000037104 - FileNotFoundException in RSA NetWitness Endpoint ConsoleServer-Error.log

Document created by RSA Customer Support Employee on Jan 16, 2019
Version 1

Article Content

Article Number 000037104
Applies To
   RSA Product Set: NetWitness Endpoint
   RSA Product/Service Type: NetWitness Endpoint
   RSA Version/Condition: 4.3.x.x, 4.4.x.x
   Platform: Windows
   Platform (Other): SQL 2014 Standard/Enterprise, SQL 2012 Standard/Enterprise
Issue
Modules are downloaded and written to the \Files directory according to the settings specified in the Global Parameters page as shown below.

[Screenshot: Global Parameters]

When the file is written to this directory, an underscore is appended to the filename to prevent inadvertent execution of the module. The file name is written to the database when this download is completed and is available for analysis should an analyst decide further investigation is required.

RSA has observed instances in which a module is present in the database but is NOT present on disk. When access to this file is attempted, the following error is logged in the ConsoleServer-Error.log file:
 

[8] System.IO.FileNotFoundException:
Could not find file 'C:\ECAT\server\Files\9039\aaaaa_5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9_00001.exe_'.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)
at a.a.a.Xᜄ.ᜀ(String A_0, Xᜅ A_1, Int32 A_2, CancellationToken A_3)
at a.b.Xᜁ.ᜀ(X᜘ A_0, Boolean A_1, Boolean A_2)
Cause
In most cases this is due to AV software quarantining or deleting the file in question, although there are other potential causes of this error, such as lack of drive space.
Resolution
Correcting this error requires that you first inventory the files in the \Files directory and then compare the files on disk to those in the database. Finally, any files that are present in the database but not present on disk are removed from the database. RSA has provided a simple tool (ExportEcatRelFiles.exe) that inventories the \Files directory and exports the relative paths of these files to a text file. Once this is complete, run the attached query “Delete Entries From MachineDownloaded.sql” to remove unwanted entries from the database.

  1. In a command prompt, execute ExportEcatRelFiles.exe using the following syntax:
    ExportEcatRelFiles.exe <path to \Files directory> <output filename>
  2. The resulting file should look something like this:
    [Screenshot: Results]
  3. Open SQL Server Management Studio, make sure ECAT$PRIMARY is the selected database and open "DeleteEntriesfromMachineDownloaded.sql".
  4. Update the path to the output file created in step 1; in this example we ran the inventory from C:\Temp and wrote the output file to that directory.
    [Screenshot: query update]
  5. (OPTIONAL) By default, the SQL query will not make any changes to the database: ROLLBACK is enabled and COMMIT is commented out, so nothing is written. Run the query as-is to discover how many entries will be removed from the database when the COMMIT is enabled.
    [Screenshot: safe to run]
  6. To remove the orphaned entries from the database, you must comment out the ROLLBACK entry and uncomment the COMMIT entry.
    [Screenshot: will update database]
  7. Run the query.
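Before enabling COMMIT, it is useful to know which modules the log actually reports as missing, so they can be matched against AV quarantine records. The following Python script is an added example, not RSA code: it extracts the paths from ConsoleServer-Error.log entries in the format shown above and drops any that appear in the inventory file. The one-path-per-line inventory format, the function names and the reading of the 64-hex token in the file name as the module hash are assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Exception header, then (same or next line) the quoted path of the missing file.
MISSING_RE = re.compile(
    r"System\.IO\.FileNotFoundException:\s*Could not find file '([^']+)'")
# Assumption: the 64-hex token in the stored file name is the module's hash.
HEX64_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])")

def missing_modules(log_text, files_root):
    """Map each missing path (relative to files_root) to its number of log hits."""
    root, hits = PureWindowsPath(files_root), Counter()
    for full in MISSING_RE.findall(log_text):
        try:
            hits[str(PureWindowsPath(full).relative_to(root))] += 1
        except ValueError:
            pass  # file lies outside \Files, so it is not a downloaded module
    return hits

def module_hash(rel_path):
    match = HEX64_RE.search(PureWindowsPath(rel_path).name)
    return match.group(0).lower() if match else None

def confirmed_orphans(log_text, files_root, inventory_lines):
    """Logged paths that are also absent from the inventory: (path, hits, hash)."""
    # Assumption: the inventory holds one path per line, relative to \Files.
    on_disk = {ln.strip().lstrip("\\").lower() for ln in inventory_lines if ln.strip()}
    return [(rel, n, module_hash(rel))
            for rel, n in sorted(missing_modules(log_text, files_root).items())
            if rel.lower() not in on_disk]

# Constructed sample: the first path is the one in the log excerpt above,
# the second path and the inventory line are made up for this example.
SAMPLE_LOG = r"""
[8] System.IO.FileNotFoundException:
Could not find file 'C:\ECAT\server\Files\9039\aaaaa_5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9_00001.exe_'.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
[8] System.IO.FileNotFoundException:
Could not find file 'C:\ECAT\server\Files\9039\aaaaa_5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9_00001.exe_'.
[9] System.IO.FileNotFoundException:
Could not find file 'C:\ECAT\server\Files\1234\bbbbb_6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b_00001.dll_'.
"""
SAMPLE_INVENTORY = [r"1234\bbbbb_6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b_00001.dll_"]

if __name__ == "__main__":
    rows = confirmed_orphans(SAMPLE_LOG, r"C:\ECAT\server\Files", SAMPLE_INVENTORY)
    for rel, n, digest in rows:
        print(f"{n}x {rel} hash={digest}")
```

A path that is logged as missing but present in the inventory (the second sample entry) was restored or re-downloaded after the error and is not counted as orphaned.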
 
Workaround
NONE.