I'm currently researching Lotus Notes Client 8.5.2 & 6.5.6 exclusions for VSE 8.5, 8.7 & 8.8 and can't find anything out on the web. I've been researching this with McAfee and IBM for over a month now. McAfee and Domino 8.5 Exclusions guide and issues. McAfee is a little behind on Domino 8 support. Domino server performance can take a hit. Here is some info and hotfix stuff to guide you. Caution: banned apple users 8.5.1 to 8.5.2 security policies and old Active Sync versions.
I'm in the process of trying to optimise some of the VSE settings across the board and am interested in anything you've found along the way. We have recently deployed Notes 8.5.2 and I am hoping to roll out VSE 8.8 (upgrading from 8.5) in the coming months with performance improvements in the policies. For the desktops so far my thoughts have been to add the nlnotes.exe & notes.exe processes to the low risk area and have OAS only on write and with the 'scan inside archives' option removed (for the excessive java). Not ideal, but am hoping to combat the decision by introducing ODS into the environment with more thorough settings. Also pondering the exclusion on the workstations of. Lotus Notes (read only) for the OAS. We don't have the add-in email scanner enabled / installed.
For the servers I have the exclusions configured for DAOS, Transaction Logging, .nsf & MSDW specific files.

Ok... whew... I finally scraped together a few spare minutes to update this thread. Let me first qualify these settings with a blanket statement about safety... whatever you decide to exclude, take extra care to ensure that you're covering (through some alternate form of compensating control). These particular settings work for my environment because of the unique nature of our Domino infrastructure and other countermeasures that we have deployed to mitigate the additional risk. I think that it goes without saying that this information should be tested in your environment prior to adopting it in any production scenarios. We're using MEG 6.7.2 (IronMail) devices at the network edge to scan all inbound and outbound email, GSDW7.5 is running on each Domino Server, and the Lotus Email Scanner is 'Disabled' within VSE on Servers and Workstations.
Here's what I'm using for Client-side (workstation) VSE Policy Exclusions:

| Exclusion | Include Subfolders? | Description |
| --- | --- | --- |
| NOTES | Yes | Lotus Notes Client Program & Data Directory installed in any path |
| C: Documents and Settings. Local Settings Application Data Lotus | Yes | WinXP Notes Working Directory on Client (may just be for 6.x legacy systems) |
| C: Documents and Settings. Local Settings Temp notes?????? | Yes | WinXP Notes Temp Directory on Client |
| C: Users. AppData Local Temp notes?????? | Yes | Win7 Notes Temp Directory on Client |
| Windows File Protection | N/A | Windows File Protection Files |
| File Type Exclusion: All files of type nsf | N/A | Notes Database Files |
| File Type Exclusion: All files of type nlo | N/A | DAOS files |

Here's what I'm using for Domino Server VSE Policy Exclusions:

| Exclusion | Include Subfolders? | Description |
| --- | --- | --- |
| bin Temp | Yes | MSDW Anti-Spam Add On |
| MSDWData | Yes | MSDW Anti-Spam Add On |
| Common Framework | Yes | ePO Agent System Folder |
| Temp mfe | Yes | MSDW Anti-Spam Add On |
| Domino Data | Yes | Domino Data Folder |
| NOTES. | Yes | Domino Temp Directory |
| Security for Lotus Domino | Yes | MSDW Program Directory |
| Windows File Protection | N/A | Files protected by Windows File Protection |
| File Type Exclusion: All files of type nsf | N/A | Notes Database Files |
| File Type Exclusion: All files of type nlo | N/A | DAOS files |

If anyone has any additional exclusions that they'd like to share, please post them.
This info came at the expense of many hours of research, trial and error. I hope it's useful for your environment.

ICHAPMAN wrote: (...) We've now lost patience with the Lotus Notes add-in and are about to remove it from our clients. I realise the correct answer would be to open a case with support and work through the issues with them, but I really don't have the time or patience at the moment to do that. (...)

Unfortunately we've come to a similar point. With servers, users, users who do or don't report (experience) problems using VSE with Notes at different sites, and problems reproducing or having remote access to PCs or logs. And adding that we're upgrading from VSE 8.7i to VSE 8.8 (no 'i' here?) Decision was made to drop the Notes scanner (and most mailscan) on Endpoints. We do realise that this is an unfortunate solution because we have had cases where infected mails (and/or attachments) were detected & blocked by client mail scanning on the endpoint. This is bound to happen when people use local mail storage and the malware is sufficiently new not to be detected right away.