WIXLIB

7/28/2015scanned when accessed (no on-access overhead for that file) unless the file has changed or the virusdefinitions are updated. This allows you to use off-peak times to "pre-scan" files that rarely change, thusreducing the CPU overhead of on-access scanning and improved balancing of scanning workload.Scans Native Scanning SMTP MailStandGuard Anti-Virus can scan inbound and outbound email messages passing through the IBM iSMTP server. StandGuard Anti-Virus can perform virus scanning on emails before they reach your PCclients (or customers).Object integrity scanningStandGuard Anti-Virus scans the IBM i Operating System (and user libraries) for objects that have beentampered with and have the potential to cause serious harm to the operating system or bypass allsecurity entirely. For more information about object integrity scanning, see Object Integrity Scanning.Scans Files on Guest Operating System PartitionsStandGuard Anti-Virus for IBM i can scan files on Linux and AIX guest partitions using the Network FileSystem (NFS). By creating scheduled scan tasks to scan NFS mountable volumes on guest partitions,you can reduce the time, effort and costs associated with installing and configuring multiple stand-aloneanti-virus applications on each partition. A single installation of StandGuard Anti-Virus on the hostpartition can be used to ensure all of your Linux and AIX partitions are free of viruses, trojans, worms,malware and spyware.Green screen and System i Navigator plug-in providedWhether you use the green screen menu and command interface or the graphical System i Navigatorplug-in, you will find StandGuard Anti-Virus simple and flexible to use. StandGuard Anti-Virus provides CLcommands that you can embed into your applications or nightly procedures. Green screen menus areprovided for using StandGuard Anti-Virus in a 5250 environment. Additionally, the graphical System iNavigator plug-in is provided so you can manage your anti-virus policies directly from within System iNavigator's security administration tasks.Automatic download of virus definitionsStandGuard Anti-Virus ensures you always have the latest protection against current virus threats byautomatically downloading virus definition files from McAfee. By keeping the virus definition files up-to-StandGuard Anti-VirusUser's Guide- 12 -

7/28/2015date automatically, StandGuard Anti-Virus protects you from the new virus threats that occur each day.Automatic updating can be scheduled to run automatically, and CL commands are provided to integratewithin your own nightly batch processes.Automatic download of software updates and fixesStandGuard Anti-Virus keeps itself up-to-date by downloading new features, fixes, and enhancementsfrom HelpSystems. PTF processing can be scheduled to run automatically, and CL commands areprovided to integrate within your nightly batch processes. You can use System i Navigator to synchronizePTFs across multiple systems and partitions automatically.Built-in SchedulingBuilt on HelpSystems' proven experience with IBM i administration, security, and automation,StandGuard Anti-Virus was designed from the ground up as a secure, automated anti-virus solution thatprevents headaches, not gives you new ones. StandGuard Anti-Virus provides automatic scheduling andupdating of virus definitions, product enhancements, and scanning tasks that you create. By automatingthese tasks you can rest assured that StandGuard Anti-Virus is providing reliable, rd Anti-Virus can retrieve virus definitions and program updates from either an FTP server or ashared local network path. The path can be located on another IBM i server or partition, a Windows fileserver, or any network path of your choice. This allows you to use one IBM i server or partition todownload the virus definitions (from McAfee's FTP server) and the remaining servers or partitions canretrieve their virus definition files from the shared network folder.The same networking features can be used to keep the StandGuard Anti-Virus product PTFs up-to-datefor all your servers or partitions. Use one IBM i server or partition to download the upgrades fromHelpSystems' FTP server and the remaining servers or partitions can retrieve their upgrades from theshared network folder. You can use System i Navigator's Management Central to distribute PTFs fromyour central system to all your IBM i servers and partitions.LoggingStandGuard Anti-Virus provides several logging features that you can use to monitor the application'sactivity:StandGuard Anti-VirusUser's Guide- 13 -

