Data Loss Prevention

Good Morning,

We're in the process of running network discover scans on several of the file shares located within our network. About half of our scans end in error:

We initially thought that this was due to a permissions issue, however, the DLP service account used for the scanning has domain admin access. I've looked through the logs on both the Enforce server and the Network Discover server used for scanning and have turned up with nothing. I will attempt to run an incremental scan tonight to see if it will complete.

Has anyone ran into this problem before?

Hey,

Unknown error can mean many different things.

Try map the shares you're targetting while RDP'd into the Discover servers with the service account. If it doesn't work, it could be firewall/network related or try using the IP of the servers instead of DNS names.

Dean

We have experinced this as well and it's not a permissions error, firewall, or DNS.  The account can map a drive from the Windows 2012 based scanner to the network storage and it is able to browse everything just fine.  TCP/8100 is open in the firewall and the Enforce server can communicate with it fine. Scanner and network share is on the same network.

DLP version 14.5.0100.01060

FileReader0 log did have this though (highlighted in bold below):

Jan 19, 2017 1:22:26 PM com.vontu.discover.crawler.framework.RepositoryCrawler openContentRoot
INFO: (DISCOVER.120) Opening content root //SERVER NAME REDACTED/SHARE NAME REDACTED
Jan 19, 2017 1:22:26 PM com.vontu.discover.crawler.framework.ContentRootCleanup closeContentRoot
INFO: (DISCOVER.123) Closing content root //SERVER NAME REDACTED/SHARE NAME REDACTED, status: Unknown Error.
Jan 19, 2017 1:22:26 PM com.vontu.discover.crawler.framework.RepositoryCrawler handleRepositoryException
INFO: (DISCOVER.122) Failed to open content root //SERVER NAME REDACTED/SHARE NAME REDACTED, reason: Unknown Error.
Jan 19, 2017 1:22:26 PM com.vontu.discover.crawler.framework.RepositoryCrawler handleRepositoryException
SEVERE: Unknown Error.
com.vontu.discover.repository.RepositoryException: Unknown Error.
              at com.vontu.filesystemcrawler.ExceptionConverterImpl.createRepositoryException(ExceptionConverterImpl.java:134)
              at com.vontu.filesystemcrawler.ExceptionConverterImpl.convertSmbException(ExceptionConverterImpl.java:201)
              at com.vontu.filesystemcrawler.RootFileFactory.createRootFile(RootFileFactory.java:63)
              at com.vontu.filesystemcrawler.FileSystemContentRoot.open(FileSystemContentRoot.java:87)
              at com.vontu.discover.crawler.framework.RepositoryCrawler.openContentRoot(RepositoryCrawler.java:657)
              at com.vontu.discover.crawler.framework.RepositoryCrawler.crawlUserContentRoot(RepositoryCrawler.java:502)
              at com.vontu.discover.crawler.framework.RepositoryCrawler.crawl(RepositoryCrawler.java:393)
              at com.vontu.discover.crawler.framework.RepositoryCrawler$CrawlerThread.run(RepositoryCrawler.java:267)
Caused by: jcifs.smb.SmbAuthException: Access is denied.
              at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:546)
              at jcifs.smb.SmbTransport.send(SmbTransport.java:663)
              at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:390)
              at jcifs.smb.SmbSession.send(SmbSession.java:218)
              at jcifs.smb.SmbTree.treeConnect(SmbTree.java:176)
              at jcifs.smb.SmbFile.doConnect(SmbFile.java:914)
              at jcifs.smb.SmbFile.connect(SmbFile.java:960)
              at jcifs.smb.SmbFile.connect0(SmbFile.java:883)
              at jcifs.smb.SmbFile.exists(SmbFile.java:1458)
              at com.vontu.filesystemcrawler.file.SmbFileAdapter.ensureExists(SmbFileAdapter.java:231)
              at com.vontu.filesystemcrawler.file.FileFactory.createFile(FileFactory.java:72)
              at com.vontu.filesystemcrawler.RootFileFactory.createRootFile(RootFileFactory.java:59)
              ... 5 more
Jan 19, 2017 1:22:26 PM com.vontu.discover.crawler.framework.RepositoryCrawler crawl
INFO: Crawl complete.
Jan 19, 2017 1:22:26 PM com.vontu.discover.crawler.framework.ContentRootCleanup closeContentRoot
INFO: (DISCOVER.123) Closing content root //SERVER NAME REDACTED/SHARE NAME REDACTED, status: Unknown Error.
Jan 19, 2017 1:22:26 PM com.vontu.discover.crawler.framework.ContentRootCleanup completed
INFO: Scan completed successfully
Jan 19, 2017 1:22:26 PM com.vontu.discover.remediation.detection.task.ScanCompletedTask run
INFO: (DISCOVER.125) Catalog create/update complete for target id: 24646, scan id: 58566, update count: 0
Jan 19, 2017 1:23:27 PM com.vontu.itemcatalog.derby.BloomFilterTableCompressor$1 executeUpdate
INFO: Compressing incremental index DerbyDatabase [MONITOR\TARGET_24646, 1761945847]
Jan 19, 2017 1:23:27 PM com.vontu.itemcatalog.derby.BloomFilterTableCompressor$1 executeUpdate
INFO: Compression complete
Jan 19, 2017 1:23:27 PM com.vontu.itemcatalog.derby.DerbyDatabase shutdown
INFO: Closing incremental index: DerbyDatabase [MONITOR\TARGET_24646, 1761945847]
Jan 19, 2017 1:23:27 PM com.vontu.itemcatalog.derby.DerbyDatabase shutdown
INFO: Incremental index is now closed: DerbyDatabase [MONITOR\TARGET_24646, 1761945847]

Duplicate post.  I tried to edit my original and it spawned a 2nd one.  Weird.