It's a widely held belief that IBM i is totally immune to viruses and other malware that attack other operating systems. As we all know from our work in Windows and other operating systems, malware is a real challenge that requires constant vigilance. We're required to run virus protection software on our desktop and laptop PCs and to keep that software up to date with the latest virus information. But what about the IBM i? Isn't it vulnerable too?
IBM has provided us with a nice slice of knowledge regarding PC viruses on the IBM i. Here's a snippet of IBM Technical Document #19541539:
IBM Technical Document #19541539
Viruses, the Operating System, and the Integrated File System
"The operating system is not susceptible to PC virus attacks. Viruses attack a specific computer architecture. The architecture of the IBM System i makes it highly unlikely that a virus could be written to attack it. PC-based viruses will not infect (or run on) the operating system."
Now, we all feel really safe. PC viruses won't run on this OS. Whew!
In the very next paragraph of the IBM Technical Document, we see "More of the Story." Please read on with me. …
"Although the operating system cannot be infected by a PC virus, if the Integrated File System on the operating system is used as a file server for PC files, the files stored on the Integrated File System may carry viruses. An infected file that is moved or saved from a PC to the Integrated File System and then redistributed to another PC can transmit a virus to the new PC. Likewise, if a network drive is mapped to the Integrated File System, a virus running on a PC (and which is capable of damaging files on a network drive) can damage any file stored on the Integrated File System."
The Main Exposures
Most of us use the IFS to host a shared network drive. We store documents, spreadsheets, and scanned images in the IFS, just as we would with any shared network drive. When we create a share and map a drive to the IFS, we open up the possibility that viruses and other malware can infect that shared drive, just as with any other network drive.
If you run the POP mail server or Domino on the IBM i, the mail attachments are stored in the IFS. We all know about viruses being sent through mail attachments. So this is another way in which malware can be brought into the IFS.
What's the Danger?
Can these viruses that live in the IFS run on the IBM i? No, but viruses living in the IFS can infect other systems that access the files. For example, if a spreadsheet stored on the IFS contains a virus and you open that spreadsheet (without current virus protection software on the client), chances are your PC can become infected with that virus and pass it on from there. The IFS can certainly be a carrier, or storehouse, of a virus or other malware.
Virus-Scanning the IFS
In the past, some of us who worried about IFS contamination routinely scanned major parts of the IFS with our normal virus-scanning software through a mapped network drive. The IBM Technical Document above provides detailed instructions for running this type of scan and the file allocation issues that must be addressed in this type of scan. One problem with this scanning method is that it doesn't provide any realtime virus handling support.
Several years ago, IBM business partner Bytware introduced the first virus protection software that runs natively on the IBM i, not through a mapped network drive. Bytware employs the McAfee virus-scanning engine. Raz-Lee Security developed and markets a ClamAV open-source based native virus scanner, marketed in the US by SEA.
To support these business partner virus solutions for scanning the IFS, IBM enabled two new exit points. These are:
QIBM_QP0L_SCAN_OPEN – IFS Scan on Open Exit Point
QIBM_QP0L_SCAN_CLOSE – IFS Scan on Close Exit Point
These exit points allow a custom process to run any time a file on the IFS is accessed. One of the main uses of these exit points is to allow the virus-scanning software to do a realtime check against a file at the time it's accessed. Rather than simply scanning the IFS once a week, this allows realtime scanning of the accessed file.
In addition, IBM has introduced two system values to control the IFS scanning environment. These are QSCANFS and QSCANFSCTL.
The exit points and system values allow for solutions that can natively scan the IFS and handle realtime virus access within the IFS.
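One way to confirm that realtime scanning is actually in effect on a partition, as an added example that is not part of the original article or the IBM Technical Document. The directory /pcshare is a hypothetical stand-in for a shared IFS directory; the commands, system values, and special values are standard CL.

```cl
/* 1. Is a scan program registered on each exit point?                */
/*    If no exit program is listed, nothing is called on open/close,  */
/*    regardless of how the system values below are set.              */
WRKREGINF EXITPNT(QIBM_QP0L_SCAN_OPEN)
WRKREGINF EXITPNT(QIBM_QP0L_SCAN_CLOSE)

/* 2. Is scanning switched on system-wide?                            */
/*    *NONE      = registered scan programs are never called (weak)   */
/*    *ROOTOPNUD = stream files in root (/), QOpenSys and             */
/*                 user-defined file systems are scanned              */
DSPSYSVAL SYSVAL(QSCANFS)
CHGSYSVAL SYSVAL(QSCANFS) VALUE(*ROOTOPNUD)

/* 3. How does the scan behave?                                       */
/*    *NONE     = no additional scan controls are applied             */
/*    *ERRFAIL  = if the scan program itself errors, the file         */
/*                request fails instead of proceeding unscanned       */
/*    *FSVRONLY = only access through file servers (mapped drives)    */
/*                is scanned; native access is not                    */
DSPSYSVAL SYSVAL(QSCANFSCTL)

/* 4. Are the files in the share marked for scanning, and will new    */
/*    files created in it inherit that setting?                       */
/*    /pcshare is a hypothetical path; use your own shared directory. */
CHGATR OBJ('/pcshare') ATR(*SCAN) VALUE(*YES) SUBTREE(*ALL)
CHGATR OBJ('/pcshare') ATR(*CRTOBJSCAN) VALUE(*YES) SUBTREE(*ALL)
```

Changing QSCANFS or QSCANFSCTL requires a security-officer-level profile, so review who holds that authority when auditing these settings.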
To Scan or Not to Scan
If you use the IFS to provide shared network drives or use the POP mail server, I don't think it's a question of whether to scan the IFS or not. Rather, the question is how often should you scan? And how will you scan? And do you need the realtime access protection to be provided on the host, or will all the clients that access an infected file have up-to-date virus protection to catch the problem at the client end?