An incident lists an attachment named _kv0.tmp (or _kv1.tmp, _kv2.tmp, etc.), but no attachment with that name exists inside the incident. What is this file? How can I find it?
The _kv0.tmp file is the extraction of a hidden file embedded within another attachment, such as an Excel spreadsheet or PowerPoint document. We check for hidden files to ensure that confidential information is not included in them. The hidden file can be extracted using tstxtract.exe. The process is similar to using filter.exe to extract content, as described in the document listed in the "Related Article" section.
From a command prompt, change directory to the Vontu product tree:
For v10.5 and previous:
Windows 32-bit: C:\Vontu\Protect\plugins\contentextraction\Verity\Win32
Windows 64-bit: C:\Vontu\Protect\plugins\contentextraction\Verity\x64
For v11 and above:
Windows 32-bit: C:\SymantecDLP\Protect\plugins\contentextraction\Verity\Win32
Windows 64-bit: C:\SymantecDLP\Protect\plugins\contentextraction\Verity\x64
Linux 32-bit: /opt/Vontu/Protect/plugins/contentextraction/Verity/i686
Linux 64-bit: /opt/Vontu/Protect/plugins/contentextraction/Verity/x86_64
Find the program called “tstxtract.”
Type: tstxtract <name of input file> <name of output directory>
The input file is the original message. The output contains the hidden file. This file can be examined as is, or you can run filter.exe on the output to examine the extracted content.
Symantec Data Loss Prevention 10.5 and below
Symantec Data Loss Prevention 11x and above
Imported Document ID: TECH222006