Hi, We have excluded all the Vault store drives along with the other recommeded exclusions (http://www.veritas.com/docs/000032085) in Enterprise Vault 12 for Exchange. However, we have noticed that there are several mails inside the store has some suspicious attachments. Though the exclusions are set in EV server, these attachments are picked for its malicious content by end point antivirus product installed on user systems while scanning the Vault Cache. Since the store has retention forever, the users are unable to delete as well as by antivirus product.
Some of these mails with attachments were received by the user several months back. However these mails and attachments were now considered as malicious with the latest antivirus signature patterns.
Would like to check with you for any best practice to follow in this case to overcome this issue.
This is an interesting discussion topic. As you realize now, sometimes infected items are archived, without detection. Then, new AV definitions, or new AV software, detects an infected item. As it is catched on the client, it should be stopped from executing, but due to your settings, it cannot be removed from the archive (as you found).
You have 2 options I think:
1 - keep as is. Inform users that if they get a warning, it is because of above described issue. As long as users are aware, they should not be alarmed.
2 - find which archives have infected items, and which items exactly. Change the config of EV to allow manual deletions. (retention category change + setting on the specific archive). Give yourself access to the archive, and find and delete the offending item. There is documentation available in the KB on how to do this. For instance: http://www.veritas.com/docs/000030011