DLP 9.3 Evidence folder cleaning

Hi

How can I clean old evidence from the evidence folder? Is there any procedure for that from the ePO console? I ran database cleaning from the DLP console, but the files in the evidence folder still exist.


5 Replies
exbrit (Reliable Contributor), Message 2 of 6

Re: DLP 9.3 Evidence folder cleaning

Moved provisionally to DLP for better support.

---

Peter

Moderator

Re: DLP 9.3 Evidence folder cleaning (Accepted Solution)

This is as designed. Evidence files must be manually deleted.

Re: DLP 9.3 Evidence folder cleaning

Thanks for the reply.

Re: DLP 9.3 Evidence folder cleaning

I also am looking for a creative way to delete files in the evidence share.

I would like to maintain 6 months of evidence per internal retention schedule of this type of data.

Looks like most Windows-based tools spend more time enumerating the very large file structure created by the evidence share file/folder methodology.

Currently I am using this command:

FORFILES /s /M *.dlpenc /C "cmd /c echo @fdate @path && del @path" /D -180

It works fine, it just takes a LONG TIME (days).

Our evidence share has 65k folders: 256 on the root of the share, and then each root folder has 256 folders. This is what I believe causes the commands I have tried to take so long to run.

Any other suggestions out there in the land of the internet?

Any VB-based solutions people have tried?
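An added example, not McAfee's tooling and not the poster's, that does the same age-based selection in Python. It walks the tree with os.scandir, whose directory listing on Windows already carries each entry's timestamps, so entry.stat() costs no extra system call per file on a 256 x 256 folder tree. It defaults to a dry run that returns the candidate list and byte total for review rather than deleting. The .dlpenc suffix and the 180-day cutoff come from the command above; the root path argument and the `now` override are assumptions made for testing. As the later reply in this thread points out, age alone does not tell you whether a newer event still links to a file, so the candidate list is meant to be checked against the database before the dry run is switched off.

```python
"""Age-based sweep of a DLP evidence share (added example, not McAfee tooling)."""
import os
import time

SUFFIX = ".dlpenc"   # evidence file extension used in the FORFILES command above
DAY = 86400          # seconds per day


def walk_evidence(root):
    """Yield a DirEntry for every regular file under root.

    os.scandir is used instead of os.listdir plus os.stat because the
    DirEntry objects it yields carry the attributes the directory listing
    already returned; on Windows that means entry.stat() needs no further
    system call for regular files, so the cost is one call per directory
    rather than one per file. Symlinks are not followed so a loop in the
    share cannot make the walk run forever.
    """
    stack = [root]
    while stack:
        path = stack.pop()
        try:
            with os.scandir(path) as it:
                for entry in it:
                    if entry.is_dir(follow_symlinks=False):
                        stack.append(entry.path)
                    elif entry.is_file(follow_symlinks=False):
                        yield entry
        except PermissionError:
            # An unreadable directory is skipped rather than aborting the whole sweep.
            continue


def expired_evidence(root, older_than_days, now=None):
    """Return (sorted paths, total bytes) of evidence files not modified for older_than_days.

    `now` is epoch seconds and exists so the cutoff can be pinned in a test;
    in normal use it is the current time.
    """
    now = time.time() if now is None else now
    cutoff = now - older_than_days * DAY
    paths, total = [], 0
    for entry in walk_evidence(root):
        if not entry.name.lower().endswith(SUFFIX):
            continue
        st = entry.stat(follow_symlinks=False)
        if st.st_mtime < cutoff:
            paths.append(entry.path)
            total += st.st_size
    return sorted(paths), total


def sweep(root, older_than_days, dry_run=True, now=None):
    """List the candidates and, only when dry_run is False, delete them."""
    paths, total = expired_evidence(root, older_than_days, now)
    if not dry_run:
        for path in paths:
            os.remove(path)
    return paths, total


if __name__ == "__main__":
    import sys
    # Usage: python sweep.py <evidence share root>   (dry run by default)
    found, size = sweep(sys.argv[1], 180)
    print(f"{len(found)} files, {size / 2**20:.1f} MiB older than 180 days (dry run)")
```

The walk is iterative rather than recursive so the depth of the share does not matter, and the total byte count lets you see what a retention window would reclaim before anything is removed.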

tonyw (Level 12), Message 6 of 6

Re: DLP 9.3 Evidence folder cleaning

Best practice is to migrate the evidence path at the half point of your data retention policy. If you have a 180-day plan, then migrate every 90 days. Then, once you have migrated twice, the oldest folder is deleted.

Deleting based off date is risky. The reason why is due to the way DLP handles the retention of files. If a file is detected and triggers an event, the file is placed in the evidence path. If, say, the same file is detected again 3 months later, it is not rewritten to the evidence; the database links to the old file path to save disk space.

If you then delete files based off timestamp, the old evidence file is deleted and any current evidence that points to that file will then return the error that the evidence cannot be found.
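The rotation described above, as an added Python example that is not part of the reply and not McAfee DLP code: evidence folders under a base share are named by 90-day period, the current period's folder is the one DLP would be pointed at, and a period folder is removed only once it has been closed for the full 180-day window, so that the youngest file inside it has reached the retention minimum. That keeps one period folder longer than the "migrated twice" count in the reply, deliberately, since at the second migration the previous folder still holds files only 90 days old. The base path, the evidence_NNNNN naming scheme and the EPOCH date used to number periods are assumptions; repointing DLP at the new folder is still done in the console and is outside the script.

```python
"""Period-based evidence path rotation (added example; not McAfee DLP code)."""
import shutil
from datetime import date
from pathlib import Path

RETENTION_DAYS = 180                 # the 6-month plan discussed in the thread
PERIOD_DAYS = RETENTION_DAYS // 2    # migrate at the half point: every 90 days
EPOCH = date(2000, 1, 1)             # assumed origin from which periods are numbered
PREFIX = "evidence_"                 # assumed folder naming scheme


def period_index(day):
    """Which PERIOD_DAYS-long period a calendar day falls in, counted from EPOCH."""
    return (day - EPOCH).days // PERIOD_DAYS


def current_evidence_path(base, today):
    """Folder DLP should be pointed at for the current period (created if missing)."""
    path = Path(base) / f"{PREFIX}{period_index(today):05d}"
    path.mkdir(parents=True, exist_ok=True)
    return path


def expired_folders(base, today):
    """Period folders whose close date is at least RETENTION_DAYS in the past.

    A folder for period n stops receiving files on day (n + 1) * PERIOD_DAYS
    after EPOCH, so once RETENTION_DAYS more have elapsed every file inside it
    is at least RETENTION_DAYS old. Folders that do not follow the naming
    scheme are left alone rather than guessed at.
    """
    today_days = (today - EPOCH).days
    expired = []
    for entry in Path(base).iterdir():
        if not (entry.is_dir() and entry.name.startswith(PREFIX)):
            continue
        try:
            idx = int(entry.name[len(PREFIX):])
        except ValueError:
            continue
        close_day = (idx + 1) * PERIOD_DAYS
        if today_days - close_day >= RETENTION_DAYS:
            expired.append(entry)
    return sorted(expired)


def rotate(base, today=None, dry_run=True):
    """One rotation run: ensure the current folder exists, then report or delete expired ones."""
    today = date.today() if today is None else today
    current = current_evidence_path(base, today)
    expired = expired_folders(base, today)
    if not dry_run:
        for folder in expired:
            shutil.rmtree(folder)
    return current, expired


if __name__ == "__main__":
    import sys
    # Usage: python rotate.py <evidence base share>   (dry run by default)
    current, expired = rotate(sys.argv[1])
    print("point DLP at:", current)
    for folder in expired:
        print("expired (dry run):", folder)
```

Because whole period folders are removed rather than individual files picked by timestamp, a folder only goes away after DLP has stopped writing into it and the retention window has passed, which is what makes the deletion safe against the linking behaviour described in the reply; run it from a scheduled task on the rotation day and keep dry_run until the console has been repointed.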
