Virus detection in virtual vault cache. How to identify message?

LucasRL
Level 2

Recently had a user archive a message from 1999 that had somehow avoided AV scanning until it had been archived into EV.  More accurately, the local antivirus (McAfee) on the user's workstation appears to be scanning the temp files used to populate the virtual vault cache, and alerting on the virus.  AV removes the message, but it just pops right back into the cache on the next synchronization, as the message still exists in the user's Vault.  Unfortunately, I'm not finding myself able to determine the details of the message from the scan output.

File information - C:\Users\xxxxxxxx\AppData\Local\KVS\Enterprise Vault\1DFA78630018A84DA6267B9315BF1AA0\TempUpload_{3EFCFD06-322A-4FB2-A7E9-3E8E5EABAEA6}.msg\__substg1.0_37010102\POSTAL.EXE


I've tried to look up the GUID of this 'TempUpload' .msg file as a component of the SSID and IDEN values in Advanced Search, to no avail.  I've tried using the GUID as TransactionID in the query in https://www-secure.symantec.com/connect/forums/archived-email-attachment-infected-virus-and-deleted-... with no luck.  I've performed searches on both attachments (all executables) and Subjects that relate to 'Postal'.


I seem to be drawing a blank at this point.  Any other suggestions as to how I might use the "TempUpload_{3EFCFD06-322A-4FB2-A7E9-3E8E5EABAEA6}.msg" value to key in on the message?
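Reading the scanner path quoted above: in a .msg file (an OLE compound document, MS-OXMSG) each property lives in a stream named `__substg1.0_` followed by the MAPI property id and type in hex, so `__substg1.0_37010102` is PidTagAttachDataBinary (0x3701) of type PtypBinary (0x0102), i.e. the attachment bytes themselves. The decoder below is an added example, not code from the thread, Veritas or McAfee; it assumes the scanner renders the .msg as a folder with the stream names as path components, as the quoted path does.

```python
"""Decode an AV detection path inside an Enterprise Vault TempUpload_*.msg file.
Added example, not from the thread; assumes the scanner shows the .msg (an OLE
compound file) as a folder and its MAPI stream names (MS-OXMSG) as path components."""
import re
from dataclasses import dataclass

# MAPI property ids (MS-OXPROPS) that commonly appear in .msg stream names.
PROPERTY_NAMES = {
    0x0037: "PidTagSubject",
    0x1000: "PidTagBody",
    0x3701: "PidTagAttachDataBinary",  # the attachment payload itself
    0x3704: "PidTagAttachFilename",
    0x3707: "PidTagAttachLongFilename",
    0x370E: "PidTagAttachMimeTag",
}
PROPERTY_TYPES = {0x001E: "PtypString8", 0x001F: "PtypString", 0x0102: "PtypBinary"}

TEMPUPLOAD_RE = re.compile(r"TempUpload_\{([0-9A-Fa-f-]{36})\}\.msg", re.IGNORECASE)
SUBSTG_RE = re.compile(r"__substg1\.0_([0-9A-Fa-f]{4})([0-9A-Fa-f]{4})")

@dataclass
class Detection:
    upload_guid: str            # id of the Vault Cache temp upload file
    property_name: str
    property_type: str
    is_attachment_payload: bool
    object_name: str

def decode_detection_path(path: str) -> Detection:
    """Parse the scanner's path into the VV upload GUID and the MAPI stream it hit."""
    guid = TEMPUPLOAD_RE.search(path)
    stream = SUBSTG_RE.search(path)
    if not guid or not stream:
        raise ValueError("not an Enterprise Vault TempUpload .msg stream path")
    prop_id, prop_type = int(stream.group(1), 16), int(stream.group(2), 16)
    return Detection(
        upload_guid=guid.group(1).upper(),
        property_name=PROPERTY_NAMES.get(prop_id, f"0x{prop_id:04X}"),
        property_type=PROPERTY_TYPES.get(prop_type, f"0x{prop_type:04X}"),
        # 0x3701/0x0102 is the raw attachment bytes: the object the AV actually flagged.
        is_attachment_payload=(prop_id == 0x3701 and prop_type == 0x0102),
        object_name=path.replace("\\", "/").rsplit("/", 1)[-1],
    )

# Sample path taken from the question above (user name already elided there).
SAMPLE = (r"C:\Users\xxxxxxxx\AppData\Local\KVS\Enterprise Vault\1DFA78630018A84DA6267B9315BF1AA0"
          r"\TempUpload_{3EFCFD06-322A-4FB2-A7E9-3E8E5EABAEA6}.msg\__substg1.0_37010102\POSTAL.EXE")
```

Running `decode_detection_path(SAMPLE)` shows the hit is on the attachment payload stream, so the object to locate is the executable attachment, not the message body.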

1 ACCEPTED SOLUTION

Accepted Solutions

Rob_Wilcox1
Level 6
Partner

All items in the MDC file will be stubs/small ... until you hit the ones that the user has dragged and dropped in. They'll be bigger.


I don't *think* these items will be in the .DB files.

Working for cloudficient.com

4 REPLIES

Rob_Wilcox1
Level 6
Partner

Looks like Virtual Vault trying to upload data to the archive. This means the user has dragged and dropped stuff from a PST or similar into Virtual Vault. So... best bet: take a copy of the MDC file, rename it to .pst and open it on a machine which doesn't have the EV Outlook add-in installed, then look for the large (i.e. non-stub) items.

Working for cloudficient.com

LucasRL
Level 2

We're not using Shortcuts in the environment, so I don't have the luxury of icon size to differentiate local vs server content in the MDC.  Pulled it down anyway as it seemed like a good idea, only to remember that attachment information won't be in the metadata.  This suggestion may have put me on the right path for taking a look at each .DB file as a .PST though, and trying to track down the suspect attachment.  Can't say that 5GB+ (over 15,000 messages) is going to be fun to slog through, especially with no feedback from the user as to how to narrow down the sent/received timeframe of the message itself.


Will post back here with results, but I was really hoping there was some skeleton key to tracking down the message hidden in the filename there.

RichardG
Level 5
Employee

I agree with Rob. When an item has been dragged into VV it is eventually synchronised to the archive on the server. The temp file (starting TempUpload_) is created as part of this Vault Cache sync process. The full item is kept in the MDC until the item has been successfully synchronised to the server.

If the user looks in VV at the "To Archive" search folder, one of the items listed there will be the problem item.