
Detection fails due to ContentExtractionHost error 'Failed to create temporary directory. Last Error: No such file or directory'


Article ID: 213408


Products

  • Data Loss Prevention
  • Data Loss Prevention Network Monitor and Prevent for Email and Web

Issue/Introduction

On a detection server running FileReader, you observe that although it appears to be processing messages, no incidents are generated. In the ContentExtractionHost_FileReader log you see the following events:

04/07/21 09:18:47 | ERROR | cehost | Verity [4527] | [3695359744] | Failed to create temporary directory. Last Error: No such file or directory | ../Platform.c (103)

04/07/21 09:18:47 | ERROR | cehost | Verity [4527] | [3695359744] | Could not initialize the Verity CEA plugin: Failed to create temporary directory | src/VerityImplInternal.c (153)

04/07/21 09:18:47 | WARN  | cehost | CEPluginManager [4527] | [3695359744] | Failed to load Verity. Error: Plugin Startup - Initialization of plugin Verity failed. retVal = 1, context = 0. Skipping this plugin | CEPluginManager.cpp (252)

Cause

This issue can occur on a Linux-based detection server when the disk that CEH (ContentExtractionHost) extracts files to runs out of space. This may happen due to limited drive space and a high volume of large files.

It may also happen if CEH has crashed while extracting files, leaving tmp files behind that are never cleaned out.

When the disk is out of space and temporary files can no longer be created, FileReader continues to process messages, but because all extraction fails, no real detection takes place.

Environment

  • Linux-based detection server
  • DLP 15.x

Resolution

This can be caused by multiple issues:

  • AV exclusions for DLP folders
    • See: https://knowledge.broadcom.com/external/article/155410/recommended-antivirus-exclusions-for-sym.html
  • Multiple Enforce servers are talking to the detection servers:

If you see the following messages, verify whether there are multiple Enforce servers:

May 9, 2022 3:41:49 AM com.vontu.communication.transport.ChannelManager handleOperationSuccess
WARNING: Replaced connection for: controller-server and the remote IP for the old connection is: /192.168.1.50. There might be another client connecting to this channel.

  • Free disk space is low
    1. Delete the ContentExtractionTemporarynnnnn directories from /temp/ to free disk space.
    2. Restart the SymantecDLPDetectionServerService.
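
Before deleting anything, it helps to confirm that the log signature, leftover extraction directories and disk usage all point at the low-disk case. The script below is an added example, not Broadcom code: the function names and the sample file `ceh_sample.log` are assumptions, the log path and temp directory are passed as arguments, and the sample data is constructed from the events quoted above.

```shell
#!/bin/sh
# Added triage example (not vendor code). Log path and temp directory are
# arguments: the article names the log but not its directory on disk.

# Count events where the Verity plugin could not create its temp directory.
ceh_tmpdir_errors() {
    [ -r "$1" ] || { echo 0; return 0; }
    # grep -c exits 1 on zero matches; keep the printed count, ignore the status
    grep -c -F 'Failed to create temporary directory. Last Error:' "$1" || true
}

# Count leftover extraction directories directly under $1.
ceh_leftover_dirs() {
    find "$1" -maxdepth 1 -type d -name 'ContentExtractionTemporary*' | wc -l | tr -d ' '
}

# Percentage of space used on the filesystem that holds $1.
fs_used_pct() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# Print one summary line; return non-zero when extraction is failing.
ceh_triage() {
    errs=$(ceh_tmpdir_errors "$1")
    echo "tmpdir_errors=$errs leftover_dirs=$(ceh_leftover_dirs "$2") fs_used_pct=$(fs_used_pct "$2")"
    [ "$errs" -eq 0 ]
}

# Constructed sample: two log events from the article plus two leftover dirs.
make_sample() {
    mkdir -p "$1/tmp/ContentExtractionTemporary00001" "$1/tmp/ContentExtractionTemporary00002"
    cat > "$1/ceh_sample.log" <<'EOF'
04/07/21 09:18:47 | ERROR | cehost | Verity [4527] | [3695359744] | Failed to create temporary directory. Last Error: No such file or directory | ../Platform.c (103)
04/07/21 09:18:47 | WARN  | cehost | CEPluginManager [4527] | [3695359744] | Failed to load Verity. Error: Plugin Startup - Initialization of plugin Verity failed. retVal = 1, context = 0. Skipping this plugin | CEPluginManager.cpp (252)
EOF
}

demo=$(mktemp -d)
make_sample "$demo"
ceh_triage "$demo/ceh_sample.log" "$demo/tmp" || echo "extraction is failing: no incidents will be generated"
rm -rf "$demo"
```

Because FileReader keeps processing messages while extraction fails, a non-zero `tmpdir_errors` count is worth alerting on rather than waiting for someone to notice that incidents have stopped.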

Additional Information

See also: large number of .tmp files in C:\Documents and Settings\protect\Local Settings\Temp\