
TFH
OS/400 Edition
Volume 12, Number 25 -- June 23, 2003

Bytware Launches OS/400 Antivirus Software to Treat IFS Infections


by Alex Woodie

Bytware today revealed StandGuard Anti-Virus, the OS/400 platform's first and only native virus scanning engine, which the company co-developed with McAfee at IBM's urging. StandGuardAV is based on McAfee's established antivirus technology and is designed to find and eliminate Windows viruses that infect OS/400's Integrated File System (IFS), which has been an unwitting--but nearly perfect--host to viruses since its inception. In this exclusive Guild Companies report, we take a look at the news behind Bytware's mysterious month-long advertising campaign.

At first glance, the notion of OS/400 antivirus software might seem confusing. After all, doesn't OS/400's object-oriented design make it immune to viruses? Yes, that is true to a certain degree, OS/400 experts say. While it is not impossible to write a virus that infects OS/400, there have been no documented cases of a virus occurring in the wild infecting an OS/400 server. Security experts say that even if somebody had written and released an OS/400-specific virus, following good security practices would protect against it.

But the IFS is a completely different story. The IFS was designed to hold a variety of non-OS/400 file types, including those used by Lotus Domino, Java, Web and WebSphere, WebSphere MQ, and Integrated xSeries Server applications. Because of this flexibility, the IFS is also susceptible to becoming a repository for PC viruses.

Having viruses on the IFS is nothing new, says Patrick Botz, IBM's OS/400 security architect. "Whether there are files on the iSeries that are infected isn't the point. The point is, if you're using PCs, you've got to worry about PC viruses, period," Botz says. Many OS/400 shops may be unaware of the problem, either because they mistakenly believe the iSeries is totally immune to holding viruses or because they don't know they're using the iSeries as a file server in the first place.

It's the IFS, Stupid

Carol Woodbury, former IBM OS/400 security officer, and currently a consultant with Sky View Partners, says the IFS is becoming a bigger security concern as it is used to store more things. "Most people don't realize how much stuff goes into the file system. They don't realize it's being used as much as it is," she says. "It ships with authority wide open, and they don't realize they need to lock it down."

While having viruses on the IFS is predominantly a PC problem, those viruses can also pose a threat to OS/400 objects. Specifically, a virus with the right path could delete OS/400 objects, Botz and Woodbury agree. "Anybody that connects to that system, with a user profile equivalent of QSECOFR, will be able to look at most of the stuff in OS/400 because they have the authority to," Botz says. "What some folks don't consider is that, if they have a virus and it looks at every drive on the system, then it's conceivable that that virus can go out and delete OS/400 objects."

Typhoid Mary

OS/400 has the advantage of not being susceptible to viruses and worms written to infect Windows, Linux, and Unix systems. But because of this isolation, nobody until now had bothered to write an antivirus scanner for the platform, even though it had become vulnerable to storing viruses in the IFS. For years, the prescribed remedy was to send IFS data down to a PC for scanning, an inelegant solution that consumes too much network bandwidth and time.

This seclusion from the trials of the mainstream computer world sculpted the iSeries and AS/400 into the perfect virus host. OS/400 itself is virtually immune to viruses, but its IFS passes them to other PC clients and servers that don't possess immunity. These qualities have prompted some in the industry to compare the iSeries to Typhoid Mary, the infamous Irish immigrant who was immune to typhoid fever but was a carrier and infected scores of people who ate her cooking in early 20th-century New York City.

"People think the iSeries can't get viruses," says Mike Grant, founder of Bytware. "Maybe that was true at some time, but it truly is a perfect host for viruses because of the way it stores files in the IFS."

Partnering Pains

OS/400 antivirus software has been in demand for years, Woodbury says. "It's been sorely needed for a long time," she says. "The iSeries has been storing and propagating viruses since the days of shared folders."

The antivirus problem has been on IBM's Large User Group list of requirements for four or five years, but IBM had been unable to convince any of the dominant antivirus vendors to develop an OS/400 antivirus program, a problem Woodbury herself faced while she was the OS/400 security architect.

