A few of our sites are using Lotus Notes mail servers and clients.
In the past few days/weeks, users there have reported issues and even Lotus Notes crashes apparently due to VSE (no issue, no crash when VSE was disabled).
In general it seems VSE slows the Notes client way too much.
In particular, the Notes client apparently systematically crashes when one tries to open an e-mail sent through an iPhone !!
Could it be there's something peculiar in the iphonie's mail headers ? Could that disturb VSE to the point that the mail client freezes/hangs/crashes ?
Does anyone have specific info as to Exclusions (and/or High-Risk/Low-risk settings) one needs to set for
- Lotus notes clients
- the Lotus Notes server
Seems +100 people read this, but no reaction ?
Is it that noone's using Lotus Notes or what ?
I'll add description of users' problems:
I'm not suere even which logs to check and what to look for.
 specify: on workstation, we only run VSE 8.7i, on laptops we have VSE 8.7i + HIPS 7
I come from a large Domino organisation, and purposely disable Domino/Exchange scanning through Installation Designer before installing. Domino emails are scanned when they enter the Domino environment (via McAfee Security for Domino).
So why do you have it enabled? I'm not aware of any Domino related issue that VSE with Lotus scanner would detect that wouldn't be detected by ether the steps above or VSE on the client itself. I just see it as a huge overhead with lots of problems, without any real benefits.
I've had no dramas with VSE 8.5 or 8.7 (except for a weird bug in one of the VSE 8.7 patches caused by the patch not being able to handle VSE with no mail scanners - this was later corrected).
This is with Domino 6.5x clients and Domino 8.5x clients.
So there could be another cause at play, or maybe I just don't see the issues (if they were identified as a client problem rather than someone knowing it was McAfee, then it's unlikely to end up with me directly).
Thanks for your answer, I apologise for a long period of inactivity on the forum.
We have several layers of security. eMails may be scanned on the mailserver but I don't control that part.
(Not that long but mostly complicated story - I work for a govt agency, we do some centralised and most endpoint security but do not control all sites. We don't use Notes as a mailserver but some sites do and I don't control what they do on their mailserver...)
Disabling endpoint mailscan is a solution, one I'd rather avoid (have avoided - see below)
We do realise that this is an unfortunate solution because we have had cases where infected mails (and/or attachments) were detected & blocked by client mail scanning on the endpoint.
This is bound to happen when people use local mail storage and the malware is sufficiently new not to be detected right away.
Consider this situation :
I believe this is a rather common set-up.
So when an e-mail arrives it gets scanned on the proxy by AV-1 (T-0), then on the mailserver by AV-2 (T-1).
The user's mailclient gets the mail (using IMAP or POP) (T-2). Some mailclients leave the mail message on the server, some don't.
If the mail or attachment was infected by a sufficiently recent malware (0-day) it may pass detection at that time but be detected at a later time.
Thanks for your time.
SergeMessage was edited by: SergeM on 14/07/11 17:18:19 CEST
We've been running the Lotus Notes VSE scanning for a few years. Under the R6.5, with VSE 8.5i, following numerous VSE patches and hotfixes and working with support we finally got to a stable add-in.
Over time we updated to VSE 8.7i and still had a fairly happily relationship betwen Lotus Notes and VSE. However earlier this year we upgraded to Lotus Notes R8.5.x and then it all started to fall apart. For the majority of our users they are running the 'Basic' version of the R8.5.x client.
Lotus Notes client crashing, complaing of Shared Memory errors. Always step one when we have a Lotus Notes client crash is to disable the 3rd Party extensions - for the majority of our users this is exclusively the VSE add-on. All problems disappeared.
We've now lost patience with the Lotus Notes add-in and are about to remove it from our clients. I realise the correct answer would be to open a case with support and work through the issues with them, but I really don't have the time or patience at the moment to do that.
It's bad enough that both of our Mail servers crash just last week with what seems to be an issue with Security for Lotus Domino (that which we used to call Groupshield). At the moment the servers won't run when the McAfee add-in is enabled. The support request was logged last Wednesday, and yet I've still to receive any suggestions/fixes and it's now Tuesday.Message was edited by: ICHAPMAN on 21/09/10 04:43:13 CDT
Can anyone add any updated comments here? I'm currently researching Lotus Notes Client 8.5.2 & 6.5.6 exclusions for VSE 8.5, 8.7 & 8.8 and can't find anything out on the web.
I've been researching this with McAfee and IBM for over a month now.
I have a series of exclusions that I've been developing through trial & error, but it hasn't been fun or easy to say the least.
I'm in the middle of a migration from McAfee ePO 4.0, MA 4.0 & VSE 8.5 to ePO 4.6, MA 4.5 & VSE 8.8 (maybe even MA 4.6 if testing goes well)...
Supposedly, the 8.8 add-in email scanner for Lotus Notes works - however, we're using IronMail devices to scan inbound mail at the network edge and running McAfee Security for Lotus Domino 7.5 for Windows on the mail servers, so I'm inclined to believe that we've got mail covered before it hits our clients.
I'm leaning towards just disabling/removing/uninstalling the mail scanner add-in option during deployment of VSE 8.8 at the moment.
However, just removing the mail scanner doesn't help with preveinting Lotus Client slowness, hangs & crashes. The VSE On-Demand Scan also chokes on java .jar files and IBM's only 'undocumented' fix is to exclude everything in the Notes Data & Program directories (along with all of the entries in the user profiles for TEMP & working directories that Notes uses).
Then, there's the need to exclude file types *.nsf to prevent problems with notes db's in non-standard locations and *.nlo files if you're using something called DAOS (which is essentially IBM's version of transactional-logging to support data de-duplication).
I've also run into issues where we've got different versions of the client (Multi-User vs. Standard) - the folder paths vary slightly so the exclusions don't always work (nice...eh?)
Then, there's a different set of folder paths associated with different versions of the OS - XP vs. Win7 (we're using both but mostly XP).
If anyone else has any experience with taming Notes Clients in a similar environment (especially if you've got any exclusion examples) I'd love to see them! Bump this thread if you're also struggling and I'll share some of what I've figured out, as well.