Scanning message attachments for viruses

You can set up Domino to work with an ICAP protocol server to scan attachments in mail messages for viruses. You can define the actions that Domino takes when it finds messages that contain viruses.


This feature requires:
  • A minimum of Domino 12.0.2.
  • Supported on Windows and Linux only.
  • A third-party ICAP protocol server to do the virus scanning. TLS is required to connect to the ICAP server.


Virus scanning involves the following components:
  • router, the Domino mail router task. If virus scanning is enabled, the router scans databases on the server for messages that need to be evaluated for viruses and queues them to the mailscan task for processing. The normal router processing of the message is deferred until after mailscan processes, and possibly modifies, the message.
  • mailscan, a Domino task that processes messages that need to be scanned for viruses and that communicates with the ICAP server to perform the actual virus scan and collect results. By default, it logs information about attachments and messages infected with viruses. It can also be configured to quarantine infected messages to a separate database.
  • Domino Content Scan Configuration (cscancfg.nsf), a domain-wide database created by mailscan used to configure virus scanning.
  • Domino Content Scan Log (cscanlog.nsf), a server-specific database created by mailscan that logs the results of virus scanning for a server. mailscan creates the database when it detects an ICAP configuration for the server.
  • Domino Content Scan Quarantine (cscanquarantine.nsf), a server-specific database created by mailscan in which original infected messages are saved, if administrators opt to do so. mailscan creates the database when it detects an ICAP configuration for the server.

How scanning works

  1. Domino holds each inbound message in for virus scanning.
  2. Domino evaluates each message in and takes one of the following steps:
    • If the message was already scanned on another Domino server, it validates the secure token that the server placed on the message. If the token was written by a trusted server in the domain, and virus definition signature in the token is equivalent to the current ICAP server's virus definition signature, and the data that was scanned has not been modified, it routes the message.
    • If the message has no attachment, it routes the message.
    • If the message contains encrypted attachments that Domino can't interpret and therefore can't scan, it routes the message.
    • Otherwise, the mailscan task on the Domino server sends each of the message's attachments to the ICAP server.
  3. The ICAP server scans each attachment and responds to the Domino server indicating whether the attachment contains a virus.
  4. Domino determines whether the message contains a virus by evaluating whether any of its attachments contains a virus.
  5. If the message doesn't contain a virus, Domino constructs a secure token that includes a hash of the attachment data and a virus definition signature provided by the ICAP server that identifies its current virus definitions. Domino then adds the token as an item on the message, and routes the message. You may optionally configure the feature so that information on all scanned messages and attachments are logged to cscanlog.nsf, though typically you will only log when they contain viruses.
  6. If the message contains a virus, Domino takes actions to assure that the infected content will not be delivered to the recipients and to log information about the infected content.
    1. one of the following steps, depending on the cscancfg.nsf configuration:
      • Discard message with notification: Deletes the message content and routes the message with a modified subject line and replacement body text configured by the administrator.
      • Clean message and deliver: Cleans the infected attachments by replacing their content with attachment text configured by the administrator and routes the message with a modified subject line configured by the administrator.
      • Silently discard message: Deletes the messages and send no notification to the user.
    2. Domino logs information about the infected message and attachments to cscanlog.nsf.
    3. Domino also quarantines the original message to cscanquarantine.nsf if cscancfg.nsf is configured to do so.


The Mailscan task supports multiple threads to improve performance. The default is 4 threads, and can be increased up to 20 threads using the ANTI_VIRUS_WORKER_THREADS=20 notes.ini variable.