Data Loss Prevention

R ecently we had to re-image the box on which Discover server was installed. So we went ahead and installed the detection server and WinPcap on the box.

Now on the Enfroce console, it is detecting the recently added detection server, but in the overview tab - the server status is "starting" and it does not change to "Running". In events screen..there is one which says "Filereader failed to start". 

Did anyone have similar issues while installing detection server? 

Thanks,
Roop

On my VM demo box (Windows Server 2008 R2) I am having the same probelms and was just digging here around connect to see what the problem is.

If i look in the log file I get a notification that Filereader has restarted execessivley.  Running DLP 11.1, Network MOnitor.

Would be interested to see what is going on

Its the same environment at my place too. When you installed Vontu Protect on this VM, did you see any error regarding VIsual C++ 2005?

It was network monitor not network protect and i didn't see any error messages regarding Visual C++ or anything else. 

ohh yeah..i see that now. This is the error message i got when i was installing detection server on VM with Windows Server 2008 R2:

Activation context generation failed for "E:\Vontu\Protect\lib\native\ContentExtractionJNI.dll". Dependent Assembly Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8" could not be found. Please use sxstrace.exe for detailed diagnosis.

We have seen this same problem and I have a case open with support on it also.  They seem to think it's a "hardening of the server" problem but I'm not convinced.  Try this, on your win 2008 box look to see if the protect folder is there under c:\users.  On our server it was not, thus the filereader doesn't have any temp space to write to thus it won't start.  For some reason the Protect user doesn't seem to have permissions that it needs to make the directory.  Try this, uninstall V11, reinstall v11 then put the Protect user in the local Administrators group then apply the v11.1.1 patch.  That's what we did and the c:\users\protect folder (and subfolders) were created and Filereader was able to start.

Hi, juliusroop,

Could you please check this log file: FileReader0.log?

there will be the detailed error message about why the filereader failed to start.

Try the following:

a) Disable all policies (if any) and try restarting the services. This will rule out any policy causing an issue.

b) In case if Filereader starts with policies disabled, enable each one by one while restarting the services each time.

c) As suggested by Red, check the size of the protect user profile temp folder. You may have to purge the temp files older than 24hrs manually, in case it is consuming disk space.

d) If the issue exists, Check the VontuMonitor.log for events arount the timestamp when you restarted the services.

Thanks a lot for responding guys! Like Red Vector mentioned, I have verified that there is a Protect folder in the C:Users directory.

Yang, I could not find any data in any of the log files on this server. I have peeped into Filereader0.log too!

Finally though it seemed to work fine..when i un-installed both Vontu and Visual C++ from the vm and rebooted it and then installed them again. Also, i went in to Users directory on the C drive and deleted all the protect folder and it's companion (protect_update).

So with a fresh install of Vontu detection server and Visual C++ 2008..i got away with those errors/events.

NOW, i have a new event..

"Failed to load database profile"

Failed to load RAM index from E:\Vontu\Protect\index\DataSource.1.109.rdx.
No incidents will be detected against database profile "CORP Source" version 109.

Noticed that my protect user on Windows Server 2008 R2 box wasn't a member of the local administrators group, so I added it to the group and still no joy on the file reader.

Will have to llok up the 11.1.1 patch

btw my path is point the system temp to c:\windows\temp and protect's temp as app data\local\temp

The "Failed to load database profile" error may occur due to the system being unable to load IDM/EDM into memory. Tweaking the following settings may help:

Note: These settings must be tweaked carefully and performance of the system must be monitored closely post the tweaks.

• ProfileIndex.MinimumMemoryReserve - This is available under the advanced settings of the Detection server. By default, this is set to 200M in 11.1.1. However, you may try increasing this and check if it resolves the issue. (This value is increased beyond 200M in very rare cases, mostly IDM)

• index_process_memory_reserve - This is available in the Indexer.properties file. You may increase this value and monitor if the issue persists.

Success

After updating my server I have everything rocking and rolling thanks for the help