You've noted that expected incidents are not being persisted, and upon further investigation you've identified one or more corrupt incidents.
Enforce side:
When Enforce receives a corrupt incident and is unable to persist it to the database, the system event 'Incident Persister failed to process incident' occurs.
Detector side:
No system event occurs, but you may notice incidents not being sent to Enforce.
Within the SymantecDLPEnforceConnector#.logs on the detector, you may see the following error:
Apr 9, 2026 11:16:10 AM com.symantec.dlp.storageinfrastructure.databuffer.DataBufferReaderFromStorageInputReader handleIOException
WARNING: Reading data from storage failed:
com.symantec.dlp.storageandnotification.exceptions.RecoverableStorageSecurityException: Something went wrong while decrypting and reading data.File: <long file name ending with "="> , Folder: INCIDENTS
Causes of corrupt incidents can vary and surrounding log entries may provide more context.
Enforce side:
When the system event 1801 error occurs, the incident file on Enforce in <Data Directory>\Symantec\DataLossPrevention\ServerPlatformCommon\<version>\incidents is marked as .BAD and no further attempts to reprocess it will occur. No action is necessary; however, you may attempt to reprocess the incident by renaming the .bad file to .idc.
Detector side:
When writing an incident fails on the detector side, it never makes it to Enforce. Furthermore, no automatic action takes place, and the detector will continually attempt to persist the incident. It may be necessary to rename the files manually.
These will be located in <Data directory>\Symantec\DataLossPrevention\DetectionServer\Account-storage\EnforceSlot-uuid\INCIDENTS
The name of the failing file will be present in the SymantecDLPEnforceConnector#.logs. When you identify that file, there will be two similarly named files: one ending in "=" and one ending in ".mtb". Both of these files should be renamed to prevent the server from continually attempting to process them. It is recommended that you use a naming convention similar to the automatic Enforce process and rename them with a .bad extension.
*Note: on RHEL servers, reverse the "\" in directory paths.
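The detector-side cleanup described above, as an added example that is not part of the original article or of Symantec tooling: it pulls the failing file name out of the connector log warning and plans the .bad renames for that file and its .mtb companion. The sample log line and file name are constructed, and how the .mtb file is named relative to the logged file is an assumption, so nothing is renamed unless apply=True is passed.

```python
import re
from pathlib import Path

# Constructed sample in the format of the warning above; the file name is made up.
SAMPLE_LOG = (
    "WARNING: Reading data from storage failed:\n"
    "com.symantec.dlp.storageandnotification.exceptions.RecoverableStorageSecurityException: "
    "Something went wrong while decrypting and reading data.File: "
    "Q09OU1RSVUNURURfRVhBTVBMRQ== , Folder: INCIDENTS\n"
)

FAILED_FILE = re.compile(r"reading data\.\s*File:\s*(?P<name>\S+)\s*,\s*Folder:\s*INCIDENTS")


def failing_incident_names(log_text):
    """Return distinct file names reported as unreadable, in log order."""
    names = []
    for match in FAILED_FILE.finditer(log_text):
        name = match["name"]
        # The name is read from a log file: refuse anything that could leave INCIDENTS.
        if "/" in name or "\\" in name or name in (".", ".."):
            continue
        if name not in names:
            names.append(name)
    return names


def files_to_rename(incidents_dir, name):
    """Return the logged file and its .mtb companion, whichever exist."""
    # Assumption: the companion is <name>.mtb, with or without the trailing "=".
    candidates = dict.fromkeys([name, name + ".mtb", name.rstrip("=") + ".mtb"])
    return [p for p in (Path(incidents_dir) / c for c in candidates) if p.is_file()]


def quarantine(incidents_dir, log_text, apply=False):
    """Return the (old, new) rename plan; rename only when apply=True."""
    plan = []
    for name in failing_incident_names(log_text):
        for path in files_to_rename(incidents_dir, name):
            # Appending .bad keeps the original name recoverable.
            target = path.with_name(path.name + ".bad")
            plan.append((path, target))
            if apply:
                path.rename(target)
    return plan
```

Call quarantine() with the INCIDENTS folder and the connector log text to review the plan, then repeat with apply=True once the listed files match what you see on disk.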