
Search and Delete Messages

dgh1981
Level 3

Good afternoon.  We recently had a virus-laden e-mail hit our company and users had clicked on links that had downloaded some Trojan viruses.  We have this cleaned up, but it got brought up to delete any of these messages from Enterprise Vault.  I just used Discovery Accelerator to find all of the messages, but not sure if I can delete from the archive from there.  I know I can set EV policy to allow deletion, but is that just by user?  Is there a way to globally search every archive for certain messages and then purge them?

Thanks!

Accepted Solutions

Pradeep-Papnai
Level 6
Employee Accredited Certified

I suggest giving a single user permission on all EV archives (http://www.symantec.com/docs/TECH69114) via EVPM. An example is below.

[Directory]
DirectoryComputerName=kvsvault
SiteName=archivesite

[ArchivePermissions]
ArchiveName = all
GrantAccess = read write delete, ourdomain\user


Then you need to search for the suspected emails via browser search (http://evserver.domain.com/enterprisevault) against each archive and then delete them. Your organization's policies should allow deletion (in the site setting, the retention category and the storage itself) and the items should not be on DA hold.


Rob_Wilcox1
Level 6
Partner
Across the board deletions, like you describe, aren't really that easy in EV unfortunately.
Working for cloudficient.com


10 REPLIES 10

EV_Ajay
Level 6
Employee Accredited

Hi,

From the Discovery Accelerator point of view, it's possible to search for those virus emails by subject across all user archives (if those emails are archived and indexed by Enterprise Vault). But it's not possible to delete those emails using Discovery Accelerator.

By design, Discovery Accelerator can perform actions like search, review and export, but not delete.

From DA you will get the total hit count and the hits per user archive. That tells you how many of those emails there are and how many each user archive contains.

 

Arjun_Shelke
Level 6
Employee Accredited

So basically the virus-infected email has been archived in multiple users' archives. If you grant the Vault Service Account full rights on all affected archives, then you can search those archives from the EV server itself.

Now, once you have used browser search to locate the email, the question is whether you are allowed to delete it.

There are 3 things which can restrict you from deleting that email from archives.

1. EVSite >> Properties >> Archive Settings section. Make sure "Users can delete items from their archives" is ticked.

And if you have enabled recovery of deleted items, then even after deletion the email will stay on storage for the period which you have configured.

2. Check the retention category which has been applied to those archives/archived items. Go to the properties of the retention category and make sure "Prevent deletion of archived items in this category" is NOT ticked.

And it depends upon the storage device which you use to store the archived items. If it's Centera compliance or governance model, then it might restrict you from deleting that item.

3. And as you said, you have searched for that email in DA, so make sure that the archived item is not on legal hold. If it is, then you won't be able to delete it.

I hope the above information will help you in further deciding the action plan.

If you don't want to take any risk and just want to get rid of that item ASAP, then call support; they might help you by removing the dvs directly from the partition and removing the entry from the SQL database.

EV_Ajay
Level 6
Employee Accredited

Before deleting items from EV, make sure you remove the legal hold from DA Case Properties. Uncheck the option "Put items on hold".

If you ran the DA search against that email, then those emails will go on legal hold, and if you try to delete such an item from EV it will never delete. Hence, after unchecking the option "Put items on hold" in DA Case Properties, the user can delete such items.

 

 

GabeV
Level 6
Employee Accredited

If you grant permissions to all archives using the EVPM script provided by EV-Counselor, then using the EV search you can search against all vaults, adding search criteria that match the messages you want to delete. Then you can select the messages and use the "delete from vault" option from the search to delete those emails from the vault. You need to make sure that the 3 steps that Advisor mentioned are in place so that you can delete data from the archives.

I hope this helps.
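
An added example (not from any poster in this thread and not vendor code): a Python check that finds the blanket grant from the EVPM file posted earlier, so an account holding delete rights on every archive can be identified and reviewed after the cleanup. The sample text is constructed; the second, narrower section and the handling of `;` comment lines are assumptions.

```python
import re

# Constructed sample: the EVPM file from this thread plus a second,
# hypothetical narrower grant for contrast.
SAMPLE_INI = r"""
[Directory]
DirectoryComputerName=kvsvault
SiteName=archivesite

[ArchivePermissions]
ArchiveName = all
GrantAccess = read write delete, ourdomain\user

[ArchivePermissions]
ArchiveName = Jane Doe
GrantAccess = read, ourdomain\helpdesk
"""

def parse_sections(text):
    """Return [(section, {key: value})]; repeated sections stay separate."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # assumption: ';' starts a comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            sections.append((header.group(1).strip().lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def broad_delete_grants(text):
    """List (archive, account, rights) where delete is granted on all archives."""
    findings = []
    for name, keys in parse_sections(text):
        if name != "archivepermissions" or "grantaccess" not in keys:
            continue
        # Value shape as posted in the thread: "<rights...>, <domain\account>"
        rights, _, account = keys["grantaccess"].partition(",")
        rights = rights.lower().split()
        archive = keys.get("archivename", "")
        if archive.lower() == "all" and "delete" in rights:
            findings.append((archive, account.strip(), rights))
    return findings

if __name__ == "__main__":
    for archive, account, rights in broad_delete_grants(SAMPLE_INI):
        print(f"REVIEW: {account} has {'/'.join(rights)} on archive '{archive}'")
```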

TonySterling
Moderator
Moderator
Partner    VIP    Accredited Certified

A word of caution: depending on the number of archives, you may not be able to do a search against all of them, as it could time out.

 

Pradeep-Papnai
Level 6
Employee Accredited Certified

Hi Dgh, 

Did you get sufficient information for your issue? Do you need any more information from this post?

Regards

EV-C

dgh1981
Level 3

Hey guys, thank you for all of the great information.  My security guy cancelled the request so I don't need to delete from the archives now.  This will be great information for the future though.  Thanks!

Arjun_Shelke
Level 6
Employee Accredited

So how will you deal with the virus-infected email which is archived?