Revisiting Domino ClamAV for databases on rest
Daniel Nashed – 24 March 2026 15:32:46
Domino 14.5.1 ships native ClamAV mail flow scan in addition to ICAP. The configuration is pretty straightforward, as blogged earlier.
What is still missing is a periodic/on-demand scan of NSF files.
I am revisiting my ClamAV integration at the request of two customers.
One doesn't have on rest scan yet. The other one is using a solution which will be discontinued soon.
Because I spent all that work already and now Domino also uses ClamAV, it's a good idea to look into it again.
Tag or quarantine messages?
The work I did was almost complete for a first round. What is still open is whether we really want to remove attachments, and what about quarantining messages.
For now I am just tagging mails and optionally moving them to a Virus folder.
Moving out attachments would be a pretty big step for a new feature.
For the mail flow it looks a bit different, because the mail was never delivered to a user.
I think for the first step moving to a Virus folder and central reporting would be good?
Logging
Now that Domino comes with a nice cscanlog.nsf, I am just reusing what is already available.
I looked at all the fields and provide the same admin experience for the ClamAV on rest scan implementation.
It would be a separate database. Maybe even a separate one per scan.
Looking for the next steps
The solution already supports incremental scans and scans for separate directories.
There is no exclude or wild-card search. But that would be easy to add. Probably better with wildcard support than using lists?
I think the first step could be wild-card support, using Unix standard regex.
But eventually I want to also support Domino pattern matching?
What do you think? I could offer both. But Unix pattern matching is the more standard approach.
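An added sketch of how exclude rules could sit in front of an incremental at-rest scan; it is not code from this post or from the ClamAV integration it describes. The `glob:`/`re:` rule prefixes, the function names and the sample paths are assumptions made for the example, and Domino matches syntax is not covered.

```python
import fnmatch
import re

def compile_rule(rule):
    """Hypothetical rule syntax for this example: 'glob:<pat>' or 're:<pat>'."""
    kind, sep, pattern = rule.partition(":")
    if not sep or not pattern:
        raise ValueError(f"malformed rule {rule!r}")
    if kind == "glob":
        # Shell-style wildcard; translate() returns an anchored regex.
        # Note: with fnmatch, '*' also matches across '/' separators.
        pattern = fnmatch.translate(pattern)
    elif kind != "re":
        raise ValueError(f"unknown rule type in {rule!r}")
    return re.compile(pattern, re.IGNORECASE)

def normalize(path):
    """Paths are relative to the data directory; unify Windows/Linux separators."""
    return path.replace("\\", "/").lstrip("/")

def plan_scan(databases, exclude_rules, last_scan=0):
    """databases: {path: last-modified epoch}. Returns (to_scan, skipped).

    skipped maps each path to the reason, so every file that was NOT
    scanned can be reported and reviewed.
    """
    compiled = [(rule, compile_rule(rule)) for rule in exclude_rules]
    to_scan, skipped = [], {}
    for raw, modified in sorted(databases.items()):
        path = normalize(raw)
        # fullmatch: a rule must describe the whole path, so an unanchored
        # 're:mail' cannot silently exclude everything containing "mail".
        rule = next((r for r, rx in compiled if rx.fullmatch(path)), None)
        if rule is not None:
            skipped[path] = f"excluded by {rule}"
        elif modified <= last_scan:
            skipped[path] = "unchanged since last scan"
        else:
            to_scan.append(path)
    return to_scan, skipped

# Constructed sample data, not taken from a real server.
SAMPLE = {
    "mail\\jdoe.nsf": 1700000500,
    "Mail/Archive/a_jdoe.NSF": 1700000600,
    "webmail/portal.nsf": 1700000700,
    "names.nsf": 1699999000,
}
RULES = ["glob:mail/archive/*", "re:mail"]

if __name__ == "__main__":
    print(plan_scan(SAMPLE, RULES, last_scan=1700000000))
```

Whichever syntax is offered, an exclude rule in a virus scanner is a coverage gap by design, so the skipped map with its reasons belongs in the scan log next to the findings.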
- Comments [1]
1 Christian Henseler 25.03.2026 7:48:34 Revisiting Domino ClamAV for databases on rest
Hello Daniel,
I think in a productive environment, potentially infected attachments should not be delivered to end users.
In my experience, users are ignoring any warnings and will open attachments.
But you've already written "the mail was never delivered to a user".
Other AV products would replace an infected attachment with a warning attachment and would deliver the disinfected mail to the user.
It might be a good idea to use the same pattern matching/regex as DBMT does use in/since 14.5.1
Best Regards
Christian
2 Daniel Nashed 25.03.2026 16:28:26 Revisiting Domino ClamAV for databases on rest
Hi Christian,
the HCL built-in functionality in CScan is for mail-flow scan and offers multiple options what to do with a message.
This includes cleaning the message and delivering it.
My use case is scanning messages in mailfiles and applications.
The main question here is if we want to delete messages or at least quarantine messages before that.
But those documents would not always be messages, and in a problem situation eventually false positive mails get quarantined or cleaned.
My first step is to move messages to a Virus folder and report the message. I am not saying in a future iteration I would want to allow deleting messages or cleaning them.
Cleaning a message isn't simple. Domino CScan replaces the attachment inline to not break the message structure. I will need to check if there is a public API that can do that.
The expressions HCL is using for DBMT and design task are actually not regex but Domino pattern matching. Which is the matches function in Notes.
There is no C-API for it. But I could use the same approach Domino backup uses (which was built using the public C-API initially).
Still I would not call that -regex. It would be matches syntax and I would add that option.
The industry is using regex for something different. I compared the two syntax options and there are quite some differences.
Only because Domino is doing something in a certain way, that does not mean it is the only right way. I can offer both.
And yes, for admins probably the matches syntax is easier. But not as flexible as regex.
-- Daniel