DLP Incident File Encryption and Universal Detection Server (UDS) Technology

Article ID: 436685


Products

Data Loss Prevention Core Package

Issue/Introduction

  • Administrators are unable to find readable metadata or artifacts within `.bad` files located on the Enforce server.
  • Incident files (ending in `=`) and metadata files (`.mtd`) in the `INCIDENTS` folder on the Detection Server appear encrypted or unreadable when opened with text editors.
  • Efforts to trace the originating machine name or endpoint directly from these files are unsuccessful.

Environment

  • Symantec Data Loss Prevention (DLP) 16.1 and later

Cause

Starting with DLP version 16.1, the product uses Universal Detection Server (UDS) technology. A key security feature of this architecture is that all incident data is encrypted at rest while it resides in the local storage of the detection server, and encrypted in transit.

Because the data is encrypted using system-level keys, manual inspection of the following files will not yield any usable information, such as machine names, user IDs, or sensitive data matches:

  • `.bad` files (corrupted or unparseable incidents on Enforce)
  • Incident files in the `INCIDENTS` folder
  • `.mtd` (metadata) files associated with incidents

Resolution

Since these files are encrypted by design, they cannot be manually decrypted or 'fixed' to reveal their contents.

If you are encountering `.bad` files or corrupted incidents, please refer to the following article for troubleshooting steps, including how to identify and remove corrupt files to restore server health:

To identify the source of a corrupted incident, you must instead rely on the SymantecDLPEnforceConnector logs on the detection server, which may record the filename and path of the incident before the encryption or persistence failure occurred.