Even experienced IBM i admins sometimes question whether malware protection is necessary for this platform. It's true that IBM i (AS/400, iSeries) can't be infected by a PC virus. But anti-malware software is necessary to prevent the IFS from acting as a host and delivery mechanism for viruses and malware, and to prevent viruses from indirectly affecting IBM i operations.
If the integrated file system (IFS) is used as a file server for PC files, the files stored on the IFS have the potential to carry viruses. An infected file that is saved from a PC to the IFS and then redistributed to another PC can transmit a virus to the new PC.
Let's examine three specific ways viruses and malware can get onto the IFS.
Discoverable Shares
One way a virus can be spread to the IFS is through discoverable shares. In Windows, discoverable shares are found under the option for “network” on the very bottom of the left sidebar of the File Explorer tool. If network discovery is not turned off, you will be able to see all the discoverable file shares that exist on your network as an available resource.
If malware infects a device that is connected to your organization’s network and does not have discovery turned off, the attacker will be able to take advantage of the authorities of that user. That means they can potentially view, encrypt, alter, and delete all discoverable shares spanning your entire network regardless of whether they’re mapped as a drive by the end user. The same principle applies to the IP address of a server. If an attacker knows the IP address and discovery is turned on, they have access to all your shares.
Attacks stemming from discoverable shares are tricky from a security standpoint. Stopping them is difficult because the actions being performed are valid and therefore hard to identify as malicious. Removing file shares completely can be helpful, but if they’re needed for legitimate business transactions, this is not the best solution.
Your IBM i needs the right tools to tackle today’s malware. Powertech Antivirus for IBM i uses behavior-based anti-ransomware technology to sniff out intruders performing malicious actions against your servers. This way, you can fulfill the business need for file shares without compromising your security.
Image Catalogs
Image catalogs, NFS mounts, and UDFS mounts are yet another way viruses can spread between servers. An image catalog is basically a file that appears to another system as a CD, and is often used for loading software. IBM i uses image catalogs to load Linux on a partition. Viruses that have infected a file in the image catalog or virtual drive will be loadable by any remote server that uses them.
Client Access
Client Access has been another source of virus outbreaks. We had a customer contact us about a problem they were having with viruses on their network that kept reinfecting their PCs, despite all of their cleanup efforts.
To make a long story short, the PCs were all running Client Access (as we all do), and the setup.exe file for Client Access, which is located on the IFS, was infected. Each time the PCs ran an automatic update, which was every day, they would run the setup.exe file on the IFS and start the virus infection all over again.
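A defender's check for this scenario, added here as an example and not taken from the vendor's product: record a SHA-256 baseline of the PC executables stored under an IFS directory and report any that later change or appear. The extension list, the function names, and the temporary directory standing in for the IFS path are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: extensions treated as PC-executable content; adjust for your shares.
PC_EXECUTABLE_EXTS = {".exe", ".dll", ".msi", ".bat", ".cmd"}

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large installers do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def is_pc_executable(path):
    """Match by extension, or by the 'MZ' header in case the file was renamed."""
    if path.suffix.lower() in PC_EXECUTABLE_EXTS:
        return True
    with open(path, "rb") as handle:
        return handle.read(2) == b"MZ"

def snapshot(root):
    """Map each PC executable under root (relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and is_pc_executable(p)}

def compare(baseline, current):
    """Report executables that changed, appeared, or vanished since baseline."""
    return {
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def demo():
    """Constructed sample tree; a real run would point at the shared IFS path."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "install").mkdir()
        setup = root / "install" / "setup.exe"
        setup.write_bytes(b"MZ" + b"\x00" * 64 + b"original build")
        (root / "readme.txt").write_text("plain text, ignored")
        baseline = snapshot(root)
        setup.write_bytes(b"MZ" + b"\x00" * 64 + b"altered build")
        (root / "install" / "update.bin").write_bytes(b"MZ constructed sample")
        return compare(baseline, snapshot(root))
```

Store the baseline somewhere the file-share users cannot write, and take it only after the installer files have been verified against the vendor's originals.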
Are Windows Viruses a Threat?
There is often confusion around whether Windows viruses can affect IBM i—meaning impact IBM i performance. Here's the deal:
- Viruses cannot hide inside RPG and CL programs
- Viruses cannot hide inside Physical and Logical files
- IBM i cannot run .exe files that contain viruses
- IBM i can run Java and UNIX executables that contain viruses
- Viruses can hide inside Java and UNIX stream files
Windows viruses can affect IBM i. For example:
- A DOS command could be issued to "delete all" from a directory that is mapped to the IBM i. IBM i libraries appear as directories to a malicious program or virus running on the PC, so the DEL *.* command could be used to delete all objects in an IBM i library, rendering the system useless.
- Viruses can use the Client Access ODBC or JDBC driver running on a PC to execute commands through SQL statements. An example could be an Excel spreadsheet with a SQL command, which sends a clear lib QUSRSYS command. At a minimum, it would destroy everything the current user owns. If it were running under an administrator’s profile, the virus would have enough authority to destroy the operating system.
Final Thoughts
While viruses and malware might not infect IBM i in the traditional sense, these malicious programs can have a devastating impact that includes entire days or weeks of downtime. If your organization is required to comply with mandates like PCI DSS, malware protection is required. Even if you're not affected by a government or industry requirement, consider whether the risk is worthwhile. Getting started with virus protection on IBM i (and AIX and Linux) is simple, and it begins with a free scan to identify any threats that are already on your system. Request your free scan today to begin protecting your mission-critical servers.