Viruses On Your IBM i Server?

Robin Tatam

It’s interesting to talk to the IBM i community about viruses and anti-virus software. The subject comes up frequently during my travels and it’s an item that I think each enterprise should evaluate. In general, people seem to fall into two groups: either they think it’s pointless based on what they’ve heard about IBM i, or they are completely onboard with the idea and are running anti-virus software on their IBM i systems.

According to Wikipedia, a virus is a form of malware that can copy itself from one computer to another. (There are many types of malware, including Trojan horses, worms, adware and spyware. Most of us are familiar with these.) I prefer my own definition: Any unauthorized code—active or dormant—designed to perform a function that is not part of a company’s official application initiative.

IBM i has long been touted as being impenetrable to viruses, partly because of its native object structure, which prevents executable code from being embedded inside non‑executable objects. For example, you can’t hide program code inside a database file object. I have heard reports of a virus being technically possible inside IBM i, but they are far from prevalent and are usually dismissed by security officers.

However, there are important exceptions. Traditional library and object structures might not be as susceptible to viruses as a Windows server, but other structures are. For example, the Integrated File System (IFS) can easily contain infected files. Client-server applications such as Lotus Domino, WebSphere, and Navigator for i often have access to the IFS, and outside users often use IBM i disk as a shared network repository. A virus in the IFS is a significant threat: during a viral outbreak, most IBM i servers remain connected to the network, which can cause recurring infection.

Some companies scan IBM i network drives from another network server, but this is not a good idea. Trying to remotely scan thousands of IFS objects means a strong chance of poor scanning performance and a significant increase in network bandwidth use (which translates to slower network communication for everyone). Plus, there are increased risks from the shared read/write requirement and the use of a common profile with *ALLOBJ authority.

Bytware, PowerTech’s sister company and the only supplier of a native IBM i anti‑virus solution powered by a commercial-grade scan engine, notes the following about IBM i viruses:

  • IBM i is not free from virus threats and can host and spread viruses
  • Viruses can be undetected on IBM i and can attack other systems
  • Undetected viruses can pass through IBM i mail
  • The IFS is the perfect host for viruses

IBM provides exit points to allow a program such as StandGuard Anti‑Virus from Bytware to scan. StandGuard Anti‑Virus:

  • Was designed for IBM i, System p, AIX, Linux on x86, and Domino servers
  • Is powered by the McAfee commercial scanning engine
  • Cannot be disabled by viruses
  • Has both green screen and GUI interfaces
  • Uses IBM i scanning for both on-demand and open/close scanning
  • Uses object integrity scanning to protect IBM digital signatures

My advice is to examine how you use your IBM i file structures. If files are written to or read from the IFS, anti-virus protection is critical. If you’re not sure, give Bytware a call at 775-851-2900 and they’ll be happy to help. And don’t forget, anti‑virus software is necessary for some regulation compliance, such as requirement 5 of the Payment Card Industry’s PCI-DSS standards.

There are other types of malicious code threats. Imagine a startup program that performs a PWRDWNSYS command! Even though this might not be considered a “virus”, it would be extremely disruptive to a production environment. Or what about an unauthorized program registered as the password change validation program that illegally records user passwords as they are set?

With the team of StandGuard Anti-Virus and PowerTech’s Compliance Monitor and Interact, you can make short work of any of these threats. This team can monitor and report any changes to system values, such as QSTRUPPGM or QPWDVLDPGM, before they become a problem. Visit www.bytware.com and www.powertech.com for more information.
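As an added illustration of the kind of system value check described above (this is example code written for this page, not part of StandGuard Anti-Virus, Compliance Monitor or Interact), the following CL program retrieves QSTRUPPGM and QPWDVLDPGM, compares each against a known-good baseline, and alerts the system operator when either has drifted. The baseline values are placeholders chosen here (the shipped defaults, QSTRUP in QSYS and *NONE); replace them with the values your site has approved.

```cl
             PGM
/* Added example: compare two security-critical system values against   */
/* a known-good baseline and alert the system operator on any drift.    */
/* The baseline values below are placeholders; set them to the values   */
/* your site has approved.                                              */
             DCL        VAR(&STRUP)     TYPE(*CHAR) LEN(20)
             DCL        VAR(&PWDVLD)    TYPE(*CHAR) LEN(20)
             DCL        VAR(&EXPSTRUP)  TYPE(*CHAR) LEN(20) +
                          VALUE('QSTRUP    QSYS      ')
             DCL        VAR(&EXPPWDVLD) TYPE(*CHAR) LEN(20) VALUE('*NONE')
             DCL        VAR(&DRIFT)     TYPE(*LGL)  VALUE('0')

/* Retrieve the current startup program and password validation program */
             RTVSYSVAL  SYSVAL(QSTRUPPGM)  RTNVAR(&STRUP)
             RTVSYSVAL  SYSVAL(QPWDVLDPGM) RTNVAR(&PWDVLD)

/* Startup program: a change here runs unreviewed code at every IPL     */
             IF         COND(&STRUP *NE &EXPSTRUP) THEN(DO)
                SNDMSG     MSG('QSTRUPPGM is now' *BCAT &STRUP *BCAT +
                               'expected' *BCAT &EXPSTRUP) TOUSR(*SYSOPR)
                CHGVAR     VAR(&DRIFT) VALUE('1')
             ENDDO

/* Password validation program: anything other than the baseline is     */
/* handed every new password in clear text                              */
             IF         COND(&PWDVLD *NE &EXPPWDVLD) THEN(DO)
                SNDMSG     MSG('QPWDVLDPGM is now' *BCAT &PWDVLD *BCAT +
                               'expected' *BCAT &EXPPWDVLD) TOUSR(*SYSOPR)
                CHGVAR     VAR(&DRIFT) VALUE('1')
             ENDDO

/* End abnormally so a scheduled run of this program shows up as failed */
             IF         COND(&DRIFT) THEN(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                           MSGDTA('System value drift detected') +
                           MSGTYPE(*ESCAPE)
             ENDDO
             ENDPGM
```

Run it from a scheduled job so the escape message surfaces in the job log and operator alerts. If your site validates passwords through the exit registration facility rather than a program named directly in the system value, set the QPWDVLDPGM baseline to *REGFAC and review the registered exit programs (WRKREGINF) as part of the same check, since a program registered there has the same view of new passwords.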
