Attachment detection fails after Detection Server upgrade to 15.7 MP2 or later

Article ID: 226824

Products

Data Loss Prevention, Data Loss Prevention Core Package

Issue/Introduction

After an installation of a detection server, the server cannot perform successful detection on any request that contains an attachment. Detection works on the message body but not on files.

This is seen after an upgrade of DLP to version 15.7 MP2. With 15.7 GA, the server works as expected.

Cause

After enabling Detection Trace Logging on the server, you may see that the attachments in the tested requests do not have a recognized filetype:

Message:
(...)
Attachment (ID=40)
Raw size: 8958 bytes
File name: file1.jpg
File type: unknown
Attachment (ID=41)
Raw size: 24362 bytes
File name: file2.JPG
File type: unknown
Attachment (ID=42)
Raw size: 3334 bytes
File name: test file3.PNG
File type: unknown

All of these files should have been recognized as images. The same failure is seen for all file types.

In the Content Extraction Host logs, you may see entries similar to these:

08/19/21 13:02:38 | ERROR | cehost | Verity [6420] | [7008] | Could not initialize the Verity library: GetKvFilterLibHandle("D:\Symantec\DataLossPrevention\KeyView\12.2\Protect\plugins\contentextraction\Verity\x64") failed | src\VerityImplInternal.c (170)

08/19/21 13:02:38 | WARN | cehost | CEPluginManager [6420] | [7008] | Failed to load Verity. Error: Plugin Startup - Initialization of plugin Verity failed. retVal = 1, context = 0000000000000000. Skipping this plugin | CEPluginManager.cpp (253)

This means the detector was not able to start the Verity plugin, which is the component responsible for content extraction and file type recognition. Without a functional Verity plugin, the detection server cannot perform any detection on attachments.
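Both symptoms can be checked for together. The following is an added example, not Symantec tooling or part of the original article: it parses Content Extraction Host log lines and a Detection Trace excerpt in the formats shown above. The function names are hypothetical and the first sample log line is constructed.

```python
import re
from typing import NamedTuple

# Sample input: the INFO line is constructed; the other lines are copied from this article.
CEHOST_LOG = r'''08/19/21 13:02:37 | INFO | cehost | CEPluginManager [6420] | [7008] | constructed sample line | example.cpp (1)
08/19/21 13:02:38 | ERROR | cehost | Verity [6420] | [7008] | Could not initialize the Verity library: GetKvFilterLibHandle("D:\Symantec\DataLossPrevention\KeyView\12.2\Protect\plugins\contentextraction\Verity\x64") failed | src\VerityImplInternal.c (170)
08/19/21 13:02:38 | WARN | cehost | CEPluginManager [6420] | [7008] | Failed to load Verity. Error: Plugin Startup - Initialization of plugin Verity failed. retVal = 1, context = 0000000000000000. Skipping this plugin | CEPluginManager.cpp (253)
'''
TRACE = '''Attachment (ID=40)
Raw size: 8958 bytes
File name: file1.jpg
File type: unknown
Attachment (ID=42)
Raw size: 3334 bytes
File name: test file3.PNG
File type: unknown
'''

class Entry(NamedTuple):
    timestamp: str
    level: str
    message: str

def parse_cehost(text):
    """Split 'time | level | process | component [pid] | [tid] | message | source' records."""
    entries = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(" | ")]
        if len(parts) == 7:  # skip anything that is not a full record
            entries.append(Entry(parts[0], parts[1], parts[5]))
    return entries

def verity_failures(entries):
    """ERROR/WARN records showing the Verity plugin failed to initialize or load."""
    pattern = re.compile(r"Could not initialize the Verity library|Failed to load Verity")
    return [e for e in entries if e.level in ("ERROR", "WARN") and pattern.search(e.message)]

def unknown_attachments(trace):
    """File names whose 'File type' line in the detection trace reads 'unknown'."""
    return re.findall(r"File name: (.+)\nFile type: unknown", trace)

def diagnose(cehost_text, trace_text):
    failures = verity_failures(parse_cehost(cehost_text))
    return {"verity_failed": bool(failures),
            "first_failure": failures[0].timestamp if failures else None,
            "uninspected_attachments": unknown_attachments(trace_text)}

if __name__ == "__main__":
    print(diagnose(CEHOST_LOG, TRACE))
```

When `verity_failed` is true, every name in `uninspected_attachments` is a file that passed through the detection server without content inspection, which is the window to review for missed incidents.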

Resolution

To resolve this problem, we recommend installing Microsoft Visual Studio 2019 Runtime on the detection servers that will be or have been upgraded to DLP 15.7 MP2.

In the 15.7 MP2 Release Notes, we state the following in the system requirements section:

"Change in the dependency on Microsoft Visual Studio 2010

As of version 15.7 Maintenance Pack 2, Data Loss Prevention no longer uses Microsoft Visual Studio 2010 Runtime. Instead, Data Loss Prevention has now upgraded to Microsoft Visual C++ 2019. When you deploy 15.7 Maintenance Pack 2, Microsoft Visual C++ 2019 Runtime version 14.25.28508.3 is installed as a necessary dependency. This might overwrite any existing build of Microsoft Visual C++ 2019 Runtime.

If another application uses Microsoft Visual Studio 2015 or later on the same computer that has Data Loss Prevention installed, when you upgrade to Data Loss Prevention 15.7 Maintenance Pack 2, you will be prompted to restart the computer. If you upgrade the Enforce Server or detection servers with the guidance of a user interface, you will be prompted to restart the server at the end of the upgrade. If you perform a silent installation instead, the installation logs will indicate the need to restart. For endpoints, after you upgrade the DLP Agent, you will be prompted to restart the endpoint."