Moved provisionally to DLP for better support.
This is as designed. Evidence files must be manually deleted.
thanks for replay.
I also am looking for a creative way to delete files in the evidence share.
I would like to maintain 6 months of evidence per internal retention schedule of this type of data.
Looks like most Windows based tools spend more time enumerating the very large file structure created by the evidence share file/folder methodology.
Currently I am using this command:
FORFILES /s /M *.dlpenc /C "cmd /c echo @fdate @path && del @path" /D -180
It works fine, it just takes a LONG TIME (days).
Our evidence share has 65k folders - 256 on root of share and then each root folder has 256 folders. This is what I believe causes the commands I have tried so long to run.
Any other suggestions out there in the land of internet ?
Any VB based solutions people have tried?
Best practice is to migrate the evidence path at the half point of your data retention policy. If you have a 180 day plan, then migrate every 90 days. Then once you have migrated twice, the oldest folder is deleted.
Deleting based of date is risky. The reason why is due to the way DLP handles the retention of files. If a file is detected and triggers an event, the file is placed in the evidence path. If say the same file 3 months later is detected again, it is not rewritten to the evidence, the database link to the old file path to save disk space.
If you then delete files based off timestamp, the old evidence file is deleted and any current evidence that points to that file will then return the error that the evidence cannot be found.