You can set up Domino to work with an ICAP protocol server to scan attachments in mail messages for viruses. You can define the actions that Domino takes when it finds messages that contain viruses.

Requirements

This feature requires:

• A minimum of Domino 12.0.2.
• Supported on Windows and Linux only.
• A third-party ICAP protocol server to do the virus scanning. TLS is required to connect to the ICAP server.

Virus scanning involves the following components:

• router, the Domino mail router task. If virus scanning is enabled, the router scans mail.box databases on the server for messages that need to be evaluated for viruses and queues them to the mailscan task for processing. The normal router processing of the message is deferred until after mailscan processes, and possibly modifies, the message.
• mailscan, a Domino task that processes messages that need to be scanned for viruses and that communicates with the ICAP server to perform the actual virus scan and collect results. By default, it logs information about attachments and messages infected with viruses. It can also be configured to quarantine infected messages to a separate database.
• Domino Content Scan Configuration (cscancfg.nsf), a domain-wide database created by mailscan used to configure virus scanning.
• Domino Content Scan Log (cscanlog.nsf), a server-specific database created by mailscan that logs the results of virus scanning for a server. mailscan creates the database when it detects an ICAP configuration for the server.
• Domino Content Scan Quarantine (cscanquarantine.nsf), a server-specific database created by mailscan in which original infected messages are saved, if administrators opt to do so. mailscan creates the database when it detects an ICAP configuration for the server.

1. Domino holds each inbound message in mail.box for virus scanning.

2. Domino evaluates each message in mail.box and takes one of the following steps:

• If the message was already scanned on another Domino server, it validates the secure token that the server placed on the message. If the token was written by a trusted server in the domain, andvirus definition signature in the token is equivalent to the current ICAP server's virus definition signature, and the data that was scanned has not been modified, it routes the message.
• If the message has no attachment, it routes the message.
• If the message contains encrypted attachments that Domino can't interpret and therefore can't scan, it routes the message.
• Otherwise, the mailscan task on the Domino server sends each of the message's attachments to the ICAP server.

4. Domino determines whether the message contains a virus by evaluating whether any of its attachments contains a virus.

5. If the message doesn't contain a virus, Domino constructs a secure token that includes a hash of the attachment data and a virus definition signature provided by the ICAP server that identifies its current virus definitions. Domino then adds the token as an item on the message, and routes the message. You may optionally configure the feature so that information on all scanned messages and attachments are logged to cscanlog.nsf, though typically you will only log when they contain viruses.

6. If the message contains a virus, Domino takes actions to assure that the infected content will not be delivered to the recipients and to log information about the infected content.

a. one of the following steps, depending on the cscancfg.nsf configuration:
• Discard message with notification: Deletes the message content and routes the message with a modified subject line and replacement body text configured by the administrator.
• Clean message and deliver: Cleans the infected attachments by replacing their content with attachment text configured by the administrator and routes the message with a modified subject line configured by the administrator.
• Silently discard message: Deletes the messages and send no notification to the user.
b. Domino logs information about the infected message and attachments to cscanlog.nsf.

c. Domino also quarantines the original message to cscanquarantine.nsf if cscancfg.nsf is configured to do so.

The Mailscan task supports multiple threads to improve performance. The default is 4 threads, and can be increased up to 20 threads using the ANTI_VIRUS_WORKER_THREADS=20 notes.ini variable.

Enabling virus scanning on a first server in a domain
Enabling virus scanning on an additional server in a domain
Enabling virus scanning on an additional Domino server can be much simpler, especially if you use the same configuration document (which implies the same ICAP server) that you defined for your first Domino server.

Creating a virus scanning Configuration
Before you enable virus scanning, you must configure at least one virus scanning Configuration.

Importing and validating trusted roots using an ICAP connection
Domino requires a secure, trusted connection to the ICAP server for virus scanning. You must establish that you trust one or more of the ICAP server's root certificates before virus scanning can operate. Domino stores data about trusted roots in certstore.nsf. To simply the configuration process, the trusted root for the connection can be automatically imported from the ICAP server using an action in the cscancfg.nsf configuration document. This process involves both certstore.nsf and cscancfg.nsf.

Configuring virus scanning on a Domino server
After you create a virus scanning Configuration, configure virus scanning on a Domino server.

Monitoring virus scan logs
After you've configured virus scanning on a specific Domino server, you can monitor scan logs in Domino Content Scan Log (cscanlog.nsf) on the server.

Troubleshooting virus scanning
Here are some things to try if it seems like virus scanning is not operating correctly.

Help on Help

All Help Contents

Help on Help