How does Symantec Endpoint Protection (SEP) 12.1 Notes Scanner work?


Article ID: 158230

Products

Endpoint Protection

Issue/Introduction

You are planning to deploy SEP in your infrastructure or preparing to roll out SEP 12.1, and you want to know more about the SEP plugin for Notes.

Cause

N/A

Resolution

1) What does the plug-in do, and how does it interact/work with the Notes client?

The Symantec plugin is a file (NLNVP.DLL) hooked into nlnotes.exe via the Notes Extension Manager (the ExtMgr_Addins parameter in Notes.ini - http://www-12.lotus.com/ldd/doc/domino_notes/7.0/help7_admin.nsf/f4b82fbb75e942a6852566ac0037f284/d355f32262de01428525706f0065ffb3?OpenDocument; this was previously NSF_HOOKS for legacy Notes versions).

Through nlnotes.exe, the Notes plugin checks the attachments of incoming email for threats.
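To confirm on a client whether the plugin is actually registered with the Extension Manager, the Notes.ini can be inspected for the two parameters named above. The following is an added example, not Symantec's own tooling; it assumes the parameter value is a comma-separated list of add-in names, that keys are matched case-insensitively, and that an entry may carry a path or a .DLL extension. The sample files are constructed.

```python
import ntpath

PLUGIN = "nlnvp"  # NLNVP.DLL, the plugin file named in the article
HOOK_KEYS = ("extmgr_addins", "nsf_hooks")  # current and legacy parameters

# Constructed sample Notes.ini contents (not taken from a real client).
SAMPLE_REGISTERED = "[Notes]\nKitType=1\nEXTMGR_ADDINS=otheraddin,NLNVP.DLL\n"
SAMPLE_LEGACY = "[Notes]\nNSF_HOOKS=nlnvp\n"
SAMPLE_MISSING = "[Notes]\nEXTMGR_ADDINS=otheraddin\n"


def parse_notes_ini(text):
    """Return {lowercased key: value} for the Key=Value lines of a Notes.ini."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, the [Notes] header and anything without '='.
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def module_name(entry):
    """Normalise one add-in entry: drop any path and a trailing .dll (assumed forms)."""
    name = ntpath.basename(entry.strip()).lower()
    return name[:-4] if name.endswith(".dll") else name


def find_sep_plugin(text):
    """Return the hook parameters (lowercased) whose add-in list names NLNVP."""
    settings = parse_notes_ini(text)
    hits = []
    for key in HOOK_KEYS:
        entries = [e for e in settings.get(key, "").split(",") if e.strip()]
        if PLUGIN in (module_name(e) for e in entries):
            hits.append(key)
    return hits


if __name__ == "__main__":
    for label, ini in (("registered", SAMPLE_REGISTERED),
                       ("legacy", SAMPLE_LEGACY),
                       ("missing", SAMPLE_MISSING)):
        print(label, find_sep_plugin(ini) or "plugin not hooked")
```

An empty result means the Notes client is not loading the plugin, so attachments are only covered by standard Auto-Protect when they are opened or written to disk.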

 

2) Email scanning mechanism

 - When a mail is received with an attachment, the Notes Auto-Protect scan is executed by the plugin

 - When a mail is being sent with an attachment, the mail is not scanned by the Notes Auto-Protect plugin

 - When an attachment in an NSF/PST is opened, the standard Auto-Protect feature of SEP would scan as usual

 - Mail that is already present in the inbox will not be scanned (unless the user accesses an attachment)

The Notes plugin performs an individual, signature-only scan when an attachment is detected in an email. This all happens before the user clicks to open the attachment (except for archives - http://www.symantec.com/docs/TECH106080). Then, when the user attempts to open the attachment, another scan is conducted by the standard Auto-Protect feature, which is not just signature-based but reputation-based as well.

 

3) What does it scan exactly?

The Notes plugin analyzes only the attachments of incoming email.

The subject and body content of the email are not checked, so a malicious URL in the email body would not be detected by the Notes plugin (this kind of check is instead performed by anti-spam solutions, like Symantec Messaging Gateway). However, if a user clicks on an email link to a malicious web site that tries to download a threat, Download Insight would be triggered.

 

4) What is the purpose of this plugin?

The Lotus Notes scanner and Outlook add-in were designed for small to medium-sized companies that do not have a centralized mail server with dedicated protection.

If you are using Domino Server and it is protected by an appropriate solution (e.g. Symantec Mail Security for Domino), the plugin on the client side becomes redundant and is therefore not required.

Indeed, if a threat were to pass through the mail chain, it would be detected at the Domino level. Moreover, even if it did for any reason finally reach the client, the file would be scanned by the standard Auto-Protect feature in SEP once it was opened or written to the disk.

 

5) What are the tool's benefits compared to the standard Auto-Protect security module?

The Notes plugin is used specifically for threat analysis at the Notes level (i.e. incoming emails in the Notes client), whereas SEP Auto-Protect works at the system level (i.e. when files are written to the disk or executed).

SEP cannot read NSF/PST files on its own. Because they are proprietary formats, it needs the mail application to read the NSF/PST first; the plugin then allows Auto-Protect to scan the contents.

 

NOTE – If you have no protection on your mail server, you can test the Notes plugin using EICAR as an attachment (http://www.eicar.org/85-0-Download.html); otherwise it would be detected at the mail server level.

 


Applies To

 SEP 12.1.