7/28/2015llllMessages are logged to the message queue AVMSGQ. You can view the message queue manuallyas needed, or use third-party monitoring tools to automate the monitoring of this queue and alertyou to viruses and failed downloads via your email, cell phone, or pager.Scan reports provide detailed information about the directories scanned, infections found andcleaning/quarantining activity.All changes made to StandGuard Anti-Virus's automation files are recorded in the AVJRN journal,recording all changes made to the product, who made them and when they were altered.Virus scanning activity is recorded in the system audit journal, providing a secure audit trail of virusactivity within the system.Viruses and IBM iViruses stored on the IBM i present a serious risk to your network and your data. In most cases, yourIBM i system can be "seen" by every computer in your network. If an infected file is executed by any ofthese computers, that computer becomes infected, which in turn can launch new attacks against the restof the network and even back to the IBM i itself. These attacks can render computers and the networkinoperable.A running virus has access to all of the same resources as the user that launched the virus.Consequently, if an administrator-level user becomes infected then the virus has access to all the sameresources as that user (everything). Viruses can alter, copy, delete, and run commands against IBM ifiles, programs and libraries. With respect to IBM i, a virus could spread to other systems and partitionsthrough the use of network shares and the Integrated File System (IFS).Many DOS and Unix commands will execute against an IBM i system. The DEL command, for example,can be used to delete files on a user's local C drive as well as IBM i files and libraries. Likewise, the COPYcommand can be used to copy files. A running virus can execute these and other dangerous systemcommands against a network drive mapped to the IBM i, causing serious damage. Viruses can alsoexecute commands using FTP scripts, and access IBM i data via ODBC drivers stored on the infectedcomputer.There are many ways a virus can make its way to an IBM i: A mapped drive, the CD/DVD drive, an FTPscript, sharing files and programs with other computers, vendors and business partners are just a fewexamples. The best policy is to not try and "outguess" all of the possibilities — virus writers are alwaysimproving their code to take advantage of all the latest technologies.StandGuard Anti-VirusUser's Guide- 14 -

7/28/2015How does the McAfee virus scanning enginework?The McAfee virus-scanning engine is a complex data analyzer. The exact process of analysis dependson the object (often a file) being scanned and the type of viruses being sought. However, the followingstages describe the general approach that the virus-scanning engine uses.Identifying the type of the objectThis stage determines which type of object is being scanned. Files that contain executable code, forexample, need to be scanned.Different types of files in Microsoft Windows systems, for example, are distinguished by their fileextensions, such as .EXE and .TXT. However, any file can be renamed to hide its true identity, so thecontents of the file must first be determined.Each type of object requires its own special processing. If the type cannot be infected with a virus, nofurther scanning needs to be done. For example, a picture stored in a file of bitmap format cannot beinfected.Decoding the objectThis stage decodes the contents of the object, so that the virus scanner "understands" what it is lookingat. For example, a compressed WinZip file cannot be interpreted until it has been expanded back to itsoriginal contents. The same applies to non-compressed files too. For example, the engine must decodea Microsoft Word document (.DOC) file to find any macro viruses.File decoding can become quite complex when a file contains further encoded files. For example, aWinZip archive file might contain a mixture of other archives and document files. After the enginedecodes the original WinZip file, the engine must also decode and separately scan the files inside.Looking for the virusThis complex stage of virus scanning is controlled by the virus definition (DAT) files. The scan.dat filecontains thousands of different drivers. Each driver has detailed instructions on how to find a particularvirus or type of virus.StandGuard Anti-VirusUser's Guide- 15 -

