Bytware's StandGuard Anti-Virus

Article ID: 19363

You probably think that your iSeries is impervious to Internet-borne viruses, worms, and spyware infections. If you do, you'll have to change your thinking, because most iSeries boxes can play a significant role in propagating viruses and other info-vermin on your network. Although OS/400 itself is highly resistant to viral attack — no known instance of an OS/400 infection has been reported to date — the IFS can become a vector of disease. Because infection-prone Windows computers can use the IFS to store all manner of Windows files, the IFS can become a repository of contaminated data. An infected PC stores virus-tainted files in the IFS, another PC opens them, and the infection spreads.

On a busy network, it might be only a matter of minutes before all vulnerable Windows computers are affected. Worse, the network traffic that viruses and worms generate can completely shut down your LAN, making all useful communication impossible. And because you likely aren't doing anything to disinfect your IFS, Windows computers that you take pains to clean up can rapidly become reinfected.

You could use a Windows-based anti-virus package to scan your IFS, but some problems make this solution impractical and largely ineffective. The first problem is bandwidth. Because a virus scanner must read all the contents of every file it checks, the entire contents of your IFS must be read across the LAN for every virus scan. This is probably more traffic than you care to sustain on a continuous basis, and it might simply take too long — days for large IFS stores. The second problem is security. The virus-scanning machine must have all-object authority to everything in the IFS to read, disinfect, and quarantine files. If that PC is compromised, so is your entire IFS. A third problem is reliability. A PC-based scanner can crash or lose its network connection to the IFS, leaving a scan uncompleted and the IFS unprotected. Plus, these scanners can't follow recursive links (e.g., /QOPENSYS/QOPENSYS) and will therefore loop infinitely, causing scans to never complete.
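The recursive-link problem above is easy to reproduce and just as easy to guard against. The following added example (written for this page; it is not Bytware's code and does not show how StandGuard Anti-Virus implements its traversal) constructs a throwaway directory in which `QOPENSYS/QOPENSYS` is a symbolic link back to its own parent, mirroring the `/QOPENSYS/QOPENSYS` loop the article mentions. A naive walker that simply follows every directory link never finishes (it is capped here only so the demonstration returns), while a cycle-safe walker keys each directory on the `(device, inode)` pair reported after link resolution and refuses to enter one twice. The directory names, the sample file, and the inode-based check are all assumptions made for the illustration.

```python
import os
import shutil
import tempfile


def build_fixture():
    """Constructed sample: <tmp>/QOPENSYS/QOPENSYS is a symlink to its own
    parent, the same shape as the recursive /QOPENSYS/QOPENSYS link on OS/400.
    Returns the temporary root so the caller can clean it up."""
    tmp = tempfile.mkdtemp()
    top = os.path.join(tmp, "QOPENSYS")
    os.mkdir(top)
    with open(os.path.join(top, "readme.txt"), "w") as fh:
        fh.write("constructed sample file\n")
    os.symlink(".", os.path.join(top, "QOPENSYS"))  # the loop
    return tmp


def naive_walk(root, max_depth=10):
    """A scanner that blindly follows directory links. On a recursive link it
    would descend forever and re-read the same files at every level; the depth
    cap exists only so this demonstration terminates.
    Returns (files_seen, hit_depth_cap)."""
    files, hit_cap = [], False
    stack = [(root, 0)]
    while stack:
        path, depth = stack.pop()
        if depth > max_depth:
            hit_cap = True
            continue
        for name in os.listdir(path):
            full = os.path.join(path, name)
            if os.path.isdir(full):  # True for a symlink that points at a directory
                stack.append((full, depth + 1))
            else:
                files.append(full)
    return files, hit_cap


def safe_walk(root):
    """Cycle-safe traversal: each directory is entered at most once, identified
    by the (st_dev, st_ino) pair os.stat reports after resolving links. A link
    that resolves to an already-visited directory is recorded, not followed.
    Returns (files_seen, skipped_cycle_paths)."""
    files, skipped = [], []
    seen = set()
    stack = [root]
    while stack:
        path = stack.pop()
        try:
            st = os.stat(path)  # follows symlinks
        except OSError:
            continue  # dangling link or unreadable entry: skip it
        key = (st.st_dev, st.st_ino)
        if key in seen:
            skipped.append(path)
            continue
        seen.add(key)
        for name in sorted(os.listdir(path)):
            full = os.path.join(path, name)
            if os.path.isdir(full):
                stack.append(full)
            else:
                files.append(full)
    return files, skipped


def demo():
    """Build the fixture, run both walkers, clean up, and summarise."""
    root = build_fixture()
    try:
        safe_files, skipped = safe_walk(root)
        _, capped = naive_walk(root)
        return {
            "safe_files": len(safe_files),          # the one real file
            "safe_skipped": len(skipped),           # the recursive link
            "naive_hit_cap": capped,                # naive walker never converges
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Tracking visited directories by inode rather than by path string is what makes the check robust: the same directory reached through two different link names still has one identity, so a scan terminates and each file is read once, which also addresses the bandwidth point above.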

An excellent solution to these problems is to perform virus scanning natively in OS/400. That's exactly what Bytware's StandGuard Anti-Virus system does. On a scheduled basis, it reads every IFS file from within OS/400, checking for viruses. StandGuard Anti-Virus uses the well-respected McAfee scanning engine, which decompresses compressed files and recognizes even macro and script viruses embedded in Microsoft Word and Excel documents. StandGuard Anti-Virus can also scan mail messages stored in OS/400's Mail framework. Like Windows-based virus scanners, StandGuard Anti-Virus automatically downloads the latest virus definitions and software updates. And for i5/OS (V5R3) users, StandGuard Anti-Virus supports an "On Access" feature that scans files whenever they're opened or closed, providing up-to-the-second protection against infections.

To get a feel for StandGuard Anti-Virus's capabilities and ease of use, let's take a quick tour of its screens. You'll see how StandGuard Anti-Virus integrates with iSeries Navigator, how to use StandGuard Anti-Virus to establish a secure IFS perimeter, and how to get early warning of potential problems through StandGuard Anti-Virus's notification system.

Two Ways to Go

StandGuard Anti-Virus has a plug-in-based architecture, consisting of the scanning engine and virus definitions and two user-interface plug-in modules: one for green-screen administration, and one for iSeries Navigator (Figure 1a and Figure 1b, respectively). For this tour, we'll look only at the iSeries Navigator screens, but all StandGuard Anti-Virus functions are fully accessible via 5250 screens.

StandGuard Anti-Virus's main console gives you access to all the scanner's settings, grouped under individual icons in the iSeries Navigator view, as well as a list of the scheduled scan tasks. From this screen, you can update virus definitions or the StandGuard Anti-Virus software itself, configure individual scanning parameters, and schedule scanning events. When a scan detects infected files, it quarantines them for review rather than simply deleting them. The Quarantined Files Manager lets you view and act on problem files after they're out of IFS users' reach.

StandGuard Anti-Virus maintains a detailed audit trail of its activities, in the form of a log, and generates reports that detail the kinds of viruses it finds and remedies. An online users guide puts all of StandGuard Anti-Virus's operating instructions at your fingertips.

As with PC virus scanners, before you run your first scan, you should check for updated virus definitions and software modules. You do this through a virus definitions screen (Figure 2) and a product upgrades screen (Figure 3). By default, StandGuard Anti-Virus uses FTP to retrieve definition and upgrade files over the Internet. However, you could download the files separately to a local Windows computer and retrieve them from there, which you might do if you're already distributing McAfee virus definitions to other systems on your network. You can schedule automatic updates as well — as frequently as daily. You can also randomize download times slightly to avoid repetitive bandwidth bottlenecks.

Tour of Duty

With up-to-date virus definitions and software, you're ready to begin scanning. Select Scan Tasks from the Tools menu and double-click the New Task icon to create a new scan task. Figure 4 shows the Task Properties screen. You choose which IFS directories you want to scan. Unless you have a powerful system, it's probably unwise to scan all directories at once — better to spread the workload among several time periods. If you do have a powerful system, however, you can scan multiple directories at once. For example, if your box has 16 processors, you can set up 16 tasks to run simultaneously, and each task will use a separate processor, thus reducing overall impact on system performance while completing the scans more quickly.

Clicking the Advanced tab (Figure 5) lets you specify the level of scan detail and whether you want to scan compressed archives. With the Actions tab (Figure 6), you specify how StandGuard Anti-Virus should handle infected files: log, rename, clean, quarantine, or delete them. If you choose to quarantine files, be sure to use the console's Quarantined Files Manager to review these files periodically. The Logging tab (not shown) lets you define how much information to record about StandGuard Anti-Virus's actions, and the Schedule tab (Figure 7) lets you indicate when recurring scans should be run and what priority they should have. With the last tab, Exclusions, you can specify subdirectories that StandGuard Anti-Virus shouldn't scan, such as large read-only archives.

For your first scan, you should select only a few IFS directories and schedule immediate, one-time execution so that you can monitor the scan's progress and more quickly review results. Essential messages appear in the console in a Messages item immediately under the Scan Tasks item; click this item to view scan results (Figure 8). These messages are standard OS/400 system log messages, which means you can monitor them and redirect them to other OS/400 programs, such as pager and e-mail notification systems.

Advanced Features

StandGuard Anti-Virus's basic virus-scanning features will keep your IFS completely clean and safe all by themselves. StandGuard Anti-Virus has two advanced features, though, that augment these basic functions to improve your overall security stance.

The first is e-mail scanning (Figure 9), which interfaces with OS/400's native e-mail framework to clean all incoming SMTP-delivered e-mail. StandGuard Anti-Virus inspects all attachments for viruses defined in the current virus definitions but also uses heuristics to detect and isolate suspicious attachments that don't specifically match a known definition. You can also exclude so-called Potentially Unwanted Programs (PUPs), otherwise known as spyware. Unless you specifically forward infected messages to a quarantine mailbox, StandGuard Anti-Virus deletes them. StandGuard Anti-Virus then creates a log entry to state that a virus has been detected. For real-time notification, administrators can tie StandGuard Anti-Virus into their monitoring/notification solution (either Bytware's Messenger or another third-party product) to send a message when a virus has been detected.

The second advanced feature is On-Access scanning, in which StandGuard Anti-Virus optionally inspects files whenever they're opened or closed (Figure 10). The advantage of On-Access scanning is that an infection can be caught the instant that a file is created or modified, without waiting for a regularly scheduled scan. You have quite a bit of control over how StandGuard Anti-Virus carries out On-Access scanning, with the ability to check files only on opening or to force file operations to fail when an infected object is involved. The Advanced tab (Figure 11) also lets you fine-tune On-Access performance by limiting the kinds of scans performed at open and close.

Keeping the IFS Safe for Democracy

In today's world of rapidly spreading viruses, you need all the help you can get to keep malware at bay. StandGuard Anti-Virus's dual user interfaces let you operate in whichever environment — green screen or iSeries Navigator — best suits you. By performing IFS virus scanning natively, StandGuard Anti-Virus avoids the pitfalls of Windows-based scanners running across your network. Advanced logging and reporting give you enterprise-level notification capabilities, and StandGuard Anti-Virus's native OS/400 messaging lets you easily integrate the program into your existing management infrastructure. You also maintain tight control over IFS security and gain peace of mind knowing that StandGuard Anti-Virus's On-Access feature protects IFS files immediately upon opening or closing by Windows programs.

Windows computers are hard enough to keep clean without having to worry about reinfection from IFS-archived data. StandGuard Anti-Virus does exactly what it promises: stand guard over your IFS to ensure that it, at least, doesn't become an enemy stronghold.

Mel Beckman is a senior technical editor for iSeries NEWS.

Product Information

Product Name
StandGuard Anti-Virus

Platform
OS/400 V5R1 or higher; V5R1 systems require IBM PTF SI06483. Java Tool Kit 1.2 required to download virus definitions and program updates. V5R3 required for On-Access scanning features.

Price
Contact Vendor

Vendor
Bytware, Inc.
9440 Double R Boulevard, Suite B
Reno, NV 89521-5990
(775) 851-2900; fax (775) 851-2995
bytware.com
