On-Demand Webinar

How to Protect IBM i from the New Malware Threats of 2020

IBM i
Recorded:
May 14, 2020


IBM i has never been immune to malware—but threats to businesses are greater than ever.

Many employees are now working from home. Research from March 2020 shows home networks are 3.5 times more likely than corporate networks to have at least one malicious program!

At the same time, criminals are launching attacks that leverage headlines about Covid-19, government stimulus programs, and stay-at-home orders. Even office-bound workers are letting their guard down.

It’s critical to grasp the impact these malicious programs can have on IBM i, so that you can keep your systems up and running. Watch this webinar, presented by Sandi Moore, to learn about the relationships between:

  • Viruses, native objects, and the integrated file system (IFS)
  • Power Systems and Windows-based viruses and malware
  • PC-based anti-virus scanning versus native IBM i scanning

There are many ways to minimize your exposure to malware and viruses, even with a remote workforce. IBM i security expert Sandi Moore explains the facts, including how to ensure you're fully protected.

Introduction to How to Protect IBM i from the New Malware Threats of 2020


This is the HelpSystems webinar How to Protect IBM i from the New Malware Threats of 2020, and we are recording this, so you'll be able to review this later on because I'm going to shoot a whole bunch of information at you today.

My name is Sandi Moore. I'm a principal security consultant with HelpSystems. I work with a lot of customers in evaluating security flaws on their system or holes and helping to determine the best way to remediate or mitigate some of those security issues. I've worked on the IBM i platform for almost 20 years now in a lot of different capacities training customers, working in support, supporting software, doing testing, tradeshows, but my most favorite thing to do is to present information and share information with you, so that I can help people understand what the concerns are, what they can do about it, and I love to show off our software too. It's fun for me, and I'm glad you guys were able to be here today.

I have worked in the area of the viruses and malware arena for most of my career with the company, so hopefully I'll be able to share some new information with you guys.

We'll go through the agenda here really quick, just so you have an idea of what we're going to be talking about: 

  • Changes to the threat landscape 
  • The threats that are out there
  • Any impact on IBM i there might be
  • What's at risk
  • Creating layers

Of course, we want to get to a point where we can deal with this.

Common Ways Malware Can Threaten Your IBM i


The first thing we have to think about is where these threats are initiated. Our companies are being bombarded by threats, and these threats come from multiple sources:

  • The very common criminal outsider element. Someone who wants to steal information from you or hold your information hostage, so that they can get some money out of you.
  • Competitors. Whether they're trying to destroy you or disable you or steal information from you.
  • Political, as well. You know, that's always a hot button.
  • The Insider threat, as well. Very common in that there are threats from the inside. Whether it's a negligent employee who is not doing due diligence, downloading things, or not taking the steps that are outlined in a security policy, or malicious, we've seen some malicious attacks from insiders.

AT&T comes to mind, where they had employees who were willing to install malware on servers to collect customer data, and they gained a lot of money out of this. So, there is some malicious intent or destruction of information but also accidental. Now, I don't think that most of our employees are intentionally hurting or harming our systems, but that accidental click on something is certainly going to be impactful. 

Now, unfortunately, the world we're living in right now, and I'm not going to tell you guys, we all know where we're at, we are in a global pandemic. Our world is turned upside down, and things are not normal right now. And so, what we have found is that there's a huge number of employees working from home. Unfortunately, this has really changed the way threats are initiated. With work-from-home employees, we now have a conduit from the outsiders to the insiders, and we're kind of standing on the fence there, in between, and it's created an environment where we have to start thinking about things a little bit differently. Whether you already had a lot of people working from home and you had a great plan in place, or you had a few people who might have worked from home and now you have a whole bunch of employees working from home, it definitely puts some burden and some strain on our IT departments, our equipment, our bandwidth. All of these things have really impacted where we need to start watching for these threats from.

Now really quickly, I'm actually going to run a poll here because I want to see where you guys are at with this. I’m wondering if you guys have employees or coworkers that are connecting to IBM i remotely? 

We do know that there is a huge amount of people working from home, like I said, and when they're working from home, what are they connecting to? Is the IBM i going to be exposed that way, and this is something that we don't usually have to think about. We know our IBM i is inside our firewall, all right. Everybody tells me that when I do security scans with them, we review their security settings. Everybody says, well, I'm not worried about it, It's behind the firewall. Now, this work from home, how many people are actually connecting to that IBM i?

Most of you guys have voted here, so I'm going to not hold up this poll here, unless anybody wants to throw out an answer here quick.

Looks like we have in fact 90% of you say that, Yes, you do in fact have employees or coworkers connecting to the IBM i remotely. 3% of you say No, and 6% of you are not sure. That's actually a pretty big number. There's a lot of people that are in fact connecting to that system. That is probably or most likely from what I hear and what customers tell me, this is the core server of the business, and so we definitely have to take this into consideration.


The Increased Business Risk of Malware Attacks During Covid-19 and Working From Home


Let’s talk about why work from home is increasing this risk. The first thing is that everybody says, oh, I've got my users coming in through a VPN connection. Okay good, so when they're connected, you've got a secure connection, and that's a beneficial thing. But, what we're finding is that those laptops and those non-company-owned computers that your users are connecting from are not necessarily being kept up to date. They could be used for personal reasons, and they may not have effective antivirus software or malware security software on those systems. Employees are overwhelmed right now with the news, everything that's going on, stresses, if you have kids at home, your pets are not used to you working from home, so you have this whole host of new co-workers that don't necessarily sit on the same mindset as you do of getting work done during the day. So, we're all really distracted.

Unfortunately, the bad guys, those threat actors, those schemers, are taking advantage of that. Phishing and scam emails are through the roof. There are so many of them that are geared towards getting your attention, and those employees whose attention they get are more likely, from home, to click through on things because they're distracted, they're busy, they're overwhelmed, they're worried about what's going on. Phishing attempts that might get them paying attention could be contact tracing. That's the new big thing, contact tracing. If you get an email that says someone you know has been exposed and has contracted Covid-19, you need to respond with your personal information and fill out this form. Suddenly, you actually have a compromised employee, a compromised computer.

Stimulus payments and people trying to update their banking information, checking to see if they have their stimulus payments, there are spoof websites on that, and that web browsing can also be a big part of this increased risk. The fear and misunderstanding about what's going on can drive a lot of that panic, and so people looking at emails for cures for this virus are going to click on things that they may not normally. 

Spouses or significant others that are out of work and looking for job offers. If you get a job offer in the email, you're going to click through on it. So a lot of these activities that we wouldn't normally be seeing happening have really increased the risk of our users exposing our network and our systems. 

Media, of course, we've always had media being a potential issue with thumb drives, cell phones, MP3 players. You may have employees who are connecting from their phones, that's their main source of internet connectivity, and those could be compromised, as well. There's a new Android app out that was billed as a coronavirus app, and it in fact is malware.

Then our smart home devices. Our homes are connected, and are they segregated on our home networks? So, anything that's going on in the home network while you're connected to the VPN connection may not necessarily impact the company, but once they're disconnected from the VPN, that computer is going to be impacted, and the next time they connect to the VPN, it can in fact spread back to the company. All of these things are playing into this increased risk, as far as hardware and being able to police and know the hardware that your work-from-home employees are using. Do they have the router settings exactly how they were when the Spectrum guy came and installed it? Did they ever change the default password? Have they done firmware updates? All of these things have now exponentially increased what we need to be concerned about.

Malware and the Impact on IBM i Security


As far as the threats, they can impact the availability of your hardware and business applications. If your IBM i is the core server for the business and you have the inventory, order entry, invoicing, payroll, general ledger, any of those primary functions offline because of a security incident, that can cripple the organization. Whether you are one of those companies that is overwhelmingly busy with business because you make cleaning products, or you are making paper products, you’re a transportation company, or healthcare industry, you guys are all really really really busy. And if your organization comes down and is taken offline, that's going to be huge, or if you're trying to keep afloat and you're trying to keep business going, and you're down, again, this can create some huge challenges. So, we really need to start looking at what are the things we're going to do to protect and how can we prevent security incidents from taking our main server offline?

One of the security threats of course is malware. That's why we're here talking about malware today. Malware by definition is malicious computer software that interferes with normal computer functions or sends personal data about the user to unauthorized parties over the internet. All right, so it's bad stuff. Software which has been designed to operate in a malicious, undesirable manner. I found many definitions on malware, I like this one the best, but really it's an amalgamation of malicious and software. Malware. It is used very generically to discuss or describe a wide variety of malware: computer viruses, worms, Trojan horses, spyware, adware rogue software, scareware. All of these things, apps, there is a whole host of them, so we're really just talking about malicious software. Malicious software that is doing something that you didn't intend, right? That's a threat. 

What is it actually going to do? Why are we talking about it today? Because there's always been a big question as to whether or not Power servers can contract a virus. Like many people, they have always heard that IBM i is immune, AS/400 is immune. There has been this mindset that the server is not going to be impacted. It's not going to be infected, and it can't contract a virus.

I actually am going to tell you guys right now off the top that in fact, it can. IBM i (AS/400) can be impacted by malware, and it's something that we need to have. This is why we're having this conversation, and this is something that can, in fact, cause you an immense amount of frustration, pain, downtime, money, all of the above.

What I want to know is, actually through this next poll here, is to find out if your company is actually scanning for viruses on your IBM i. Because of something that hasn't been so widely known, or it's been assumed that it's not going to be impacted and it's not something that needs to be done, I want to know if you guys are actually doing it.

If you are scanning, do you scan with Windows-based software or are you running your scans with a solution that runs natively on IBM i? If you're not scanning, there might be some good reasons for that. I don't know. By the time we get done with this, I bet you're going to probably say maybe we should be doing this.

It looks like some of you guys are not sure if you are in fact scanning the IBM i for viruses and malware. This is not unusual. Sometimes the network teams are tasked with scanning the servers they see as vulnerable, and they don't know about IBM i, or they just go, “Oh yeah, green screen. We're not worried about it.” Looks like most of you guys have voted here on this, and overwhelming results. I'm going to go ahead and close this poll.

59% of you say that you do not in fact scan your IBM i for viruses and malware. 22% of you guys do, happy to see that, that always makes me happy. There are some of you guys that are not sure. It doesn't look like anybody is scanning with Windows-based software, and that actually makes me happy and when we get towards the end you will understand why that actually pleases me. 

I'm going to show you guys a screen here, and this is why I think you should in fact be scanning your IBM i for viruses. This screenshot is from a customer system which in fact got hit by malware. It happened to be ransomware, and it encrypted half a million files on this customer system.

If you think about how big your IFS is and how much you have out there, half a million files, 500,000 files, encrypted, and when they actually did in fact scan their IBM i for viruses, they found two hundred and forty-eight thousand copies of that particular ransomware on their IBM i server in their IFS. So, this in fact is a huge problem, and it needs to be addressed. This particular customer had some very significant downtime. Two weeks to recover, website down, they could only connect from the console because their TCP/IP configuration files were encrypted, unavailable. Their website, which was their main source of business, was down. This was an extremely painful experience, very costly for them, and they were lucky they had backups. They were able to recover from this, but it was, like I said, a long process, very painful.

Not everybody is going to be able to recover from this, viruses affecting IBM i. This particular company, last October in fact, got hit by ransomware. They are an IBM i shop, I know that for a fact, and their ransomware attack was so pervasive that they actually ended up letting all of their employees go, 300 people lost their jobs right before Christmas, because they could not recover from that ransomware attack.

It can be extremely catastrophic, and this is not the climate that we want to have our businesses hit so hard that we just have to close our doors and walk away. We're trying to survive here, and this is definitely not the road we want to go down.

How Do Viruses Spread to the IBM i?

You are probably wondering why you didn't know about this. As I alluded to already, IBM i has always been thought to be immune from viruses, and those native objects on your system, they actually are considered to be immune against viral infection. They're not going to be able to be changed and malicious code injected into your native IBM i database files. Those native IBM i programs are going to have to be recompiled before they start doing something different, so that side of the house, the native objects, that's where that reputation came from. 

But, the integrated file system (IFS) is not immune. As you saw from that screenshot, in fact, the IFS (integrated file system) can and in fact is very often impacted by viruses. It's your responsibility to immunize the IFS, so this is where you step in, and you start scanning that IFS making sure that you know what's out there, that you know what users are putting out there and what you're sharing. So if you send files off the IFS to someone else, what are you giving them? We need to actually focus on this and make sure that this is not part of the weak spot in our infrastructure, that this is not what is going to get us. 

Talking about only the IFS, right? “It's only the IFS, I'm not worried about it. We don't use it.” Well, I guarantee you use the IFS. You cannot have an IBM i without an IFS. We will cover that here in a second. I'll show you guys what's going to be at risk, but it's not just the IFS that can actually be impacted. Those native libraries and objects in QSYS.LIB off the root directory are not necessarily going to be infected or encrypted. Those are not what we're going to be concerned about.

However, those native structures, that QSYS.LIB, those libraries’ objects, can be renamed or deleted by malicious actors or code. So, those can be affected. If you suddenly have a database file that gets deleted, that could be a problem. Other IFS structures can be renamed, deleted, encrypted, and infected, so that can be far-reaching. This can have a huge impact from all corners of your system.

The way that we're seeing viruses being spread to the IBM i, a couple of avenues are the most common. Mapped drives are the biggest offender. This is where users have the ability to put files directly into the IFS or pull files directly out of the IFS from Windows Explorer, so the drive is available. 

Once that network connection is made, you're going to be able to get to the IFS through other interfaces, a command prompt, for example. I don’t know if you guys can see that, but once you've made that connection, that network drive is available through a command prompt, and it's very easy to just do a copy from the PC to the drive. If you have malware or a threat actor who has gained access to your network through a PC, and that PC can see your system, they're going to be able to put things on the system, and they're going to be able to hide things out there on this system. We've seen a lot of threats out there where they're watching, they're monitoring the networks before they actually start doing things. They start planting malicious code on different servers. If you're using the IBM i IFS as a file server, that direct connection is available, and your users are potentially spreading it to the system, but they can also potentially be impacted, as well.

FTP is another way that viruses can spread to IBM i. Easy to use, fast connection, you don't have to use any specialized software; you can see FileZilla in the background there, but it's just as easy using that command prompt again. FTP to your system, change directory to the directory you want to go to, and do an MPUT, and you can put multiple files onto your system. If you don't know what's being moved up there, if you're not monitoring FTP, you have no idea who's putting things on the system, whether it's overwriting files or putting new things on the system just waiting for someone to access them.

Those aren't the only ways that viruses and malware can be spread to IBM i. Mapped drives and FTP are the primary ones, but there is also install media. Do you download software from third-party sources? Do you have vendors that install software on your system? Anyone who's putting anything on your system, regardless of how they're getting it on there, unless they are actively scanning and can ensure that in fact they're not sharing anything with you, you need to be looking at your system, because this is where things are going to be populated onto the system.

Image catalogs, NFS mounts, UDFS mounts, anywhere we're creating that two-way connection between other structures and our system creates the ability for that malware to spread to your IBM i.

How Can the IBM i Spread Viruses?

On the other side of it, is the IBM i going to be able to spread viruses off, so we're able to load things up on the system? All those same ways that the IBM i can in fact get malware on it, it can also happily spread it on to your users and to customers and to vendors, business partners. Whoever you work with and share information with, there's a potential it's being shared that way too.

  • Web servers. You wouldn’t want to actually have a web server that has a page on it that is actually hosting malware. That would not be good, and it doesn't look good for you.
  • High availability and I'll talk about that here in a second, as well. 
  • Backup media. If you don't know when the last time your files were clean, so to speak, did not have malware in it, how do you know how far back to go in your backups to make sure that you are able to restore a good copy of that file or that object back onto the system?

As far as viruses being able to affect your IBM i, well, a malicious program, as we said, does things that are inappropriate or malicious. That's by the name of it: that malware is going to do something that is not nice. You have a PC, for example, and it can see your E: drive, and that happens to be your mapped drive to your IFS, and that malicious program does a delete E star dot star (del E:\*.*) for that directory. If the user the PC is compromised from has enough authority, they could potentially delete pretty much everything on the system. So, it can have a huge impact.

Malicious programs can also issue commands. So, not every virus writer or threat actor behind these malicious programs knows something about IBM i, but it really only takes one of them to know something about it to create some issues. You can see here the ability to run an SQL statement and actually issue a remote command from a PC and have it impact the IBM i. I'm showing here just sending a message to the message queue QSYSOPR with the word boo. What if that command that's being sent is a delete library (DLTLIB) or power down system (PWRDWNSYS), or create library (CRTLIB) for a hacker? Those are the things that we have to start thinking about. Can someone from a PC remotely issue commands on the system, and what are those commands going to be able to do?

Of course, the shared files that our users are using, that your applications may be using, can be modified or deleted by malicious programs. So, the fact that the files exist, and that user can see it, if they're able to delete it or modify it, suddenly your processes break. Things may not work anymore.

Whether it's relying on it to be there because it's an update process, or you're trying to open up Client Access and your session doesn't work because that piece of information is now missing or it's been corrupted or compromised. So, shared files modified and deleted can impact the business.

What is at Risk of Viruses?

Obviously those files that we’re putting up there for file storage, whether it's imaging software, invoicing software, or it could be billing order entry, all sorts of things end up getting stored in the IFS, but that's not the only thing that's at risk. 

This is where we should become a little bit concerned, if you're not already: the operating system can be impacted, and it is part of the IFS. If you go into Navigator for IBM i and look at the integrated file system (IFS), QSYS.LIB is right there underneath ROOT. If you do a work link (WRKLNK) to the root directory, QSYS.LIB is there. Then you also have it even through a command prompt; you connect to the system, or you have that drive mapped to the root directory, and you do the directory command or the list command, and you're going to see QSYS.LIB.

The operating system itself is vulnerable and can in fact be impacted. If a user has the ability to delete, and I'm going to just throw it out here if they have all object authority (*ALLOBJ), they can delete anything including the operating system, that can be impacted. That is definitely a concern, it’s a huge risk. 

If you don't have all object, and you don't necessarily have a mapped drive to the root directory, what else could be at risk? Well, your TCP/IP configuration files are there. If you have that QSYS.LIB available, and that user has access, they can in fact impact those TCP/IP configuration files. What does that mean for you? What's the risk? You may not be able to connect to the system. 

Going back to that screen shot from the customer that was impacted by that massive ransomware attack, they could not get to their system. They could only sign on from console, and it took them hours to figure out where the problem was. The individual I worked with actually was trying to check in from home because their backups didn't complete. They couldn't get on the system from home, figured, “Oh that's kind of weird.” They go to the office, try to sign on from their workstation, couldn't get onto the system there either. Okay, so now you start to panic. You go to the console, you sign in, and you're like, “Oh things are not good here.” This can be something that can roll out slowly, and by the time you realize it, things are already in really bad shape.

7 Suggestions for Layers of IBM i Malware Protection

Now, of course, we have high availability, and I already mentioned that maybe that could be something that's good, but the problem with the high availability is that it's really good at replicating changes. So, if you have malware that is deleting objects out of your IFS, guess what? Your HA software is going to replicate that to the backup system. That object is also going to be deleted from your HA system.

If the object is renamed by that malware or hacker, it's going to be renamed on the HA system too. So, using this as your recovery plan, HA is not going to be a good failsafe for a malware attack.

We need to start really thinking about how are we going to prevent this from happening in the first place as best as we can, adding layers of control, so that we're not stuck in a situation where our primary and backup system are both hammered. Let’s give you some ideas for some layers of control that you can add. 

The first things are doing some cleanup and utilizing some operating system controls that are available, using what IBM has given you, which we don't often do, so we'll talk about each of these. The first thing is to eliminate those read/write shares to the root directory. If you have them, you need to be very concerned. Very often, what I find is if the root directory is shared, there are usually some other not-so-great security controls in place, and users have a lot more authority than we really want them to. Therefore, eliminating those read/write shares to root is absolutely one of the first things I want you guys to consider doing.

Last time, I told somebody to do this in a conversation, they said, “Well, I don't know who's using it. I don't think anybody is supposed to be using it.” Well, if they're not supposed to be using it, you should be able to take it away, and it won't impact them. Right? If somebody is using it, you need to know about it. If you take that read/write share away, they're going to complain, and you're going to know what they're doing, and then you can figure out a better way to do it. There might be a valid reason, maybe, but really what we want to do is start getting to where those shares are read-only. 

Eliminating the ability for someone to actually change things, upload, rename, or delete the objects in our IFS, so those read-only shares, is not always an option. In those instances, we have to start thinking about how else we can do that, because we're going to have to let users have access to the system, right? This is how they get their jobs done. This is where the data is stored. This is where the work happens. So, another thing to look at is setting the public authority on the root directory to have data authority read/execute and then object authority star none (*NONE). The funny thing about IFS security is the authorities on it. You actually have two types of authorities. You have data authorities and object authorities, so users don't need that object authority off the root. So, set that, but also pay attention to the data authority.

Consider setting the *PUBLIC authority on the directories that have confidential or PII data to data authority exclude (DTAAUT(*EXCLUDE)), object authority star none (OBJAUT(*NONE)), and then only give authorized profiles with a business need access to those directories with that confidential or PII data. Most of your users don't need it. Really this is going to be that take it all away and only give it back where we have a justifiable need for it. Having it wide open is going to backfire.

One of the things that I've been reading a lot is in fact with some of these ransomware attacks, they're taking this data, and they are holding it for ransom, and their threat is that if you don't pay the ransom, they're going to expose that data. So, if you have a directory sitting out there with some confidential information, it is in fact potentially compromised at that point. We don't expect it to come from that direction, we trust our employees, and it's not really the best policy to have everybody have access to everything and trust that they're going to do the right thing, but you know, that's where a lot of our businesses are. We need to scale back there and really pull back that control.

I also highly recommend reducing the number of users with all object (*ALLOBJ) special authority. Time and time again, when I review customer systems for their security settings, we look at those special authorities that our users are carrying, and I am seeing a tremendous amount of users with all object special authorities. Whether it's coming through a group profile or it’s assigned to the user directly, this is a huge exposure.

I've said it a couple times already, with all object you can delete anything on the system, including your operating system. Just by the sheer fact of removing that all object special authority, you're going to reduce some of this exposure that malware has created.

Now, one of the things you have to keep in mind is that if you go through and you change that public authority on root and those PII data, those confidential directories, those all object authorities still can get to those. All object trumps those, so you're still going to have to deal with them.

Another thing you can do with those shares that you can't get rid of and that you need to maintain is to actually hide them. You can hide shares by adding a dollar sign to the end of the name when it's created. So, share name dollar sign. If it's the home directory, it'll be home dollar sign (home$). By hiding those shares, they're no longer going to be discoverable on your network. If you have somebody who has come in through a back door into your system and is just watching the traffic, poking around to see what's going on, where things are, what's interesting, they're going to start looking for anything on the network that looks like it has something valuable, valuable data, valuable information. So, hiding those shares can reduce the ability for someone to take advantage of that.

The last thing here to consider is to restrict access to the QSYS.LIB file system when it's accessed through Windows Explorer or Navigator for IBM i by excluding users from the QPWFSERVER authorization list. This authorization list is going to control whether or not QSYS.LIB is visible and available to traverse through those mapped drives. We don't need people getting to QSYS.LIB through a mapped drive. This is one where there is really very little valid business need. I have a very hard time coming up with a list of reasons for you guys. Be cautious with this, though. I did have someone watch one of my webinars, and they misread the information here, and instead of changing the public authority to *EXCLUDE on the authorization list, they unfortunately changed the public authority on QSYS.LIB itself to *EXCLUDE, and they created some panic because no one could get to the system. So you have to be careful. Please know what you're doing. Don't take this lightly. You can actually create more problems if you are not knowledgeable about authorization lists and how these authorities work.
With that said, you guys can get some help for this. Our HelpSystems Security Services team does security remediation services. This is something that they can help you with. They can take a look at your system from a neutral perspective. They're not involved with the company. They're not wowed by the fact that the CEO has to have access to the root directory, and he needs all object authority. They're going to take that perspective of these are the things that need to be done, this is what we suggest, and they can help you implement those changes, so that your system is not impacted, so that you're not scrambling to undo the changes that you've made. This is definitely something that can help you out with that, and they have a great team. They have a ton of experience, so it's definitely an option for helping you get that system cleaned up, get those shares cleaned up, and utilize the operating system controls that are there.
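As an added example (editorial, not from the webinar or from HelpSystems software), here is the QPWFSERVER change done the right way, with a before-and-after check so the mistake described above is hard to make. It assumes the IBM i Services view QSYS2.AUTHORIZATION_LIST_USER_INFO and the QSYS2.QCMDEXC procedure are available (7.2 or later), and IFSADMIN is a placeholder profile name.

```sql
-- Before: who is on the list today? The shipped default is *PUBLIC with
-- *USE, which is what lets every mapped-drive user browse /QSYS.LIB.
SELECT AUTHORIZATION_NAME, OBJECT_AUTHORITY
  FROM QSYS2.AUTHORIZATION_LIST_USER_INFO
 WHERE AUTHORIZATION_LIST = 'QPWFSERVER';

-- The change the webinar describes. Note the object being changed is the
-- authorization list QPWFSERVER, NOT the QSYS.LIB directory. Changing
-- *PUBLIC authority on QSYS.LIB itself is the lockout described above.
CALL QSYS2.QCMDEXC('CHGAUTLE AUTL(QPWFSERVER) USER(*PUBLIC) AUT(*EXCLUDE)');

-- Explicit *USE entries for the few profiles that genuinely need to reach
-- QSYS.LIB through a mapped drive (IFSADMIN is a placeholder).
CALL QSYS2.QCMDEXC('ADDAUTLE AUTL(QPWFSERVER) USER(IFSADMIN) AUT(*USE)');

-- After: the same SELECT should now show *PUBLIC as *EXCLUDE plus your
-- named exceptions. Profiles with *ALLOBJ are not stopped by this list,
-- which is one more reason to reduce them first.
SELECT AUTHORIZATION_NAME, OBJECT_AUTHORITY
  FROM QSYS2.AUTHORIZATION_LIST_USER_INFO
 WHERE AUTHORIZATION_LIST = 'QPWFSERVER';
```

Run the first SELECT, make the two changes, then run the last SELECT from a non-*ALLOBJ test profile and try to open the QSYS.LIB folder through a mapped drive: it should disappear from the mapped drive while green-screen and native access to QSYS objects are untouched.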

Steps to Take to Mitigate IBM i Malware Today

Native virus scanning. I already asked you guys if you're doing that. Mitigating malware on IBM i is obviously a critical step here, so things that I want you to be doing are:

  • I want you to automatically scan those files in the IFS as your users are opening and closing them through your mapped drives. Prevent malware from spreading from the IBM i to the PC, but also prevent that PC from putting malware on the system. We're trying to close that gap there and not allow that malware to be resident on the IBM i or impact it.
  • Scan all the files in the IFS through an on-demand batch job. The files that are open through the mapped drives, those are obviously the ones that are going to be our biggest threat, and those are going to be our soft underbelly. As we talked about before, there's a lot of other ways that files actually do get on to the system, so we need to evaluate and make sure that all those files we just loaded up from that new software we added, doesn't have an infected file in it.
    • I have seen third-party applications with infected files in their IFS directories. It does happen. We all assume everybody else is watching for this stuff, but not enough people actually are, so you take control, and you decide that your system you're going to look at it, and you're taking responsibility for your system and not leaving it on somebody else who is ultimately not going to pay that price.
  • Review and delete infected files from the quarantined directory promptly. You're scanning the system. You're looking for the malware. If it is found and it cannot be cleaned, it's going to be dropped into the quarantined directory. If you're using proper antivirus software for that, you need to clean it up. Figure out which PC is in fact the weak link. What IP address, who owned that file, who's been accessing it and go talk to that user. If it's a work from home person, maybe they do have that compromised home network and something has happened. 
  • Make sure you stay up to date on your virus definitions. Your antivirus software and your anti-malware software are only as good as the information that's provided to them, so those virus definitions, those DAT files, have to be kept up to date.
  • There are a lot of government and audit and SOX regulations that actually require antivirus on your servers, so by using native virus scanning, you're actually going to be able to meet those requirements. A lot of people overlook it. If you have HIPAA or you fall under PCI or GDPR, native antivirus software is a critical component.
    • It is often overlooked because the network guys are in charge of that, and they have dismissed the IBM i as part of the problem. 
  • Finally, what I really want to see is you using a commercially-backed antivirus solution. 

Our Powertech Antivirus for IBM i is actually powered by McAfee. It was built with the McAfee scan engine ported over to the IBM i, and it ties in two critical pieces of the operating system. You have two exit programs and two system values that actually provide the structure for that native virus scanning. IBM added those at V5R3, so this isn't something new. This is something they added a long time ago because they saw that the integrated file system (IFS) in fact is a weak spot for malware, and it does create that environment. The other piece of it is that all of your stream files on your system actually have a scan attribute: if the file should be scanned and then the scan status. Those attributes are what we look at, so if the file is infected, it's going to be marked as a failure, and it's going to be in that quarantined directory. So, in order to actually proactively and efficiently manage the process, using that native virus scanning is where you need to be.
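As an added example (editorial, not from the webinar or from HelpSystems software), here is how to confirm that the operating-system plumbing described above is actually wired up on a given system: the two system values, the two exit points, and the per-object scan attribute. The system value names (QSCANFS, QSCANFSCTL), exit point names (QIBM_QP0L_SCAN_OPEN, QIBM_QP0L_SCAN_CLOSE) and the CHGATR *SCAN attribute are IBM i's own; the views QSYS2.SYSTEM_VALUE_INFO and QSYS2.EXIT_PROGRAM_INFO are assumed available (7.3 or later for EXIT_PROGRAM_INFO), and /home/shared is a placeholder path.

```sql
-- 1. The two system values. QSCANFS is *NONE (scanning off) or *ROOTOPNUD
--    (scan root, QOpenSys and user-defined file systems); QSCANFSCTL holds
--    the control options. If QSCANFS is *NONE, nothing else here matters.
SELECT SYSTEM_VALUE_NAME, CURRENT_CHARACTER_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QSCANFS', 'QSCANFSCTL');

-- 2. The two exit points. An empty result means no scan engine is
--    registered, so on-access scanning is not happening regardless of
--    the system values.
SELECT EXIT_POINT_NAME, EXIT_PROGRAM_LIBRARY, EXIT_PROGRAM
  FROM QSYS2.EXIT_PROGRAM_INFO
 WHERE EXIT_POINT_NAME IN ('QIBM_QP0L_SCAN_OPEN', 'QIBM_QP0L_SCAN_CLOSE');

-- 3. The per-object scan attribute: *YES (scan), *NO (never scan) or
--    *CHGONLY (scan only after the object changes). Setting it to *YES on a
--    share root, including its subtree, makes sure nothing under it was
--    quietly marked *NO. /home/shared is a placeholder.
CALL QSYS2.QCMDEXC(
  'CHGATR OBJ(''/home/shared'') ATR(*SCAN) VALUE(*YES) SUBTREE(*ALL)');
```

Queries 1 and 2 are a good pair to keep in a monthly health check: the webinar's point that "scanning is on" really means all three of system value, registered exit program and object attribute agree, and any one of them can silently undo the other two.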
 


Avoid Scanning an IBM i Mapped Drive from a Remote Windows Server


Now, one of the questions I asked at the beginning, one of those polls, was if you're using your Windows antivirus. I was really happy that there was nobody who said that they were using their Windows antivirus. I was happy to hear that because there are a whole host of problems that come with that. Scanning a mapped drive from a remote Windows server creates some huge issues: 

  • You have opened the door even wider than you were to start with. You’re creating a read/write share to the root directory. One of the things I told you not to do. 
  • You have to have a persistent connection with an all object (*ALLOBJ) profile. Another big problem. 
  • You don't have any real-time scanning either, so for users who are in fact using those mapped drives, PC software is not going to be able to scan as a user opens and closes files off of the IFS. 
  • And, of course, because it can't actually connect to those scan attributes on the files, it doesn't know what it's supposed to scan. Has this file already been scanned? Is it clean or do I need to scan it? It's going to scan every file every time, so it's going to take a lot longer every time it runs. 
  • You have to monitor it and make sure it's working correctly. I don't know about you guys, but I have a tendency to see blue screens on my Windows PC and so, you know, you get an error, things stop, and nothing's happening. 
  • Another issue is you have all those IFS files moving across the network to that Windows server to be scanned, and then they're moving back. Between the network bandwidth and the fact that all of your files are now moving in clear, readable form, that can compromise the network. 

There are a lot of issues with that. I was glad to see that nobody is, but for the benefit of anyone watching the recording, don't do this. This is not a good plan. 

Leveraging Exit Programs for Controlling User Access on IBM i

The last layer that you can leverage to help with the malware on IBM i issue is to leverage exit programs to control access because we have acknowledged in fact that we do need to allow some users to connect.

This is a valuable system that needs to be accessible, so you can create exit program rules to restrict who can access the system through those mapped drives. Not every user needs to have access to the file server. If it's not in the scope of their job, then don't let them. Don't actually allow them to use that PC interface. 

Use those exit program rules to restrict who can access this system through FTP. We talked about FTP is another way files can be injected into the system, so we need to control that. There is really not a good reason for most users to need FTP, but as administrators, you may be using FTP, so it is started, and it is active. You need to be able to restrict who is actually able to use it with those exit program rules.

Once you're actually controlling who can access these services, start creating rules to control what the users can do: the ability to rename and delete files through mapped drives. Now, the cool thing here is that even though a user may technically, at the OS level, have the authority to rename or delete a file because of their object-level authority, you can actually control that with an exit program, and all object users can be stopped as well with those exit programs. Because the exit program looks at the rules before the OS-level authority or the user's special authorities come into play, you can actually stop those all object users. 

Even if you have a whole slew of all object authority users, and they're mapping drives to the root directory, you can have an exit program rule there that is going to be able to mitigate that and prevent them from deleting those files. Or, for the users who do have the ability to FTP to the system, control where they can upload files to and whether they're able to replace existing files. If your administrators are uploading files to the system, you've given them access, but you can force them to put things into a temporary or working directory or library. Being able to control where those things go, even though technically at the system level they still have the authority to it, means we have put a perimeter control there that is going to allow us to restrict it.

The last thing here is to review the exit program audit logs for suspicious or unusual activity. You put all these rules in place, and you've prevented the access, you still need to look to see who's trying because that could indicate that you have some compromised PCs out there right? We need to make sure that we're watching that. The fact that they didn't get in is good, but you need to know that they were trying.

As far as exit programs and creating rules, our Powertech Exit Point Manager for IBM i allows you to create that perimeter access control and restrict what users are going to be able to do. By that design, you have an additional layer that is going to prevent unauthorized activities by authorized users. All right, three layers there that you can implement.
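As an added example (editorial, not from the webinar or from Powertech Exit Point Manager), here is a coverage check for the two entry points the webinar singles out, mapped drives and FTP. It lists the IBM-defined exit points and whatever program is registered against each, so an unprotected service shows up as an empty program column. The exit point names are IBM i's own; the views QSYS2.EXIT_POINT_INFO and QSYS2.EXIT_PROGRAM_INFO are assumed available (7.3 or later).

```sql
-- Exit points behind the file server (mapped drives) and the FTP server.
-- LEFT JOIN so that an exit point with no registered program still appears,
-- with NULL in the program columns: that is a service with no perimeter
-- rule in front of it, and OS-level authority is the only control left.
SELECT p.EXIT_POINT_NAME,
       p.EXIT_POINT_FORMAT,
       e.EXIT_PROGRAM_LIBRARY,
       e.EXIT_PROGRAM,
       CASE WHEN e.EXIT_PROGRAM IS NULL THEN 'NO EXIT PROGRAM'
            ELSE 'COVERED'
       END AS COVERAGE
  FROM QSYS2.EXIT_POINT_INFO p
  LEFT JOIN QSYS2.EXIT_PROGRAM_INFO e
    ON e.EXIT_POINT_NAME   = p.EXIT_POINT_NAME
   AND e.EXIT_POINT_FORMAT = p.EXIT_POINT_FORMAT
 WHERE p.EXIT_POINT_NAME IN ('QIBM_QPWFS_FILE_SERV',   -- file server, i.e. mapped drives
                             'QIBM_QTMF_SVR_LOGON',    -- FTP server logon
                             'QIBM_QTMF_SERVER_REQ')   -- FTP server request validation
 ORDER BY p.EXIT_POINT_NAME, p.EXIT_POINT_FORMAT;
```

The query is deliberately about coverage, not about the rules themselves: the rules live inside whatever exit program is registered. What the result tells you is which services an *ALLOBJ user can reach with nothing but their object authority in the way, which is exactly the gap the section above is about.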

IBM i Virus Scan

I have another poll for you guys. Now that we've gone through and talked about this, I want to know if you're interested in actually doing an IBM i virus scan. It is something that can actually be done in the middle of the day. You can install the software, schedule a scan to run, so you can see what exactly is on the system.

We can show you what the software looks like, and we can have conversations with your team. I've actually had an unprecedented amount of conversations with people in the last couple of months. I've had many companies that have in fact been hit by ransomware. They are struggling with it but also just being concerned because there is such an increase in activity around this, and we're in such a different time right now that we're trying to think of other solutions and to make sure that we are addressing as much as we can from our side of it. We can obviously get you some more details, get you some more information on it, happy to have conversations about it and get your teams together. It looks like most of you have voted here. I'm going to go ahead and close that poll, unless anybody else has a quick vote they want to put in there. 

It looks like we have a good handful that are interested in doing that. Some are not, so I'm hoping that those are the people that are already scanning their IBM i and they already have that implemented. Of course, we will get you guys more details. I'm going to go ahead and close that poll, somebody else just voted, so thank you for that.

In Conclusion


I want to see if you have any questions. I have obviously thrown a bunch of information at you. You have the handouts available, and we will have the recording available, as well, so we'll have information to share with you guys.

Let's see here, there is a question. If the IBM i NetServer service is not started, is the IFS accessible from outside of the IBM i? 

Yes, FTP. That is one way. The IFS is in fact available through FTP. If you are using Access Client Solutions (ACS), yes, there is a connection. I'm pretty sure you can actually get to it without NetServer. Ending the TCP service is, of course, something that can help, but what we find is you have a lot of users with *IOSYSCFG special authority, and those users can restart it. While it does help to not have services actively available if they're not being used, the ability for users to start those services can in fact be a problem.

We have another question. How many companies make antivirus products for the iSeries? 

That's actually a really good question. There are two that actually have a native antivirus software solution. We talked about our Powertech Antivirus for IBM i. There is another one, and it is based on open-source software. It is based on ClamAV, and most companies are not comfortable putting the security of their system in the hands of open source. We encourage people to do their homework and do some digging and find out for themselves, but it's definitely a niche industry. This is something that when I started working with it back in late 2003, people thought we were crazy. They were looking at us going, "What? You created what kind of software?" This is definitely something that really is not on most of our radars.

It looks like we have another question, and I think that's about all we're going to have time for. If you did have any other questions, of course, our contact information is available there, but David's asking, what's the performance impact for native virus scan to users moving files to and from the IFS?
Through mapped drives, in my experience over the last 16 years, there's minimal impact, so that on-access scanning is actually pretty efficient. Most users never notice that there's any change. If you have some major network latency issues and you already have a slow network, your users might see something, but that process is extremely efficient. 

I really appreciate everybody joining us today. Hopefully, this was helpful. It's definitely a conversation that a lot of us never thought we'd be having, but it's unfortunately our reality right now. So, please stay safe, stay home, wear your masks, use your hand sanitizer, whatever you can do to contribute to getting us all back to our new normal. I really appreciate that. We'd be happy to have conversations with you guys about any of the information we have shared today.

Once again, thank you on behalf of the entire HelpSystems team for joining us, and we'll be having conversations with you soon.

Take care.