7/28/2015The engine can find a simple virus by starting from a known place in the file, then searching for its virussignature. Often, the engine needs to search only a small part of a file to determine that the file is freefrom viruses.A virus signature is a sequence of characters that uniquely identify the virus, such as a message that thevirus may display on the screen, or a fragment of computer code. We take care when choosing thesesignatures to avoid falsely detecting viruses inside clean files. More complex viruses avoid detection withsimple signature scanning by using two popular techniques:Encryption — The data inside the virus is encrypted so that anti-virus scanners cannot see the messagesor computer code of the virus. When the virus is activated, it converts itself into a working version, thenexecutes.Polymorphism — This process is similar to encryption, except that when the virus replicates itself, itchanges its appearance.To counteract such viruses, the engine uses a technique called emulation. If the engine suspects that afile contains such a virus, the engine creates an artificial environment in which the virus can runharmlessly until it has decoded itself and its true form becomes visible. The engine can then identify thevirus by scanning for a virus signature, as usual.Using heuristic analysisUsing only virus signatures, the engine cannot detect a new virus because its signature is not yet known.Therefore the engine can use an additional technique C heuristic analysis.Programs, documents, or email messages that carry a virus often have distinctive features. They mightattempt unprompted modification of files, invokemail clients, or use other means to replicate themselves.The engine analyzes the program code to detect these kinds of computer instructions. The engine alsosearches for "legitimate" non-virus-like behavior, such as prompting the user before taking action, andthereby avoids raising false alarms.By using these techniques, the engine can detect many new viruses.Calculating the checksumThis stage exactly identifies the virus. The engine performs a mathematical calculation over the virusdata to produce a unique number C the checksum. The engine compares this checksum againstpreviously calculated values in one of the DAT files (scan.dat) to identify the virus exactly.CleaningStandGuard Anti-VirusUser's Guide- 16 -

7/28/2015This stage cleans the object. Usually, the engine can clean an infected file satisfactorily. However, someviruses can alter or destroy data to an extent where a file cannot be fixed. The engine can easily cleanmacro viruses by erasing the macro from the infected document.Executable viruses are more complex. The engine must restore the original path of execution throughthe program so that the virus does not become active. For example, a virus might append itself to the endof an executable program file. To run, the virus must divert the path of execution away from the originalcode to itself. After becoming active, the virus redirects the path of execution to the original code to avoidsuspicion. The engine can disable this virus by removing the diversion to the virus code. To clean the file,the engine then erases the virus code.Learning More About VirusesThe Virus Information Library on theAVERT Anti-Virus Research Sitehttp://vil.nai.com/vil containsdetailed information aboutthousands of viruses.StandGuard Anti-VirusUser's GuideNote. Viruses can corrupt or destroy data, they spreadrapidly, and they can make your computers unusable.We strongly recommend that you do not experiment withreal viruses.- 17 -

7/28/2015Chapter 2 - InstallationPlease read the following considerations before installing StandGuard Anti-Virus:Important considerations1. If you are using GO SAVE option 21 (Save Entire System) in an unattended operation, werecommend you follow the procedures listed in step 10 of IBM's GO SAVE checklist. You can find thechecklist documented on IBM's Infocenter. Search for CPA3708. Or, if one wants to follow links, useSystems management- Backup and Recovery- Back up your server Save your server with theGO SAVE command View entire GO SAVE checklist.Note. This User's Guide contains other importantnotices in boxes like this one.2. If you are using Domino, do not scan Domino data directories using the AVSCAN or On-Accessscanning features. See Recommendations in the On-Access Scanning and On-DemandScanning chapters for information on how to exclude Domino data directories from theseprocesses. For more information about installing and using the optional Domino feature to scanDomino mail and databases, see Chapter 12.About the Installation ProcessThe following list explains thechanges the installation program willmake to your system.1. Creates the STANDGUARDlibrary if it does not exist. Thepublic authority on this librarywill be *USE and should notbe changed.StandGuard Anti-VirusUser's GuideNote. The HelpSystems installation procedure createslibraries, profiles, authorization lists, commands,objects, and, in some cases, exit points on your system.Changing the configuration of any of these installedapplication components may result in product failure.- 18 -

