Since the days of System/36 and System/38, users have not really worried about viruses in the operating system of IBM's midrange computer. Its object-based architecture lends itself well to keeping out viruses. Although i5/OS is not infallible, it's much more difficult to introduce a virus into native objects than to UNIX and Windows files.
With V3R1, IBM introduced the Integrated File System (IFS). Now we have a root folder on the system and a number of other file systems, including these:
· QOpenSys - POSIX-compliant file system
· QNTC - Windows Network Places
· QSYS.LIB - i5/OS and OS/400 library file system
· QFileSvr.400 - Mount point for remote IFS entries
When we say we are well protected from viruses in the traditional sense, we really are only referring to the QSYS.LIB file system. Under this folder we have things like QGPL.LIB, QSECOFR.USRPRF, and QBATCH.SBSD.
These are all our standard i5/OS object types. While we should protect and secure these, and most of us do, we tend to ignore the remainder of the IFS.
The IFS has become very popular with users and ISVs over the last few years. However, I have seen many systems with weak security standards for IFS objects using the i5/OS resource security features available. Resource security is great for determining who can and can't access the IFS objects, but this is no different from access to a Windows file server.
Why is it that very few companies would implement a Windows file server without virus checking, but then not even consider running virus checking software on the IFS?
More and more applications are now using the IFS to store data and applications. These applications are storing Windows and Linux/UNIX types of files on the system, and it is these file types that are much more prone to viruses than the traditional i5/OS and OS/400 object types.
What kind of functions use the IFS?
· TCP/IP
· Apache Web Server
· PHP and MySQL
· Lotus Domino/Sametime
· WebSphere AS
· IBM MQ
· IBM Director
· DNS Server
· DHCP Server
· NetServer
· Integrated System X and BladeCenter servers
· PASE
· Secure Shell
· Java
· Qshell
These are just a few of the IBM functions and applications that use the IFS. There are many more, and I haven't even listed third-party applications. That list is very long.
My point is that you will be using the IFS, even if it's just for TCP/IP, on your system. Let's look at how a virus could get onto the system.
It's Possible to Restore Viruses
The i5/OS SAV command allows you to save files in the IFS to tape or save file. If you are sent a tape or save file and need to restore the contents to your IFS, you could be restoring virus-contaminated files into your IFS when executing the RST command.
Viruses Can Be Copied to and from Shares
Many users now use shares to allow those running Windows to access parts of the IFS as they would with a Windows server. Viruses can be copied to and from shares in the IFS just as they would be to and from a Windows server.
If a Windows virus is located in an IFS share, it cannot be executed by i5/OS, but it can be executed by a Windows user and could cause untold damage.
The IFS can also be on the receiving end of viruses located on your desktops. A few years ago, a customer was running a Web site on his iSeries with a share on the IFS to the folder containing all his HTML and graphics files. One of the company's directors opened an email that contained a virus. The virus scanned his PC for all available Windows shares and deleted graphics files. Because the IFS was not secured correctly, the iSeries NetServer share had all graphics for the Web site deleted.
It's Possible to Copy Viruses Between i5/OS and a Remote System
NFS shares are more common in UNIX and Linux environments, but they represent the same principle as Windows shares. Now, i5/OS can be both an NFS client and a server, so it can share out parts of the IFS to other NFS hosts as well as mount NFS shares from other hosts onto the IFS.
Either way, both of these allow UNIX-type files to be present in the IFS and accessed by your i5/OS users. You may be thinking that's not too much of a problem as UNIX/Linux doesn't suffer from viruses as much as Windows. There may be some truth in this, but be aware that the NFS host that you are sharing data with may be a Windows machine running NFS services, and this would allow the copying of viruses between i5/OS and the remote system.
FTP Must Be Secured
You are well aware that anyone can FTP files to or from the IFS from virtually any remote host. I can even get an FTP client on my cell phone and connect to our machines. This shows just how important it is to secure FTP and also how easy it is to copy infected files to and from the IFS.
SSH Utilities Can Transfer Viruses
SSH, or Secure Shell, is a secure Telnet-type function that has been available for many years in the UNIX/Linux world. SSH is now also available for Windows and for i5/OS since V5R3.
SSH includes the SFTP (SSH File Transfer) and SCP (Secure Copy) utilities. SFTP is a type of FTP function that works over an SSH connection to allow you to copy files to and from your IFS using commands very similar to FTP. SCP allows you to copy files to and from a remote host using a single command. i5/OS can be both a client and a server to the SCP command, so copying to or from any other SSH system is valid.
An Approach to Protecting Against Viruses
If you examine your Windows laptop or desktop and the virus protection you run on it, you will find there are a number of points at which the software checks for viruses. If we exclude emails for now, we know files are checked when they are opened, closed, or during a scan of the system.
We can do this with i5/OS too. Since V5R1, we've been able to scan emails for viruses, but not many i5/OS systems are used as a native SMTP and POP3 email server.
V5R3 introduced two new system values and exit points that allow third-party virus-checking applications to plug in to i5/OS to provide IFS virus checking at runtime.
Scheduled Scanning
Your Windows virus-checking software will do a daily and weekly scan of your hard drive for infected files, so it makes sense to do the same on the IFS with third-party or open-source software. This kind of virus checking requires a job to be executed that will access, check, and clean or quarantine any infected files found in the IFS.
The drawback to this method of virus checking is that you won't be alerted to the presence of a virus until the weekly scan has detected it.
Scan as a File Is Opened
You have probably noticed that Windows tends to get a bit slower after you install anti-virus software. This generally is due to the fact that the software is scanning files as they are opened and closed. While this can slow your system down somewhat, it does ensure that every file accessed is checked for viruses. The anti-virus applications available for i5/OS also have this facility, so you could see an increase in processor utilization if you are a heavy user of the IFS.
Use System Values to Control Scanning
Two system values introduced with V5R3 control how IFS virus scanning is handled. The QSCANFS system value specifies whether virus scanning is active. You set it off by specifying *NONE. You set it on by specifying *ROOTOPNUD, which tells i5/OS to refer to the IFS scan exit points. The QSCANFSCTL system value determines when scanning will occur and what happens when an infected file is detected during a scan.
The selections available for QSCANFSCTL include the following:
· *FSVRONLY - "Scan accesses through file servers only" means that native calls to IFS objects will not cause a scan of the file being accessed, but external servers accessing the IFS will cause the file to be scanned.
· *ERRFAIL - "Fail request if exit program fails" determines what should happen if, during the scan of a file, the exit program fails. If set, then the system will cause an error on the opening and closing of the file as it will be unable to determine if the file being accessed is clean of viruses. If this option is not set, then a failure of the exit point program will be ignored as if the file hasn't been scanned.
· *NOWRTUPG - "Perform write access upgrade." If a file is opened for read-only and the scan determines the file is infected but can be fixed, we need to be able to change the file from read-only to read/write. Setting this in iNav allows this to happen. Specifying *NOWRTUPG in green-screen mode prevents this from happening.
· *USEOCOATR - "Use 'only when objects have changed' attribute to control scan." By default, the system will decide that all files need scanning after the anti-virus software has been updated. This value allows you to override this behavior and specify that files should be scanned only when they are changed by an application.
· *NOFAILCLO - "Fail close if scan fails during close." Setting this value in green-screen mode tells i5/OS not to generate an error if a file fails a scan as it is being closed. Un-checking this value in iNav causes the same.
· *NOPOSTRST - "Scan on next access after object has been restored." This value determines whether a scan of an IFS object is carried out as part of a restore process.
New Exit Points
IBM provides two exit points at V5R3 that provide the plug-in to the system to manage virus scans:
· QIBM_QP0L_SCAN_OPEN - Scan IFS object on file open
· QIBM_QP0L_SCAN_CLOSE - Scan IFS object on file close
Normally, you wouldn't do anything with these; your virus-checker software provider would use these to implement its own scanning programs as necessary. Needless to say, from the descriptions, one exit point controls the program(s) called when an IFS file is opened, and the other exit point controls the program(s) called when a file is closed.
Set Scan Attributes to Control Which Files Are Scanned
Your IFS may contain many thousands of files, not all of which require on-access scans, so how do you control this?
You may recall that we have both *TYPE1 and *TYPE2 IFS file systems. An upgrade to V5R3 converts your IFS to *TYPE2, and this is the only type of file system supported by the scan system values and exit points. That's not to say that virus checking is not available to a *TYPE1 IFS, as your virus software provider may choose not to use the scan system values and exit points.
The QSCANFS and QSCANFSCTL system values only call the exit point programs when access is being made to the following file systems: / (root), QOpenSys, and UDFS.
UDFS stands for User-Defined File System. Basically, this is part of your IFS that is located in an ASP or IASP.
What this means is that files in /QNTC and QFileSvr.400 will not be checked as these will be physically located on a remote Windows or i5/OS system. It also means that the /QSYS.LIB file system will not be valid for scanning either. Remember, we are looking at virus scans for Windows- and UNIX-type files; therefore, we don't need to be so concerned with the native i5/OS libraries and objects.
Files in the IFS have attributes associated with them that allow you to control things such as whether the file can be saved or not. A SCAN attribute can be set too:
· *YES - The file can be scanned by the exit-point programs.
· *NO - The file will not be scanned by the exit-point programs.
· *CHGONLY - Scan only if the file has been changed since the last scan occurred.
You can set these attributes by running the CHGATR command. In iNav, right-click on an IFS file, select Properties, and then go to the Security tab, where you'll see the scanning options. While you're there, take a look at all the options available on the other tabs too.
How to Test Your Anti-Virus Solution
Although I've described the mechanics of virus scanning in i5/OS, it's unlikely any of us will actually implement our own anti-virus solution. More likely, you will purchase one of the third-party solutions available.
When testing your anti-virus solution, you will need a virus to do some testing with. The European Institute for Computer Antivirus Research provides a file called EICAR, which can be downloaded and saved to your IFS so that you can check that your virus-scanning solution is working. The EICAR file won't do any harm and can be deleted once you have finished testing.
Capabilities to look for in anti-virus software might include these:
· Does it prevent your IFS from infecting your system with viruses?
· Does it prevent malicious code from stealing data and system resources?
· Will it scan the System i mail server for viruses and send an email alert to a predefined address?
· Assuming an SMTP mail server is defined in the System i, will the product send a mail alert to the recipient, in place of the virus, together with relevant details?
· Does it support downloading signature files directly to a Web-connected PC (thus affording maximum protection since it can be disconnected from the Web when connected to the System i or from a Web-connected System i)?
· Is there a built-in scheduler for scanning your system for viruses?
The listing below is an example of the output from one popular anti-virus program. We have a folder called /test that contains a number of viruses, including EICAR.COM, plus a clean PDF file. Note the VIRUS ALERTs relating to different types of viruses as well as the SCAN SUMMARY at the end of the report.
**********************Program Start***************************
start: Wed May 23 10:28:25 2007
-> Start Virus DataBases Loading...
Wed May 23 10:30:25 2007
->DB loading finished.Start Virus scan...
********************************************************
*Scanning /test/DarthVader
/test/DarthVader: DarthVader FOUND
#W#####################START OF SCAN ALARM######################
#W# Time . . . . . .: 2007-05-23-10:30:27
#W# Message . . . . : VIRUS ALERT: /test/DarthVader is infected . . .
#W# Virus Name: . . . DarthVader
#W# File size . . . : 38.
#W# AV Program used : AVSCANALL .
#W######################END OF SCAN ALARM######################
/test/DarthVader: moved to '/SMZVDTA/quarantine//DarthVader.001'
*Scanning /test/Basic_iSecurity_Audit_Implementation.pdf
/test/Basic_iSecurity_Audit_Implementation.pdf: OK
*Scanning /test/BeBe
/test/BeBe: BeBe2 FOUND
#W#####################START OF SCAN ALARM######################
#W# Time . . . . . .: 2007-05-23-10:30:28
#W# Message . . . . : VIRUS ALERT: /test/BeBe is infected . . .
#W# Virus Name: . . . BeBe2
#W# File size . . . : 41.
#W# AV Program used : AVSCANALL .
#W######################END OF SCAN ALARM######################
/test/BeBe: moved to '/SMZVDTA/quarantine//BeBe.001'
*Scanning /test/eicar.com
/test/eicar.com: Eicar-Test-Signature FOUND
#W#####################START OF SCAN ALARM######################
#W# Time . . . . . .: 2007-05-23-10:30:28
#W# Message . . . . : VIRUS ALERT: /test/eicar.com is infected . . .
#W# Virus Name: . . . Eicar-Test-Signature
#W# File size . . . : 68.
#W# AV Program used : AVSCANALL .
#W######################END OF SCAN ALARM######################
/test/eicar.com: moved to '/SMZVDTA/quarantine//eicar.com.001'
*Scanning /test/MyDoomS
/test/MyDoomS: Trojan.Mydoom.S-unp FOUND
#W#####################START OF SCAN ALARM######################
#W# Time . . . . . .: 2007-05-23-10:30:28
#W# Message . . . . : VIRUS ALERT: /test/MyDoomS is infected . . .
#W# Virus Name: . . . Trojan.Mydoom.S-unp
#W# File size . . . : 137.
#W# AV Program used : AVSCANALL .
#W######################END OF SCAN ALARM######################
/test/MyDoomS: moved to '/SMZVDTA/quarantine//MyDoomS.001'
----------- SCAN SUMMARY -----------
Known Viruses: 93189
Engine version: 0.88
Scanned Directories: 1
Scanned Files: 5
Infected Files: 4
Data scanned: 0.00 MB
Press ENTER to end terminal session.
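A report like the one above can be checked automatically after each scheduled scan. The following Python code is an added example, not part of the original article or of the anti-virus product; the line shapes are inferred from the listing only, and the names parse_report and review are hypothetical. It flags infected files that were never quarantined and summary counters that disagree with the per-file results.

```python
import re

# Constructed sample in the layout of the listing above (alarm block shortened).
# /test/MyDoomS deliberately has no "moved to" line, to show the failure case.
SAMPLE_REPORT = """\
*Scanning /test/eicar.com
/test/eicar.com: Eicar-Test-Signature FOUND
#W# Message . . . . : VIRUS ALERT: /test/eicar.com is infected . . .
/test/eicar.com: moved to '/SMZVDTA/quarantine//eicar.com.001'
*Scanning /test/Basic_iSecurity_Audit_Implementation.pdf
/test/Basic_iSecurity_Audit_Implementation.pdf: OK
*Scanning /test/MyDoomS
/test/MyDoomS: Trojan.Mydoom.S-unp FOUND
----------- SCAN SUMMARY -----------
Scanned Files: 3
Infected Files: 2
"""

# Line shapes inferred from the listing; a real product may format differently.
FOUND = re.compile(r"^(/.+): (\S+) FOUND$")
MOVED = re.compile(r"^(/.+): moved to '(.+)'$")
CLEAN = re.compile(r"^(/.+): OK$")
SUMMARY = re.compile(r"^(Scanned Files|Infected Files): (\d+)$")

def parse_report(text):
    """Return findings, clean files and summary counters from a scan report."""
    findings, clean, summary = {}, [], {}
    for line in text.splitlines():
        line = line.strip()
        if m := FOUND.match(line):
            findings[m.group(1)] = {"signature": m.group(2), "quarantined_to": None}
        elif (m := MOVED.match(line)) and m.group(1) in findings:
            findings[m.group(1)]["quarantined_to"] = m.group(2)
        elif m := CLEAN.match(line):
            clean.append(m.group(1))
        elif m := SUMMARY.match(line):
            summary[m.group(1)] = int(m.group(2))
    return findings, clean, summary

def review(text):
    """List the problems an operator should act on after a scan run."""
    findings, clean, summary = parse_report(text)
    issues = [f"NOT QUARANTINED: {path} ({f['signature']})"
              for path, f in findings.items() if f["quarantined_to"] is None]
    if summary.get("Infected Files") != len(findings):
        issues.append("summary 'Infected Files' does not match FOUND lines")
    if summary.get("Scanned Files") != len(findings) + len(clean):
        issues.append("summary 'Scanned Files' does not match per-file results")
    return issues
```

An empty list from review() means every detection was quarantined and the summary is consistent with the per-file lines.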
For more information on protecting against viruses, visit the i5/OS Information Center or the European Institute for Computer Antivirus Research (EICAR) for a test file.
Glenn Robinson is Managing Director of Quattro Consulting Limited. Quattro, a leading UK-based IBM System i Business Partner and distributor of Raz-Lee Security products, specializes in providing technical infrastructure solutions based around System i technologies. Glenn is a regular contributor to leading industry publications and is a frequent speaker at IBM events, including COMMON. He can be reached at
Eli Spitz is Vice President of Business Development for Raz-Lee Security, the developer of iSecurity, a comprehensive System i security solution that helps companies quickly attain SOX, HIPAA, and other forms of compliance. The software's real-time antivirus detection prevents the IFS from infecting your network with viruses and prevents malicious code from stealing data and system resources. It also scans the System i mail server for viruses. For information, visit Raz-Lee. Eli can be reached at