Virus detection in virtual vault cache. How to identify message?
Recently had a user archive a message from 1999 that had somehow avoided AV scanning until it had been archived into EV. More accurately, the local antivirus (McAfee) on the user's workstation appears to be scanning the temp files used to populate the virtual vault cache, and alerting on the virus. AV removes the message, but it just pops right back into the cache on the next synchronization, as the message still exists in the user's Vault. Unfortunately, I'm not finding myself able to determine the details of the message from the scan output.
File information - C:\Users\xxxxxxxx\AppData\Local\KVS\Enterprise Vault\1DFA78630018A84DA6267B9315BF1AA0\TempUpload_{3EFCFD06-322A-4FB2-A7E9-3E8E5EABAEA6}.msg\__substg1.0_37010102\POSTAL.EXE
I've tried to look up the GUID of this 'TempUpload' .msg file as a component of the SSID and IDEN values in Advanced Search, to no avail. I've tried using the GUID as TransactionID in the query in https://www-secure.symantec.com/connect/forums/archived-email-attachment-infected-virus-and-deleted-antivirus with no luck. I've performed searches on both attachments (all executables) and Subjects that relate to 'Postal'.
I seem to be drawing a blank at this point. Any other suggestions as to how I might use the "TempUpload_{3EFCFD06-322A-4FB2-A7E9-3E8E5EABAEA6}.msg" value to key in on the message?
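Added example (not code from the original thread, and not part of Enterprise Vault or McAfee): a small Python triage helper that takes an AV alert path of the shape quoted above and pulls out the pieces that identify the item, namely the Virtual Vault TempUpload GUID, the optional `__attach_version1.0_#NNNNNNNN` attachment storage, and the MAPI property encoded in the `__substg1.0_XXXXYYYY` stream name (XXXX is the property ID, YYYY the property type, per the Outlook .msg format). `__substg1.0_37010102` decodes to PR_ATTACH_DATA_BIN as PT_BINARY, i.e. the raw attachment bytes, which is why the scanner names the embedded executable underneath it. The helper also lists the stream names (subject, sender, attachment filename) worth reading out of the same .msg container to identify the message without relying on the TempUpload GUID, which is a per-sync temporary name rather than an archive identifier. The sample path is the one from the post with the username placeholder kept; the assumption that the trailing `POSTAL.EXE` is the scanner's own name for the embedded file is noted in the code.

```python
import re
from typing import NamedTuple, Optional

# MAPI property types ([MS-OXCDATA]); the subset that matters for .msg triage.
PROPERTY_TYPES = {
    0x0003: "PT_LONG",
    0x000B: "PT_BOOLEAN",
    0x001E: "PT_STRING8",
    0x001F: "PT_UNICODE",
    0x0040: "PT_SYSTIME",
    0x0102: "PT_BINARY",
}

# Well-known MAPI property IDs used to identify a message and its attachments.
PROPERTY_IDS = {
    0x0037: "PR_SUBJECT",
    0x0C1A: "PR_SENDER_NAME",
    0x1000: "PR_BODY",
    0x3701: "PR_ATTACH_DATA_BIN",
    0x3704: "PR_ATTACH_FILENAME",
    0x3707: "PR_ATTACH_LONG_FILENAME",
    0x370E: "PR_ATTACH_MIME_TAG",
}

# Naming conventions inside an Outlook .msg compound file ([MS-OXMSG]).
STREAM_RE = re.compile(r"^__substg1\.0_([0-9A-Fa-f]{4})([0-9A-Fa-f]{4})$")
ATTACH_STORAGE_RE = re.compile(r"^__attach_version1\.0_#([0-9A-Fa-f]{8})$")
# Virtual Vault cache temp file name as seen in the alert (pattern assumed from the post).
TEMPUPLOAD_RE = re.compile(r"^TempUpload_\{([0-9A-Fa-f-]{36})\}\.msg$", re.IGNORECASE)

# Constructed sample: the alert path from the post, username placeholder kept as-is.
ALERT_PATH = (
    r"C:\Users\xxxxxxxx\AppData\Local\KVS\Enterprise Vault"
    r"\1DFA78630018A84DA6267B9315BF1AA0"
    r"\TempUpload_{3EFCFD06-322A-4FB2-A7E9-3E8E5EABAEA6}.msg"
    r"\__substg1.0_37010102\POSTAL.EXE"
)


class MsgProperty(NamedTuple):
    prop_id: int
    prop_type: int
    id_name: str
    type_name: str


def decode_stream_name(name: str) -> Optional[MsgProperty]:
    """Decode __substg1.0_XXXXYYYY into property ID (XXXX) and property type (YYYY)."""
    m = STREAM_RE.match(name)
    if not m:
        return None
    prop_id, prop_type = int(m.group(1), 16), int(m.group(2), 16)
    return MsgProperty(
        prop_id,
        prop_type,
        PROPERTY_IDS.get(prop_id, f"0x{prop_id:04X}"),
        PROPERTY_TYPES.get(prop_type, f"0x{prop_type:04X}"),
    )


def stream_name_for(prop_id: int, prop_type: int) -> str:
    """Inverse of decode_stream_name: the stream to read for a given property."""
    return f"__substg1.0_{prop_id:04X}{prop_type:04X}"


def triage_alert_path(path: str) -> dict:
    """Extract TempUpload GUID, attachment index and MAPI property from an AV alert path.

    The leaf (e.g. POSTAL.EXE) is assumed to be the scanner's own name for the
    embedded file it found inside the attachment-data stream, not a real file.
    """
    parts = [p for p in re.split(r"[\\/]", path) if p]
    result = {
        "tempupload_guid": None,
        "attachment_index": None,   # None when the stream sits directly under the .msg
        "property": None,
        "leaf": parts[-1] if parts else None,
    }
    for part in parts:
        if (m := TEMPUPLOAD_RE.match(part)):
            result["tempupload_guid"] = m.group(1).upper()
        elif (m := ATTACH_STORAGE_RE.match(part)):
            result["attachment_index"] = int(m.group(1), 16)
        elif (prop := decode_stream_name(part)):
            result["property"] = prop
    return result


def streams_to_identify(attachment_index: int = 0) -> dict:
    """Streams whose contents identify the message: subject, sender, attachment filename."""
    att = f"__attach_version1.0_#{attachment_index:08X}/"
    return {
        "subject": stream_name_for(0x0037, 0x001F),
        "sender": stream_name_for(0x0C1A, 0x001F),
        "attachment_long_filename": att + stream_name_for(0x3707, 0x001F),
    }


if __name__ == "__main__":
    info = triage_alert_path(ALERT_PATH)
    print(f"TempUpload GUID : {info['tempupload_guid']}")
    print(f"Property        : {info['property'].id_name} ({info['property'].type_name})")
    print(f"Scanner leaf    : {info['leaf']}")
    print("Read next       :", streams_to_identify())
```

The decoded property tells you that the detection sits on the attachment-data stream, so the useful identifiers are the neighbouring subject and attachment-filename streams of the same .msg, which an OLE-aware tool can read from the temp file before the scanner removes it; once the subject or sender name is known, the item can be located in the Vault and dealt with there rather than re-synced into the cache.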
All items in the MDC file will be stubs/small ... until you hit the ones that the user has dragged and dropped in. They'll be bigger.
I don't *think* these items will be in the .DB files.