IBM Support

Viruses, Malware, Spyware, Ransomware, the IBM i Operating System, and the Integrated File System

Troubleshooting


Problem

Windows PCs that have network drives mapped to the IBM i and then contract a computer virus can cause files on the IBM i to become encrypted or infected.

Resolving The Problem

Viruses attack a specific computer architecture. The architecture of the IBM i system makes it highly unlikely that a virus could be written to attack it. PC-based viruses will not run on the IBM i operating system, and IBM does not offer Anti-Virus, Anti-Spyware, Anti-Malware, Anti-Ransomware or similar programs for the IBM i operating system. However, IBM i does provide Scanning support so that 3rd-party software can scan for malicious activity.

The Integrated File System (IFS) is a part of the IBM i operating system. It supports stream input/output and storage management similar to personal computer and UNIX operating systems, while providing an integrating structure over all information stored in the system (see File system comparison). If the stream-based file system is used as a file server for PC files, the files stored on the IFS may carry viruses. An infected file that is copied, moved, or saved from a PC to the IFS and then redistributed to another PC can transmit a virus to the new PC. Likewise, if a network drive is mapped to the IFS, a virus running on a PC (and capable of damaging files on a network drive) can damage any file stored on the IFS.

To ensure objects on the IFS are not infected, all clients susceptible to viruses, malware, spyware, ransomware, etc., should run a security suite program that monitors for unauthorized activity and quarantines infected objects on the PC, thus preventing the spread of infected objects to the IBM i server. In addition, it is recommended that the IFS Scanning support feature be used. Scanning enablement allows security suite business partner products to 'hook' into the operating system and detect whether an IFS file is a virus carrier when the object is opened (QIBM_QP0L_SCAN_OPEN) or closed (QIBM_QP0L_SCAN_CLOSE). This enablement runs the OEM security product through the operating system exit points. These exit points allow real-time (when the object is accessed) and manually started scanning. If the accessed object has a virus and cannot be repaired, the operation fails, preventing the virus from being propagated. Additionally, APIs, CL commands, and system values are provided for the business partner and user to customize the scanning environment and levels of protection. Security suite packages that run on the operating system and make use of the scanning support are available from vendors: HelpSystems, RazLee, SeaSoft. For information and support on these products, please contact the OEM vendor directly.
 
Note: The OEM security suite programs must have their files updated regularly. New viruses, malware, spyware, and ransomware appear frequently, and a security suite program cannot provide protection against malicious activity it does not recognize. Security suite program vendors normally provide updates that can be downloaded free of charge from the vendor's Web site.

Protecting against computer viruses
Your security policies must be designed to protect your system from computer viruses and malicious programs.
 


What to Do If a virus is found in a stream file in the Integrated File System?

If Scanning support is enabled, actively monitoring, and disinfecting files, then ensure you have the current definitions applied on the IBM i server, along with the current Cumulative, Group, and Recommended PTFs for i5/OS NetServer.

If Scanning support is not enabled or not being used, or if the IBM i system is on an older release, the following steps may be used to disinfect files using a clean PC that has current PC OS updates and the current security program updates and definitions applied:
 
1. Keep PC users out of the IFS by disconnecting any drives mapped to the IFS. See the section below, Restricting PC Access to the Integrated File System during a security suite scan (Using a PC security suite scan Product), for directions on how to restrict IFS access.
2. A single user must map a drive to each IFS share or directory and run a PC security suite program against each.

The following file systems should not be included in the scan:

QFileSvr.400 provides access to file systems and directories that reside on remote IBM i family systems. A security suite scan must be run from a PC that connects a network drive directly to the IFS on the remote IBM i family system. A security suite scan run against QFileSvr.400 may appear to complete normally; however, it does not scan the IFS on a remote IBM i family system even if the remote system has been mounted in QFileSvr.400.

QNetware provides access to local or remote data and objects that are stored on a server that runs Novell NetWare 4.10 or 4.11 or to stand-alone PC servers running Novell NetWare. A security suite scan should be run from the Novell server rather than from a mapped network drive.

QNTC is the Microsoft Windows NT server file system. This file system provides access to Windows servers - both servers running on an Integrated Netfinity or xSeries server and those on PC servers. The security suite scan should be run on the Windows server rather than on drives mapped to QNTC shares.

QOPT is the Optical file system. This file system provides access to stream data that is stored on optical media (a CD). Because QOPT points to a CD rather than an area on the IFS, a security suite scan should not be run on QOPT.

QSYS.LIB is the file system that contains operating system libraries and database files. This file system does not use the same sort of architecture that PCs use and is immune to viruses. In addition, its size makes a scan very time-consuming.

Note: A network drive must not be connected to any IFS file system that allows a remote operating system to be mounted. Any security suite scan done on such a remote system or server must be run from that system or server rather than using a PC network drive.
3. All PCs must have a security suite scan run on them before reconnecting to the network drive to prevent reinfection.



Restricting PC Access to the Integrated File System during a security suite scan (Using a PC security suite scan Product)
 
Note: If scanning support enablement is being used, the following steps may not be required.

Use one of the following methods to restrict access to the IFS:

Method 1: Restricting Integrated File System access by ending all network drive jobs and starting one job only to run the security suite scan

One way to keep PC users out of the IFS while running a PC security suite scan is to end all i5/OS NetServer and File Server jobs. Then, start one i5/OS NetServer job only to do the security suite scan.
 
o To end all i5/OS NetServer and File Server jobs, run the following commands:

ENDTCPSVR *NETSVR
ENDPJ SBS(QSERVER) PGM(QSYS/QZLSFILE) OPTION(*IMMED)
ENDPJ SBS(QSERVER) PGM(QSYS/QZLSFILET) OPTION(*IMMED)
ENDPJ SBS(QSERVER) PGM(QSYS/QPWFSERVSO) OPTION(*IMMED)
ENDPJ SBS(QSERVER) PGM(QSYS/QPWFSERVSS) OPTION(*IMMED)
ENDPJ SBS(QSERVER) PGM(QSYS/QPWFSERVS2) OPTION(*IMMED)
ENDPJ SBS(QSERVER) PGM(QSYS/QPWFSERV) OPTION(*IMMED)
o Record the current values for QZLSFILE from the Display Prestart Job Entry Detail screen using the following steps:

DSPSBSD SBSD(QSERVER)
Select Option "10. Prestart job entries"
Select Option "5=Display details" on QZLSFILE.
Record values for:
  • Initial number of jobs
  • Threshold
  • Additional number of jobs
  • Maximum number of jobs
  • Maximum number of uses
o To start one job to run the security suite scan over an i5/OS NetServer network drive, restart i5/OS NetServer by following these steps:

Change the QZLSFILE prestart job description to allow only one i5/OS NetServer job to start and then start the job:

CHGPJE SBSD(QSERVER) PGM(QSYS/QZLSFILE) INLJOBS(1) THRESHOLD(1) ADLJOBS(0)

STRPJ SBS(QSERVER) PGM(QSYS/QZLSFILE)
STRTCPSVR *NETSVR
ENDPJ SBS(QSERVER) PGM(QSYS/QZLSFILET) OPTION(*IMMED)
o The user who is running the scan must map a network drive to the IBM i system and follow Step 2 and Step 3 from the section above entitled What to Do If a Virus Is Found in a File in the Integrated File System.
o After scanning and disinfecting the IFS and all PCs on the network, return the i5/OS NetServer QZLSFILE prestart job parameters to their original values. Run the following commands (substituting the original values for the 'n's):

ENDTCPSVR *NETSVR
ENDPJ SBS(QSERVER) PGM(QSYS/QZLSFILE) OPTION(*IMMED)

CHGPJE SBSD(QSERVER) PGM(QSYS/QZLSFILE) INLJOBS(n) THRESHOLD(n) ADLJOBS(n)
o Restart the i5/OS NetServer and File Server Host Server jobs by running the following commands:

STRPJ SBS(QSERVER) PGM(QSYS/QZLSFILE)
STRPJ SBS(QSERVER) PGM(QSYS/QZLSFILET)
STRPJ SBS(QSERVER) PGM(QSYS/QPWFSERVSO)
STRPJ SBS(QSERVER) PGM(QSYS/QPWFSERVSS)
STRPJ SBS(QSERVER) PGM(QSYS/QPWFSERVS2)
STRPJ SBS(QSERVER) PGM(QSYS/QPWFSERV)

STRTCPSVR *NETSVR



Method 2: Restricting Integrated File System access by preventing access to the ports used by i5/OS NetServer

An alternate way to keep PC users out of the IFS while running a PC security suite scan is to restrict access to the ports used by i5/OS NetServer drives. This method uses IP filter rules to block every PC except one (virus-free) PC from reaching the IFS. Note: Once the IP filter rules are implemented successfully, all traffic to these ports is blocked immediately, including currently established connections, so ending NetServer is not necessary; however, ensure that a share to the root of the IFS with Read/Write access has been created. If needed, use the RMVTCPTBL command to remove the filter. To restrict the ports, do the following:
1. Restrict port access to all PCs, except for one PC, by implementing TCP/IP filter rules on the IBM i system. Attached is a sample filter rules file, which you may use.

Note: The sample filters file denies only inbound traffic on ports 445, 137, 138, 139, and 8473 from all but one PC, so that no other PC can reach IBM i objects over these ports. These filters do not affect other TCP/IP ports or traffic, for instance Telnet, FTP, etc. In this example, the IP address 1.1.1.1 represents the PC that is virus-free and has security suite scanning software with current updates; change the IP address to reflect the PC you are going to use for mapping and scanning. Similarly, the IP address 10.10.10.10 represents the IBM i server; replace this IP address with that of your IBM i server.

2. Create a read/write hidden share to the root of the IFS:
If not already available, install the GO NETS tool using these instructions: Manage IBM i NetServer without Navigator - GO NETS
Add a hidden NetServer share over the root of the IFS with Maximum users set to 1:
 ===> ADDNSVFSHR SHARE(ROOT$) DIR(/) TEXT('RW hidden Root share - Max users 1') ACCLVL(*RW) MAXSSN(1)
3. Map a drive to the IFS from the PC, to the root share.
4. Scan for Viruses, Spyware, Malware, Ransomware, etc.
5. Remove filter rules using the RMVTCPTBL command on the green screen.



Method 3: Restricting Integrated File System access by allowing only a single connection to an i5/OS NetServer share

Another way to keep PC users out of the IFS while running a PC security suite scan is to restrict access to the i5/OS NetServer shares. This method uses a NetServer hidden share so that only one user, on a virus-free PC, can access the IFS.
 
Note: The user that maps to the share first will have access to the share, and all others will fail to connect.
1. End the i5/OS NetServer by running the following command:

ENDTCPSVR SERVER(*NETSVR)

Note: All active i5/OS NetServer and File Server users are dropped when these commands are issued. Any user trying to map a new network drive after these commands have been issued will receive an error message.
2. End the File Server daemon job QPWFSERVSD by running the following command:

ENDHOSTSVR SERVER(*FILE)
3. Rename QAZLSSHR file to QAZLSSHR.OLD by running the following command:

RNM OBJ('/QIBM/UserData/OS400/NetServer/QAZLSSHR') NEWOBJ(QAZLSSHR.OLD)
4. Start the i5/OS NetServer by running the following command:

STRTCPSVR SERVER(*NETSVR)
5. Perform Steps 2 through 4 listed in Method 2 above.
6. End the i5/OS NetServer.
7. Delete QAZLSSHR file by running the following command:

RMVLNK OBJLNK('/QIBM/UserData/OS400/NetServer/QAZLSSHR')
8. Rename QAZLSSHR.OLD file to QAZLSSHR by running the following command:

RNM OBJ('/QIBM/UserData/OS400/NetServer/QAZLSSHR.OLD') NEWOBJ(QAZLSSHR)
9. Start the i5/OS NetServer.
10. Start the File Server daemon job QPWFSERVSD by running the following command:

STRHOSTSVR SERVER(*FILE)



Example of Restricting Integrated File System "Virus-Like" Activity with a File Server Exit Program

A preventive option is to write a file server exit program to restrict virus-like activity. For example, the sample program VIRUSEXIT prevents all users from creating files with the extension exe and from opening any file with an extension of exe for write access.
 
Note: All samples on the following FTP site are available for public use. These samples are provided "as is". Assistance with these sample programs is available only from IBM Lab Services via Consulting.
The sample is available at the following URL:

ftp://public.dhe.ibm.com/services/us/igsc/cs2/ApiSamples/

The save file (SAVF) VirusExit.savf contains the ILE C source.
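As an added illustration of the rule VIRUSEXIT enforces (example code written for this page, not IBM's VIRUSEXIT source; the request structure is a hypothetical simplification, not the real file server exit-point parameter format), the decision function below rejects creation of any .exe file and any open of an .exe for write while leaving reads untouched, using constructed sample requests in main:

```c
/* Added illustration, not IBM's VIRUSEXIT source: the rule the text describes
 * (reject creating *.exe and opening *.exe for write) as a portable C function.
 * The request struct is a hypothetical simplification of the exit-point data. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
enum fs_function { FS_CREATE = 1, FS_OPEN = 2, FS_OTHER = 99 };
enum open_mode   { OPEN_READ = 0, OPEN_WRITE = 1 };
typedef struct {
    enum fs_function function;  /* what the PC client asked the file server to do */
    enum open_mode   mode;      /* meaningful only for FS_OPEN */
    const char      *path;      /* IFS path name, '/'-separated */
} fs_request;

/* 1 if the final path component ends in ".exe". Windows clients treat names
 * case-insensitively, so the comparison must too ("SETUP.EXE" counts). */
static int has_exe_extension(const char *path)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    size_t n = strlen(base);
    if (n < 4) return 0;
    base += n - 4;              /* the last four characters of the name */
    return base[0] == '.' && tolower((unsigned char)base[1]) == 'e' &&
           tolower((unsigned char)base[2]) == 'x' &&
           tolower((unsigned char)base[3]) == 'e';
}

/* Exit-point verdict: 1 = allow the request, 0 = reject it.
 * Reading an existing .exe stays allowed, as the text describes. */
int virus_exit_decide(const fs_request *req)
{
    if (!has_exe_extension(req->path))
        return 1;
    if (req->function == FS_CREATE)
        return 0;
    return !(req->function == FS_OPEN && req->mode == OPEN_WRITE);
}

int main(void)
{
    /* Constructed sample requests: create .exe, read .exe, write .EXE */
    fs_request create_exe = { FS_CREATE, OPEN_WRITE, "/home/shared/setup.exe" };
    fs_request read_exe   = { FS_OPEN,   OPEN_READ,  "/home/shared/setup.exe" };
    fs_request write_exe  = { FS_OPEN,   OPEN_WRITE, "/home/shared/SETUP.EXE" };
    printf("%d %d %d\n", virus_exit_decide(&create_exe),
           virus_exit_decide(&read_exe), virus_exit_decide(&write_exe));
    return 0;
}
```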


Document Information

Modified date:
04 March 2021

UID

nas8N1021452