After adding a new regular expression pattern to a custom data identifier that is used in a policy, all policies in Symantec Data Loss Prevention (DLP) stop working.
A review of the File Reader log on any of the impacted detection servers shows the following error for every message to be processed:
com.vontu.detection.DetectionChain processMessage
WARNING: Error processing message [<Message ID>]
java.lang.IllegalArgumentException: <\b> not a valid letter for index.
at com.vontu.detection.dataidentifier.PatternUtil.convertLetterToArrayIndex(PatternUtil.java:63)
at com.vontu.detection.dataidentifier.PatternUtil.convertLetterToArrayIndex(PatternUtil.java:68)
at com.vontu.detection.dataidentifier.patternfsm.FsmUtil.findBestNodeMatch(FsmUtil.java:53)
at com.vontu.detection.dataidentifier.patternfsm.PatternFsm.addLinksToAllNodes(PatternFsm.java:112)
at com.vontu.detection.dataidentifier.patternfsm.PatternFsm.addPattern(PatternFsm.java:87)
Custom Data Identifiers support only a limited subset of regular expression functionality.
Some Regular Expression constructs will not work in the Custom Data Identifier pattern.
There is limited validation in the user interface, so it is possible to save an incorrect Regular Expression.
This article contains a partial list of regular expression constructs that will not work within a custom Data Identifier (DI).
The following characters do not function as they do in standard Regular Expressions.
* | Asterisk |
+ | Plus Sign |
| | Pipe |
. | Period |
\w | Word Character; cannot be used to match the underscore, _ , character. |
\s | Whitespace Character; Restricted. Replace with whitespace to be matched. |
\b | Word Boundary; Restricted. Not supported by the DI engine. |
Remove the invalid character identified in the File Reader log from the regex pattern most recently added to the custom data identifier.
The invalid DI can be found by running the following SQL, replacing the highlighted character (\b in this example) with the character from the error above:
select di.name from dataidentifierpattern dip
join DATAIDENTIFIERBREADTH dib on dip.BREADTHID = dib.BREADTHID
join DATAIDENTIFIER di on di.DATAIDENTIFIERID = dib.DATAIDENTIFIERID
join DATAIDENTIFIERCONDITION dac on di.DATAIDENTIFIERID = dac.DATAIDENTIFIERID
where dip.pattern like '%\b%';
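Because the user interface validates little, a candidate pattern can be checked against the constructs in the table above before it is saved to a custom DI. The following Python linter is an added example, not Symantec code: the name lint_di_pattern is hypothetical, and it assumes that a backslash-escaped character other than \w, \s and \b (for example \. or \\) is a literal.

```python
# Added example: lint a candidate custom DI pattern against the constructs
# this article lists. The article's list is partial, so an empty result does
# not guarantee that the DI engine accepts the pattern.

# Unescaped characters the article says do not behave as in standard regex.
BARE = {"*": "Asterisk", "+": "Plus Sign", "|": "Pipe", ".": "Period"}

# Escape sequences the article lists, with the restriction it states.
ESCAPES = {
    "w": "\\w cannot be used to match the underscore character",
    "s": "\\s is restricted; replace with the whitespace to be matched",
    "b": "\\b is restricted; not supported by the DI engine",
}


def lint_di_pattern(pattern):
    """Return a list of (offset, token, reason) for each listed construct."""
    findings = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt in ESCAPES:
                findings.append((i, "\\" + nxt, ESCAPES[nxt]))
            # Assumption: any other escaped character is a literal and is
            # not reported. Skip both characters of the escape sequence.
            i += 2
            continue
        if ch in BARE:
            reason = BARE[ch] + " does not function as in standard regex"
            findings.append((i, ch, reason))
        i += 1
    return findings


if __name__ == "__main__":
    # Constructed sample patterns, not taken from any real policy.
    for candidate in [r"\b\d{3}-\d{4}\b", r"ID\\b\d+", r"[A-Z]{2}\d{6}"]:
        print(candidate, lint_di_pattern(candidate))
```

Each finding gives the offset of the construct in the pattern, which makes it easier to locate in a long pattern than the File Reader error, which names only the character.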