
SYMANTEC DLP Vontu - Extracting emails out of .pst files during discover scans

Created: 21 Aug 2014 • Updated: 21 Aug 2014 | 7 comments

Symantec DLP (Data Loss Prevention, Vontu) - Apparently version 12 offers an option to extract individual emails in .msg or .eml format out of .pst files.

I wanted to scan a file share for .pst files and specific keywords; from there I would like to extract the emails that contained those keywords into a quarantined location.


jjesse's picture

Do you have Outlook installed on the server that is doing the Network Discover scan? You don't have to have it configured with a mail profile; it just needs to be able to open up the file.

Jonathan Jesse Practice Principal ITS Partners

Wax0n-Wax0ff's picture

Hi jjesse,

Question for you regarding the scanning of PSTs.

We are trying to scan .pst files looking for .emls within to match against keywords and DCMs for Bloomberg archived chats and messages. As a test, I created 2 PST files with test keywords placed into a few. I also created a .eml file, by itself, outside of the .pst in the same directory in an effort to create an incident. Multiple scans have not produced any incidents. I did, however, run a scan that shows 1 incident, but when I look at the incident list there is nothing shown.

We have Outlook 2007 (32 bit) installed on a Windows 2003 Server (32 bit) and 11.6.3 Vontu running on the detection server.

We previously were receiving the error "The Crawler threw an exception" when trying to run a discover scan on .pst files. Error: The crawler threw an exception. The scan details log indicates "Failed to initialize MAPI: 80004005", which was addressed in this support article: http://www.symantec.com/business/support/index?page=content&id=TECH219374.

After installing Outlook we do not receive the error anymore but the scans still do not match any incidents. Is there something I am missing or overlooking?

Any thoughts would be appreciated.

Thanks in advance.

stephane.fichet's picture

As jjesse wrote, you just need to have Microsoft Outlook proprietary libs available on your server in order for it to be able to analyse PST content.

nelsonlee's picture

Please try the following:

Version 12.0 on Windows

Set up your policy with specific keywords

Set up a discover scan job with that policy

Under "Scanned Content" tab, set up your network share to scan

Under "Advanced" tab, check "Scan PST files" in "PST Scanning" section

Under "Protect" tab, check "Copy" in "Allowed Protect Remediation" and set up your destination network share to copy to in "Quarantine/Copy Share"

Wax0n-Wax0ff's picture

I was under the impression that email files (.eml) contained in the .pst files could not be individually analyzed during a Network Discover scan.

Are you stating that if we are on version Vontu 12.x and running Outlook Express on the scanning server, it can parse the individual email messages from the .pst file and match against the Network Discover policy?

Would you or anyone else be able to comment on this? Please help me to understand.

Thanks in advance.

stephane.fichet's picture

Hello,

I am not sure it will work with Outlook Express... but I never tried it. I will be interested to know if someone has seen PST scanning working with only Outlook Express installed on the scanning server.

Regards.

Wax0n-Wax0ff's picture

Installing Outlook is not an issue? Express is just easier, but nevertheless... My main question is surrounding the extraction of the individual .eml and .msg files from the .pst for content inspection against our DLP policies. Is this performed by Vontu?

Thanks in advance.