Data Loss Prevention

  • 1.  V11 Upgrade Issues

    Posted Mar 24, 2011 09:50 PM

    I recently upgraded a 10.5 system to V11 on RHEL and have had some not-so-pleasant experiences.  These are only two so far, but it's only been 3 days and I'm not too impressed.  Has anyone experienced anything similar to this?  Thanks.


    1.  The Plugins.properties file cannot handle more than one module in the execution chain.  For example, I put the Live LDAP plugin into the plugins.properties file, and it works fine.  As soon as I add Data Insight, it fails miserably.  I've added every possible combination from the documentation and it does not work, and I have done this before, so I'm not sure what the issue is.

    2.  After upgrading to V11 my N. Prevent for web servers all of a sudden just stopped creating incidents.  As soon as I found the new log directory (thanks, Symantec, for passing this info on to us...) I was able to see only one error (FileTypeIdentifierImpl.cpp throws exception, no incidents are being created).  Looks like the web prevent is unable to inspect the traffic.  (#414229943) Sometimes the file reader process will restart on its own and suddenly start working.  It did not go down one time during the 10.5 install; now it can't stay up longer than 10 hours.




  • 2.  RE: V11 Upgrade Issues

    Broadcom Employee
    Posted Mar 25, 2011 04:56 AM

    For question 1:

    Did you make a backup of your Plugins.properties on 10.5 before the upgrade? If so, replace the 11 one with the backup and check the result.

    For question 2:

    What was the process of your upgrade? Did you upgrade the Oracle DB? The File Reader process is the core service/process of Network Prevent that detects incidents.



  • 3.  RE: V11 Upgrade Issues

    Posted Mar 25, 2011 05:46 AM

    The plugins.properties file contained LDAP only prior to upgrading.  DI was added after the upgrade and fails miserably.  I'm aware of what File Reader does and its relation to DLP, thank you.


    The Oracle DB was backed up and upgraded to v11 also.


    Process:

    1.  back up oracle

    2.  perform upgrade of DLP

    3.  upgrade Oracle

    4.  configure DI with new version of DLP



  • 4.  RE: V11 Upgrade Issues

    Broadcom Employee
    Posted Mar 26, 2011 11:24 AM

    So it's best to call your local TS to help you troubleshoot the issue. It seems a little complex. :(



  • 5.  RE: V11 Upgrade Issues

    Posted Mar 29, 2011 06:47 PM

    We performed the upgrade from 10.5 to 11 a week ago and at first the enforce server wasn't available because of missing libraries.  So beware of those.



  • 6.  RE: V11 Upgrade Issues

    Posted Mar 30, 2011 03:08 PM

    If you could post your plugins.properties file, I bet we can help find the problem for you.  I have been testing the config in my lab over the last few days and I was having a similar problem getting the LDAP and Insight plugins to load at the same time.  Below is what the top part of the file should look like.  My suspicion is that you need to comment out some of the excess "com.vontu.api.incident.attributes.AttributeLookup.plugins" settings, because they are overwriting each other when the config file loads:

    ----------------
    # AttributeLookup plug-ins.
    # A comma-separated list of attribute lookup plug-ins and JARs they depend on
    # specified as Specification-Title attribute of plug-in JAR manifest or JAR file name.
    com.vontu.api.incident.attributes.AttributeLookup.plugins=Vontu Directory Classes,Vontu Live LDAP Lookup,Data Insight Lookup

    # Plugin Execution Chain.
    # A comma-separated list of attribute lookup plug-ins to be executed in sequence.
    # Example: com.vontu.lookup.script.ScriptLookup, com.vontu.lookup.xls.ExcelLookup, com.vontu.lookup.script.ScriptLookup, com.vontu.lookup.datainsight.DataInsightLookup
    # This example will execute Script Lookup #1 -> ExcelLookup -> Script Lookup #2 -> Data Insight Lookup
    # Even if there is only one plugin in the chain, it must be listed here.
    com.vontu.plugins.execution.chain=com.vontu.lookup.liveldap.LiveLdapLookup, com.vontu.lookup.datainsight.DataInsightLookup

    # Plugin JAR manifests to enable Live LDAP lookups
    #com.vontu.api.incident.attributes.AttributeLookup.plugins=Vontu Directory Classes,Vontu Live LDAP Lookup

    # Plugin JAR manifests to enable Data Insight lookups
    #com.vontu.api.incident.attributes.AttributeLookup.plugins=Data Insight Lookup

    --------------------------
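The overwrite behaviour described in the post above (a Java properties loader keeps only the last value it sees for a duplicated key, so a second AttributeLookup.plugins line silently replaces the first) can be checked mechanically before restarting Enforce. The following checker is an added example and is not code from this thread or from Symantec DLP; both sample files are constructed for the example, and the cross-check between class names in the execution chain and manifest titles in the plug-in list is a heuristic assumed here, not a documented rule.

```python
"""Parse a DLP plugins.properties fragment and report which AttributeLookup
settings would actually survive the load.

java.util.Properties keeps the LAST value for a duplicated key, so a file that
enables the LDAP plug-ins on one line and the Data Insight plug-in on a later
line ends up with only the Data Insight line active. Both samples below are
constructed for this example."""

import re

# Constructed sample: the "broken" layout with both plug-in lists left enabled.
SAMPLE_BROKEN = """\
# AttributeLookup plug-ins.
com.vontu.api.incident.attributes.AttributeLookup.plugins=Vontu Directory Classes,Vontu Live LDAP Lookup

# Plugin Execution Chain.
com.vontu.plugins.execution.chain=com.vontu.lookup.liveldap.LiveLdapLookup, com.vontu.lookup.datainsight.DataInsightLookup

# Data Insight (this duplicate key silently replaces the line above)
com.vontu.api.incident.attributes.AttributeLookup.plugins=Data Insight Lookup
"""

# Constructed sample: one combined plug-in list, the extra line commented out.
SAMPLE_FIXED = """\
com.vontu.api.incident.attributes.AttributeLookup.plugins=Vontu Directory Classes,Vontu Live LDAP Lookup,Data Insight Lookup
com.vontu.plugins.execution.chain=com.vontu.lookup.liveldap.LiveLdapLookup, com.vontu.lookup.datainsight.DataInsightLookup
#com.vontu.api.incident.attributes.AttributeLookup.plugins=Data Insight Lookup
"""

PLUGINS_KEY = "com.vontu.api.incident.attributes.AttributeLookup.plugins"
CHAIN_KEY = "com.vontu.plugins.execution.chain"


def parse_properties(text):
    """Return (effective, duplicates).

    effective maps key -> the last value seen (Java semantics);
    duplicates maps key -> every value seen, for keys that appeared more than once.
    """
    effective = {}
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # Java treats '#' and '!' as comment markers
            continue
        # Java also accepts whitespace as a separator; '=' and ':' cover real DLP files.
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        seen.setdefault(key, []).append(value)
        effective[key] = value               # last one wins
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    return effective, duplicates


def split_list(value):
    """Split a comma-separated property value, dropping the spaces DLP tolerates."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_plugins_config(text):
    """Return a list of findings; an empty list means the fragment looks consistent."""
    effective, duplicates = parse_properties(text)
    findings = []
    for key, values in duplicates.items():
        findings.append(f"duplicate key {key}: only the last value survives ({values[-1]!r})")

    chain = split_list(effective.get(CHAIN_KEY, ""))
    plugins = split_list(effective.get(PLUGINS_KEY, ""))
    if not chain:
        findings.append(f"{CHAIN_KEY} is empty: even a single plug-in must be listed")

    # Heuristic assumed for this example: a class in the chain needs the matching
    # manifest title in the plug-in list, otherwise the class is never loaded.
    if any("datainsight" in c.lower() for c in chain) and not any("data insight" in p.lower() for p in plugins):
        findings.append("execution chain references Data Insight but the plug-in list does not load it")
    if any("liveldap" in c.lower() for c in chain) and not any("ldap" in p.lower() for p in plugins):
        findings.append("execution chain references Live LDAP but the plug-in list does not load it")
    return findings


if __name__ == "__main__":
    for name, sample in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(f"{name}: {check_plugins_config(sample) or 'OK'}")
```

Run it against the real file with `check_plugins_config(open("plugins.properties").read())`; the broken sample reports the duplicate key and the LDAP plug-in that the surviving line no longer loads, which is exactly the symptom of LDAP working alone and breaking once Data Insight is added.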



  • 7.  RE: V11 Upgrade Issues

    Posted Mar 31, 2011 08:30 AM

    smithsolomon: you are somewhat correct.  After further digging we discovered that the ceh process, which hosts the C++ libraries for Vontu, was overwhelming the file reader process, which in turn would not let incidents be inspected, thus making the solution not work.  This is being investigated by the Vontu development team; however, I am very surprised this wouldn't have been caught in QA, but needless to say I'm glad it will be fixed and should have an MP to resolve it ASAP... I hope.


    GregMartin: the properties file remains onsite with my customer and I have no access to it; however, if someone can post a "working" properties file that we can fill in with our own info, that would be great.


    **Update**

    Network Monitor is also experiencing the same thing. 



  • 8.  RE: V11 Upgrade Issues

    Posted Sep 09, 2011 04:28 PM

    We were on a v9 installation and installed a fresh greenfield v11 instance to avoid the whole upgrade mess.  60+ Monitor and Discover servers were in a very stable state under v9.  But after migrating them to v11.1.1 this has been our experience:

    - filereader process is overwhelmed

    - incidents trickle into the Enforce server, although drop_pcap directories fill faster than they are emptied

    - ceh.exe is filling the C: drives with tmp files under the protect user home dir

    - CPUs are maxed on the affected systems

    - some systems (Discover and Monitor) are totally unaffected and operating normally, although they're running at the same patch level as the above


    We've had a case open for more than a week but Support is stumped.