The databases created during the installation of Symantec Mail Security are not signed during installation.

This document describes how to use a trusted ID to sign all the database design elements for all supported versions of Symantec Mail Security for Domino

Signing design elements with a trusted ID is integral to Lotus Notes workstation security.

Note: Before signing a database, choose which ID to sign it with. Read the document Best practices for Symantec products in the Lotus Domino environment - Installation for information on choosing an ID.

If you attempt to execute workstation commands in an unsigned Symantec Mail Security database, the Execution Security Alert dialog box appears. This dialog box presents the user with three options.

In Domino R5, the options are "Abort," "Execute Once," or "Trust Signer."

In Domino 6.x and higher, the options are "Do NOT execute the action," "Execute the action this one time," and "Start trusting the signer to execute this action."

If "Trust Signer" or "Start Trusting..." is selected with "-No Signature-" as the signer, it is a security risk. The "-No Signature-" account will gain elevated rights on your workstation. Furthermore, components of Symantec Mail Security that require a valid signature will not work properly as long as the databases remain unsigned.

Note: These instructions assume a high level of knowledge about Lotus Domino and the Domino Administrator client. If you are not familiar with either program, please consult your Lotus Domino documentation before installing Norton AntiVirus or Symantec AntiVirus.

Symantec recommends immediately signing all relevant Symantec Mail Security databases.
Use the following sections to sign databases for Symantec Mail Security using a trusted ID.
Please note that the account used to sign the databases should already appear on your workstation's Execution Control List (ECL).

To sign a Symantec Mail Security database

1. Open the Domino Administrator client.
2. Navigate to the Files tab, and then to the Sav folder.
3. Right-click Sav.nsf, and click Sign.
4. Verify that the correct ID is selected - "Active User’s ID" or "Active Server's ID," depending on which ID you prefer.
5. Verify that "All design documents" is selected.
6. Verify that "Update existing signatures only" is not selected.
7. Click OK.
8. Repeat steps 4-7 for the Savlog.nsf, Savquar.nsf, and, if applicable, the Savdefs.nsf.

Note: Any time a database is recreated for any reason, it will need to be re-signed.