When a user performs an action on an EV item using the Outlook Add-in, the Audit
log is supposed to record the name of the user that performed it. However, in certain situations, it records the Vault Service Account or other incorrect users as having performed the action.
No error is given. Instead, the auditing information is logged incorrectly to the auditing database.
Consider the following log from EV's AuditViewer:
In actuality, all of these deletions were performed by the user EV10\dagny, despite the fact that the Vault Service Account (EV10\evsa) is listed in the User Name column for some of them.
There is no known workaround at this time, aside from using the DCOM client where available.
Symantec Corporation has acknowledged that the above-mentioned issue is present in the current version(s) of the product(s) mentioned at the end of this article. Symantec Corporation is committed to product quality and satisfied customers.
There are currently no plans to address this issue by way of a hotfix or cumulative hotfix in the current or previous versions of the software at the present time. This issue may be resolved in a future major revision of the software at a later time. However, this particular issue is not currently scheduled for any release. If you feel this issue has a direct business impact for you and your continued use of the product, please contact your Symantec Sales representative or the Symantec Sales group to discuss these concerns. For information on how to contact Symantec Sales, please see http://www.symantec.com.
This issue only affects actions performed using the HTTP version of the EV Outlook Add-in. DCOM versions of the Add-in are not affected.
Additionally, the issue only affects actions invoked from the EV toolbar. It does not affect EV actions that are invoked based on the Add-in's interception of normal Outlook operations performed on EV shortcuts.
For example, deleting a shortcut via the Delete button on Outlook's Home toolbar, while the EV Desktop Policy's Shortcut Deletion setting is set to Delete Both, will result in the archived item's deletion being audited correctly, because the deletion was triggered from a normal Outlook operation. Deleting an item using the Delete button on the EV toolbar, however, will result in the archived item's deletion being audited incorrectly as having been performed by the Vault Service Account.