Enabling virus scanning

Edit configuration property settings to force the applications that handle uploaded files to scan all files for viruses.

Before you begin

IBM® Connections does not provide virus scanning software, but it does enable you to use existing virus scanning services implemented within your corporate infrastructure. Before you begin this procedure, find out the location of the virus scanning service.

IBM Connections supports the Internet Content Adaptation Protocol (ICAP) and its applications use this protocol to communicate with virus detection products. Ensure that the virus detection product used in your enterprise supports the ICAP 1.0 protocol. IBM Connections is certified to work with Symantec AntiVirus Scan Engine 5.1 and McAfee web Security Appliance (3400) and (3300). Your virus detection product must include the headers X-Infection-Found and X-Violations-Found.

Note: Disable any file cleaning services that are provided by the virus scanning product you are using. Cleaning must be disabled for the virus scanner to interact properly with IBM Connections. See the documentation for the virus scanner to determine how to disable file cleaning.

To edit configuration files, you must use the wsadmin client. See Starting the wsadmin client for details.

About this task

The Bookmarks and Home page applications do not implement virus scanning because no files or images are uploaded to those application databases.

To enable virus scanning for Activities, Blogs, Communities, Files, Forums, Profiles, and Wikis, complete the following steps:

Procedure

Use the wsadmin client to access and check out the IBM Connections configuration files.
1. Enter the following command to load the IBM Connections configuration file: execfile("connectionsConfig.py")
  
  If you are prompted to specify a service to connect to, type 1 to select the first node in the list. Most commands can run on any node. If the command writes or reads information to or from a file by using a local file path, you must select the node where the file is stored. This information is not used by the wsadmin client when you are making configuration changes.
2. Enter the following command to check out IBM Connections configuration files:
```
LCConfigService.checkOutConfig("working_directory","cell_name")
```
  where:
  - working_directory is the temporary working directory to which configuration files are copied. The files are kept in this working directory while you edit them.
  - Note: When you specify a path to the working directory on a system that is running Microsoft Windows, use a forward slash for the directory.
    
    For example: "C:/temp".
    
    AIX®, and Linux only: The directory must grant write permissions or the command fails.
  - cell_name is the name of the WebSphere® Application Server cell that hosts the IBM Connections application. If you do not know the cell name, display it by typing the following command in the wsadmin client: print AdminControl.getCell()
    Note: This input parameter is case-sensitive.
From the temporary directory to which you just checked out the IBM Connections configuration files, open the LotusConnections-config.xml file in a text editor.

Uncomment the following block of XML, which can be found in the avFilter section:

<!--avFilter class="AVScannerICAP">   
<property>av.scanner.servers=myscanner.host.com</property>   
<property>exception.on.virus=yes</property>   
<property>av.scanner.service=scanner.service</property>
</avFilter-->

Replace references to scanner.service with the name of the ICAP response modification service on the ICAP-enabled scanner. Select one of the following options:

RESPMOD

Represents McAfee virus scanning software

AVSCAN

Represents Symantec virus scanning software

Or add the ICAP response modification service for the virus scanning software that you want to support.

Replace references to myscanner.host.com with the server name or IP address of the system hosting the virus scanner. To specify more than one server, separate multiple server names or IP addresses with commas.

For example:

<avFilter class="AVScannerICAP">
  <property>av.scanner.servers=myscanner1.example.com,
   myscanner2.example.com,myscanner3.example.com</property>
  <property>exception.on.virus=yes</property>
  <property>av.scanner.service=RESPMOD</property>
</avFilter>

To support scanning large files, specify values for the av.chunk.size and first.read.timeout properties:
For example:
```
<avFilter class="AVScannerICAP">
  ...
  <property>av.chunk.size=50000</property>
  <property>first.read.timeout=120000</property>
</avFilter>
```
If the scanner is not available, uploads are rejected to prevent someone from executing a denial of service attack against the scanner, intending to then upload an infected file. In the first.read.timeout property, you can set the number of milliseconds to allow a service to attempt to reach the scanner before rejecting the request.
Save your changes to the LotusConnections-config.xml file.
After making changes, you must check the configuration files back in and you must do so during the same wsadmin session in which you checked them out for the changes to take effect. See Applying common configuration property changes for information about how to save and apply your changes.

What to do next

Once virus scanning is running in your environment, any scanning-related errors are written to the SystemOut.log file. See Troubleshooting virus scanning for information about possible errors and their causes.