Symantec DLP Enforce UI incidents are marked for deletion by accidently. Last Chance for recovery before the purge process permanent delete from the database all marked incidents.
1. Log into SQLPlus as the protect user.
> sqlplus protect — SQLPlus will prompt for the password after, hiding it as it is typed.
> Password:
SQL> UPDATE incident SET isdeleted=0 where isdeleted = 1 and detectiondate > TO DATE(’06-29-14 17:01:01′, ‘MM-DD-YY HH24:MI:SS’);
About Purge Time;
Incidents deleted within the UI are purged from the Oracle database on a regular interval.
The interval is controlled by the manager.properties
com.vontu.manager.system.IncidentDeletion.delay=21600000
com.vontu.manager.system.IncidentDeletion.period=86400000
Both property values are milliseconds.
The delay value is how long after the Enforce starts that the first purge occurs.
The period value specifies how long after the first purge (and all subsquent purges) the next purge will occur.
The above values specify a delay of 6 hours before the first purge,
(6 hours * 60 min/hour * 60sec/min * 1000msec/sec = 21600000 msec)
and a period of 24 hours.
(24 hours * 60 min/hour * 60sec/min * 1000msec/sec = 86400000 msec)
If the Enforce Server is started at 5PM, the initial incident purge will occur 6 hours later, at 11 PM that day. All subsequent purges will occur 24 hours later, or 11 PM every day.