Protecting against computer viruses

This topic provides some tips for protecting against computer viruses and suspicious programs.

Recent trends in computer usage have increased the likelihood that your system has programs from untrusted sources or programs that perform unknown functions. Following are examples:

These trends have led to a problem in computer security that is called a computer virus. A virus is a program that can change other programs to include a copy of itself. The other programs are then said to be infected by the virus. Additionally, the virus can perform other operations that can take up system resources or destroy data.

The architecture of the server provides some protection from the infectious characteristics of a computer virus. “Protect against computer viruses” describes this. A server security administrator needs to be more concerned about programs that perform unauthorized functions. The remaining topics in this chapter describe ways that someone with ill intentions might set up harmful programs to run on your system. The topics provide tips for preventing programs from performing unauthorized functions.

Tip: Object authority is always your first line of defense. If you do not have a good plan for protecting your objects, your system is defenseless. This information discusses ways that an authorized user might try to take advantage of loopholes in your object authority scheme.

A computer that has a virus infection has a program that can change other programs. The object-based architecture of this system makes it more difficult for a mischief-maker to produce and spread this type of virus than it is with other computer architectures. On this system, you use specific commands and instructions to work on each type of object. You cannot use a file instruction to change an operable program object (which is what most virus-creators do). Nor can you easily create a program that changes another program object. To do this requires considerable time, effort, and expertise, and it requires access to tools and documentation that are not generally available.

However, as new server functions become available to participate in the open-systems environment, some of the object-based protection functions of servers no longer apply. For example, with the integrated file system (IFS), users can directly manipulate some objects in directories, such as stream files.

Also, although server architecture makes it difficult for a virus to spread among server programs, its architecture does not prevent the system from being a virus-carrier. As a file server, the server can store programs that many PC users share. Any one of these programs might contain a virus that the server does not detect. To prevent this type of virus from infecting the PCs that are attached to your server, use PC virus-scan software. Several functions exist on the server to prevent someone from using a low-level language with pointer capability to alter an operable object program:

If your system runs at security level 40 or higher, the integrity protection includes protections against changing program objects. For example, you cannot successfully run a program that contains blocked (protected) machine instructions.
The program validation value is also intended to protect you when you restore a program that was saved (and potentially changed) on another system. Chapter 2 in the iSeries™ Security Reference describes the integrity protection functions for security level 40 and higher, including program validation values.

The program validation value is not foolproof, and it is not a replacement for vigilance in evaluating programs that are restored to your system.

Several tools are also available to help you detect the introduction of an altered program into your system:

You can use the Check Object Integrity (CHKOBJITG) command to scan objects (operable objects) that meet your search values to ensure that those objects have not been altered. This is similar to a virus-scan function. You can also use the CHKOBJITG command to request that a scan be done of the integrated file system objects. If a user has an application or business partner that scans for viruses using the integrated file system's scan related exit programs, this will trigger a scan for viruses.
You can use the security auditing function to monitor programs that are changed or restored. The *PGMFAIL, *SAVRST, and *SECURITY values for the authority level system value provide audit records that can help you detect attempts to introduce a virus-type program into your system. Chapter 9 and Appendix F in the Security Reference provide more information about audit values and the audit journal entries.
You can use the force create (FRCCRT) parameter of the Change Program (CHGPGM) command to recreate any program that has been restored to your system. The system uses the program template to recreate the program. If the program object has been changed after it was compiled, the system recreates the changed object and replaces it. If the program template contains blocked (protected) instructions, the system will not recreate the program successfully.
You can use the QFRCCVNRST (force conversion on restore) system value to recreate any program as it restored to your system. The system uses the program template to recreate the program. This system value provides several choices on which programs to recreate.
You can use the QVFYOBJRST (verify objects on restore) system value to prevent the restore of programs that do not have a digital signature or do not have a valid digital signature. When a digital signature is not valid, it means the program has been changed since it was signed by its developer. APIs exist that allow you to sign your own programs, save files, and stream files

Parent topic:

Managing security