Hello,
Recently our security team decided to deploy AV to our EV 10 server without implementing any kind of exclusions.
About a week later, we noticed EV using 100% cpu constantly and spawning new index processes every second and logging the following errors in E:\Program Files (x86)\Enterprise Vault\EVIndexing\data\indexmetadata\reporting\system-reporting:
[live] [indexer] for collection [15F3CD023737CBB48B951077FCB4736C4_594] terminated unexpectedly: [A file [.\viv_idx_Q71BY7] that we created has now disappeared. Cannot continue ([index-merger.c]:1160 [Fri Apr 04 08:31:29 2014
]]
Could not start the [live] [indexer] ([E:\Program Files (x86)\Enterprise Vault\EVIndexing\bin\indexer-service]) in [E:\Enterprise Vault\Indexes\Indexes 01\Indexes\index4\103326B3E1C0BBD47B2614F0BC4251A79_434\live] for collection [103326B3E1C0BBD47B2614F0BC4251A79_434]: <log ><log ><error time="177390" date="1396564288" id="SERVICE_EXEC_FAILED" >Failed to run <string name="command" >E:\Program Files (x86)\Enterprise Vault\EVIndexing\bin\indexer-service</string> in mode <string name="mode" >--go</string> in path <string name="path" >E:\Enterprise Vault\Indexes\Indexes 01\Indexes\index4\103326B3E1C0BBD47B2614F0BC4251A79_434\live</string> using port <int name="port" >52864</int>: <string name="error" >The media is write protected.
</string>. </error></log></log>
Those errors are logged every few seconds as the indexing service fails and spawns another process.
I'm not sure why it is saying the media is write protected either, I can see that it's not and that the service account has access to write.
As an interim workaround, I closed all the indexes in question and set them to backup mode so nothing can be written to them and uninstalled the AV, I then added a set of new indexes and that has been working for now.
As this is a patchy fix, I was wondering if it is possible at all to recover the indexes that are now corrupt?
