Supported Trend Micro Products/Versions
The following section lists all Trend Micro products/versions that are considered current and are fully supported by Trend Micro, along with milestone dates (End-of-Sale and End-of-Life) that have been formally announced. Please refer to Trend Micro's latest End-of-Life Policy for more information on milestone definitions and standard timelines. You can also view the products/versions that have reached End-of-Life in the past 12 months here.
Compatibility list for ScanMail for Domino (SMD)
This article provides detailed information on SMD support for the latest Domino release.
Features of the new and improved Trend Micro Business Support Portal
Learn all about the major systems that you can use in the redesigned Trend Micro Business Support Portal.
Deleting replication or save conflicts from the Trend ScanMail™ for IBM Domino (SMID) configuration database
During SMID product setup, the administrator specifies which SMID databases are to be replicated among the different ScanMail servers. Usually the SMID configuration database (smconf.nsf) is selected because it contains the server settings and policies; replicating it lets the administrator propagate those settings to the other Domino servers.
Updating the Trend Micro™ ScanMail™ for IBM Domino (SMID) license
Follow this procedure to update the SMID license after renewing it.
Resolving Windows Permissions Settings Causing ScanMail for Domino (SMD) to Fail at Start
After a fresh installation of SMD on a Windows platform, the smdreal component may fail to load. This issue occurs mostly on Windows Server 2022.
Emerging threat on ROVNIX
ROVNIX is a Trojan that usually arrives as an attachment to spam mail. The spam mail uses social engineering to trick the user into opening and executing the attachment. The attachment is a ZIP archive with the malware file inside. The malware file uses at least two extension names: one acting as a decoy, and the other being the actual .exe extension. Once the user clicks the attachment in Outlook, a copy is created in a randomly named subdirectory of the Temporary Internet Files folder. The created file remains in that subdirectory even after outlook.exe exits. For further information on the TROJ_ROVNIX variants that Trend Micro already detects, click here.

Antispam Pattern
LAYER | DETAILS | PATTERN VERSION | RELEASE DATE
EXPOSURE | Spam mails | AS1060 | 7/6/2015

VSAPI Pattern (Malicious File Detection)
LAYER | DETECTION | PATTERN BRANCH | RELEASE DATE
INFECTION | TROJ_ROVNIX.SMW | ENT 10.842.05 | 6/5/2014
INFECTION | TROJ_ROVNIX.SMD | ENT 10.992.06 | 8/18/2014
INFECTION | TROJ_ROVNIX.SME | ENT 10.995.00 | 8/19/2014
INFECTION | TROJ_ROVNIX.SM1 | ENT 11.181.00 | 9/29/2014
INFECTION | TROJ_HPROVNIX.SMA | ENT 12.177.00 | 11/27/2015

WRS Pattern (Malicious URL and Classification)
LAYER | DETECTION | CLASSIFICATION | RELEASE DATE
CLEAN-UP | romnsiebabanahujtr2{blocked}.org | C&C | 1/5/2016
CLEAN-UP | itnhi4vg6cktylw2{blocked}.onion | C&C | 1/5/2016
CLEAN-UP | romnsiebabanahujtr{blocked}.org | C&C | 1/5/2016
CLEAN-UP | romnsiebabanahujtr3{blocked}.org | C&C | 1/5/2016
CLEAN-UP | wujadrin{blocked}.com | C&C | 1/8/2016
CLEAN-UP | toykounn{blocked}.com | C&C | 1/8/2016
CLEAN-UP | lastooooomene2ie2e{blocked}.com | C&C | 1/8/2016
CLEAN-UP | upmisterfliremsnk{blocked}.net | C&C | 1/8/2016
CLEAN-UP | tornishineynarkkek2{blocked}.org | C&C | 1/8/2016

AEGIS Pattern (Behavior Monitoring Pattern)
LAYER | DETECTION | PATTERN VERSION | RELEASE DATE
DYNAMIC | 4158T (terminate) | OPR 1533 | 04/12/2016
DYNAMIC | 4158F (feedback) | OPR 1527 | 03/29/2016
DYNAMIC | 1910T (terminate) | OPR 1521 | 03/08/2016
DYNAMIC | 1910F (feedback) | OPR 1517 | 02/23/2016
DYNAMIC | 4157T (terminate) | OPR 1527 | 03/29/2016
DYNAMIC | 4157F (feedback) | OPR 1523 | 03/15/2016

DCT Pattern (System Clean Pattern)
LAYER | DETECTION | PATTERN VERSION | RELEASE DATE
CLEAN-UP | TSC_GENCLEAN | [existing] | [existing]

Network Pattern
LAYER | DETECTION | PATTERN VERSION | RELEASE DATE
CLEAN-UP | HTTP_ROVNIX_REQUEST-4 | RR 1.10143.00 | 01/29/2016
CLEAN-UP | HTTP_ROVNIX_REQUEST-5 | RR 1.10143.00 | 01/29/2016

Make sure to always use the latest pattern available to detect the old and new variants of TROJ_ROVNIX.
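The double-extension lure described above can be caught at the mail gateway before a user ever sees the ZIP. The following script is an added example, not Trend Micro code: it opens an attachment archive, flags members whose real (last) extension is executable while a document-looking extension precedes it, and separately flags any member whose content starts with the PE "MZ" header regardless of its name. The archive it scans is constructed in memory, and the extension lists are illustrative assumptions rather than a Trend Micro pattern.

```python
"""Flag ZIP attachments that hide an executable behind a decoy extension
(e.g. Invoice.pdf.exe), the lure used by ROVNIX spam.

Added example, not Trend Micro code. The archive is constructed in memory
so the script runs offline; extension lists are assumptions for illustration."""
import io
import zipfile
from typing import List, Optional, Tuple

# Suffixes Windows runs directly: the LAST suffix decides how a file opens,
# no matter how many document-looking suffixes precede it.
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                 ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".cpl"}
# Suffixes typically used as the decoy so the name looks like a document.
DECOY_SUFFIXES = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf",
                  ".jpg", ".jpeg", ".png", ".gif", ".txt", ".htm", ".html"}


def classify_name(filename: str) -> Optional[str]:
    """Return a reason if the member name looks like a disguised executable, else None."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Strip whitespace padding used to push the real suffix out of view in
    # narrow file dialogs ("Invoice.pdf                 .exe").
    parts = [p.strip().lower() for p in base.split(".")]
    if len(parts) < 2:
        return None
    last = "." + parts[-1]
    if last not in EXEC_SUFFIXES:
        return None
    if len(parts) >= 3 and "." + parts[-2] in DECOY_SUFFIXES:
        return f"decoy extension .{parts[-2]} in front of executable {last}"
    return f"executable attachment ({last})"


def scan_zip(data: bytes) -> List[Tuple[str, str]]:
    """Scan every member by name and by content (MZ header = PE file)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_name(info.filename)
            with zf.open(info) as fh:
                magic = fh.read(2)
            # A PE renamed to .jpg is still a PE; catch it by content.
            if reason is None and magic == b"MZ":
                reason = "PE executable (MZ header) despite non-executable name"
            if reason is not None:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: one lure, one renamed PE, two benign files."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60   # only the DOS header magic matters here
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2015.pdf.exe", fake_pe)
        zf.writestr("holiday.jpg", fake_pe)
        zf.writestr("readme.txt", b"Please see the attached invoice.")
        zf.writestr("notes.pdf", b"%PDF-1.4 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in scan_zip(build_sample_zip()):
        print(f"SUSPICIOUS {name}: {why}")
```

Checking the member's first bytes matters because the name-based rule is trivially bypassed by a plain rename; conversely a `.exe` member with non-PE content is still flagged by name, since a script host extension such as `.vbs` or `.js` needs no MZ header to run.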
Emerging Threat on RANSOM_LOCKY / ZEPTO
Ransom_LOCKY usually arrives via socially engineered spam mail that tricks users into clicking the attachment. No exploit is used in the spam; the user has to open the attachment to start the infection chain. The attachment has been observed to be a DOC file containing macro code that drops a BAT file when executed. The BAT file in turn drops a VBS file, which downloads the ransomware. The ransomware deletes shadow copies by running vssadmin.exe and adds a Run key entry so that it executes at every system start-up; the Run key entry lets the ransomware continue encrypting files even if it was interrupted during a previous execution. The dropped copy, once executed, attempts to retrieve a unique ID, public key and ransom note from the registry. If it fails to retrieve this information from the registry, it contacts its C&C server to obtain it and saves it to the registry. The public key is used for its RSA encryption. ZEPTO shares technical similarities with LOCKY, from the spam email-based distribution method to the use of RSA keys to lock certain file types. Since LOCKY's discovery in February 2016 it has continued to evolve and successfully target both individuals and businesses, and it has been used in a number of high-profile ransomware attacks on healthcare facilities. After the binary is downloaded and executed, local files are encrypted and the malware displays a message demanding payment in Bitcoin. The victim receives instructions in an .HTML file dropped by the malware, in an image file, and through a changed desktop wallpaper. ZEPTO appears to be gaining traction because of its efficient attack vector, a widespread spam campaign, whereas most ransomware is delivered via other vectors.
Antispam Pattern
LAYER | DETAIL | PATTERN VERSION | RELEASE DATE
DYNAMIC | Spam mail with attached document | AS 2146 | 2/21/2016

VSAPI Pattern (Malicious File Detection)
LAYER | DETECTION | PATTERN VERSION | RELEASE DATE
INFECTION | HB_LOCKYJ | ENT 12.393.00 | 3/9/2016
INFECTION | HB_LOCKYM | ENT 12.407.00 | 3/15/2016
INFECTION | Ransom_LOCKY.SM | ENT 12.359.00 | 02/24/16
INFECTION | Ransom_LOCKY.SM0 | ENT 12.359.00 | 2/24/2016
INFECTION | Ransom_LOCKY.SM1 | ENT 12.361.00 | 02/25/16
INFECTION | Ransom_LOCKY.SM2 | ENT 12.361.00 | 02/25/16
INFECTION | W2KM_LOCKY.A | ENT 12.349.00 | 02/17/16
INFECTION | X2KM_LOCKY.A | ENT 12.351.00 | 02/18/16
INFECTION | JS_LOCKY.A | ENT 12.353.00 | 02/18/16
INFECTION | RANSOM_LOCKY.DLDSW | ENT 12.637.00 | 7/8/2016

WRS Pattern (Malicious URL and Classification)
LAYER | URL | CATEGORY | BLOCKING DATE
INFECTION | ecoledecorroy{blocked}.be/1/1.exe | Virus Accomplice | 2/19/2016
INFECTION | ratgeber-beziehung{blocked}.de/5/5.exe | Virus Accomplice | 2/19/2016
INFECTION | luigicalabrese{blocked}.it/7/7.exe | Virus Accomplice | 2/19/2016
INFECTION | animar{blocked}.net.pl/3/3.exe | Virus Accomplice | 2/19/2016
CLEAN-UP | sso{blocked}.anbtr.com/domain/kqlxtqptsmys.in | Ransomware | 2/20/2016
CLEAN-UP | xsso{blocked}.kqlxtqptsmys.in/c43344d5351f579349b5f90e1a038859 | Ransomware | 2/20/2016
CLEAN-UP | pvwinlrmwvccuo{blocked}.eu/main.php | Ransomware | 2/19/2016
CLEAN-UP | wblejsfob{blocked}.pw | Ransomware | 2/20/2016
CLEAN-UP | kqlxtqptsmys{blocked}.in | Ransomware | 2/20/2016
CLEAN-UP | xsso{blocked}.kqlxtqptsmys.in | Ransomware | 2/20/2016
CLEAN-UP | cgavqeodnop{blocked}.it | Ransomware | 2/20/2016
CLEAN-UP | pvwinlrmwvccuo{blocked}.eu | Ransomware | 2/20/2016
CLEAN-UP | kvm17915{blocked}.hv9.ru | Ransomware | 2/20/2016
CLEAN-UP | kqlxtqptsmys{blocked}.in/main.php | Ransomware | 2/20/2016
CLEAN-UP | mondero{blocked}.ru/system/logs/56y4g45gh45h | Disease Vector | 2/19/2016
CLEAN-UP | pvwinlrmwvccuo{blocked}.eu/main.php | Ransomware | 2/20/2016
CLEAN-UP | tcpos.com{blocked}.vn/system/logs/56y4g45gh45h | Ransomware | 2/20/2016
CLEAN-UP | www{blocked}.bag-online.com/system/logs/56y4g45gh45h | Ransomware | 2/20/2016
CLEAN-UP | 31{blocked}.41.47.37/main.php | Ransomware | 2/20/2016
CLEAN-UP | 188{blocked}.138.88.184/main.php | Ransomware | 2/20/2016
CLEAN-UP | 95{blocked}181.171.58 | C&C server | 2/19/2016
CLEAN-UP | 185{blocked}.14.30.97 | C&C server | 2/27/2016
CLEAN-UP | 109{blocked}.234.38.35 | Disease Vector | 2/19/2016

AEGIS Pattern (Behavior Monitoring Pattern)
LAYER | DETECTION | PATTERN VERSION | RELEASE DATE
DYNAMIC | 1981T | TMTD 1526 | 3/23/2016
DYNAMIC | 1981F | TMTD 1529 | 4/5/2016
DYNAMIC | 1980T | TMTD 1526 | 3/23/2016
DYNAMIC | 1980F | TMTD 1529 | 4/5/2016
DYNAMIC | 1856T | OPR 1483 | 10/6/2015
DYNAMIC | RAN2013T | OPR 1565 | 7/21/2016
DYNAMIC | RAN4705T | OPR 1581 | 9/1/2016

DCT Pattern (System Clean Pattern)
LAYER | DETECTION | PATTERN VERSION | RELEASE DATE
CLEANUP | TSC_GENCLEAN | Latest DCT OPR | BUILT-IN

Network Pattern
LAYER | DETECTION | PATTERN VERSION | RELEASE DATE
CLEANUP | HTTP_RANSOM_LOCKY_REQUEST | RR 1.10151.00 | 3/15/2016

Make sure to always use the latest pattern available to detect the old and new variants of Ransom_LOCKY / ZEPTO.
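The infection chain described above (Office macro launching a shell, vssadmin wiping shadow copies, a Run key pointing at a dropped file) is visible in ordinary process-creation and registry telemetry. The script below is an added example, not Trend Micro code and not one of the AEGIS behaviour-monitoring rules listed in the table: it runs three host-based rules over a constructed, Sysmon-style JSON log and correlates the hits per host so that shadow-copy deletion plus Run-key persistence on the same machine raises one high-confidence alert. Host names, paths and the log lines themselves are constructed for illustration.

```python
"""Detection logic for the LOCKY behaviours described above, run over a
constructed Sysmon-style JSON log: an Office process spawning a command
shell or script host, vssadmin deleting shadow copies, and a Run-key
value pointing at a dropped file. Added example, not Trend Micro code;
the log lines, paths and host names are constructed."""
import json
import re
from collections import defaultdict
from typing import List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
DROP_DIRS = re.compile(r"\\(appdata\\local\\temp|appdata\\roaming|temp)\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(ev: dict) -> List[str]:
    """Return the names of every rule a single event triggers."""
    hits = []
    if ev.get("EventType") == "ProcessCreate":
        image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        # Macro -> BAT -> VBS chain: a document viewer has no business launching a shell.
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            hits.append("office_spawns_script_host")
        # "vssadmin delete shadows" removes the victim's local restore points;
        # "vssadmin list shadows" from backup tooling is deliberately not matched.
        if image == "vssadmin.exe" and re.search(r"\bdelete\s+shadows\b", cmd, re.I):
            hits.append("shadow_copy_deletion")
    elif ev.get("EventType") == "RegistryValueSet":
        target, value = ev.get("TargetObject", ""), ev.get("Details", "")
        # Persistence via a Run key whose payload lives in a user-writable drop directory.
        if RUN_KEY.search(target) and DROP_DIRS.search(value):
            hits.append("run_key_points_to_drop_dir")
    return hits


def detect(log_lines: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Evaluate every line, then correlate per host: shadow-copy deletion and
    Run-key persistence together mark the host as a likely ransomware victim."""
    alerts, per_host = [], defaultdict(set)
    for line in log_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule in match_rules(ev):
            alerts.append((ev["UtcTime"], rule))
            per_host[ev["Computer"]].add(rule)
    chained = [h for h, rules in per_host.items()
               if {"shadow_copy_deletion", "run_key_points_to_drop_dir"} <= rules]
    return alerts, chained


# Constructed sample log (Sysmon-like fields, one JSON object per line).
SAMPLE_LOG = r'''
{"UtcTime": "2016-02-20 09:14:02", "Computer": "WS01", "EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE", "CommandLine": "cmd.exe /c C:\\Users\\bob\\AppData\\Local\\Temp\\dr.bat"}
{"UtcTime": "2016-02-20 09:14:03", "Computer": "WS01", "EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wscript.exe C:\\Users\\bob\\AppData\\Local\\Temp\\ldr.vbs"}
{"UtcTime": "2016-02-20 09:14:20", "Computer": "WS01", "EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\vssadmin.exe", "ParentImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\a3f9.exe", "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"}
{"UtcTime": "2016-02-20 09:14:21", "Computer": "WS01", "EventType": "RegistryValueSet", "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\bob\\AppData\\Local\\Temp\\a3f9.exe"}
{"UtcTime": "2016-02-20 09:30:00", "Computer": "WS02", "EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\vssadmin.exe", "ParentImage": "C:\\Program Files\\BackupAgent\\agent.exe", "CommandLine": "vssadmin.exe List Shadows"}
{"UtcTime": "2016-02-20 09:31:00", "Computer": "WS02", "EventType": "ProcessCreate", "Image": "C:\\Windows\\explorer.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe", "CommandLine": "explorer.exe"}
'''

if __name__ == "__main__":
    alerts, chained = detect(SAMPLE_LOG)
    for when, rule in alerts:
        print(f"{when}  {rule}")
    print("hosts with correlated ransomware chain:", chained)
```

The `vssadmin` rule matches only the `delete shadows` verb so that legitimate backup agents enumerating shadow copies on WS02 stay quiet, and the Run-key rule requires the payload path to be in a user-writable drop directory, which is what distinguishes the ransomware's persistence from a normal installer writing to the same key.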
Emerging Threat on TSPY_BEBLOH
BEBLOH is spyware that monitors the machine, steals sensitive information and sends the gathered data to a remote server. It arrives on a system as a file dropped by other malware or as a file unknowingly downloaded by users visiting malicious sites. It executes the files it downloads, so the malicious routines of those files are also exhibited on the affected system. It also gathers information and reports it to its servers.

Antispam Pattern
LAYER | DETECTION | PATTERN VERSION | RELEASE DATE
EXPOSURE | All related email samples | AS1282 | 1/25/2015

VSAPI Pattern (Malicious File Detection)
LAYER | DETECTION | PATTERN VERSION | RELEASE DATE
INFECTION | TSPY_BEBLOH.SMM | OPR 12.409 | 3/17/2016
INFECTION | TSPY_BEBLOH.SMM1 | OPR 12.407 | 3/16/2016
INFECTION | TSPY_BEBLOH.SMM2 | OPR 12.407 | 3/16/2016
INFECTION | Mal_BEBLOH-1 | OPR 12.547 | 05/24/16
INFECTION | Mal_BEBLOH-2 | OPR 12.547 | 05/24/16

WRS Pattern (Malicious URL and Classification)
LAYER | URL | CATEGORY | BLOCKING DATE
CLEAN-UP | uswmrmsu1fgdmm{blocked}.net | C&C | 3/2/2016
CLEAN-UP | espedidasalacarta{blocked}.com/ontv.exe | Disease Vector | 3/10/2016

AEGIS Pattern (Behavior Monitoring Pattern)
LAYER | DETECTION | PATTERN VERSION | RELEASE DATE
DYNAMIC | 1933Q | OPR 1555 | 06/21/16 (Batch 1)

Network Pattern
LAYER | DETECTION | PATTERN VERSION | RELEASE DATE
CLEAN-UP | HTTP_BEBLOH_REQUEST-2 | RR 1.10155.00 | 4/13/2016

Make sure to always use the latest pattern available to detect the old and new variants of TSPY_BEBLOH.
ScanMail for IBM Domino (SMID) 5.6 Windows and Linux compatibility for newly released patch and kernels of Meltdown and Spectre vulnerabilities
Meltdown and Spectre are not vulnerabilities in Trend Micro products. They are hardware (CPU) vulnerabilities that can be exploited on multiple operating systems, including Microsoft Windows, Linux and macOS. SMID 5.6 supports both the Windows and Linux platforms. When the Windows and Linux OS vendors began releasing patches and updated kernels to address the disclosed processor vulnerabilities, the SMID product team performed compatibility testing against these patches and updated kernels.
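A compatibility statement only matters once the host actually carries the kernel mitigations, so it is worth verifying that independently. The script below is an added example, not Trend Micro code: on Linux it reads the kernel's sysfs reporting interface (`/sys/devices/system/cpu/vulnerabilities`) and classifies each entry; where that directory is absent it falls back to a constructed sample so the logic can still be exercised. The sample status strings are typical x86 values and are assumptions, and a kernel that does not expose the directory at all is treated as "unknown" rather than as patched.

```python
"""Check whether a Linux host actually carries the Meltdown/Spectre kernel
mitigations before relying on a vendor compatibility statement. Added
example, not Trend Micro code. It reads the kernel's sysfs interface when
present and otherwise falls back to a constructed sample so it runs anywhere;
the sample strings are typical x86 values and are assumptions."""
from pathlib import Path
from typing import Dict

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
REQUIRED = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed sample: what a patched x86 host typically reports.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling",
}


def classify(status: str) -> str:
    """Map one sysfs status line to a verdict."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):      # e.g. "Vulnerable: Minimal generic ASM retpoline"
        return "vulnerable"
    return "unknown"                    # empty or unrecognised: cannot confirm anything


def read_sysfs(vuln_dir: Path = VULN_DIR) -> Dict[str, str]:
    """Return {name: status}; empty dict on kernels that predate the interface."""
    if not vuln_dir.is_dir():
        return {}
    return {p.name: p.read_text().strip() for p in vuln_dir.iterdir() if p.is_file()}


def assess(statuses: Dict[str, str]) -> Dict[str, str]:
    """Verdict per required entry. A missing entry is 'unknown', never 'mitigated':
    an old kernel that does not expose the file is the unpatched case, not a pass."""
    return {name: classify(statuses.get(name, "")) for name in REQUIRED}


def is_mitigated(statuses: Dict[str, str]) -> bool:
    """True only when every required entry is mitigated or reported not affected."""
    return all(v in ("mitigated", "not_affected") for v in assess(statuses).values())


if __name__ == "__main__":
    live = read_sysfs()
    source = "sysfs" if live else "constructed sample (sysfs not available)"
    statuses = live or SAMPLE_STATUS
    for name, verdict in assess(statuses).items():
        print(f"{name:12s} {verdict:12s} {statuses.get(name, '<missing>')}")
    print("source:", source, "| all mitigated:", is_mitigated(statuses))
```

On the Windows side the equivalent check is Microsoft's SpeculationControl PowerShell module (`Get-SpeculationControlSettings`), which reports whether the OS and firmware mitigations are both present and enabled; the Linux sysfs entries are the kernel's own view and say nothing about microcode that the firmware may still be missing.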