<> Trend Micro Incorporated August 9, 2024 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Trend Micro(TM) ScanMail(TM) for Domino(TM) for Linux(TM) 5.8 Service Pack 1 GM Release - Build 1687 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ NOTICE: This Readme file was current as of the date above. However, all customers are advised to check Trend Micro's website for documentation updates. GM release documentation: http://docs.trendmicro.com Patch/SP release documentation: http://www.trendmicro.com/download TIP: Register online with Trend Micro within 30 days of installation to continue downloading new pattern files and product updates from the Trend Micro website. Register during installation or online at: https://clp.trendmicro.com/FullRegistration?T=TM Contents ===================================================================== 1. About ScanMail for Domino 2. What's New 2.1 Enhancements 2.2 Resolved Known Issues 3. Documentation Set 4. System Requirements 5. Installation 5.1 Using Trend Micro Control Manager to Manage ScanMail 6. Post-Installation Configuration 6.1 Register and Activate ScanMail 6.2 Start/Restart the Domino Server 6.3 Test Installation with EICAR 6.4 Update Components Manually 6.5 Scan Databases Manually 7. Known Issues 8. Release History 9. Contact Information 10. About Trend Micro 11. License Agreement ===================================================================== 1. About ScanMail for Domino (SMD) ======================================================================== Trend Micro ScanMail for Domino works in real time to prevent viruses, malicious code, and unwanted content from entering your Domino environment via email, replication, or infected documents. Malware scanning is performed in memory, which significantly increases the scanning speed. ScanMail offers flexible, scalable configuration and remote management through the Notes workspace, as well as Web access of ScanMail databases. ScanMail is fully compatible with Trend Micro Control Manager(TM), Trend Micro centralized management console that lets you consolidate antivirus and content security protection into a cohesive solution. 2. What's New ======================================================================== This patch addresses the following issues and/or includes the following enhancement(s): 2.1 Enhancements ==================================================================== 2.1.1 Support for Both 32-Bit and 64-Bit Platforms ================================================================ This version of ScanMail supports 32-bit Domino and Linux platforms, in addition to 64-bit Domino and Linux platforms. 2.1.2 Latest Platform Support ================================================================ This version of ScanMail supports the latest HCL(TM) Domino(TM) 11.0, 11.0.1, 12.0.1, 12.0.2, and 14.0. 2.1.3 Replacement of VSAPI/ATSE API with Advanced File Information (AFI) ================================================================ This version of ScanMail replaces the VSAPI/ATSE API (VSDecompress) with Advanced File Information (AFI) to resolve a potential vulnerability. 2.1.4 Deletion of Database Scan History ================================================================ This version of ScanMail enables the Delete Database Scan History feature. 2.1.5 Updated Protocol for Communicating with Trend Micro Control Manager ================================================================ This version of ScanMail changes the protocol for communicating with Trend Micro Control Manager from TLSv1 to the protocol specified by "SSL_Cipher_List" in "Agent.ini". 2.1.6 New True File Type Support ================================================================ This version of ScanMail adds support for the "VSDT_MSI" and "VSDT_LNK" true file types. 2.1.7 Enhanced dtSearch Module ================================================================ This version of ScanMail upgrades the dtSearch module to V7.2102.8730.1. 2.1.8 Enhanced Web Reputation Service (WRS) ================================================================ This version of ScanMail upgrades the TMUFE module to resolve the potential vulnerability of OpenSSL. 2.1.9 Enhanced Product Registration Module ================================================================ This version of ScanMail upgrades the Product Registration module to resolve the potential vulnerability of OpenSSL and curl. 2.1.10 Enhanced ActiveUpdate Module ================================================================ This version of ScanMail upgrades the ActiveUpdate module to resolve the potential vulnerability of OpenSSL. 2.1.11 Enhanced MCP AgentSDK Module ================================================================ This version of ScanMail upgrades the MCP AgentSDK module to resolve the potential vulnerability of OpenSSL and curl. 2.1.12 Enhanced TMASE Module ================================================================ This version of ScanMail upgrades the TMASE module to resolve the potential vulnerability of OpenSSL. 