Botz, IFS product manager Tom McBride, and product marketing manager Lennie Broich managed to form a partnership between IBM and McAfee to build native OS/400 antivirus software. Bytware's role was critical in resolving cultural differences that McAfee faced as it tried to participate in the iSeries market for the first time, Botz says. "It took us a while to help the antivirus vendors and--McAfee in particular--to understand the economics of the iSeries environment," such as pricing and licensing, he says. "When we were finally able to get an iSeries business partner [Bytware] to hook up with the antivirus vendor, they spoke closer to the same language and helped show McAfee the business model needed in the iSeries market. Once that was put into place, things started moving very fast."

Developing StandGuardAV

McAfee develops some of the most advanced antivirus technology on the market and is capable of detecting new viruses that haven't yet been caught, says Botz. "The neat thing about McAfee is that it works on heuristics, not just the virus signature, which means it can catch viruses for which no definition has been found," he says. "McAfee users didn't have to load any update at all to catch Bugbear [one of the most recent virus attacks]. It didn't require a DAT file."

One of the first steps in developing a native antivirus product was porting the software to OS/400. By the time Bytware started working with McAfee, more than a year ago, McAfee had already reengineered and recompiled its core scanning engine for OS/400, Grant says. "We added some of our own features, such as logging to a journal," Grant says. "We AS/400-ized it."

Working with StandGuardAV

StandGuardAV works against many different types of threats, including macro, script, encrypted, and polymorphic viruses (which continually mutate, just like real viruses), as well as Trojan horses, worms, and malware. The product looks for these items in compressed files, executable files, and OLE compound documents, and then performs any number of actions to clean the files, log the problem, and alert the administrator.

Bytware developed a number of "scan tasks" that administrators can use to configure StandGuardAV. Administrators can define how often the product scans for viruses, which folders it looks inside of, and what it should do when it finds a virus (such as clean or repair, delete, rename, or quarantine). Grant says administrators might choose to scan the user directories daily and scan the entire IFS once a week or monthly, for instance. Other things the administrator can set are how often the product connects with McAfee to look for new virus definitions (DAT files), and how often it should check with Bytware for product updates. The DAT files are identical to the ones distributed to McAfee's Windows, Linux, and Unix antivirus solutions.

Administrators can work with StandGuardAV through a native green-screen interface or through iSeries Navigator (formerly Operations Navigator) via an OpsNav plug-in, or it can be set up to run automatically from CL programs or job scheduling software, such as IBM's BRMS or Help/Systems' ROBOT scheduler, Bytware officials say. A scan started from the green-screen interface runs in interactive mode, whereas a scan started from a job scheduler runs in batch mode. In terms of resource consumption, a scan can take anywhere from minutes to days to complete. In tests at IBM's Rochester lab, the product scanned 12 files per second while running with 120 CPW of processor power on an iSeries Model 890.

StandGuardAV can find a virus that already exists on the IFS. The next step is to detect a virus the moment somebody tries to store an infected file or open it. Real-time virus scanning is also on the Large User Group's list of requirements, but providing it would require OS/400 resources and, therefore, the cooperation of IBM; it could be developed in the future.

Looking Forward

It's important to understand that nobody has written a virus to specifically attack the iSeries, says Christine Grant, a spokesperson with Bytware. But that's not to say that no one will try, and it's best to tackle the issue before it becomes a problem. "Criminals are opening back doors with Trojan horses to gain access to corporate data. The type of information being stored on the iSeries is corporate America," she says.

"Your first line of defense has to be a well-thought-out and implemented object-authority scheme," Botz says. "Specifically with viruses, it's about making sure you're only serving those files that your PC users really need to have access to."

Bytware is charging for StandGuardAV based on the number of distinct copies of the program users will need. For example, users who have partitioned their iSeries into four partitions, each with its own IFS, will need four licenses for StandGuardAV if they want to scan each IFS for viruses. Each copy of StandGuardAV costs from $750 (on a P05 box) to $10,000 (on a P50 box). Maintenance, which is required to receive virus definition and product updates, is 22 percent per year. Bytware expects StandGuardAV to ship in the near future. For more details, contact the vendor at www.bytware.com.

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.