Policies stop working after adding a regex to a custom data identifier
search cancel

Policies stop working after adding a regex to a custom data identifier

book

Article ID: 163242

calendar_today

Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

After adding a new regular expression pattern to a custom data identifier that is used in a policy, all policies in Symantec Data Loss Prevention (DLP) stop working. 

A review of File Reader log on any of the impacted detection servers shows the following error for every message to be processed:

com.vontu.detection.DetectionChain processMessage
WARNING: Error processing message [<Message ID>]
java.lang.IllegalArgumentException: <\b> not a valid letter for index.
at com.vontu.detection.dataidentifier.PatternUtil.convertLetterToArrayIndex(PatternUtil.java:63)
at com.vontu.detection.dataidentifier.PatternUtil.convertLetterToArrayIndex(PatternUtil.java:68)
at com.vontu.detection.dataidentifier.patternfsm.FsmUtil.findBestNodeMatch(FsmUtil.java:53)
at com.vontu.detection.dataidentifier.patternfsm.PatternFsm.addLinksToAllNodes(PatternFsm.java:112)
at com.vontu.detection.dataidentifier.patternfsm.PatternFsm.addPattern(PatternFsm.java:87)

Cause

Custom Data Identifiers have a limited regular expression functionality.

Some Regular Expression constructs will not work in the Custom Data Identifier pattern.

There is limited validation in the user interface, so it is possible to save an incorrect Regular Expression.

This article contains a partial list of regular expression constructs that will not work within a custom Data Identifier (DI).

The following characters do not function as they do in standard Regular Expressions.

* Asterisk
+ Plus Sign
| Pipe
. Period
\w Word Character; cannot be used to match the underscore, _ , character.
\s Whitespace Character; Restricted. Replace with whitespace to be matched.
\b Word Boundry; Restricted. Not supported by the DI engine.

 

Resolution

Remove the invalid character identified in the File Reader log from the regex pattern most recently added to the custom data identifier.

The Invalid DI can be found by running the following SQL replacing the highlight with the character from the error above

select di.name from dataidentifierpattern dip 

join DATAIDENTIFIERBREADTH dib on dip.BREADTHID = dib.BREADTHID

join DATAIDENTIFIER di on di.DATAIDENTIFIERID = dib.DATAIDENTIFIERID

join DATAIDENTIFIERCONDITION dac on di.DATAIDENTIFIERID = dac.DATAIDENTIFIERID

where dip.pattern like '%\b%';