2.2 Resolved Known Issues ==================================================================== This version of ScanMail covers the following hot fixes and enhancements. seg-150834 SMD5.8 Win EN hfb1225 ISSUE1 Issue: After Advanced File Information (AFI) is applied, the Attachment Filter sometimes incorrectly detects the true file type of files extracted from compressed packages as "DOS COM". ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This hotfix resolves the issue. No case SMD5.8 Win EN hfb1225 Enhancement2 Enhancement: Updated the online help for this feature release and fixed outdated URLs. seg-125762 SMD5.8 Win EN hfb1225 Enhancement4 Enhancement: Enables users to configure the number of times that SMDreal tasks can check the license profile in the updated ScanMail configuration database. This allows SMDreal to retry when the first attempt to check the license profile fails. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Procedure: To configure the number of attempts allowed for SMDreal to check the license profile from the ScanMail configuration database: 1. Install this hotfix. 2. Log on to the Domino console and run the following command, replacing "retry_times" with a preferred number of attempts between 0 and 20: set conf SMD_CHECKCONF_RETRY=retry_times NOTES: If "SMD_CHECKCONF_RETRY" is set to a value below "0" or above "20", the number of attempts is set to "5" by default. If "SMD_CHECKCONF_RETRY" is not configured, the number of attempts is set to "0" by default. The retry interval is 1 minute. 3. Restart SMDreal. seg-124037 SMD5.8 Win EN hfb1138 ISSUE1 Issue: After SMD5.8 Patch 1 is applied and under certain conditions, the "X_ATT_NAMETRIGGERFILE" or "X_ATT_TYPETRIGGERFILE" header may remain in database documents. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This Hotfix enables ScanMail to remove "X_ATT_NAMETRIGGERFILE" and "X_ATT_TYPETRIGGERFILE" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Procedure: To enable ScanMail to remove "X_ATT_NAMETRIGGERFILE" and "X_ATT_TYPETRIGGERFILE" headers from database documents: Install this Hotfix (see "Installation"). Open "notes.ini" using a text editor. Add the following hidden key. SMDAttHeadRemove=1 Save the changes and close the file. Run a manual database scan specifying the target database in "ScanMail Configuration console > Actions > Manual scan > Databases to scan > Specify database" and clicking "Save > Scan Now". Check whether the "X_ATT_NAMETRIGGERFILE" and "X_ATT_TYPETRIGGERFILE" headers exist on the database. seg-112384 SMD5.8 Win EN hfb1097 Enhancement1 Enhancement: SMD5.8 Patch 1 replaces the VSAPI/ATSE API (VSDecompress) with AFI to resolve a potential vulnerability, however, this requires that the "Security Risk Scan" feature be enabled for the "Enable attachment filtering by file type" function to work. This Hotfix removes this limitation from the previous solution. seg-159612 SMD5.8 Lin EN hfb1230 ISSUE1 Issue: OpenSSL versions 3.0.0 through 3.0.6 are vulnerable to CVE-2022-3786 (Email Address Variable Length Buffer Overflow) and CVE-2022-3602 (Email Address 4-byte Buffer Overflow). Trend Micro TMUFE modules used OpenSSL with the vulnerabilities. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This hotfix updates the Trend Micro TMUFE modules to resolve this issue. seg-165018 SMD5.8 Lin EN hfb1240 ISSUE1 Issue: If the value of "NotesProgram" in the file notes.ini contains a symbolic link, ScanMail for Domino is unable to update the extension manager and loader. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This hotfix resolves this issue. seg-151947 SMD5.8 Win EN hfb1235 Enhancement2 Enhancement: Support adding groups to the Approved and Blocked Senders lists in anti-spam configuration. seg-166075 SMD5.8 Win EN hfb1238 ISSUE1 Issue: Data Loss Prevention and Content Filtering cannot work properly after the dtSearch module is upgraded to V7.2102.8730.1. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This hotfix resolves the issue. VRTSJiraCloud-11216 SMD5.8.1 Lin EN hfb1684 ISSUE1 Issue: A flaw was found in versions 7.69.0 to 8.3.0 of curl. This flaw causes a heap-based buffer overflow in the SOCKS5 proxy handshake. ScanMail for Domino uses curl versions containing this flaw. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This hotfix updates the MCP AgentSDK and Product Registration to curl 8.4.0 to resolve this issue. SEGJiraCloud-PCT-15665 SMD5.8.1 Lin EN hfb1684 ISSUE2 Issue: Customers defined a Notes group with an Internet address in the Notes client, and specified the Internet address as the target in "General" > "Senders" > "Exclude" > "Notes User/Group" in a mail scan rule. When mails were sent from the Internet address, the "Exclude" setting of the mail scan rule did not work for the mails. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This hotfix resolves the issue. VRTSJiraCloud-TMINTERNAL-539 SMD5.8.1 Lin EN hfb1684 ISSUE3 Issue: SMDreal may stop unexpectedly when the key "SMLD_DLP_ENABLE_INBOUND_SCAN=1" is specified in "notes.ini" and the DLP filter is enabled. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This hotfix resolves the issue. No case SMD5.8.1 Lin EN hfb1684 ISSUE4 Issue: There is a link error in the chapter "Accessing ScanMail Database" of the ScanMail Help Database (smhelp.nsf). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This hotfix updates the ScanMail Help Database (smhelp.nsf) to resolve the issue. SEGJiraCloud-PCT-25356 SMD5.8 Win EN no hotfix Issue: When forwarding a quarantined message from the ScanMail Quarantine database to specified recipients, not only the specified recipients but also the CC and BCC recipients of the original message can receive the forwarded message. However, the CC and BCC recipients of the original message should not receive the forwarded message. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This Service Pack resolves the issue to ensure that only the specified recipients of a quarantined message can receive the forwarded message. SEGJiraCloud-PCT-31190 SMD5.8.1 Win EN no hotfix Issue: Some functions under Administration in the ScanMail Configuration database cannot work on a 64-bit HCL Notes client, with a hint "This form is only supported on a WIN32-Platform". ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This Service Pack removes the limit to make the functions work. SEGJiraCloud-PCT-23850 SMD5.8.1 Win EN no hotfix Enhancement: Ensure the replica ID of ScanMail databases remains unchanged during the ScanMail upgrade installation. Add UserType "Server group" for LocalDomainServers in the ScanMail databases ACL. Add UserType "Person group" for LocalDomainAdmins in the ScanMail databases ACL. Add UserType "Server" for the current Domino server in the ScanMail databases ACL. SEGJiraCloud-TMINTERNAL-1022 SMD5.8.1 Win EN no hotfix Issue: After SMD5.8 Service Pack 1 (Build 1642) was released, no data is shown in the line "Product License Information" in the Apex Center console. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This Service Pack resolves the issue. SEGJiraCloud-PCT-33352 SMD5.8.1 Win EN no hotfix Issue: If multiple recipients are set to receive notifications under Configuration > Policies > Notifications > Administrator > Mail Recipients, and the 'Administrator(s)' notification option is selected under Scan Options > APT Prevention Filter for a policy rule, the administrator cannot receive notifications when the APT prevention filter detects a suspicious file. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This Service Pack resolves the issue. 3. Documentation Set ======================================================================== To download or view electronic versions of the documentation set for this product, go to http://docs.trendmicro.com In addition to this Readme file, the documentation set for this product includes the following: - Online Help: The Online Help contains an overview of features and key concepts, and information on configuring and maintaining ScanMail. To access the Online Help, go to http://docs.trendmicro.com - Administrator's Guide (AG): The Administrator's Guide contains an overview of features and key concepts, and information on configuring and maintaining ScanMail. - Support Portal: The Support Portal contains information on troubleshooting and resolving known issues. To access the Support Portal, go to https://success.trendmicro.com 4. System Requirements ======================================================================== ScanMail for Domino requires the following hardware and software specifications on the servers where it is installed: - IBM(TM) Domino(TM) 9.0, 9.0.1, 10.0, 10.0.1 - HCL(TM) Domino(TM) 11.0, 11.0.1, 12.0.1, 12.0.2, 14.0 - Novell SUSE Linux Enterprise Server (SLES) 10 - Novell SUSE Linux Enterprise Server (SLES) 11 - Novell SUSE Linux Enterprise Server (SLES) 12 - Novell SUSE Linux Enterprise Server (SLES) 15 - Red Hat Enterprise Linux (RHEL) 5 - Red Hat Enterprise Linux (RHEL) 6 - Red Hat Enterprise Linux (RHEL) 7 - Red Hat Enterprise Linux (RHEL) 8 - Red Hat Enterprise Linux (RHEL) 9 - Oracle Linux 7 64-bit - Oracle Linux 8 64-bit - Oracle Linux 9 64-bit - Intel Pentium(TM) 4 processor or higher - 512-MB of memory; 1-GB recommended - 1.5-GB minimum per partition; 500-MB for program files; 450-MB for the /tmp folder - Internet access (for components download) NOTE: ScanMail for Domino 5.8 Service Pack 1 supports 32-bit Domino and 32-bit Linux platforms, in addition to 64-bit Domino and 64-bit Linux platforms. 5. Installation ======================================================================== Refer to the Administrator's Guide for detailed installation information. 5.1 Using Trend Micro Control Manager to Manage ScanMail ===================================================================== To manage ScanMail from a Control Manager management console, you must be running any of the following releases on the Control Manager server: - Trend Micro Control Manager 5.5 with Service Pack 1 - Trend Micro Control Manager 6.0 - Trend Micro Control Manager 7.0 6. Post-Installation Configuration ======================================================================== After you have successfully installed ScanMail, Trend Micro recommends performing the following post-installation configuration steps. 