Search and Delete Messages

Created: 25 Jul 2013 | 10 comments

Good afternoon. We recently had a virus-laden e-mail hit our company, and users had clicked on links that had downloaded some Trojan viruses. We have this cleaned up, but it got brought up to delete any of these messages from Enterprise Vault. I just used Discovery Accelerator to find all of the messages, but I'm not sure if I can delete from the archive from there. I know I can set EV policy to allow deletion, but is that just by user? Is there a way to globally search every archive for certain messages and then purge them?

Thanks!

Pradeep_Papnai's picture

I suggest you give permission on all EV archives to a single user (http://www.symantec.com/docs/TECH69114) via EVPM. An example is below.

[Directory]
DirectoryComputerName=kvsvault
SiteName=archivesite

[ArchivePermissions]
ArchiveName = all
GrantAccess = read write delete, ourdomain\user

Then you need to search for the suspected emails via browser search (http://evserver.domain.com/enterprisevault) against each archive and then delete them. Your organization's policies should allow deletion (from site setting, retention category, storage itself) and the items should not be on DA hold.

Rob.Wilcox's picture

Across the board deletions, like you describe, aren't really that easy in EV unfortunately.

EV_Ajay's picture

Hi,

From the Discovery Accelerator point of view, it's possible to search for those virus emails by subject across all user archives (if those emails are archived and indexed by Enterprise Vault). But it's not possible to delete those emails using Discovery Accelerator.

As per the design of Discovery Accelerator, we are able to perform actions like search, review and export, but not delete.

From DA you will get the count / hits and the user archive hits. Then we will know how many hits there are, meaning the number of those emails, and the number of hits each user archive contains.

Thanks,

Ajay

Advisor's picture

So basically the virus-infected email has been archived in multiple users' archives. If you grant the Vault Service Account full rights on all affected archives, then you can search those archives from the EV server itself.

Now, once you have used browser search to locate the email, the question is whether you are allowed to delete it.

There are 3 things which can restrict you from deleting that email from archives.

1. EVSite >> Properties >> Archive Settings section. Make sure "Users can delete items from their archives" is ticked.

And if you have enabled recovery of deleted items, then even after deletion the email will stay on storage for the period which you have configured.

2. Check the retention category which has been applied to those archives/archived items. Go to the properties of the retention category and make sure "Prevent deletion of archived items in this category" is NOT ticked.

And it depends upon the storage device which you use to store the archived items. If it's a Centera compliance or governance model, then it might restrict you from deleting that item.

3. And as you said, you have searched for that email in DA, so make sure that the archived item is not on legal hold. If it is, then you won't be able to delete it.

I hope the above information will help you in further deciding the action plan.

If you don't want to take any risk and just want to get rid of that item ASAP, then call support; they might help you by removing the DVS directly from the partition and removing the entry from the SQL database.

EV_Ajay's picture

Before deleting items from EV, make sure you remove the Legal Hold from DA Case Properties. Uncheck the option "Put items on hold".

If you ran the DA search against that email, then those emails will go on Legal Hold, and if you try to delete such an item from EV it will never be deleted. Hence, after unchecking the option "Put items on hold" in the DA Case properties, the user can delete such items.

Thanks,

Ajay

GabeV's picture

If you grant permissions to all archives using the EVPM script provided by EV-Counselor, then using the EV search you can search against all vaults, adding search criteria that match the messages you want to delete. Then, you can select the messages and use the "delete from vault" option from the search to delete those emails from the vault. You need to make sure that the 3 steps that Advisor mentioned are in place; thus, you can delete data from the archives.

I hope this helps.

“Success is not final, failure is not fatal: it is the courage to continue that counts.”–Winston Churchill

TonySterling's picture

A word of caution: depending on the number of archives, you may not be able to do a search against all of them, as it could time out.

Pradeep_Papnai's picture

Hi Dgh,

Did you get sufficient information for your issue? Do you need any more information from this post?

Regards

EV-C

dgh1981's picture

Hey guys, thank you for all of the great information. My security guy cancelled the request so I don't need to delete from the archives now. This will be great information for the future though. Thanks!

Running EV 10.0.3

Advisor's picture

So how will you deal with the virus-infected email which is archived?