Forum Discussion

dmc123
Level 4
14 years ago
Solved

Enterprise Vault and Virus

When you run Enterprise Vault (8.0) and you have a virus that comes in on an email which is not caught prior to archiving, how is this typically handled? In other words, can I cleanse the email? Do people remove the email? Is there no worry about the virus?

I ask so that, if we have an issue where an infected email is archived, users do not pull out an infected email when searching/restoring/etc. the archive in the future.

  • Well, Enterprise Vault is typically requested to be excluded from anti-virus detection, because a lot of times they can pick up DVS/DVSSP/DVSCC files and misidentify them as viruses. It's a difficult situation to be in; if you can identify it from the client side, you can just get them to delete it from Search.asp/ArchiveExplorer etc.

    Normally though, most companies have multiple layers of security:
     - on the gateway coming in and out of the company
     - on the Exchange servers themselves
     - on the user's client machine and with an Outlook add-in

    Obviously Enterprise Vault being excluded on the temp directory and the vault stores can be seen as a big hole, but if they escape three layers of security already, it most likely wouldn't even have been picked up on the EV server either, unfortunately.

  • If an infected item (mail/file/attachment) has been stored in EV, there is no AV solution that will scan and clean this.

    You will need to rely on the desktop/mail/gateway AV to pick up the virus if needed.

    Example.

    Virus archived without being detected (due to new virus, old definitions, no av at all).

    Month later, user wants to forward mail to someone, EV action = forward whole item. Item is scanned by the now installed and up-to-date desktop AV: CATCH.

    Or, mail is sent: CATCH in Exchange, or at the gateway.

    GJ

    • Hello,

      We currently have the problem that every week an alarm is received by our CFC because an endpoint has pulled another old mail from the vault that is infected. We then scanned the Vault Cache and unfortunately found over 290 mails or attachments containing malware.

      Is there a way to simply delete these mails so that an endpoint does not report every week and sends an alarm?

      •
        GertjanA
        Moderator

        As it is VC, this is a copy of the actual Vault. If I recall correctly, you can state that VC only has headers. That would leave the items in the archive until recalled, which might prevent these alerts initially.

        To 'clean', depending on your retention settings, and if deletions are allowed, you could perform a DA search on those specific items, and remove those from the archives. There's a lot of 'ifs', but it should be possible to remove the items from the respective archives.
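The reply above turns "an alarm every week" into a concrete cleanup task: work out which cached items are actually involved, which archives they belong to, and hand that list to a DA search. The script below is an added example (not Veritas/Enterprise Vault code and not from anyone in this thread) that does the first part: it parses endpoint AV alerts, keeps only those raised on Vault Cache paths, and merges repeat alerts for the same cached item across weeks and endpoints into one worklist entry. The alert line format, the Vault Cache folder layout, and the hostnames, mailboxes and threat names in the sample are all constructed assumptions; adapt the regular expression to whatever your AV console actually exports.

```python
"""Triage recurring endpoint AV alerts raised on Enterprise Vault Vault Cache files.

Added example, not Enterprise Vault or Veritas code. It assumes a one-line-per-alert
text export of the form '<ISO timestamp> host=<name> threat=<name> path=<file>'
(a constructed format) and that the cached item's parent folder names the owning
mailbox/archive (an assumption about the cache layout, not a documented fact).
"""
import re
from dataclasses import dataclass, field

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+threat=(?P<threat>\S+)\s+path=(?P<path>.+)$"
)

# Constructed sample: one cached item re-triggers on the same endpoint two weeks
# running (with different filename casing), a second item fires elsewhere, and one
# alert has nothing to do with the Vault Cache and must be ignored.
SAMPLE_ALERTS = """\
2024-01-08T09:12:01Z host=WS-0412 threat=Trojan.Generic path=C:\\Users\\amy\\AppData\\Local\\KVS\\Enterprise Vault\\VaultCache\\amy@example.com\\ABC123.dvs
2024-01-15T10:03:44Z host=WS-0412 threat=Trojan.Generic path=C:\\Users\\amy\\AppData\\Local\\KVS\\Enterprise Vault\\VaultCache\\amy@example.com\\abc123.DVS
2024-01-15T11:20:19Z host=WS-0777 threat=Trojan.Generic path=C:\\Users\\bob\\AppData\\Local\\KVS\\Enterprise Vault\\VaultCache\\bob@example.com\\DEF456.dvs
2024-01-16T08:00:00Z host=WS-0999 threat=PUA.Toolbar path=C:\\Users\\cat\\Downloads\\setup.exe
"""


@dataclass
class CachedItem:
    """One distinct cached file, however many alerts it has produced."""
    path: str
    threat: str
    hosts: set = field(default_factory=set)
    alert_count: int = 0
    first_seen: str = ""
    last_seen: str = ""


def parse_alert(line):
    """Return the alert fields as a dict, or None for lines that do not match."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def is_vault_cache_path(path):
    """Only alerts inside a VaultCache folder are recalled-archive items."""
    return "\\vaultcache\\" in path.lower()


def build_worklist(text):
    """Group Vault Cache alerts by cached item, keyed on the case-folded path.

    Windows paths are case-insensitive, so ABC123.dvs and abc123.DVS are the
    same cached item and must not be counted twice.
    """
    items = {}
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None or not is_vault_cache_path(a["path"]):
            continue
        key = a["path"].lower()
        item = items.setdefault(key, CachedItem(path=a["path"], threat=a["threat"]))
        item.hosts.add(a["host"])
        item.alert_count += 1
        item.first_seen = min(item.first_seen or a["ts"], a["ts"])
        item.last_seen = max(item.last_seen, a["ts"])
    return items


def summarize(items):
    """Flatten to (filename, owning folder, alert count, distinct hosts), noisiest first.

    The owning folder is taken from the path's parent directory (assumption, see
    module docstring); it tells you which archive to run the DA search against.
    """
    rows = []
    for item in items.values():
        parts = item.path.split("\\")
        rows.append((parts[-1], parts[-2], item.alert_count, len(item.hosts)))
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    for filename, owner, alerts, hosts in summarize(build_worklist(SAMPLE_ALERTS)):
        print(f"{filename:<12} archive={owner:<18} alerts={alerts} hosts={hosts}")
```

Run against a real export, the output is the list of distinct items to locate with a DA search and, retention permitting, remove from their archives. Deleting only the cached copy on the endpoint is not enough: as the reply notes, the cache is a copy, so the item is recalled again and the alert comes back.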
