
Chapter 4: Configuring ScanMail for Lotus Notes

2003 Trend Micro Incorporated 53

Chapter Objectives

After studying this chapter, you should be able to complete the following objectives:

• Configure the management consoles for managing ScanMail for Lotus Notes 2.6

  ◦ For the Lotus Notes client, add ScanMail icons to the Workspace

  ◦ For the Web console, configure ScanMail to work with a proxy server, set up rights, set up the Internet password, and load the HTTP task for Web access

• Restrict access to the ScanMail databases to prevent unauthorized users from changing the ScanMail configuration

• Configure real-time scanning

• Configure real-time database and replication scanning

• Configure manual and scheduled scanning

• Simulate and test the capabilities of ScanMail for Lotus Notes under different virus scenarios

Setting Up the Management Consoles

You can use one of the following management consoles to configure and maintain ScanMail for Lotus Notes:

• Notes client

• Web console

• Trend Micro Control Manager

The examples given in this textbook are from the Notes client.

Trend Micro Control Manager is a centralized management system that you can use to manage multiple antivirus products. For more information about Control Manager, see Chapter 9: Trend Micro Control Manager.

Trend Micro ScanMail for Lotus Notes Student Textbook

Setting Up the Notes Client

You must manually add the ScanMail program icons to the Notes Workspace. To add these icons and access the ScanMail console, your user.id must have the necessary Notes permissions to the Domino database that contains the ScanMail databases. The user.id must have at least the Editor access right with the Delete document permission.

To add the ScanMail icons to the Notes Workspace, complete the following steps:

1. Open the Workspace from which you want to access ScanMail for Lotus Notes.

2. Right-click and select Open Database… in the popup menu that appears.

3. Select the Domino server in the Server field (see Figure 4-1).

Figure 4-1: Adding icons to the Notes Workspace

4. Select ScanMail for Lotus Notes from the Database field. The smconf.nsf database appears in the Filename field.

5. Click Open. The ScanMail console opens.

6. Repeat this process to create icons for the following databases (see Figure 4-2):

• ScanMail for Lotus Notes Log, which is the smvlog.nsf database

• ScanMail Help, which is the smhelp.nsf database

• ScanMail Pattern Database, which is the smency.nsf database

• ScanMail Quarantine Log, which is the smquar.nsf database

Figure 4-2: Accessing ScanMail for Lotus Notes from the Notes Workspace

Configuring the Web Console

Before you use the Web console to access the ScanMail server, you should complete the following tasks:

• Enter the settings for your proxy server, if you are using one

• Set up rights to run unrestricted methods and operations (Lotus Notes R6) or unrestricted LotusScript/Java agents (Lotus Notes R4 or R5)

• Set up an Internet password

• Load the HTTP task if it is not already loaded

Configure ScanMail for Lotus Notes to Work with a Proxy Server

If your network includes a proxy server between ScanMail for Lotus Notes and the Internet, you must configure ScanMail to work with that proxy server. You must configure the location of the proxy server and provide valid login credentials before you can register ScanMail for Lotus Notes or update the virus pattern file, scan engine, or spam database.

To configure ScanMail for Lotus Notes to work with a proxy server, complete the following steps:

1. Click Update | Update Setting and then go to the Proxy Server Settings portion of the screen that appears.

2. Select the type of proxy server on your network, HTTP or SOCKS, and then enter the proxy’s IP address and port number. Also enter any login credentials that might be required to access the server. Missing or incorrect proxy server settings can cause one or more of the following error messages to appear:

Error: Unable to resolve server IP -- DNS error or server not found

Error: HttpConnection: Unable to create socket connection

Error: TmDownloader: Unable to open resource

Error: TmDownloader was unable to download file http://smln-t.activeupdate.trendmicro.com/activeupdate/server.ini to [path] Unable to open resource Generic network error

Setting Up Rights on the Domino Server

In a Notes R4 or R5 environment, the user.id you used to sign the ScanMail databases must have rights to run unrestricted LotusScript/Java agents on that server. In a Notes R6 environment, the user.id you used to sign the ScanMail databases must have rights to run unrestricted methods and operations.

Setting Up Rights in a Notes R4 or R5 Environment

To set up rights to run unrestricted LotusScript/Java agents in a Notes R4 or R5 environment, complete the following steps:

1. From the Notes Workspace, double-click the Notes R4 Address Book or Notes R5 Domino Directory.

2. Select Server in the Domino Directory. Double-click the ScanMail server in the configuration screen.

3. For Lotus Notes R4, locate and select Agent Manager to expose the Agent Restrictions options. For Lotus Notes R5, click the Security tab and scroll down to Agent Restrictions.

4. Double-click Run unrestricted LotusScript agents or select Edit. Click the drop-down arrow to display the contents of the Notes R4 Address Book or the Notes R5 Domino Directory.

5. Select the appropriate server and users, and click Add. Click OK.

6. Click Save & Close.

Note: If you receive the error message, Error validating user’s agent execution access, you might have selected an inappropriate Notes user or group to Run unrestricted LotusScript agents.

Setting Up Rights in a Notes R6 Environment

To set up rights to run unrestricted methods and operations in a Notes R6 environment, complete the following steps:

1. From the Notes Workspace, double-click the Domino Directory.

2. Select Servers in the Domino Directory. Double-click the ScanMail server in the configuration screen.

3. In the Server screen, click the Security tab and locate the Programmability Restrictions section.

Figure 4-3: The Server screen

4. Double-click Run unrestricted methods and operations. Click the drop-down arrow to display the contents of the Domino Directory.

5. Select the user.id and click Add. Then select the Domino server and click Add.

6. Click OK.

7. Click Save & Close.

Setting Up an Internet Password

If you want to access the ScanMail server through a Web browser, you should set up an Internet password to protect your network. ScanMail for Lotus Notes uses the Notes password scheme to restrict database access.

To set up Notes Internet passwords, open the R4 Address Book or the R5/R6 Domino Directory and select the Person to whom you want to grant access. Enter a password in the Internet password field and then close and save your changes. (For more information about Internet passwords, please consult the Notes documentation.)

Loading the HTTP Task for Web Access

If you want to access the ScanMail Web console, the Domino server must be running the HTTP task. When you install Lotus Notes R6, the HTTP task is automatically added to the ServerTasks line in the Notes.ini file.

If you are using another version of Lotus Notes, you can edit the Notes.ini file and add HTTP to the ServerTasks line:

ServerTasks=dbscan MAIL.BOX,tmmscan,repscan,router,HTTP

Note: Tmmscan and repscan should be running before the Router task starts routing email.

To manually load the HTTP task, type the following command at the Domino server console:

load http

Other Setup Tasks

Before you begin to configure scanning, you should restrict access to the ScanMail databases. You may also want to complete the following setup tasks:

• Configure the visibility of the ScanMail databases

• Enable relay email scanning for Lotus Notes R4, if you are using Lotus Notes R4

Restricting Access to the ScanMail Databases

Trend Micro recommends that you restrict access to the ScanMail databases so that unauthorized users cannot change your ScanMail configurations or delete log files. You can use the Notes access control list to restrict access.

Lab Exercise 1: Installing ScanMail for Lotus Notes, Activity 5

Lab Exercise 1: Installing ScanMail for Lotus Notes, Activity 6

Lab Exercise 1: Installing ScanMail for Lotus Notes, Activity 7

Configuring the Visibility of ScanMail Databases

You can configure whether or not the ScanMail databases appear in the Notes Database Catalog or Open Database dialog box. You can also configure whether or not a Secure Sockets Layer (SSL) connection is required for Web access to the ScanMail databases.

You can configure these options for each ScanMail database. To access the Database Settings screen, select General Administration from the main ScanMail screen and then select Database Settings.

Enabling Relay Email Scanning for Lotus Notes R4

Lotus Notes R5 and R6 automatically support scanning outbound POP3 and SMTP traffic. If you are running Lotus Notes R4, however, you must enable relay email scanning by creating a dummy email recipient and a dummy email domain name.

To enable relay scanning on a Domino R4 server, complete the following steps:

1. Create a new Notes email user in your Address book. For example, you might create the SMLNrelay user.

2. Add two new entries to the Notes.ini file, which is located in the \Notes directory on the Domino server:

SMRelay_User=xxxx

SMInternet_LocalDomain=yyyy

Replace xxxx with the user you created for relay scanning and replace yyyy with the Internet domain suffix of the Global Domain Document. You can use commas as delimiters if you have several Internet domain names.

Note: If you have multiple Internet domains, use a comma for the delimiter. The maximum number of domain names is five.

3. Restart the Domino server.

To disable relay scanning, complete the following steps:

1. Stop the Domino server.

2. Remove the SMRelay_User and SMInternet_LocalDomain lines from the Notes.ini file.

Configuring Scanning

ScanMail for Lotus Notes performs four types of scanning:

• Real-time email scanning

• Real-time database scanning

• Manual database scanning

• Scheduled database scanning

You must configure the options for each type of scanning that you want to run on your Notes network. For example, if you want to run real-time email scanning, real-time database scanning on some databases, and scheduled scanning on some databases, you must configure the options for three types of scans.

You configure nearly the same options for each type of scanning. For example, you can configure the following for each type of scanning:

• You can enable and disable scanning.

• You can configure which files to scan, how to handle macros, and how to handle compressed files.

• You can scan for script bombs and embedded objects.

• You can specify which actions are taken when a virus is found.

• You can configure how alerts or notifications are sent when a virus is discovered.

• You can record or save a copy of the virus log.

• You can specify a different temporary directory to use for email scanning.

Some options are available only for certain types of scanning. For example, when configuring real-time email scanning, you can configure email stamps, which verify that an email was scanned and is virus free. If you are configuring real-time database scanning, manual database scanning, or scheduled database scanning, you can select which databases to scan and which databases to exclude.

The remainder of this section explains the options that you configure for all types of scanning.

Selecting Each Type of Scanning

To select the type of scanning that you want to configure, you click Scan Options in the ScanMail main menu. The four types of scanning appear in the expanded menu (see Figure 4-4).

Figure 4-4: The ScanMail main menu

To access the options explained in the following sections, you first select the type of scanning. For example, to configure real-time email scanning, you select Mail Scan. The options for real-time email scanning appear (see Figure 4-5).

Figure 4-5: The Mail Scan screen

Enabling and Disabling Scanning

After you install ScanMail for Lotus Notes, real-time email scanning and real-time database scanning are enabled by default. When Lotus Notes is launched, real-time email scanning and real-time database scanning start automatically.

You can activate or deactivate each type of scanning. For example, to deactivate real-time email scanning, complete the following steps:

1. From the main ScanMail menu, click Scan Options and then click Mail Scan.

2. Under Scan Options, select Disabled.

3. In the action bar at the top of the screen, click Save & Exit.

When you want to restart real-time email scanning, complete the same steps and select Enabled (see Figure 4-6).

Figure 4-6: The Mail Scan screen

Stopping or Starting Scanning from the Domino Server Console

You can stop and start real-time email scanning, real-time database scanning, and manual database scanning by entering commands at the Domino server console. For example, to stop real-time email scanning, enter the following command at the Domino server console:

tell tmmscan quit

When you enter this command, real-time email scanning finishes scanning the current document and then stops running.

To start real-time email scanning, enter the following command at the Domino server console:

load tmmscan

You can also stop real-time database scanning by entering the following command at the Domino server console:

tell repscan quit

When you enter this command, real-time database scanning finishes scanning the current document and then stops running.

To start real-time database scanning, enter the following command at the Domino server console:

load repscan

To start a manual database scan, enter the following command at the Domino server console:

load dbscan yourdatabase.nsf

If you do not specify a database, the default database is the Domino data directory. If you want to list multiple databases, delimit each one with a space.

If you want to stop a manual database scan, enter the following command at the Domino server console:

tell dbscan quit

Configuring ScanMail for Optimal Performance

To improve performance, you can configure ScanMail for Lotus Notes to use memory-based scanning, and you can configure the amount of memory each type of scanning can use. Although there is no formula for determining the amount of memory to allocate for scanning, you can use the following guideline as a starting point. The amount of memory should be 1.5 to 2 times the size of the largest email message or database document.

For example, if you monitored 1,000 email messages, you might find the following:

• The average file size of one-third of the messages is less than 20 KB per message.

• The average file size of one-third of the messages ranges from 20 KB to 500 KB.

• The average file size of one-third of the messages ranges from 500 KB to 2 MB.

If you examine the largest messages, you might find that 10 percent of the messages exceed 2 MB and that the decompressed files fall within a range of 2 MB to 10 MB. You can select an average and then apply the guideline for calculating memory.

Alternatively, you might decide that allocating 5 MB memory for real-time email scanning is sufficient. With this amount of memory, real-time email scanning can handle 97 percent of all email processed, and scanning the largest 3 percent of email messages on the hard drive does not impact performance.

Allocating the right amount of memory is especially important if you are running multiple instances of real-time email scanning (tmmscan). For example, you might decide to allocate 25 percent of the server’s 256 MB RAM to real-time email scanning. If you run six instances of tmmscan to keep up with traffic, the total demand would exceed the available resources. As a result, 99 percent of the allocated RAM would never be used, and all tasks would default to the hard drive.

When you allocate memory for scanning, keep in mind the following:

• Memory is individually allocated, not aggregated or shared between tasks. If you employ memory-based scanning for multiple scan tasks, make sure that the aggregate amount of memory dedicated to all tasks does not exceed system resources.

• If you run multiple instances of the same scanning task, each instance uses its own block of memory. For example, when you load multiple instances of tmmscan, each instance occupies the amount of memory allocated.

• To disable memory-based scanning, enter a zero in the scan memory field.

To configure memory-based scanning, complete the following steps:

1. From the ScanMail main menu, select Mail Scan, Real-time Scan, Manual Scan, or Scheduled Scan.

2. Enter a whole number in the Scan Memory field.

3. Click Save & Exit or continue to select configuration options.

Creating Multiple Scan Threads

You can create a multitasking scan environment by running more than one instance of tmmscan at the same time. For example, running two instances of tmmscan can double peak processing efficiency. Each instance of tmmscan loaded allocates the amount of memory specified in the Mail Scan configuration page.

When you are deciding whether or not to load multiple instances of real-time email scanning, you should factor in the number of MAIL.BOX databases the server has. If the server has multiple MAIL.BOX databases, you may want to load one real-time email scanning task for each MAIL.BOX plus one additional real-time email scanning task. For example, if a server has two MAIL.BOX databases, you would load three real-time email scanning tasks.

The extra real-time email scanning task ensures that the delivery of email is not delayed by large attachments. When real-time email scanning is checking a large attachment, all other email is held in MAIL.BOX and is not scanned or delivered until the real-time email scanning task finishes checking the large attachment. If multiple real-time email scanning tasks are running, one real-time email scanning task scans the large attachment. A second real-time email-scanning task continues to scan other email messages that arrive in MAIL.BOX, reducing the amount of time taken to deliver email.

When you load multiple instances of a scanning task, you must ensure that the server has enough memory and processing power to run the additional tasks.

You can load additional tasks by adding the command to the Notes.ini file or by entering the command at the Domino server console. For example, you might want to add two tmmscan commands to the ServerTasks line in the Notes.ini file as follows:

ServerTasks=dbscan MAIL.BOX,TmmScan,TmmScan,TmmScan,RepScan,Update,Replica,Router,AMgr,AdminP,CalConn,Sched,HTTP,IMAP,LDAP,POP3

Note: Trend Micro recommends that you do not load more than three instances of tmmscan. Loading more than three instances of tmmscan may degrade performance.
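The Notes.ini rules from this chapter (HTTP in ServerTasks, tmmscan and repscan ahead of the Router, at most three tmmscan instances, per-instance scan memory, and the five-domain relay limit) can be checked mechanically. The following linter is an added example, not code from the textbook or from Trend Micro; the function names, the finding codes, the assumption that Scan Memory values are in megabytes, and the second sample file are all assumptions of the example.

```python
# Added example (not Trend Micro code): lint a Notes.ini against the ScanMail
# rules described in this chapter. Scan Memory values are ASSUMED to be in MB.

def parse_ini(text):
    """Return {lowercased key: value} for every key=value line."""
    settings = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings


def server_tasks(settings):
    """Task names in load order, lowercased ('dbscan MAIL.BOX' -> 'dbscan')."""
    raw = settings.get("servertasks", "")
    return [t.split()[0].lower() for t in raw.split(",") if t.strip()]


def lint(ini_text, scan_memory_mb, server_ram_mb):
    """scan_memory_mb maps a task name to the memory configured per instance."""
    settings = parse_ini(ini_text)
    tasks = server_tasks(settings)
    findings = []

    # The Web console needs the HTTP task.
    if "http" not in tasks:
        findings.append(("NO_HTTP", "HTTP is not on the ServerTasks line"))

    # tmmscan and repscan should be running before the Router routes email.
    if "router" in tasks:
        router_at = tasks.index("router")
        for scanner in ("tmmscan", "repscan"):
            if scanner not in tasks:
                findings.append(("SCANNER_MISSING", f"{scanner} is not loaded"))
            elif tasks.index(scanner) > router_at:
                findings.append(("SCANNER_AFTER_ROUTER",
                                 f"{scanner} is listed after router"))

    # More than three tmmscan instances may degrade performance.
    instances = tasks.count("tmmscan")
    if instances > 3:
        findings.append(("TOO_MANY_TMMSCAN", f"{instances} tmmscan instances"))

    # Memory is allocated per instance, never shared between tasks.
    total = sum(mb * tasks.count(task) for task, mb in scan_memory_mb.items())
    if total > server_ram_mb:
        findings.append(("MEMORY_OVERCOMMIT",
                         f"{total} MB of scan memory on a {server_ram_mb} MB server"))

    # Relay scanning (R4): both entries are needed, at most five domains.
    raw_domains = settings.get("sminternet_localdomain", "")
    domains = [d.strip() for d in raw_domains.split(",") if d.strip()]
    if len(domains) > 5:
        findings.append(("TOO_MANY_RELAY_DOMAINS", f"{len(domains)} domains"))
    if bool(domains) != bool(settings.get("smrelay_user")):
        findings.append(("RELAY_INCOMPLETE",
                         "SMRelay_User and SMInternet_LocalDomain must both be set"))
    return findings


def codes(findings):
    """Just the finding codes, in the order they were raised."""
    return [code for code, _ in findings]


# The ServerTasks line shown in this chapter.
PAGE_INI = ("ServerTasks=dbscan MAIL.BOX,TmmScan,TmmScan,TmmScan,RepScan,Update,"
            "Replica,Router,AMgr,AdminP,CalConn,Sched,HTTP,IMAP,LDAP,POP3\n")

# Constructed sample: six tmmscan instances loaded after the Router, no HTTP,
# and six relay domains.
BAD_INI = (
    "ServerTasks=Router,TmmScan,TmmScan,TmmScan,TmmScan,TmmScan,TmmScan,RepScan,Update\n"
    "SMRelay_User=SMLNrelay\n"
    "SMInternet_LocalDomain=a.example,b.example,c.example,d.example,e.example,f.example\n"
)

if __name__ == "__main__":
    print(codes(lint(PAGE_INI, {"tmmscan": 5}, 256)))
    # 25 percent of 256 MB per instance, as in the chapter's six-instance case.
    for code, message in lint(BAD_INI, {"tmmscan": 64}, 256):
        print(code, "-", message)
```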

Lab Exercise 2: Allocating Memory for Scanning

Selecting Which Files to Scan

ScanMail for Lotus Notes can detect viruses in any type of attachments or documents, including UUencode, BINHEX, and MIME-encoded documents. For each type of scanning, you can select which attachments or documents you want scanned. You can choose one of the following options:

• Select Scan all files to have ScanMail for Lotus Notes check every email attachment or every document—regardless of its extension—for viruses. This option is the most secure.

• Select Scan selected files to have ScanMail for Lotus Notes check only the file types you specify. By default, when you select this option, ScanMail for Lotus Notes displays approximately 60 recommended file types. You can accept this default, or you can add and remove extensions as needed.

• Select Scan all files and then configure one of the following options to exclude certain types of files:

  ◦ Exclude files by true file type—If you want to exclude certain types of files, regardless of their extension, click the down arrow and select the types of files you do not want scanned (see Figure 4-7).

  ◦ Exclude files by extension/name—If you want to exclude files by extension, click the down arrow and select the extensions of the files you do not want scanned.

Figure 4-7: The Select Keywords dialog box

You can also specify how you want ScanMail for Lotus Notes to handle compressed files:

• Select Scan compressed files to scan attachments or documents that have been compressed. ScanMail for Lotus Notes can scan PKZIP, ZIP to EXE, LHA, and AMG files.

• Select Clean compressed files to clean compressed files of viruses. ScanMail for Lotus Notes can clean PKZIP, ZIP to EXE, LHA, and AMG files. To clean a file, ScanMail for Lotus Notes decompresses the file to one layer. If ScanMail for Lotus Notes detects an infected file more than one layer down, the entire compressed file is marked as uncleanable.

Scanning for Specific Threats

You can also configure ScanMail for Lotus Notes to scan for specific types of threats such as script bombs and script viruses in email message text. You can select the following options:

• Select Scan mail bodies for script viruses to check email message text for known script viruses (code that is written in the email body and executes when the script is run). This option is available only for real-time email scanning.

• Select Scan embedded objects to scan Object Linking and Embedding (OLE) objects that have been embedded in attachments or documents.

• Select Scan for script bombs to scan for malicious code that is known as a script bomb. This malicious code is created in Notes hot spots. By default, script scanning is not enabled. After you select this option, you need to configure the script strings for which ScanMail searches (see the next section).

Note: The status of the Scan for script bombs option is displayed at the top of the scanning configuration screen. Script Bomb Scanning is set to Off or On.

• Select Strip macros from Office documents to delete macros from Microsoft Office documents. Macros can contain malicious code that executes when a user opens a document and agrees to run the macros.

Configuring Script Bomb Scanning

Notes hotspots communicate additional information in a Notes document. For example, hotspots can display pop-up text, open a link, or perform a Notes action.

Unfortunately, hotspots can also be used for destructive purposes. ScanMail for Lotus Notes protects the Notes environment against the execution of malicious hotspots.

To configure script bomb scanning, select the Script Bomb Scan button at the top of the Scan Options screen. (The Script Bomb Scan button appears after you select the Scan for script bomb option.) You can then configure ScanMail for Lotus Notes to scan stored forms and rich text for hotspots that contain malicious code or URLs (see Figure 4-8).

Figure 4-8: The Mail Scan Script Bomb Scan screen

In addition to specifying the code or URLs for which ScanMail searches, you can select the actions ScanMail for Lotus Notes takes if it detects the code or URLs. If you select the Stored Form Scanning option, you can select one of the following actions:

• Select Pass to leave the stored form hotspot as is, without cleaning it.

• Select Delete to remove the stored form hotspot from the email message or database.

• Select Auto Clean to have ScanMail automatically clean stored form hotspots.

If you select the Rich Text Scanning option, you can select one of the following actions:

• Select Pass to leave the rich-text hotspot as is, without cleaning it.

• Select Auto Clean to have ScanMail automatically clean rich-text hotspots.

Configuring String Lists

To configure script strings, you use the following parameters (see Figure 4-9):

• @Function Strings can contain any valid Lotus Notes function such as the following: prompt

• @Command Strings can contain any valid Lotus Notes command, such as the following: [execute], [FileDatabaseDelete]

• Script Strings can contain any valid script command from the operating system, such as the following: shell, getobject, kill, mkdir, activate

• URLs called by @URLOPEN can contain any valid @URLOPEN command, such as the following: offensivesite.com or www.offensivesite.com

Figure 4-9: The Mail Scan Script Bomb Scan screen

Configuring a Warning Message for Hotspots

If ScanMail for Lotus Notes detects a hotspot, you can configure it to display a popup message to the user. You can enter the message you want displayed in the field under Replace hotspot with popup message. For example, you might want ScanMail for Lotus Notes to display the following message:

ScanMail detected and deleted a script bomb.

Note: Only one line of text is allowed for the warning message. In a single-byte environment, one line of text is 199 characters; in a double-byte environment, one line of text is 99 characters. (Double-byte environments are typically used for languages that have word symbolism.) Semicolons and double quotation marks are not supported.
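To see how the four string lists under "Configuring String Lists" and the warning-message limits in the note above behave on real text, the following added example matches hotspot code against the lists and validates a popup message. It is an illustration only, not ScanMail's matching algorithm and not code from the textbook; the list entries are the ones named in this chapter, while the function names, the matching rules (case-insensitive, whole-word, host suffix for URLs) and the sample hotspot text are assumptions of the example.

```python
# Added example (not ScanMail's own logic): match hotspot code against the
# four string lists named in this chapter and validate a popup warning message.
import re
from urllib.parse import urlparse

# List entries taken from the chapter's examples.
STRING_LISTS = {
    "function": ["prompt"],
    "command": ["[execute]", "[FileDatabaseDelete]"],
    "script": ["shell", "getobject", "kill", "mkdir", "activate"],
    "url": ["offensivesite.com"],
}


def url_host(url):
    """Lowercased host of a URL, with or without a scheme ('' if unparsable)."""
    if "//" not in url:
        url = "//" + url
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def scan_hotspot(code, lists=STRING_LISTS):
    """Return (list name, matched entry) pairs found in hotspot code."""
    hits = []
    # @Function strings: the name must follow '@' and end at a word boundary.
    for name in lists["function"]:
        if re.search(r"@" + re.escape(name) + r"\b", code, re.I):
            hits.append(("function", name))
    # @Command strings: the bracketed keyword must be the @Command argument.
    for cmd in lists["command"]:
        if re.search(r"@Command\s*\(\s*" + re.escape(cmd), code, re.I):
            hits.append(("command", cmd))
    # Script strings: whole words only, so 'skill' does not match 'kill'.
    for word in lists["script"]:
        if re.search(r"(?<![\w@])" + re.escape(word) + r"\b", code, re.I):
            hits.append(("script", word))
    # URLs: compare the host passed to @URLOpen with each listed domain,
    # so 'www.offensivesite.com' matches but 'notoffensivesite.com' does not.
    for match in re.finditer(r'@URLOpen\s*\(\s*"([^"]*)"', code, re.I):
        host = url_host(match.group(1))
        for listed in lists["url"]:
            listed_host = url_host(listed)
            if host == listed_host or host.endswith("." + listed_host):
                hits.append(("url", listed))
    return hits


def validate_popup(message, double_byte=False):
    """Problems with a 'Replace hotspot with popup message' value."""
    limit = 99 if double_byte else 199
    problems = []
    if "\n" in message or "\r" in message:
        problems.append("more than one line")
    if len(message) > limit:
        problems.append(f"longer than {limit} characters")
    if ";" in message or '"' in message:
        problems.append("semicolon or double quotation mark")
    return problems


# Constructed hotspot samples for the demonstration.
SAMPLES = [
    '@Command([FileDatabaseDelete]); @Prompt([Ok]; "Done"; "bye")',
    'Sub Click(Source As Button)\n  Kill "c:\\temp\\x.tmp"\nEnd Sub',
    '@URLOpen("http://www.offensivesite.com/page")',
    '@URLOpen("http://notoffensivesite.com"); REM "skills, deactivate"',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(scan_hotspot(sample))
    print(validate_popup("ScanMail detected and deleted a script bomb."))
```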

Configuring Additional Notification Messages

You can configure ScanMail for Lotus Notes to send you a notification message when a virus is found during script bomb scanning. You can use the default message for script bombs, or you can enter your own message (see Figure 4-10).

Figure 4-10: The Real-time Scan Script Bomb Scan screen

Note: If you select the Disable notification when viruses are cleaned option under Virus Notification on the scanning configuration screen, ScanMail for Lotus Notes will not send the notification message.

If you select Warning to administrator(s), ScanMail for Lotus Notes sends the message to the administrator you select when you configure Virus Notification options. (For more information, see the “Configuring Notification Messages” section that follows.)

If you are configuring real-time email scanning, you can append the notification message to the original email message, rather than send a separate notification message. To append the message, complete the Add warning to original mail section (see Figure 4-11).

Figure 4-11: The Mail Scan Script Bomb screen

Enter a text message for Mail subject and Mail body.

Note: If you select this option and also configure the Warning to recipient message under Virus Notification on the Mail Scan screen, the recipient will receive both notification messages.

Configuring Actions on Viruses

You can specify one of the following actions for an infected file:

• Pass: Leaves the infected file as is, without cleaning it. If the infected file is an email attachment, ScanMail for Lotus Notes sends it to the recipients. You can configure a warning message to send to the recipients.

• Quarantine: Moves the infected file, without cleaning, to the quarantine database. If the infected file is an email attachment, ScanMail for Lotus Notes does not send it to the recipients. However, the infected file remains on the Domino server in the quarantine database. You can configure a warning message for the sender, the recipient, or both. You can also choose not to send a warning message.

• Delete: Removes the infected file from the email or the Domino database and deletes the infected file from the Domino server. If the infected file is an email attachment, the original message text of the email and any uninfected attachments are delivered to the recipient. If the infected file is a database document, the original rich-text portion of the document and any uninfected attached files are left intact and replicated to other servers.

• Auto Clean: Cleans the infected file. If the infected file is an email attachment, it is sent to the recipient(s). Trend Micro recommends that you keep this default so that cleaned email is delivered.

• Block: Prevents the entire email message—including infected attachments, the message text, and the header—from being delivered. This option is available only for real-time email scanning.

Note: When ScanMail for Lotus Notes detects a virus in an email attachment, it acts only upon the infected attachment. Unless you select the Block action (which blocks the entire message), the body of the email message and any uninfected files are sent to the recipient.

Configuring an Action for Uncleanable Files

Some viruses can be identified but not cleaned. For example, the European Institute for Computer Antivirus Research (EICAR), along with antivirus vendors, created a test virus that can be used to test antivirus products. This test virus was designed to be uncleanable.

If ScanMail for Lotus Notes detects an uncleanable virus, you can configure one of four actions:

• Pass

• Quarantine

• Delete

• Block (available only for real-time email scanning)

Note: If ScanMail for Lotus Notes detects uncleanable files within a compressed archive, the entire archive is marked as uncleanable. Depending on the action you have selected for uncleanable files, the entire archive is passed, quarantined, deleted, or blocked. If the infected archive is an email attachment, the body of the email message and any other uninfected attachments are sent to the recipients unless you have selected the Block action.

Configuring Actions for Virus Types

In addition to detecting viruses, ScanMail for Lotus Notes can detect the following malicious programs:

• Trojans and worms

• Joke programs

• Mass-mailing viruses

Note: Previous versions of ScanMail for Lotus Notes did not detect these types of malicious programs.

These malicious programs are not, strictly speaking, viruses and propagate in a slightly different manner than viruses do. Because you cannot clean these malicious programs from their host files, you can configure ScanMail for Lotus Notes to take different actions for these programs. To configure the action, select each type of malicious program and click the pull-down menu to select one of the following actions:

• Pass

• Quarantine

• Delete

• Block

Configuring Notification Messages

The notification options for real-time email scanning differ from the notification options for database scanning.

Options for Real-time Email Scanning

You can configure ScanMail for Lotus Notes to automatically notify the following users if a virus is detected in an email message:

• Administrator

• Other network administrators or managers who need to know when infected files are found

• Sender

• Recipient(s)

By default, notifications are sent as separate email messages. However, you can configure ScanMail for Lotus Notes to append the notification to the original email message (see Figure 4-12).

Figure 4-12: The Mail Scan Virus Notification screen

Options for Database Scanning

If you are configuring real-time database scanning, manual database scanning, or scheduled database scanning, you can configure ScanMail for Lotus Notes to automatically notify the database owner or Notes administrator if a virus is detected in a database. The database owner is listed in the Domino database profile. If the Domino database profile does not contain an owner, ScanMail for Lotus Notes sends the notification to all users who are designated as managers in the Notes Access Control List (ACL). If you do not want to send the notification to these managers, select Disable notification to manager (see Figure 4-13).

ScanMail for Lotus Notes sends the notification as an email message. You can send the default message or compose your own message.

Figure 4-13: The Real-time Scan Virus Notification screen

In addition to the notification message, ScanMail for Lotus Notes reports details about the infection, such as the name of the infected database, the name of the virus, and the action taken. This information is also archived in the ScanMail log files.

Changing the Return Address

Because Lotus Notes uses the server name as the default name for program notification messages, the server name is used as the return address for ScanMail notification messages. You might want to change this default setting so that users can reply to ScanMail notification messages. To select an administrator as the default return address, click the down arrow and select the appropriate administrator.

Configuring Messages for Real-time Email Scanning

When you configure notification messages for real-time email scanning, you can send plain text messages, or you can use the new rich text format to customize the background, graphics, and text style of messages.

Configuring Plain-Text Messages for Viruses Detected in Email

Although not as elegant as rich text, plain-text messages contain all the necessary information to inform administrator(s), sender, and recipient(s) of virus detections.

To set up plain-text notifications for real-time email scanning, complete the following steps:

1. On the Mail Scan Virus Notification screen, ensure that Enable rich text notification is not selected.

2. Configure Warning to administrators to automatically alert the Notes administrator or other individuals who need to know when infected files are found.

2.1. In the Administrator(s) field, type the email address of the person you want notified, or click the down arrow and select the user from the list of names that appears. You can select any address, including SMTP addresses, from the Domino Directory. You can also send the notification message to more than one person. Use a comma as the delimiter between addresses.

2.2. Type the message that you want to send in the associated field. For example, you could type the following:

Administrator: ScanMail has detected a virus during a real-time scan of the email traffic.

Note: ScanMail for Lotus Notes supports notification messages that are multiple lines. Press the Enter key at the end of each line.

3. Select Disable notification when viruses are cleaned if you do not want to be notified when viruses have been scanned and cleaned. For example, if your Notes network is frequently infected with Word macro viruses, you might not want to be notified each time an infected macro is deleted.

4. Select options for sending notification messages to the sender and recipients:

4.1. Select Warning to sender to notify the sender when a virus is found.

4.2. Select Warning to recipient(s) to notify the recipients when a virus is found.

4.3. Select Send message to sender that entire mail message was blocked to notify the sender when the entire email is blocked.

4.4. Enter the message you want the sender and recipients to receive in the associated fields. You can enter a different message for internal users and external users. (Internal users are listed in the primary Domino Directory. External users are outside the network and are listed in secondary Domino Directories.) By default, ScanMail for Lotus Notes sends the notification message as a separate email.

Note: ScanMail for Lotus Notes also includes in its notification the date the file was sent, the sender’s name and email address, the name of the infected file, the virus name, and the action ScanMail took on the file. You cannot configure this information.

5. Configure the settings for Add warning to the original email if a virus is detected to insert warnings into the original email message that is sent to the recipient. If you configure both this option and the Warning to recipient(s) option, the recipient receives two notification messages.

5.1. Enter the message that you want to include in the Mail subject.

5.2. Select Add virus information to mail if you want to include virus details in the mail body.

Configuring Rich-Text Messages

If you want to design a background, add graphics, or use a different text style for notification messages, you can use the rich-text format. To create rich-text notification messages, you must use a Notes client. Subsequently, you can use a Web browser to change the rich text.

To enable rich text notification, complete the following steps:

1. Select Enable rich text notification.

2. Click Update rich text notification. The rich text configuration screen appears.

2.1. Enter a text message in the Subject.

2.2. If you are using the Notes client, create the rich-text notification message in the subject body. Use the menu at the top of the screen to select a font, boldface, italics, or color. If you are using a Web browser, click Browse to locate the file name that you would like to include as rich text.

2.3. Click Save & Exit.

3. Select Warning to administrators to automatically alert the Notes Administrator or other users who need to know when infected files are found.

3.1. In the Administrator(s) field, type the email address of the person you want to notify, or click the drop-down arrow and select from the list of names that appears.

4. Select Disable notification when viruses are cleaned if you do not want to be notified when viruses have been scanned and cleaned. For example, if your Notes network is frequently infected with Word macro viruses, you might not want to be notified each time an infected macro is deleted.

5. Select options for sending notification messages to the sender and recipients:

5.1. Select Warning to sender to notify the sender when a virus is found.

5.2. Select Warning to recipient(s) to notify the recipients when a virus is found.

5.3. Select Send message to sender that entire mail message was blocked to notify the sender when the entire email is blocked.

Note: The same rich-text notification message is sent to the administrator(s), sender, and recipient(s). If you want to send only a rich-text notification message, make sure that the regular Text notification fields are empty.

6. Configure the settings for Add warning to the original email if a virus is detected to insert warnings into the original email message that is sent to the recipient.

6.1. Enter the message that you want to include in the Mail subject.

6.2. Select Add virus information to mail if you want to include virus details in the mail body.

Configuring Messages for Database Scanning

To configure a notification message for real-time database scanning, manual database scanning, or scheduled database scanning, complete the following steps:

1. In the Notification message return address field under Virus Notifications, enter the email address that you want to appear in the From field of the notification message. You can also click the drop-down menu and select the email address from the pop-up menu.

2. Click Warning to database owner to have ScanMail automatically notify the person who is listed in the database profile as owner. (If this option is selected but no owner is found, ScanMail for Lotus Notes notifies all Notes managers unless you select Disable notification to manager.)

Note: Previous versions of ScanMail for Lotus Notes do not include the Warning to database owner option.

3. In the Warning to administrator(s) field, type the email addresses of the persons you want to notify or select the person from the drop-down list. To specify multiple recipients, delimit addresses with a comma.

4. Next, type the message you want to send in the associated field. For example, you could type the following message:

Administrator: ScanMail for Lotus Notes has detected a virus during a real-time database/replication scan.

Configuring Virus-Logging Options

The virus-logging options are not selected by default. You can select two options for saving information in log files:

Save a copy of infected documents in Quarantine database

Select this option if you want to save copies of infected documents in the \data\smquar.nsf directory. If you do not select this option, infected documents are deleted from the Notes network.

Keep a log and a copy of encrypted documents in Quarantine database

Select this option if you want to keep a log and a copy of encrypted documents. Because only the recipient can open encrypted documents, ScanMail for Lotus Notes cannot scan these documents for viruses.

Specifying the Temporary Directory

ScanMail for Lotus Notes requires a temporary directory for email and database scanning. Unless you specify otherwise, ScanMail for Lotus Notes creates the temporary directory in the following location:

\Lotus\Domino\Data\smln\SMTemp\MailTemp\

If you want to change the location of the temporary directory, you can enter the new directory. You should ensure that the Access Control List (ACL) for the parent directory allows the creation of files. If the ACL does not allow the creation of files, ScanMail for Lotus Notes will not have access to a temporary directory. When ScanMail for Lotus Notes begins to scan files, you will receive an error stating that ScanMail could not detach the file for scanning.

You need to stop and restart real-time email and database scanning before the new temporary directory will be used. To stop real-time email scanning, type the following command at the Domino server console:

tell tmmscan quit

To restart real-time email scanning, type the following command at the Domino server console:

load tmmscan

To stop real-time database scanning, type the following command at the Domino server console:

tell repscan quit

To restart real-time database scanning, type the following command at the Domino server console:

load repscan

Saving the Configuration

To save the new configuration, click Save & Exit at the top of the ScanMail screen. To cancel your changes and revert to the last saved configuration, click Cancel.

You do not need to restart the Domino server for the configuration changes to take effect. ScanMail for Lotus Notes scans all email messages and database documents according to your new configuration settings.

Show Change History

The Show Change History option displays a table that lists information about changes made to the ScanMail configuration. For example, the table lists how many revisions were made, the author, and the date and time the revisions were made.

Configuring Options for Real-time Email Scanning

Real-time email scanning has several unique options. For example, you can configure email stamps so that users know that the email messages they receive are virus free. You can configure the following options only for real-time email scanning:

Identifying Trusted Servers

With ScanMail for Lotus Notes, you can identify trusted servers so that email messages sent across your enterprise are not scanned multiple times. For example, when Server1 sends an email message to Server2, ScanMail on Server1 scans the message before it is sent, and ScanMail on Server2 scans the message when it is received. To increase the efficiency of your ScanMail environment, you can select Server1 as a trusted server when you configure Server2. Then when Server2 receives an email message from Server1, Server2 does not rescan the message for viruses.

If you want to identify a trusted server, select the Trusted AV Servers option. You can select Domino servers or an SMTP server:

SMTP servers

Type the fully qualified domain name (FQDN). This SMTP server should be running virus-scanning software and should be the first server that handles email entering your Notes network. If you trust more than one server that receives email from the Internet, use a semicolon as the delimiter.

Domino servers

Click the down arrow to select the servers to trust or type the Domino server names in the text box.

Note: When you type the server name, use the fully qualified name, such as server1/OU1. If you use a country code, include this code as well.

Note: Wildcards are not valid for the server and organizational unit.

Stamping Email

You can use email stamps to append plain-text messages to the subject field of email. For example, you can use email stamps to notify recipients that an email message has been scanned and does not contain viruses. You can also use email stamps if an email message is encrypted and cannot be scanned or if macros have been stripped from the email message.

To enable email stamps, select one of the following options:

Safe stamp

Informs users that their email was scanned and was found to be virus-free. Enter the message that you want ScanMail for Lotus Notes to append to the subject line of the email message. For example, you could enter

(ScanMail—safe message).

Encrypted stamp

Informs users that their encrypted email message was not scanned for viruses before it was delivered. Enter the message you want ScanMail for Lotus Notes to append to the subject line of the email message. For example, you could enter

Encrypted: Not scanned.

Office macro strip notification

Informs users that an office macro was stripped out of an email message. Enter the message you want ScanMail for Lotus Notes to append to the subject line of the email message. For example, you could enter

Office macro security is enabled. Office macro(s) have been stripped from this document.

Disclaimer

Inserts a message at the end of the email body. Enter the text of the message you want users to receive.

Warning: The Safe Stamp is added to an email message when no viruses have been found. However, if you have not enabled script bomb scanning, the email message could still contain malicious content.

If you do not want to notify users about an event, do not select the option. For example, if you want ScanMail for Lotus Notes to operate invisibly in the background unless a virus is found, do not select the Safe Stamp option.

Configuring an Action on Files That Cannot Be Scanned

You can configure ScanMail for Lotus Notes to handle other threats:

• Messages that cannot be opened

• Messages that contain attachments that cannot be opened

• Compressed files that consume hundreds of megabytes when extracted

• Compressed files that contain 20, 30, or even 40 layers

Because virus-protection software cannot open and scan files that are password-protected, encrypted, or corrupted, malicious people can use such files to harbor viruses. Malicious people can also use large compressed files to crash the email server by consuming all free space or CPU processes.

You can configure ScanMail for Lotus Notes to take one of the following actions if it detects a file that cannot be scanned:

• Quarantine

• Delete

• Pass

When ScanMail for Lotus Notes detects a file that cannot be scanned, the event is recorded in a log. You can also configure ScanMail for Lotus Notes to send a warning message to administrators, the sender, and recipients.
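The checks behind this option, as an added Python example (not ScanMail code or Trend Micro's implementation): it expands a ZIP attachment in memory and reports it as unscannable when a member is password-protected, the archive is corrupted, the nesting is too deep, or the extracted size passes a limit. The limits, the function names and the sample archives are assumptions constructed for the example, and only the ZIP format is handled.

```python
import io
import zipfile
import zlib

# Limits below are assumptions for this example, not ScanMail defaults.
MAX_LAYERS = 5                 # nested archive levels that will be opened
MAX_TOTAL_BYTES = 1024 * 1024  # total bytes extracted per attachment
CHUNK = 64 * 1024
ACTIONS = ("Quarantine", "Delete", "Pass")  # the choices listed in the text


class Unscannable(Exception):
    """Carries the reason an attachment cannot be scanned."""


def is_zip(data):
    return data[:4] == b"PK\x03\x04" or zipfile.is_zipfile(io.BytesIO(data))


def walk(data, depth, budget):
    """Expand one archive layer and return the extraction budget left."""
    if depth > MAX_LAYERS:
        raise Unscannable("too many compression layers")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # bit 0: member is encrypted
                    raise Unscannable("password-protected")
                body = bytearray()
                with zf.open(info) as member:
                    # Count real output; the declared size can be forged.
                    while chunk := member.read(CHUNK):
                        budget -= len(chunk)
                        if budget < 0:
                            raise Unscannable("extracted size over limit")
                        body += chunk
                if is_zip(body):
                    budget = walk(bytes(body), depth + 1, budget)
    except (zipfile.BadZipFile, zlib.error, EOFError, NotImplementedError) as exc:
        raise Unscannable("corrupted") from exc
    return budget


def triage(data, action="Quarantine"):
    """Return (decision, reason); decision is 'Scan' or the configured action."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    if not is_zip(data):
        return ("Scan", "not an archive")
    try:
        walk(data, 1, MAX_TOTAL_BYTES)
    except Unscannable as why:
        return (action, str(why))
    return ("Scan", "archive fully expanded")


# --- Constructed sample attachments, built in memory for the example ---
def make_zip(members, method=zipfile.ZIP_STORED):
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", method) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return out.getvalue()


def nest(payload, layers):
    """Wrap payload in the given number of ZIP layers."""
    for i in range(layers):
        payload = make_zip({f"layer{i}": payload})
    return payload


def sample_bomb():
    zeros = b"\0" * (4 * MAX_TOTAL_BYTES)  # compresses to a few KB
    return make_zip({"zeros.bin": zeros}, zipfile.ZIP_DEFLATED)


def sample_encrypted():
    raw = bytearray(make_zip({"report.doc": b"hello"}))
    pos = raw.rfind(b"PK\x01\x02")  # central directory entry
    raw[pos + 8] |= 0x01            # set the encrypted flag bit
    return bytes(raw)


if __name__ == "__main__":
    samples = {
        "plain archive": make_zip({"a.txt": b"hello"}),
        "deeply nested": nest(b"hello", MAX_LAYERS + 1),
        "oversized": sample_bomb(),
        "password-protected": sample_encrypted(),
        "truncated": make_zip({"a.txt": b"hello"})[:20],
    }
    for name, data in samples.items():
        print(f"{name:20} -> {triage(data)}")
```

Counting the bytes actually produced against one shared budget, instead of reading the size fields in the archive headers, keeps the inspection itself from being exhausted by the archive it is examining.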

Configuring Delivery of Email When ScanMail Is Not Running

By default, Lotus Notes continues to deliver email messages when you stop the real-time scanning task, and email messages are not scanned for viruses. If you want to stop the delivery of email messages, you can configure the following variable in the Notes.ini file:

SMStopMail = 1

To stop real-time email scanning, you type the following command at the Domino server prompt:

tell tmmscan quit

Email is then held until the real-time scanning task is restarted. For example, you might want to stop the delivery of email messages if a virus outbreak occurs and you are waiting for a new pattern file.

Note: If you disable real-time email scanning in the ScanMail interface, the Domino server will continue to deliver email, regardless of the SMStopMail variable.

To deliver email messages without scanning, you can configure the variable as follows:

SMStopMail = 0

Lab Exercise 3: Configuring Real-time Email Scanning

Configuring Options for Real-Time Database Scanning

Real-time database scanning has only one unique option. You can select the databases that are protected by real-time scanning.

Real-time database scanning can be time-consuming if your Notes system includes many databases and thousands of frequently updated files. In such cases, you might want to activate real-time scanning only for the databases that are the most vulnerable to virus infections. For example, user databases are probably more vulnerable to virus infections than the Domino program databases are. To protect databases that are not modified frequently, you can use manual or scheduled database scanning.

Note: After you change the status of Databases to Scan (by including or excluding different files), you do not need to restart the Domino server.

To configure the databases you want scanned, select Databases to Scan in the Real-Time Scan screen. If you want ScanMail for Lotus Notes to scan all databases in real time, select All databases. If you want ScanMail for Lotus Notes to scan only selected databases, complete the following steps.

1. Select one of the following options:

• Scan selected databases only—Select this option if you have only a few databases that you need to scan.

• Exclude selected databases from scanning—Select this option if you have a large number of databases and need to exclude only a few from scanning.

2. Click Add.

3. From the list that appears, select the databases you want scanned, or select the databases you want to exclude. You can select multiple databases at once. Click OK.

Note: After you select the databases you want scanned, ScanMail for Lotus Notes runs a quick cleanup script called Delete all db-documents. This script does not act upon your databases; instead it deletes a temporary list of documents that ScanMail created.

Note: You cannot select directories for real-time database scanning.

4. Click Remove to remove individual databases from the list that appears if you do not want them scanned. Click Remove All to remove all databases from the list.

Lab Exercise 4: Configuring Database Scanning, Activity 1

Lab Exercise 4: Configuring Database Scanning, Activity 2

Configuring Manual and Scheduled Database Scans

After installing ScanMail for Lotus Notes, you should run a manual database scan on all directories that contain Domino databases to find and clean any existing viruses. After you perform this initial scan of all Domino databases, Trend Micro recommends that you create a scheduled database scan to periodically check Domino databases on the local or remote hard drives.

Scanning Selected Databases

To specify the databases you want scanned, select one of the following options:

Scan directories

Select this option if you have only a few databases that you need to scan. You must enter the directories you want scanned in the Directory field.

Exclude selected directories

Select this option if you have a large number of databases and need to exclude only a few from scanning. Enter the directories you want to exclude in the Directory list field.

Manually specify databases

Select this option if you want to exclude a list of databases from scanning or if you want to include a list of databases for scanning. Select Exclude the databases listed below or Include the databases listed below. Click Add. From the list that appears, select the databases you want scanned, or select the databases you want to exclude. You can select multiple databases at once. Click OK.

Note: After you select the databases you want scanned, ScanMail for Lotus Notes runs a quick cleanup script called Delete all db-documents. This script does not act upon your databases; instead it deletes a temporary list of documents that ScanMail created.

Configuring an Incremental Scan

If you select the Incremental Scan option, ScanMail for Lotus Notes scans only documents that are new or have been modified since the last manual or scheduled scan. By limiting the scan to these documents, you save server resources and time.

Performing a Manual Scan

If you are performing a manual scan, you can start the scan from the Notes client or from the Domino server command line. To start the scan from the Notes client, complete the following steps:

1. Click Scan Now at the top of the Manual Scan screen.

2. Enter the fully qualified server name if you are prompted:

Server1/OU1/US

3. In the Server console command field, enter the following command:

load dbscan

You can also enter the following command at the server command line:

load dbscan yourdatabase.nsf

If you do not specify a database, the default database is the Domino data directory. If you want to list multiple databases, delimit each one with a space.

Scheduling a Database Scan

To schedule a database scan, complete the following steps:

1. Ensure that Enabled is selected at the top of the Scheduled Scan screen.

2. Select Schedule Scanning at the top of the Scheduled Scan screen. The Notes Domino Directory and the Programs screen appear.

3. Click Add Program in the action bar.

4. In the Program name field, enter the filename of the scheduled database scanning program:

pscan

5. Leave the Command line field blank.

6. Click the drop-down menu next to Server to run on field, and select the Domino server that has the databases you want scanned.

7. In the Comments field, enter a note to explain the scheduled program.

8. In the Enabled/disabled field, select Enabled.

9. In the Run at times field, enter 1:00 AM.

10. In the Days of week field, make sure each day of the week is listed.

11. Click Save & Close.

Lab Exercise 4: Configuring Database Scanning, Activity 3

Reviewing the Order in Which Options Are Executed

ScanMail for Lotus Notes applies the options that you configure in a certain order. The scanning options you select for real-time email scanning are executed in the following order:

Option / Execution

eManager filter rules

eManager scans messages for content. If an email message matches a mail filter rule, the specified action is triggered. (eManager is an add-on product that provides content filtering.)

Trusted server scanning

ScanMail for Lotus Notes does not scan email messages from trusted servers.

Attachment blocking

ScanMail for Lotus Notes compares the email attachments with the file exclusion list. If an attachment matches, ScanMail for Lotus Notes blocks the attachment; it is not scanned.

Embedded object scanning

ScanMail for Lotus Notes scans Microsoft Office objects that have been embedded in email messages for malicious code.

Macro scanning

ScanMail for Lotus Notes strips potentially destructive macros from Microsoft Office documents.

Virus scanning

ScanMail for Lotus Notes scans attachments for viruses.

• If ScanMail detects a virus, it performs the action you specified. Depending on the options you selected, ScanMail for Lotus Notes might block the entire message. ScanMail for Lotus Notes sends notification messages to the administrator, sender, or recipients.

• If you have configured email stamps, ScanMail for Lotus Notes stamps the following:

  • If ScanMail for Lotus Notes did not detect a virus, it stamps the email as safe.

  • If the email or attachment is encrypted, ScanMail for Lotus Notes stamps the email with an encryption stamp.

  • If ScanMail for Lotus Notes strips macros from a file, it can stamp the email with this notification stamp.

  • If you configured a disclaimer stamp, ScanMail for Lotus Notes stamps all email messages that are scanned for viruses.

Script scanning

ScanMail for Lotus Notes scans Notes hotspots in stored forms and rich text fields for malicious script commands and URLs. If ScanMail for Lotus Notes detects destructive code, it performs the action you configured. Depending on the options you select, ScanMail for Lotus Notes replaces the hot spot with a customizable message and sends notification messages to the administrator(s), sender, and/or recipient(s).

The scanning options you select for real-time database scanning, manual database scanning, and scheduled database scanning are executed in the following order:

Option / Execution

Incremental scanning

If documents have previously been scanned, ScanMail for Lotus Notes does not rescan them. This option is available only for manual and scheduled database scanning.

Embedded Object scanning

ScanMail for Lotus Notes strips potentially destructive macros from Microsoft Office documents.

Macro scanning

ScanMail for Lotus Notes strips potentially destructive macros from Microsoft Office documents.

Virus scanning

ScanMail for Lotus Notes scans attached files for viruses. If ScanMail for Lotus Notes detects a virus, it performs the action you specified: it cleans, passes, quarantines, or deletes the file. ScanMail for Lotus Notes sends notification messages to the administrator or other specified users.

Script scanning

ScanMail for Lotus Notes scans Notes hotspots in stored forms and rich text fields for malicious script commands and URLs. If ScanMail for Lotus Notes detects destructive code, it will perform the action you configured: clean, pass, or delete the hot spot. Depending on the options you select, ScanMail for Lotus Notes replaces the hot spot with a customizable message and sends notification messages to the administrator(s), sender, and/or recipient(s).

Testing Your Configuration

After you configure ScanMail for Lotus Notes, you might want to test your configuration to verify that it is working as you intended. For example, you can see if ScanMail for Lotus Notes detects viruses and sends the notifications you configured.

The European Institute for Computer Antivirus Research (EICAR) developed a test script that can be used to test antivirus software. This script is an inert text file whose binary pattern is included in the virus pattern file from most antivirus vendors. This script is not a virus and does not contain any program code.

Warning: Never use real viruses to test your antivirus installation.

You can download the EICAR virus file from the EICAR Web site or from the Trend Micro Web site. Before you download the EICAR file, you must disable any antivirus software running on your network or computer. Otherwise, the antivirus software will detect the EICAR test file as a virus and prevent the download.

To download the EICAR virus file, visit the following URLs:

• http://www.trendmicro.com/vinfo/testfiles/

• http://www.eicar.org/anti_virus_test_file.htm

You can also create your own EICAR test script by typing the following into a text file and then naming the file eicar.com:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
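A hand-typed copy is only recognised if the bytes on disk match exactly, so the following added example (not part of the Trend Micro textbook) checks a candidate eicar.com before it is used in a test. The checks beyond the string itself, that only trailing whitespace is tolerated and the file may not exceed 128 bytes, follow EICAR's published definition of the test file; the function names are illustrative.

```python
# Added example: validate a hand-made eicar.com before using it in a test.
# The 68-byte string is the one from the page, split in two literals so an
# on-access scanner does not quarantine this script itself.
EICAR = (rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-"
         rb"STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
ALLOWED_TAIL = b" \t\n\r\x1a"   # space, tab, LF, CR, Ctrl-Z (EICAR definition)
MAX_LEN = 128                   # total file length limit (EICAR definition)


def check_eicar(data: bytes) -> str:
    """Return 'ok', or the reason scanners may not recognise the file."""
    if data.startswith(b"\xef\xbb\xbf"):
        return "UTF-8 byte order mark before the string"
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return "file saved as UTF-16"
    if not data.startswith(EICAR):
        return "first 68 bytes differ from the test string"
    if data[len(EICAR):].strip(ALLOWED_TAIL):
        return "non-whitespace bytes after the string"
    if len(data) > MAX_LEN:
        return "file longer than 128 bytes"
    return "ok"


def write_eicar(path: str) -> None:
    """Write the file in binary mode so no BOM or newline is added."""
    with open(path, "wb") as fh:
        fh.write(EICAR)


# Constructed samples of what text editors typically produce.
SAMPLES = {
    "exact 68 bytes": EICAR,
    "editor added CRLF": EICAR + b"\r\n",
    "saved with UTF-8 BOM": b"\xef\xbb\xbf" + EICAR,
    "saved as UTF-16": b"\xff\xfe" + EICAR.decode("ascii").encode("utf-16-le"),
    "leading blank line": b"\n" + EICAR,
    "comment appended": EICAR + b" test file for lab 4",
    "padded past 128 bytes": EICAR + b" " * 61,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:24} {check_eicar(data)}")
```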

Lab Exercise 4: Configuring Database Scanning, Activity 4


Chapter 4 Summary and Review Questions

Summary

After you install ScanMail for Lotus Notes, you should add the ScanMail program icons to the Notes Workspace and configure the web console. You can then use the Notes client or the web console to manage ScanMail for Lotus Notes. You should also restrict access to the ScanMail databases to prevent unauthorized users from changing your configuration.

You must configure the options for each type of scanning you want to use on your Notes network. For example, if you want to use real-time email scanning, real-time database scanning, and scheduled database scanning, you would configure options for each.

You configure nearly the same options for each type of scanning. For example, you can enable and disable scanning, you can select the files you want scanned, you can scan for script bombs and embedded objects, you can determine the actions ScanMail takes if a virus is detected, you can configure the notifications ScanMail sends, and you can record or save a copy of the virus log.

Some options are available only for certain types of scanning. For example, you can configure incremental scans for manual database scanning and scheduled database scanning. You can configure email stamps for real-time email scanning.

Review Questions

1. What type of scanning would you use to scan every document accessed in the Domino databases?

a. Real-time email scanning

b. Real-time database scanning

c. Manual database scanning

d. Scheduled database scanning

2. What option would you select to scan for malicious code in hot spots?

a. Scan embedded object

b. Scan for script bombs

c. Strip macros from Office documents

d. Scan for script viruses


3. Which two of the following actions can you select for uncleanable files when you configure real-time database scanning? (Select two.)

a. Auto Clean

b. Pass

c. Delete

d. Quarantine

4. Which two of the following email stamps can you configure for real-time email scanning? (Select two.)

a. Safe stamp

b. Scanned stamp

c. Encrypted stamp

d. Password-protected stamp

5. Which option can you configure only for manual database scanning and scheduled database scanning?

a. Trusted AV servers

b. Incremental scan

c. Exclude selected database from scanning

d. Warning to database owner