Creating a virus scanning Configuration

Before you enable virus scanning, you must configure at least one virus scanning Configuration.

Open Domino Content Scan Configuration (cscancfg.nsf) and click Configurations in the navigation. Then click New Configuration, complete the tabs in the Configuration document, and click Save & Close.

Basics tab

Procedure

Enter a configuration name and optional comments.

Mail Scan tab

Procedure

  1. Complete the fields in the Scan and Log Options section:
    Field: Description
    Virus detected action: Choose from the following options to specify what happens to a message when a virus is detected:
    • Discard message with notification: This option deletes the original message content. The message is sent with a Subject prefix that contains the text configured in the Subject prefix message discarded field and body text configured in the Body text message discarded field.
    • Clean message and deliver: This option deletes viruses from infected attachments. The message is sent with a Subject prefix that contains the text configured in the Subject prefix virus found field and the contents of any infected attachments are replaced with the text configured in the Virus attachment text field.
    • Silently discard the message: With this option, the recipient does not receive the message or any notification about a virus.
    Quarantine action:
    • Quarantine original message: Original messages with viruses are saved in Domino Content Scan Quarantine (cscanquarantine.nsf).
    • Do not quarantine
    Message log option:
    • Log attachments with viruses only
    • Log all attachments
    Log database: Specify the name of the log database for virus scan results. Default is cscanlog.nsf.
    Quarantine database: Specify the name of the quarantine database. Default is cscanquarantine.nsf.
    Log retention (days): The number of days to retain log documents. Default is 40.
    Quarantine (days): The number of days to retain quarantined messages. Default is 40.
  2. Complete the fields in the Mail Scan Tab / Mail Tag for Notification section to provide information for scanning notifications:
    Field: Description
    Subject prefix scanned: The text to display before the subject in a sent message indicating that the message was scanned for viruses and none were found. For example, "Virus scanned." We recommend leaving this field blank if it is important to you for compliance reasons that message content is not modified and remains exactly as sent by the sender.
    Subject prefix virus found: The text to display before the subject in a sent message indicating that a virus was found. For example, "Virus found." Applies when the virus detected action is "Clean message and deliver."
    Subject prefix message discarded: The text to display before the subject in a sent message indicating that the message was discarded because it contained a virus. For example, "Message blocked due to virus." Applies when the virus detected action is "Discard message with notification."
    Virus view icon: A number representing the icon to use in a mail view to indicate a message had a virus. For choices, see the topic Displaying an icon in a column in the Domino Designer documentation.
    Virus attachment text: The text to display inside an attachment that has been cleaned due to a virus. For example, "Virus found! Attachment text replaced." Applies when the virus detected action is "Clean message and deliver." If you are unable to double-click the attachment to open it, open it from a text editor to read the message. To do this from Notes, right-click, select Open with..., and select a text editor.
    Body text message discarded: The text to display in the body of a sent message indicating that the message was discarded because it contained a virus. For example, "Virus found! Message discarded." Applies when the virus detected action is "Discard message with notification."
    Note: Use the Text Properties dialog, Paragraph Margins tab to set the left margin of this field to 1 inch to make it display properly in clients.

Scan Config tab

Procedure

  1. Complete the fields in the Scan Configuration section:
    Field: Description
    Scan protocol: Select ICAP.
    Maximum scan size (MB): The maximum attachment size allowed for scanning. Default is 100 MB. Most often, very large attachments do not contain viruses, so it may make sense to exempt them from scanning. Specify 0 if you wish all attachments to be scanned.
    Server DNS name/address: The host name or address of the ICAP server. Depending on the product used, this server could also be a load-balancer, off-loading TLS and providing high availability.
    TLS server port: The port to use to connect to the ICAP server. Default is 1344. The well-known port for ICAP is TCP/1344. Depending on the product and setup, a different port might be used. For example, a TLS-enabled server often uses TCP/11344.
    ICAP service name: The ICAP "service name" defined on the ICAP server for attachment scan services. Scanning requires ICAP Response Modification Mode (RESPMOD). Contact the administrator of your ICAP server to verify that the server supports RESPMOD and to obtain the ICAP service name.
    ICAP preview: If the ICAP service supports preview mode, select Enable ICAP preview. Preview mode defines how many bytes of data the ICAP client should send for pre-evaluating if the full attachment needs to be sent. Contact the administrator of your ICAP server to determine whether the server supports ICAP preview mode and if it is enabled on the server. If so, enable it here, too. If unsure, leave it unchecked.
    Note: Domino 12.0.2 does not use preview mode, even if it is checked. Scanning operates correctly, but without the potential optimization provided by preview mode for certain attachments. This will be corrected in a future release.
    Virus name formula: A formula that you enter that generates the name of the virus found in an attachment. The formula is evaluated against a log document that is created for an attachment that has a virus. Domino writes an ICAP_ResponseHeaders item to that document that contains the ICAP response headers received from the ICAP server after processing the attachment data. Since each ICAP vendor's response format may differ, Domino allows you to write a formula to extract the name of the virus found from this data.

    For example, if a vendor writes the virus name to a header named X-ICAP-Virus-ID, the formula might be as follows: @Trim(@Right(ICAP_ResponseHeaders; "X-ICAP-Virus-ID:"))


  2. Important: First, follow the instructions in the topic Import and validate trusted roots using an ICAP connection. Then complete the fields in the TLS Connection Security section:
    Field: Description
    Trusted roots: Domino requires a secure, trusted connection to the ICAP server for virus scanning. You must establish that you trust one or more of the ICAP server's root certificates before virus scanning can operate. Domino stores data about trusted roots in certstore.nsf. To simplify the configuration process, the trusted root for the connection can be automatically imported from the ICAP server using an action in the cscancfg.nsf configuration document. This process involves both certstore.nsf and cscancfg.nsf.

    For full instructions, see What to do next at the end of this table.

    Certificate subject: The subject used to verify the certificate if the server has no Subject Alternate Name (SAN). This must be the exact subject name, including correct mixed-case characters if applicable.
    Certificate expiration warning period: The number of days before certificate expiration that the server sends a warning.
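
The two server-side facts the Scan Configuration fields depend on, as an added Python example that is not part of the product or its documentation: it parses an ICAP OPTIONS response to confirm RESPMOD and preview support, and it isolates a virus name header from scan response headers, which is what the virus name formula has to return. The sample responses are constructed and the function names are hypothetical; the Methods and Preview headers are defined by RFC 3507, and X-ICAP-Virus-ID is the vendor header used in the formula example above.

```python
import re

# Constructed sample responses (not captured from a real ICAP server).
OPTIONS_RESPONSE = (
    'ICAP/1.0 200 OK\r\n'
    'Methods: RESPMOD\r\n'
    'ISTag: "constructed-istag-1"\r\n'
    'Allow: 204\r\n'
    'Preview: 1024\r\n'
    'Encapsulated: null-body=0\r\n\r\n'
)
SCAN_RESPONSE = (
    'ICAP/1.0 200 OK\r\n'
    'ISTag: "constructed-istag-1"\r\n'
    'X-ICAP-Virus-ID: EICAR-Test-File\r\n'
    'Encapsulated: res-hdr=0, res-body=120\r\n\r\n'
)

def parse_icap_head(raw):
    """Split an ICAP response head into (status_code, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    match = re.match(r"ICAP/1\.0 (\d{3})", status_line)
    if not match:
        raise ValueError("not an ICAP/1.0 response: %r" % status_line)
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:  # skip anything that is not a "Name: value" line
            headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers

def service_capabilities(raw_options):
    """Summarize an OPTIONS response for the ICAP service name and preview fields."""
    status, headers = parse_icap_head(raw_options)
    methods = [m.strip().upper() for m in headers.get("methods", "").split(",")]
    preview = headers.get("preview")
    return {
        "reachable": status == 200,
        "respmod": "RESPMOD" in methods,
        # A Preview header advertises preview support and its size in bytes.
        "preview_bytes": int(preview) if preview and preview.isdigit() else None,
    }

def virus_name(raw_scan, header="X-ICAP-Virus-ID"):
    """Return only the named header's value, or None when the header is absent."""
    _, headers = parse_icap_head(raw_scan)
    return headers.get(header.lower()) or None
```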

What to do next


Configure virus scanning on a Domino server