7/28/20152. Creates the STANDGUARD user profile for the purpose of owning objects in the STANDGUARDlibrary. The user profile is created with no password and *JOBCTL authority (for the purposes ofscheduling jobs).3. Grants the STANDGUARD user profile *USE authority to QSECOFR for the purposes of adopting*ALLOBJ authority as needed. There are a few times this level of authority is needed, such asupdating virus definitions, quarantining files and on-access scanning.If the product is being installed forthe first time (not an upgrade), theNote. Do not change the STANDGUARD profile to havesystem value QSCANFSCTL is*ALLOBJ authority.changed to *FSVRONLY (Scan fileserver access only). This turns offon-access virus scanning in a 5250environment. Virus scanning will stilloccur for files opened through the network file servers (mapped drives). For more information about thissetting see On-Access Scanning. We recommend you start with *FSVRONLY until you are familiar withthe product, and then consider setting this value back to *NONE at a later time when you want to scan fileaccesses in a 5250 environment. Once you become familiar with the product you can exclude directoriesbefore enabling scanning native file accesses.4. Restores the licensed program 0AV2000.5. Adds an autostart job entry to the QSYSWRK subsystem to start the AVSVR job automatically at IPL.The AVSVR job must be active at all times for virus scanning features to function properly.If for some reason you need touninstall StandGuard Anti-Virus, seeUninstalling.RequirementslIBM il5722SS1 option 30 (QSHELL) **l5722SS1 option 33 (PASE) **l5722JV1 (Java, any version) **lNote. Do not try to uninstall the product by deleting theSTANDGUARD library. This does not uninstall theproduct. The procedure listed in the Appendix ensuresthe product is removed completely.You must be signed on as a user profile with *ALLOBJ and *SECADM authority (such as QSECOFR)to install the product.StandGuard Anti-VirusUser's Guide- 19 -

7/28/2015lllFTP connectivity from at least one IBM i server or partition in your network to McAfee's server fordownloading virus definition files (DATs). Alternatively, you can obtain virus definitions from anetwork path.Recommended: FTP connectivity from at least one IBM i server or partition in your network toHelpSystems' server for downloading program fixes and enhancements. Alternatively, you canobtain PTFs from a network path.Please ensure you have obtained license keys prior to installing the product.** QSHELL, PASE and Java are included with i5/OS but can be separately installed. You can determine ifthese options are installed by running command DSPSFWRSC (Display Software Resources). If arequired option is not installed, you can install them using the GO LICPGM command and your i5/OSinstallation media (CDs, DVDs, etc).Installing from another IBM i server or partition1. Use the following command to save the product to a save file:SAVLICPGM LICPGM(0AV2000) DEV(*SAVF) SAVF(save-file-name)2. Copy the save file to the remote servers or partitions using FTP or System i Navigator.3. Execute the following command on the target system or partition. You can enter the command bysigning on to the target system, or use System i Navigator to send the following command to theremote server(s):RSTLICPGM LICPGM(0AV2000) DEV(*SAVF) SAVF(save-file-name)4. Enter the license key(s) using the instructions provided by HelpSystems.Testing the installationStandGuard Anti-Virus can be tested using a test file called EICAR.com. This file does not contain avirus—it cannot spread or infect other files, or otherwise harm your system. The file is a legitimate DOSprogram and produces sensible results when run (it prints the message "EICAR-STANDARDANTIVIRUS-TEST-FILE").StandGuard Anti-VirusUser's Guide- 20 -

7/28/2015The EICAR test file is maintained by the European Institute for Computer Anti-Virus Research(http://www.eicar.org) for the purposes of validating anti-virus software. The following text is an excerptfrom http://www.eicar.org/anti virus test file.htm:"You are encouraged to make use of the EICAR.COM test file. If you are aware of people who are lookingfor real viruses for test purposes, bring the test file to their attention. If you are aware of people who arediscussing the possibility of an industry-standard test file, tell them about www.eicar.org and point themat this article."Download the file from the internet and save it to the /Standguard/av directory in theIFS.At an IBM i command line, type the following command and press Enter:STANDGUARD/AVSCAN OBJ( /StandGuard/av/eicar.com ) CLEAN(*NO) CLEANFAIL(*NONE)You should see a message similar to the following:VIRUS ALERT: /StandGuard/av/EICAR.COM is infected with 'EICAR test file'.1 virus(es) found, 10 file(s) verified clean in 7 seconds. 0 file(s) not scanned.Examine the file's scan status using the command WRKLNK '/StandGuard/av/eicar.com', then chooseoption 8. Page down to the last screen. Verify the 'Scan status' is *FAILURE.Once the file is marked as having failed a scan, the file cannot be opened in any way.Recommendations1. Update Virus Definitions: Continue with Chapter 8: "Updating Virus Definitions" to configure theproduct to schedule automatic downloading of virus definitions (DATs). New virus definitions areposted every day.2. Update the Pro

Supportsi5/OSscanningfeatures StartingwithV5R3,IBM em.StandGuardAnti-Virusfullysupportsthesefeatures .