


Mike,

Thanks, a clear & concise education for many of us.

jim

----- Original Message -----
From: "QSCANFSCTL" <QSCANFSCTL@xxxxxxxxxxx>
To: "'Midrange Systems Technical Discussion'" <midrange-l@xxxxxxxxxxxx>
Sent: Friday, December 29, 2006 5:04 PM
Subject: RE: How Secure is Windows, Really?


As an iSeries anti-virus provider I feel compelled to comment on some of
these points since I deal with viruses every day and iSeries customers with
virus related issues.

As to iSeries anti-virus software, in my opinion that's one of the bigger
misrepresentations in our marketplace.  You can only put a virus on an
iSeries by copying a file into the IFS from an infected non-iSeries machine.

This is a bit of a tricky statement. The IFS is the entire system, it
encompasses all (7?) file systems. That's why the I in IFS stands for
Integrated. To say that something must be copied to the IFS is to say that
it must be copied to the disk in some way. That's not any different than
Windows. But I could also create a symlink to somewhere in QFileSvr.400 and
access that file without physically having the file on disk!

What I think is meant is the files must be copied to the root '/' file
system? However, I have seen viruses in QOPT, QSYS (save files), QOpenSys
and root all come to mind. There is a general misperception that the IFS is
separate from the iSeries and is somehow not being used or takes special
action to use it (not to imply you are saying that, it's just my experience
talking with iSeries users).

Regarding the statement they must be copied from a non-iSeries machine: I
have seen viruses go from iSeries to iSeries plenty of times -- basically
any way you can move stream file data from one iSeries to another you can
transfer a virus. I have seen viruses go from system to system using FTP,
QOPT, tape, journals, even completely automated using HA solutions (if you
infect a file on systemA then it gets replicated to systemB). Of course it's
not the virus doing the replicating but it still got to systemB
nevertheless. I have seen customers that restore data from backup tapes and
reinfect files, I have seen viruses get on the system from installing 3rd
party software (I won't name names, but you would be very surprised) using
save files and RSTLICPGM. I have seen them come in through automated EDI
transfers. The iSeries is a server and it's very good at moving data!

I think what is meant is the viruses must INITIALLY get on an iSeries system
via a non-iSeries machine. That is partially true, at some point the file
had to get there from somewhere (i.e. Windows), but after that it can go from
iSeries to iSeries quite easily using any of our data transfer methods
mentioned above (i.e. I could FTP you a save file, I could burn a DVD, all
using my iSeries).

The virus cannot affect the iSeries, and so really isn't an iSeries virus in
a traditional sense, any more than a virus on a CD is a "CD" virus.

I was personally involved in a customer incident where their iSeries telnet
server kept crashing. They spent several days with Rochester support loading
PTFs and eventually replaced some hardware. Days later it turned out to be a
virus (running on a Windows PC) that was flooding their telnet server with
bad packets. There's a PMR out there that addressed it, quietly as an
'Integrity problem'. Was their iSeries affected? If you ask this customer I
can assure you they won't agree the system cannot be affected. And how do you
think they felt about the 2 days of downtime they had?! To make matters
worse, once they cleaned the infected PC, the problem came back a week later
because the infected file was still on their iSeries and it reinfected their
PC but they never checked there. Yes they had antivirus running on their PC
but it was freeware and it didn't know about the virus.

I know of other real situations but I should leave it at that.

Intel viruses aren't going to be running in QBATCH, but that is not required
these days to affect a networked server.

They are typically just Windows viruses that are stored on an iSeries.  So
the place where you need to run your anti-virus software is the machine that
is putting the bad files onto your iSeries in the first place.

I'm surprised at how often I hear this. Yes you certainly need to run AV on
a Windows PC - no question. But there are 2 basic problems with this
approach as your only defense:

1. Anti-Virus software can only detect 'known' viruses (there are
exceptions, like McAfee's heuristic technology can make an 'educated guess',
but even that is not 100%). That means if I (figuratively speaking) was to
create a virus today, and send it to you, your PC will not detect it. That
is because your PC's AV vendor doesn't know about it yet, has not put the
detection into their virus definition files, and you have not updated your
definitions. Now the virus runs and let's say it copies itself to the IFS.
Tomorrow you update your virus definitions and your PC gets cleaned up. But
the infected file remains on the iSeries. Now you backup your iSeries to
tape, and maybe you have HA replicating your iSeries to a DR machine. The
result is Windows 0, iSeries 2 (3 if you count the tape backup). Not good.

2. In order for this method to be effective, you would need to ensure all
PCs have the latest virus definitions (scheduled automatic updating), that
they actually run the update every day without ever erroring out, that no
one is ever able to disable or shutdown the AV software, that they never get
a virus that shuts down their AV software (I have lots of interesting
stories about this one), that they never install any software that disables
the software (even temporarily) without their knowledge (more stories about
this one too), that you never let anyone connect a laptop to your network
without first inspecting their virus definition levels. And you would want to
monitor all of this so you would be alerted in some way before it happens.
That's a lot of work! And even then, after all that, there is still #1
above!

The iSeries has probably the best anti-virus technology in existence. It
can't be shut down by a virus (unlike Windows). Once a file has been marked
as infected it cannot be opened in any way (without changing the system
value QSCANFSCTL). Once a file has been scanned successfully it is not
scanned again by every other user accessing that file, even if you move the
ASP to another iSeries! There can be a permanent record made in QAUDJRN for
proof of scanning (good for those regulatory requirements). Sorry if that
sounds like a sales pitch, it's just I'm excited about the technology -- it's
very impressive what IBM did. Just another example on how the iSeries is
better than other platforms (yet gets little respect)!


(Don't get me wrong: there is a niche market for anti-virus products for
those companies who use their iSeries as their primary file server, not just
their business logic server.  I won't argue the pros or cons of that; it's a
business decision based on cost of disk vs. security and ease of backup.)

Joe


Thanks for taking the time and interest Joe. I hope the information is
helpful. We don't want any of those misrepresentations out there!

Mike Grant
Bytware, Inc.
775-851-2900

http://www.bytware.com

CONFIDENTIALITY NOTICE: This e-mail message and any attachment to this e-mail message contain information that may be privileged and confidential. This e-mail and any attachments are intended solely for the use of the individual or entity named above (the recipient) and may not be forwarded to or shared with any third party. If you are not the intended recipient and have received this e-mail in error, please notify us by return e-mail or by telephone at 775-851-2900 and delete this message. This notice is automatically appended to each e-mail message leaving Bytware, Inc.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.



