DLP Detection Server shows 'Unknown' status due to corrupt Metadata

Article ID: 439775


Products

Data Loss Prevention Core Package

Issue/Introduction

A Symantec Data Loss Prevention (DLP) Detection Server shows a status of Unknown in the Enforce Server administration console. Unlike standard connectivity issues, this occurs while the detection server services are running and network connectivity is intact.

Logs may indicate:

  • WARNING: Reading data from storage failed: RecoverableStorageSecurityException in the SymantecDLPEnforceConnector logs.
  • Errors referencing DataBufferReaderFromStorageInputReader or IllegalBlockSizeException specifically within the scan status or topic folders.

Cause

This issue is caused by corrupt scan status metadata residing in the detector's topic folders. When the Enforce Server attempts to synchronize the current data (Scan State, Incidents, Server Health, etc), the corrupt metadata prevents the EnforceConnector from successfully reporting the server's health and status, leading to the Unknown state.

Resolution

The following methods resolve this synchronization failure. Method 1 is the preferred surgical approach; Method 2 is the alternative used in the field.

Method 1: Surgical Metadata Cleanup

This command cannot be undone. Verify every parameter before running.

  1. Stop the detection server services:
    • SymantecDLPDetectorService
    • SymantecDLPEnforceConnectorService
  2. Identify the topic folder and file name from the SymantecDLPEnforceConnector#.log.

  3. Navigate to the detector's storage directory (e.g., \Symantec\DataLossPrevention\DetectionServer\Account-storage\EnforceSlot-uuid\LEGACY_DISCOVER_STATE\ or the specific topic folder identified in logs).
  4. Locate and delete the files mentioned in the EnforceConnector logs. Note that you must delete both the file without a file extension and the matching file with a '.mtd' file extension.
  5. Restart the services. The detector will regenerate clean metadata and resynchronize with Enforce.
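
The following PowerShell script is an added example of Method 1 on a Windows detection server; it is not part of the original article or the DLP product. It assumes the topic folder and file base name have already been read from the SymantecDLPEnforceConnector#.log, and it adds a timestamped backup copy (the $BackupRoot location is hypothetical) before the irreversible delete the article describes.

```powershell
# Added example (not from the original article): scripted form of Method 1.
# Assumes a Windows detection server and that the topic folder and file base
# name were taken from SymantecDLPEnforceConnector#.log beforehand.
# The backup copy is an added safeguard; the article only describes deletion.
param(
    [Parameter(Mandatory)][string]$TopicFolder,    # e.g. <data dir>\Symantec\DataLossPrevention\DetectionServer\Account-storage\EnforceSlot-<uuid>\LEGACY_DISCOVER_STATE
    [Parameter(Mandatory)][string]$FileBaseName,   # file name from the log, without the .mtd extension
    [string]$BackupRoot = 'C:\DLP-metadata-backup' # hypothetical backup location
)
$ErrorActionPreference = 'Stop'
$services = 'SymantecDLPDetectorService', 'SymantecDLPEnforceConnectorService'

# The extension-less file and its .mtd companion must be removed together.
$targets = @(
    (Join-Path $TopicFolder $FileBaseName),
    (Join-Path $TopicFolder "$FileBaseName.mtd")
)
$missing = $targets | Where-Object { -not (Test-Path -LiteralPath $_ -PathType Leaf) }
if ($missing) {
    throw "Expected metadata file(s) not found, refusing to continue: $($missing -join ', ')"
}

# Step 1: stop the detector and connector so the files are not in use.
foreach ($svc in $services) {
    Stop-Service -Name $svc -Force
    (Get-Service -Name $svc).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))
}

try {
    # Added safeguard: keep a timestamped copy before the irreversible delete.
    $backupDir = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    foreach ($f in $targets) { Copy-Item -LiteralPath $f -Destination $backupDir }

    # Step 4: delete both files named in the EnforceConnector log.
    foreach ($f in $targets) {
        Remove-Item -LiteralPath $f -Force
        Write-Host "Removed $f (backup copy in $backupDir)"
    }
}
finally {
    # Step 5: restart the services even if the delete failed, so the
    # detector can regenerate its metadata and resynchronize with Enforce.
    foreach ($svc in $services) { Start-Service -Name $svc }
}
```

Run it with the exact folder and base name from the log; the script refuses to proceed if either file is absent, which guards against deleting from the wrong topic folder.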

Method 2: Detector Reset

Not recommended for discover servers due to incremental scan index being potentially very large.

  1. Stop the detection server services:
    • SymantecDLPDetectorService
    • SymantecDLPEnforceConnectorService
  2. Navigate to the bin folder within the installation directory (e.g. \Symantec\DataLossPrevention\DetectionServer\<version>\Protect\bin) in PowerShell (Windows) or bash (Linux).

  3. Run resetDetector.ps1 (Windows) / resetDetector.sh (Linux).

  4. Restart the services. The detector will regenerate clean metadata and resynchronize with Enforce.

Method 3: Detector Reinstallation

Not recommended for discover servers due to incremental scan index being potentially very large.

If the corrupt metadata is difficult to isolate or the file count is too high (e.g., millions of files in the storage directory), a full reinstallation of the detection server software will resolve the issue by creating a fresh storage structure.

  1. Uninstall the Detection Server software from the target machine.
  2. Manually ensure the previous installation directory and any remaining temp/storage folders are deleted.
  3. Reinstall the Detection Server software.
  4. Re-register the server in the Enforce console if necessary.

Additional Information

'Topic folders' are the folders found under
<Data directory>\Symantec\DataLossPrevention\DetectionServer\Account-storage\EnforceSlot-uuid\