ibmi-brunch-learn

Potential virus on I5's ifs

  • Potential virus on I5's ifs

    Good Morning,

    I am running into a problem with my IFS drive. Some of the directories are being deleted without my notice. I have restricted the directories from individual users but am still seeing them disappear. I have a couple of questions.
    1. Can I run my virus checker on the ifs drive to determine if I have a virus?

    2. Is there a way I can trigger or find out who deleted these directories if I'm not sure when it occurred?

    3. What is the best way to secure my read only directories on the ifs?

    Thanks,

    DAC

  • #2
    Re: Potential virus on I5's ifs

    Be advised that even if you explicitly exclude a user from a directory, that user will still have access to it if (s)he has *ALLOBJ authority, or your system security level (dspsysval qsecurity) is set to 20 (you really should be using at least security level 40).



    • #3
      Re: Potential virus on I5's ifs

      Really? A virus? Nope. The virus would have to be run by someone. Since you don't surf from the IBM i, how would it get there?

      http://publib.boulder.ibm.com/infoce...zakistrjrn.htm
      Hunting down the future ms. Ex DeadManWalks. *certain restrictions apply



      • #4
        Re: Potential virus on I5's ifs

        Originally posted by dcutaia
        Good Morning,

        I am running into a problem with my IFS drive. Some of the directories are being deleted without my notice. I have restricted the directories from individual users but am still seeing them disappear. I have a couple of questions.

        1. Can I run my virus checker on the ifs drive to determine if I have a virus?

        If you map the IFS as a network drive, yes. I'm not aware of any other way of doing it. However - I'm not sure that it will help much. The virus would have to have infected a connected PC which has mapped the IFS. If the virus has actually infected the IBM i you'll have a world first!

        2. Is there a way I can trigger or find out who deleted these directories if I'm not sure when it occurred?

        Possibly by journaling IFS objects - I've never had to do it. I don't know what release you are on but this is the V5R4 start page for the topic. http://publib.boulder.ibm.com/infoce...zakistrjrn.htm

        It occurs to me that you should probably check how open your system is to FTP. It can be used for more than just uploading files! That may be the open door on your system.

        3. What is the best way to secure my read only directories on the ifs?

        First you need to determine what you are protecting them from - your biggest danger is mapped network drives and FTP, etc. Beyond that I'm not an expert, I'm afraid. You'll need to define exactly what/why/who you do want to enable IFS access to and go from there.

        Thanks,

        DAC



        • #5
          Re: Potential virus on I5's ifs

          Really? A virus? Nope
          Not exactly true. The virus wouldn't be running on the IBM i, but could be running on a client PC that has access. The Audit journal may help you find the culprit.

          Most virus scanners CAN be run against an IFS drive from a PC. It might find virus files on the IFS, even though the virus is not running on the IBM i. Long shot I think.



          • #6
            Re: Potential virus on I5's ifs

            If auditing is enabled on the system and the QAUDLVL system value includes *DELETE, then the system audit journal should show T/DO entries. The DSPAUDJRNE command is a quick way to start investigating. Look for object type '*DIR', and use the timestamps to look directly at the journal entries.

            And viruses can infect file systems in the IFS. Essentially all known cases have executed on attached PCs when IFS files are accessed remotely, and they can delete across a network from the PC. It's technically possible to have native viruses, but no one has demo code available. AV programs can be installed on AS/400s to monitor for infections. The QSCANFS and QSCANFSCTL system values are part of the monitoring infrastructure. (You can create your own AV solution using open-source, Clam AV, for example.)

            Tom

            There are only two hard things in Computer Science: cache invalidation, naming things and off-by-one errors.

            Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
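The auditing setup described in #6, written out as CL. This is an added example, not code from the thread; it assumes the audit journal QSYS/QAUDJRN already exists and uses '/home/readonly' as a placeholder for the directory being protected.

```cl
/* Added example (not from the thread): switch on delete auditing for an  */
/* IFS subtree, then pull the T/DO (delete) entries back out of QAUDJRN.   */
/* Assumes QSYS/QAUDJRN already exists; '/home/readonly' is a placeholder. */
PGM

  /* QAUDCTL must include both *AUDLVL (action auditing via QAUDLVL) and   */
  /* *OBJAUD (object auditing set with CHGAUD), otherwise nothing is logged */
  CHGSYSVAL  SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD')

  /* *DELETE writes a DO entry each time an object is deleted. Note that   */
  /* CHGSYSVAL replaces the whole list, so keep any values already in use. */
  CHGSYSVAL  SYSVAL(QAUDLVL) VALUE('*DELETE *AUTFAIL *SECURITY')

  /* Object auditing on the directory and everything beneath it, so that  */
  /* the entries also carry the path and the user who performed the delete */
  CHGAUD     OBJ('/home/readonly') OBJAUD(*ALL) SUBTREE(*ALL)

  /* Investigation step: list only the DO (delete) entries from the       */
  /* audit journal, from the given date onward; filter on object type *DIR */
  DSPAUDJRNE ENTTYP(DO) FROMTIME('01/01/2009' '000000')

ENDPGM
```

Object auditing only records what happens after CHGAUD runs, so earlier deletions will not appear; combine the DO timestamps with the job and user profile columns to see which connected PC or FTP session issued the delete.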
