down, ServiceID=9 | Service.cpp (113)
11/10/20 13:26:10 | INFO | cehost | Service [6468] | [76] | CEServiceManager shutdown completed | PluginManagementService.cpp (237)
11/10/20 13:26:10 | INFO | cehost | NetShareCEP [6468] | [76] | NetShare Plugin has been unloaded. | ..\..\src\NetShareCEP.cpp (856)
11/10/20 13:26:10 | INFO | cehost | Service [6468] | [76] | CEPluginManager shutdown completed | PluginManagementService.cpp (240)
11/10/20 13:26:10 | INFO | cehost | Service [6468] | [76] | Service is shut down, ServiceID=1 | Service.cpp (113)
11/10/20 13:26:10 | INFO | cehost | main [6468] | [76] | Content Extraction Host process exited | CEHostProcess.cpp (140)

Resolution

Remove

Additional Information

If enabled, mdmp files will be created and fill up drive space.

Powered by Wolken Software