
Is there a way for admins to delete vault messages without allowing users to do so?

samtl008
Level 2

Hi All, 

We've recently installed Enterprise Vault (v.11.0.0.1444) into our environment (2x Exchange 2010 CAS/HT/MB in DAG). We have enabled most users now and have come up with our first virus alert on the EV front end server.

We are using Trend Officescan 10.6 SP3 and it flagged an infection:

Virus: TROJ_DALEXIS.SMH
Location: \Device\HarddiskVolumeShadowCopy58\Enterprise Vault Stores\MBXVaultStore01 Ptn1\2015\01-28\0\000\0000E5463CFA3D1F929DB469C2473761~25~44062B41~00~1.DVSSP

We have used a SQL query to find out the specific user and folder which we have tracked down to an email in the Junk E-Mail folder, however the next step is to remove the email from the Vault console which is where the problem arrives.

At the moment, we have not got the setting "Users can delete items from their archives" turned on, as we do not want users to be able to accidentally remove items. From reading TECH128602, it says we must turn this on, but it is a global setting on the EV site, so we could not get away with enabling it without allowing users to also delete items.

Surely there is a way that admins can browse a user's vault and remove an email without giving everybody the privilege. Does anyone know if this is possible?

Otherwise I can only assume we would have to turn it on out of hours, remove the message and then turn it off again.

Thanks

Sam

3 REPLIES

GertjanA
Moderator
Partner, VIP, Accredited Certified

First, you should NOT scan your vaultstore partitions, indexes etc.

This might cause a corruption. See http://www.symantec.com/docs/TECH48856

And as you say, you will need to do this outside of business hours. There is no way to do this without giving your users the same ability...

Regards. Gertjan

samtl008
Level 2

Hi GertjanA,

We do have exclusions in place for the following locations:

C:\Program Files (x86)\Enterprise Vault

C:\Users\SVC_EV\AppData\Local\Microsoft\Windows\Temporary Internet Files

C:\Windows\Temp

C:\Windows\Inf\Enterprise Vault Index Query Server

C:\inetpub\temp\apppools\EnterpriseVaultAppPool

D:\Enterprise Vault Installation Files

D:\MSMQ

D:\PSTHolding

D:\PSTMigrator

D:\ServerCache

D:\Shopping

D:\StorageQueue

D:\Temp

E:\Enterprise Vault Stores

F:\IndexLocation1

F:\IndexMetadata

It wasn't me who originally put this in, so I'm picking things up as I go along. I was thinking that as we had E:\Enterprise Vault Stores excluded, it was covered, but the virus log location is:

\Device\HarddiskVolumeShadowCopy70\Enterprise Vault Stores

So I guess I need to see how we exclude shadow copy in Trend Officescan. I have looked in the virus logs and the location changes each time it picks the file up:

\Device\HarddiskVolumeShadowCopy73\Enterprise Vault Stores\MBXVaultStore01 Ptn1\2015\

\Device\HarddiskVolumeShadowCopy70\Enterprise Vault Stores\MBXVaultStore01 Ptn1\2015\

\Device\HarddiskVolumeShadowCopy61\Enterprise Vault Stores\MBXVaultStore01 Ptn1\2015\

Perhaps a blanket rule for all file types ending in .DVSSP? I couldn't see anything specifically mentioning the file extension to be excluded.

As for removing the message, I guess it will have to be out of hours.

Thanks

GertjanA
Moderator
Partner, VIP, Accredited Certified

Ah, no, you're scanning your shadow copy file location too, which generates the alerts.

Blanket rule requires more, but excluding locations is the way to go.

*.dvs, *.dvssp, *.dvssc, *.cab and also *.archdvs, *.archdvssp, *.archdvssc, *.archcab

The general rule of thumb we go by is:

Do not scan EV locations at all. If there is a virus in an archived message, it will be caught when the message is opened on the workstation. Scanning EV locations gives you the risk of corrupting your EV environment (think of the AV solution quarantining or deleting files). That is a big no-no as far as I am concerned. As the EV data is in its own format, there is no risk of accidental execution on the EV server.

Regards. Gertjan
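A small triage helper, added here as an example and not part of the thread or of any Trend or Enterprise Vault tooling: it takes an alert location in the shape the poster's virus log shows, detects the \Device\HarddiskVolumeShadowCopyNN form, and reports whether the configured drive-letter directory exclusions or the extension exclusions Gertjan lists would cover it. The exclusion lists and sample alert lines are constructed from values in the thread; the assumption that a snapshot belongs to the volume holding the excluded directory must be confirmed with `vssadmin list shadows` before acting on the result.

```python
import re
from pathlib import PureWindowsPath

# Enterprise Vault extensions listed in the thread as the ones to exclude from scanning.
EV_EXTENSIONS = {".dvs", ".dvssp", ".dvssc", ".cab",
                 ".archdvs", ".archdvssp", ".archdvssc", ".archcab"}

# Drive-letter directory exclusions, a subset of the poster's list (constructed).
EXCLUDED_DIRS = [r"E:\Enterprise Vault Stores", r"F:\IndexLocation1", r"F:\IndexMetadata"]

# Trend logs VSS snapshot hits as \Device\HarddiskVolumeShadowCopyNN\<path below volume root>.
SHADOW_RE = re.compile(r"^\\Device\\HarddiskVolumeShadowCopy\d+(\\.*)$", re.IGNORECASE)


def _under(target: str, root: str) -> bool:
    """True if target equals root or lies beneath it (case-insensitive, backslash separators)."""
    t, r = target.lower().rstrip("\\"), root.lower().rstrip("\\")
    return t == r or t.startswith(r + "\\")


def classify_alert(location: str, excluded_dirs=EXCLUDED_DIRS, extensions=frozenset()) -> str:
    """Explain how one AV alert location relates to the configured exclusions.

    Returns 'excluded-by-extension', 'excluded-by-directory', 'not-excluded', or
    'shadow-copy-bypasses-dir-exclusion:<dir>' when the hit is a VSS snapshot of an
    excluded tree: the device path carries no drive letter, so the directory exclusion
    never matched it (assumption: the snapshot is of that directory's volume).
    """
    if PureWindowsPath(location).suffix.lower() in extensions:
        return "excluded-by-extension"
    m = SHADOW_RE.match(location)
    for excl in excluded_dirs:
        if m:
            # Compare the part below the snapshot device with the exclusion minus its drive letter.
            if _under(m.group(1), re.sub(r"^[A-Za-z]:", "", excl)):
                return f"shadow-copy-bypasses-dir-exclusion:{excl}"
        elif _under(location, excl):
            return "excluded-by-directory"
    return "not-excluded"


# Constructed alert locations in the same shape as the thread's Trend log entries.
SAMPLE_ALERTS = [
    r"\Device\HarddiskVolumeShadowCopy58\Enterprise Vault Stores\MBXVaultStore01 Ptn1\2015\01-28\0\000\ABCD1234~25~EF56~00~1.DVSSP",
    r"E:\Enterprise Vault Stores\MBXVaultStore01 Ptn1\2015\01-28\0\000\ABCD1234~1.DVS",
    r"D:\Shared\invoice.exe",
]

if __name__ == "__main__":
    for path in SAMPLE_ALERTS:  # verdict with directory exclusions only, then with extensions added
        print(classify_alert(path), "->", classify_alert(path, extensions=EV_EXTENSIONS))
```

Running it shows the snapshot hit is reported as bypassing the E:\ exclusion until the extension list is added, which is the behaviour the poster saw in the Trend logs.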