Attachment Folders from External Storage Disk are not removed while "Retaining Incident" and "Deleting Original Message/Attachments/Files". Although the Folder is completely removed if "Delete Incident Completely" is selected and executed.

Applicable to Symantec Data Loss Prevention (DLP) version 15.x onwards

ID Flow:

• When an incident/s are deleted completely, count for the same will be displayed in the incident queue and the when the incident deleter runs it will remove the incident completely.
• When an incident is retained but the original message (for Network incidents) and/or the attachments are deleted each of this will be counted separately but will not be part of the count in the UI for the next ID run.
• When ID runs, it will mark the LOB's in earlier step for deletion and remove the incidents that were completely to be deleted. On completion, the queue count will reflect the LOB's that were marked for deletion by last run of ID

LOB’s on disk

When an incident is externalized to disk there are several files created to store the LOB type data that would have otherwise been stored in the DB if externalization was not set ON.

1. Network Original Message (NetworkOriginalMessage is filename)
2. UnCrackedComponent_x (These are the incident attachments if any)
3. CrackedComponent_x (This stored a part of the LOB that we need to show the incidents
4. CrackedComponentMarkers_x (Used by DLP for violations)

As highlighted above, the LOB portion will be 1 & 2 as this is the where the bulk of the data is stored. 3 &4 are not considered LOB data as that is the information retained by DLP for an incident and it is a minuscule part of the larger LOB and will remain unless you delete the incident completely.

• If you retain original message and mark attachments for deletion, then all the files with name UnCrackedComponent_x will be deleted.
• If you delete original message along with attachments, then all files with name UnCrackedComponent_x and NetworkOriginalMessage file will be deleted.
• If you delete original message only then the NetworkOriginalMessage file will be deleted.

LOB’s in database

• If you retain original message and mark attachments for deletion then we set the UnCrackedComponent field to NULL in the DB.
• If you delete original message along with attachments, then we set UnCrackedComponent and the NetworkOriginalMessage to NULL in the DB.
• If you delete original message only then the NetworkOriginalMessage field is set to NULL in the DB.

The CrackedComponent and CrackedComponentMarkers field are never deleted by the ID even when incidents are in DB.