6.1 Register and Activate ScanMail ===================================================================== NOTE: Skip this step if you have already activated ScanMail during installation. After you have successfully installed ScanMail, check the license status and expiration date on the Configuration Database by clicking "Administration > License Information". If the status is not activated or is expired, obtain an Activation Code and then perform the following: a. Open the ScanMail Configuration Database. b. Click "Administration > Product License". c. Create a license profile. d. Delete the old license profile. Refer to the "Registering and Activating ScanMail" topic in the "Administrator's Guide" or "Help Database" for details. 6.2 Start/Restart the Domino Server ===================================================================== Start/Restart the Domino server to load ScanMail real-time scan tasks. 6.3 Test Installation with EICAR ===================================================================== Trend Micro recommends testing ScanMail and confirming that it works by using the EICAR test file. To test the ScanMail installation with EICAR: a. Open an ASCII text file and copy the following 68-character string to it. X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* b. Save the file as "eicar_test.com" to a temp directory and then close it. c. Attach "eicar_test.com" to an email and send it to yourself or a test mailbox. d. Check the virus log in the ScanMail Log Database or notification sent to administrator (if Notification is set). 6.4 Update Components Manually ===================================================================== Use the Configuration Database to invoke on-demand antivirus and content security products update. To update components manually: a. Open the ScanMail Configuration Database. b. On the left-hand menu, click "Actions > Manual Update". c. On the working area, click "Edit". d. Select which component(s) to update. e. Set the update source. f. Configure proxy settings for component download. g. Define the update notification. h. Click "Update Now". i. Click "Save & Close" to save the on-demand component update settings. 6.5 Scan Databases Manually ===================================================================== Use the Configuration Database to invoke manual database scanning. To scan databases manually: a. Open the ScanMail Configuration Database. b. From the left menu, click "Actions > Manual Scan". c. From the working area, click "Edit". d. Click the "General" tab to enable incremental scanning and specify the number of minutes that corresponds to the duration of the scan. e. Click the Databases to scan tab to choose which database(s) to scan: All databases: ScanMail scans all databases stored on the Domino server. Scan selected databases only: ScanMail scans specific database(s) based on the directory and database list. Exclude selected databases from scanning: ScanMail skips scanning of specified database(s). Click "Add", "Remove", or "Remove All" to configure the database(s) in the list. f. Click the "Scan Options" tab to set the following scan options: - Security Risk Scan - Scan Restrictions - Script Filter g. Define the notification template. h. Click "Scan Now". i. Click "Save & Close". 7. Known Issues ======================================================================== There are no known issues for this release. 8. Release History ======================================================================== For more information about updates to this product, go to: http://www.trendmicro.com/download Previous releases include the following: - ScanMail for Domino 3.1, February 25, 2008 - ScanMail for Domino 3.1 Patch 1, March 31, 2011 - ScanMail for Domino 5.5, November 7, 2012 - ScanMail for Domino 5.5 Patch 1, May 14, 2013 - ScanMail for Domino 5.6, July 4, 2014 - ScanMail for Domino 5.6 Service Pack 1, April 30, 2015 - ScanMail for Domino 5.8, January 30, 2019 9. Contact Information ======================================================================== A license to Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, you must renew Maintenance on an annual basis at Trend Micro's then-current Maintenance fees. Contact Trend Micro via fax, phone, and email, or visit our website to download evaluation copies of Trend Micro products. https://www.trendmicro.com/en_us/contact.html NOTE: This information is subject to change without notice. 10. About Trend Micro ======================================================================== Smart, simple, security that fits As a global leader in IT security, Trend Micro develops innovative security solutions that make the world safe for businesses and consumers to exchange digital information. Copyright 2024, Trend Micro Incorporated. All rights reserved. Trend Micro, ScanMail, Control Manager, eManager, Data Loss Prevention, and the t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies. 11. License Agreement ======================================================================== View information about your license agreement with Trend Micro at: https://www.trendmicro.com/en_us/about/legal.html Third-party licensing agreements can be viewed: - By selecting the "About" option in the application user interface - By referring to the "Legal" page of the Administrator's Guide