Troubleshooting virus scanning

Here are some things to try if it seems like virus scanning is not operating correctly.

Check health status

Open cscancfg.nsf, navigate to the Servers view, and open your server document. Check the value of the Health status field. A value of "Service validated" or "Warnings" indicates that Domino is able to communicate with the ICAP server.

If the health status is "Pending validation", it means that Domino has not yet attempted to connect to the ICAP server. This usually means that the mailscan task is not running. Issue the load mailscan console command and within a short period of time the health status should be updated. Add mailscan to the ServerTasks notes.ini variable to ensure that the task runs when Domino starts. The "Pending validation" status also might indicate that there are no trusted root certificates for connecting to the ICAP server. In that case, make sure you have followed the steps in Importing and validating trusted roots using an ICAP connection.

If the health status is "Error", you must address the issue before virus scanning can resume. Errors are typically due to an expired ICAP server certificate. In that case, to quickly get virus scanning running again, you can edit your configuration document, select the option "Accept expired TLS certificates", save the document, and restart the mailscan task. Then you should address the problem by contacting the administrators of your ICAP server to request that they renew the ICAP server's certificate or issue it a new one. If a new certificate is used, you must follow the procedure in Importing and validating trusted roots using an ICAP connection to import trusted roots.

Check cscanlog.nsf

See the earlier section on Monitoring virus scan logs. Typically, you only log messages and attachments that contain viruses. When there are problems with virus scanning, it might be useful to temporarily log all eligible messages and attachments -- that is, all non-encrypted messages that contain at least one attachment. That way, you will see documents in this database for each successfully processed message and attachment, whether or not it contains a virus. This will help verify whether messages are being processed. Edit your configuration document and on the Mail Scan tab, set the Message log option to "Log all attachments", then save the document. You must restart the mailscan task for this change to take effect.

Check logs

To get detailed logging, edit the server document in cscancfg.nsf, change the logging level to verbose, and save the document. A restart is not required. Within 30 seconds a log message will confirm the new logging level.

You may also want to check the Log to file option in the server document. That way, virus scanning logging is contained in its own separate log file, which might make it easier to search for issues related to virus scanning. The log file is in the IBM_TECHNICAL_SUPPORT directory and has a name that includes the server name and a date/time stamp (example: cscan_Renovations_2022_08_31@12_36_59.log).

Here is an example of typical verbose logging for a message with two attachments and no viruses:
  • [48B0:0006-61EC] 09/08/2022 02:04:49 PM nmailscan: Job-1.1 assigned to worker 0
  • [48B0:0007-5058] 09/08/2022 02:04:49 PM nmailscan: Job-1.2 Attachment 0x159E - no virus detected.
  • [48B0:0007-5058] 09/08/2022 02:04:49 PM nmailscan: Job-1.3 Attachment 0x15A2 - no virus detected.
  • [48B0:0007-5058] 09/08/2022 02:04:49 PM nmailscan: Job-1.4 *No Viruses Detected* in Note 0x00001056.
  • [48B0:0006-61EC] 09/08/2022 02:04:50 PM nmailscan: Job-1.5 results 0 (No error)
Here is an example of typical verbose logging for a message with two attachments and one virus:
  • [48B0:0006-61EC] 09/08/2022 02:10:31 PM nmailscan: Job-9.1 assigned to worker 0
  • [48B0:0007-5058] 09/08/2022 02:10:31 PM nmailscan: Job-9.2 Attachment 0x15E6 - no virus detected.
  • [48B0:0007-5058] 09/08/2022 02:10:31 PM nmailscan: Job-9.3 Attachment 0x15EA - detected virus.
  • [48B0:0007-5058] 09/08/2022 02:10:31 PM nmailscan: Job-9.4 *1 virus Detected* in Note 0x00001072.
  • [48B0:0006-61EC] 09/08/2022 02:10:32 PM nmailscan: Job-9.5 results 0 (No error)

To assist in troubleshooting, each individual message processed contains a "job number", as shown in the above logging. This allows you to easily track the processing of a single message.

Look for error messages in the log (anything outside of the typical logging above) - the specific errors will help you diagnose the problem.
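
The job-number tracking and the "anything outside of the typical logging" check described above, as an added example (not HCL's code): it groups verbose nmailscan lines by job and flags infected attachments and lines that do not match the typical shapes shown on this page. The sample log is constructed, and the Job-10 error text is invented for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the verbose format shown above. The Job-10.2 text is
# invented (not real Domino output) to exercise the "unexpected line" path.
SAMPLE = """\
[48B0:0006-61EC] 09/08/2022 02:10:31 PM nmailscan: Job-9.1 assigned to worker 0
[48B0:0007-5058] 09/08/2022 02:10:31 PM nmailscan: Job-9.2 Attachment 0x15E6 - no virus detected.
[48B0:0007-5058] 09/08/2022 02:10:31 PM nmailscan: Job-9.3 Attachment 0x15EA - detected virus.
[48B0:0007-5058] 09/08/2022 02:10:31 PM nmailscan: Job-9.4 *1 virus Detected* in Note 0x00001072.
[48B0:0006-61EC] 09/08/2022 02:10:32 PM nmailscan: Job-9.5 results 0 (No error)
[48B0:0006-61EC] 09/08/2022 02:11:02 PM nmailscan: Job-10.1 assigned to worker 0
[48B0:0007-5058] 09/08/2022 02:11:03 PM nmailscan: Job-10.2 constructed example error text
"""

# Thread prefix, timestamp, then "Job-<job>.<step> <message>".
LINE = re.compile(r"^\[[0-9A-F:-]+\]\s+\S+ \S+ [AP]M\s+nmailscan: "
                  r"Job-(?P<job>\d+)\.(?P<step>\d+)\s+(?P<msg>.*)$")
# Message shapes that this page shows as typical verbose logging.
TYPICAL = [re.compile(p) for p in (
    r"assigned to worker \d+",
    r"Attachment 0x[0-9A-F]+ - (no virus detected|detected virus)\.",
    r"\*(No Viruses|\d+ virus\w*) Detected\* in Note 0x[0-9A-F]+\.",  # plural form assumed
    r"results 0 \(No error\)",
)]

def summarize(text):
    """Group verbose mailscan lines by job number and flag what needs attention."""
    jobs = defaultdict(lambda: {"infected": [], "unexpected": [], "done": False})
    for raw in text.splitlines():
        m = LINE.match(raw.strip().lstrip("• "))
        if not m:
            continue  # not a per-job mailscan line
        job, msg = jobs[int(m["job"])], m["msg"].strip()
        if not any(p.fullmatch(msg) for p in TYPICAL):
            job["unexpected"].append(msg)  # candidate error message to investigate
        att = re.match(r"Attachment (0x[0-9A-F]+) - detected virus\.", msg)
        if att:
            job["infected"].append(att.group(1))
        if msg.startswith("results "):
            job["done"] = True  # the job reported a final result line
    return dict(jobs)

if __name__ == "__main__":
    for num, info in sorted(summarize(SAMPLE).items()):
        print(f"Job-{num}: infected={info['infected']} "
              f"unexpected={info['unexpected']} results_seen={info['done']}")
```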

Check Domino statistics

There are numerous statistics under the category Mail.Cscan to help you verify whether virus scanning is running.

Feature Health:

These statistics provide basic health information.
  • [5F7C:000B-02E0] Mail.CScan.AV.Enabled = 1
  • [5F7C:000B-02E0] Mail.Cscan.MailScan.MailScanTask = Idle

This second statistic shows the same status you see in the mailscan output of the "show tasks" console command.

If the antivirus scanning is enabled and the mailscan task is not started you will see:
  • [4D54:000B-2754] Mail.CScan.AV.Enabled = 1
  • [4D54:000B-2754] Mail.Cscan.AV.LastVirusDefinitionSignature =
  • [4D54:000B-2754] Mail.Cscan.MailScan.MailScanTask = Warning: Scanning is enabled but MailScan task is NOT Running!
If the antivirus scanning is enabled and the mailscan task has been manually stopped you will see:
  • [5F7C:000B-02E0] Mail.Cscan.MailScan.MailScanTask = Stopped
Other statuses you may see are:
  • [5F7C:000B-02E0] Mail.Cscan.MailScan.MailScanTask = Connecting...
  • [5F7C:000B-02E0] Mail.Cscan.MailScan.MailScanTask = Scanning

"Connecting..." indicates mailscan is waiting to connect to the ICAP server at startup or after interrupted communications.

"Scanning" indicates mailscan is actively scanning.

ICAP Server Info

These statistics give a clear indication that Domino is in contact with the ICAP server:
  • [5F7C:000B-02E0] Mail.Cscan.AV.LastHealthCheck = 09/12/2022 15:56:22 EDT
  • [5F7C:000B-02E0] Mail.Cscan.AV.LastVirusDefinitionSignature = "TMWS,3.5605"
  • [5F7C:000B-02E0] Mail.Cscan.AV.LastVirusSignatureUpdate = 09/12/2022 15:52:34 EDT

The LastHealthCheck statistic indicates either the latest time a message was scanned or the latest health check time during idle periods.

Work Load

  • [5F7C:000B-02E0] Mail.CScan.Messages.Examined = 229
  • [5F7C:000B-02E0] Mail.CScan.Messages.SentToScanner = 116
  • [5F7C:000B-02E0] Mail.Cscan.Messages.InScannerQueue = 41
  • [5F7C:000B-02E0] Mail.Cscan.Messages.Scanned = 75
  • [5F7C:000B-02E0] Mail.Cscan.Messages.Scanned.Pct = 49
  • [5F7C:000B-02E0] Mail.Cscan.Scan.Result.Infected = 0
  • [5F7C:000B-02E0] Mail.Cscan.Scan.Result.Infected.Pct = 0
  • [5F7C:000B-02E0] Mail.Cscan.Scan.Result.VirusFree = 75
  • [5F7C:000B-02E0] Mail.Cscan.Scan.Result.VirusFree.Pct = 100
  • [5F7C:000B-02E0] Mail.CScan.Token.Rejected = 0
  • [5F7C:000B-02E0] Mail.CScan.Token.Self = 78

The Examined statistic shows how many messages were examined to see if they required virus scanning. SentToScanner is the actual number of messages that required a scan.

The statistic InScannerQueue indicates messages that are queued but have not yet been processed. Scanned is the number of messages that have been scanned. Those two statistics should add up to the SentToScanner value.

Several Result statistics show how many messages were infected or not infected, providing both counts and percentages.

The Token statistics relate to the $CScanToken item that is placed on messages that have been successfully scanned (see the "How Scanning Works" subsection of "Scanning message attachments for viruses"). Rejected counts messages where a token was present but did not pass verification, so the messages required a new scan. Self counts messages that were scanned by the current server and stamped with a token. TrustedServer counts messages where a token was present and passed verification.

Note that there is some latency in the statistics being updated since the statistics are refreshed periodically, thus the statistics might not perfectly balance out. Once all the outstanding messages have been processed, the statistics should balance out such that SentToScanner equals Scanned, which also equals the sum of Infected and VirusFree, as in the following example.

  • [5F7C:000B-02E0] Mail.CScan.Messages.SentToScanner = 116
  • [5F7C:000B-02E0] Mail.Cscan.Messages.Scanned = 116
  • [5F7C:000B-02E0] Mail.Cscan.Scan.Result.Infected = 0
  • [5F7C:000B-02E0] Mail.Cscan.Scan.Result.VirusFree = 116
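
The health and balance rules above, as an added example that is not part of the product documentation: it parses statistic lines in the format shown on this page, matches names case-insensitively because the page shows both Mail.CScan and Mail.Cscan, and reports a task that is not running or counters that do not add up. The sample input is constructed from the values quoted earlier on this page.

```python
import re

# Constructed input using the statistic lines and values quoted on this page,
# taken while 41 messages were still queued.
SAMPLE = """\
[5F7C:000B-02E0] Mail.CScan.AV.Enabled = 1
[5F7C:000B-02E0] Mail.Cscan.MailScan.MailScanTask = Idle
[5F7C:000B-02E0] Mail.CScan.Messages.SentToScanner = 116
[5F7C:000B-02E0] Mail.Cscan.Messages.InScannerQueue = 41
[5F7C:000B-02E0] Mail.Cscan.Messages.Scanned = 75
[5F7C:000B-02E0] Mail.Cscan.Scan.Result.Infected = 0
[5F7C:000B-02E0] Mail.Cscan.Scan.Result.VirusFree = 75
"""

STAT = re.compile(r"(Mail\.CScan\.[\w.]+)\s*=\s*(.*)$", re.IGNORECASE)

def parse_stats(text):
    """Return {lower-cased statistic name: value string}."""
    stats = {}
    for line in text.splitlines():
        m = STAT.search(line)
        if m:
            stats[m.group(1).lower()] = m.group(2).strip().strip('"')
    return stats

def check(stats):
    """Apply the task-status and balance rules described on this page."""
    def num(key):
        return int(stats.get("mail.cscan." + key) or 0)
    findings = []
    task = stats.get("mail.cscan.mailscan.mailscantask", "")
    if num("av.enabled") == 1 and task not in ("Idle", "Scanning"):
        findings.append(f"scanning enabled but mailscan task is: {task or 'missing'}")
    sent, queued, scanned = (num("messages.senttoscanner"),
                             num("messages.inscannerqueue"), num("messages.scanned"))
    if queued + scanned != sent:  # may be refresh latency; re-check before acting
        findings.append(f"InScannerQueue+Scanned={queued + scanned}, SentToScanner={sent}")
    verdicts = num("scan.result.infected") + num("scan.result.virusfree")
    if verdicts != scanned:
        findings.append(f"Infected+VirusFree={verdicts}, Scanned={scanned}")
    return findings

if __name__ == "__main__":
    print(check(parse_stats(SAMPLE)) or "statistics balance and mailscan is running")
```

Because the statistics are refreshed periodically, an imbalance reported once may only be latency; one that persists across several refreshes is the case worth investigating.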