from the maintenance guide
You can store incident attachments such as email messages or documents on a file system rather than in the Symantec Data Loss Prevention database. Storing incident attachments externally saves a great deal of space in your database, providing you with a more cost-effective storage solution. You can store incident attachments either in a directory on the Enforce Sever host computer, or on an stand-alone computer. You can use any file system you choose.
Symantec recommends that you work with your data storage administrator to set up an appropriate directory for incident attachment storage.
To set up an external storage directory, Symantec recommend these best practices:
■ If you choose to store your incident attachments on the Enforce Server host computer, do not place your storage directory under the /SymantecDLP folder.
■ If you choose to store incident attachments on a computer other than your Enforce Server host computer, take the following steps:
■ Ensure that both the external storage server and the Enforce Server are in the same domain.
■ Create a "protect" user with the same password as your Enforce Server "protect" user to use with your external storage directory.
■ If you are using a Linux system for external storage, change the owner of the external storage directory to the external storage "protect" user.
■ If you are using a Microsoft Windows system for external storage, share the directory with Read/Writer permissions with the external storage "protect" user.
After you have set up your storage location you can enable external storage for incident attachments in the Installation Wizard. All incident attachments will be stored in the external storage directory. Incident attachments in the external storage directory cannot be migrated back to the database. All incidents attachments stored in the external storage directory are encrypted and can only be accessed from the Enforce Server administration console.
The incident deletion process deletes incident attachments in your external storage directory after it deletes the associated incident data from your database. You do not need to take any special action to delete incidents from the external storage directory.
https://support.symantec.com/en_US/article.DOC8731.html