
TFH
OS/400 Edition
Volume 12, Number 16 -- April 21, 2003

Admin Alert: Don't Forget the IFS When Virus Scanning


by Joe Hertvik

The LoveGate worm recently spread across the Internet, replicating itself via e-mail and through shared network files. LoveGate fills a user's hard drive with images of itself, and it creates security risks for Internet-enabled PCs. AS/400 and iSeries administrators usually rest easy while viruses like LoveGate target Microsoft Windows machines, but they face a secondary problem: OS/400 cannot be a victim of PC viruses, but it can be a carrier.

That's because of the OS/400 Integrated File System. The IFS is legendary, in that it can store not only DB2 UDB files in OS/400's native EBCDIC code but also ASCII stream file data in three separate places: in folders residing off the IFS Root (/) directory, in the shared folder file system (QDLS) and in the Unix-like QOpenSys file system. These iSeries and AS/400 file systems can be accessed by Web servers and Windows PCs via mapped network drives, made possible through OS/400's NetServer file-sharing feature.

And when it comes to Windows viruses, OS/400's IFS has both good news and bad news. The good news is that OS/400 by itself has no native processor facility for running Windows executables; therefore OS/400 isn't susceptible to worms like LoveGate, because it can't process the executables.

The bad news is that, because the IFS stores and serves stream files for other computers, it can become a nice storage cooler for viruses and worms. Viruses and worms migrate to the IFS from mapped network drives on Windows clients. After transmission, the viruses wait patiently until another unsuspecting computer maps a drive to the IFS and becomes infected. So although most viruses can't infect an iSeries box (except to use precious IFS DASD), the box can serve as a carrier--an unwitting sponsor of computer terrorism, if you will--passing viruses to unsuspecting client computers.

Given this, it's wise to worry about viruses on the IFS. I recommend mapping a network drive to the IFS root directory (/) and scanning it for viruses on a regular basis. Since most viruses are stream files, any of the popular PC-based virus scanning programs can do the trick on the IFS.

However, scanning for IFS-based viruses is a little trickier than scanning for their PC-based counterparts, and there are a few things to watch out for. In particular, pay attention to the following items when setting up antivirus software to scan the IFS.

Since the virus-scanning software can't run inside OS/400, and viruses can migrate to the IFS from many different machines, you won't be able to catch viruses at the moment they migrate to the IFS (as you can with PC-based virus-scanning software). You'll have to schedule full, regular scans from a third-party machine, and those scans will only catch and clean viruses after the fact.

Since stream files can only reside in the QDLS file system, the QOpenSys file system, and in user-created folders off the root directory (/) of the IFS, you only need to scan these particular file systems for viruses. So when you set up virus scanning, you can generally omit the following IFS file systems from your scanning:

  • QFileSvr.400 provides access to other file systems on remote iSeries or AS/400 servers.
  • QNetWare provides access to objects stored on a remote Novell NetWare server.
  • QNTC provides access to data and objects stored on a remote Windows NT 4.0 or Windows 2000 server.
  • QOPT provides access to stream files stored on optical media, such as a CD-ROM drive. In some cases, you might want to scan QOPT media libraries, but, generally, you can omit it.
  • QSYS.LIB stores native DB2 UDB programs and physical and logical files, as well as all supporting objects for OS/400 processing.

To avoid scanning these file systems, set your virus scanning software to skip any IFS folders that begin with these names.
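The exclusion rule above can be checked before a scheduled scan runs. This is an added example, not code from the original article: it walks a mapped IFS root, prunes top-level folders whose names begin with the listed file systems, and reports what was skipped or unreadable so coverage gaps are visible. The function names and the sample tree are hypothetical, and the scanner invocation itself is left to your antivirus product.

```python
import os
import tempfile

# File systems the article says can generally be omitted (matched case-insensitively).
SKIP_PREFIXES = ("qfilesvr.400", "qnetware", "qntc", "qopt", "qsys.lib")

# Constructed sample layout standing in for a drive mapped to the IFS root (/).
SAMPLE = [
    "QSYS.LIB/QGPL.LIB/X.FILE", "QNTC/server1/tool.exe", "qopt/vol1/a.bin",
    "QDLS/MEMO.DOC", "QOpenSys/tmp/a.exe",
    "home/share/setup.exe", "home/share/QNTC-notes/readme.txt",
]

def build_sample_tree():
    """Create the constructed tree in a temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="ifs_root_")
    for rel in SAMPLE:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root

def ifs_scan_targets(root, skip_prefixes=SKIP_PREFIXES):
    """Return (files_to_scan, skipped_top_level_dirs, unreadable_dirs)."""
    files, skipped, unreadable = [], [], []
    at_root = True
    # followlinks=False avoids looping through symbolic links (e.g. under QOpenSys).
    for dirpath, dirnames, filenames in os.walk(
            root, onerror=lambda e: unreadable.append(e.filename),
            followlinks=False):
        if at_root:
            # Prune only at the root: a deeper folder that happens to share
            # a prefix (home/share/QNTC-notes) still holds stream files.
            keep = []
            for name in dirnames:
                if name.lower().startswith(skip_prefixes):
                    skipped.append(name)
                else:
                    keep.append(name)
            dirnames[:] = keep
            at_root = False
        files.extend(os.path.join(dirpath, f) for f in filenames)
    return sorted(files), sorted(skipped), unreadable

if __name__ == "__main__":
    targets, skipped, unreadable = ifs_scan_targets(build_sample_tree())
    print("scan:", len(targets), "skipped:", skipped, "unreadable:", unreadable)
```

Any directory listed as unreadable was not covered by the scan and should be reviewed rather than assumed clean.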

IBM reports that scanning OfficeVision/400 documents may modify the file types that are seen by OV/400. If you're still running OV/400, check out IBM software technical document 17781819, OfficeVision/400 Document Type Changes from RFTAS400 to RFTDCA, for advice on handling this problem.

Because the IFS can be used by multiple users and machines, restricting IFS access during a virus scan can be a little tricky. IBM offers two methods for performing this task on its "Viruses and the OS/400 Operating System" Web page.

If you're running Lotus Domino on your iSeries or AS/400 box, invest in a Domino-compatible virus scanning program, such as TrendMicro's ScanMail for Lotus Notes. These programs load up with Domino and automatically scan for viruses in databases and e-mail attachments. And these programs do run inside Domino on the iSeries and AS/400.

Scanning computers for viruses is a distasteful but necessary part of an administrator's job. Make your job a little easier by including IFS virus checking as part of your regular virus-prevention routine.



Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.