StandGuard Anti-Virus User's Guide, Version 7.2, July 28th, 2015


Table of Contents

Chapter 1 - Introduction
    StandGuard Anti-Virus for IBM i Features
    Viruses and IBM i
    How does the McAfee virus scanning engine work?
    Learning More About Viruses

Chapter 2 - Installation
    Important considerations
    About the Installation Process
    Requirements
    Installing from another IBM i server or partition
    Testing the installation
    Recommendations

Chapter 3 - StandGuard Anti-Virus Menus
    Main Menu
    Setup Menu
    Support Menu
    License Keys

Chapter 4 - On-Demand Scanning
    Scheduling an On-Demand Scan
    Configure Scan Task (AVCFGTSK) Command
    Run AV Scan Task (AVRUNTSK) Command
    Scanning Guest Operating System Partitions
    Benefits
    Features
    IBM i Requirements
    Guest Operating System Requirements
    Setup
    Performance Considerations
    Troubleshooting
    Recommendations
    Sample report

Chapter 5 - On-Access Scanning
    Requirements
    Setup
    Change AV On-Access Attributes (AVCHGA) command
    System Values
    i5/OS Directory and File Scan Attributes
    Performance Considerations
    Troubleshooting
    Recommendations

Chapter 6 - Email Scanning
    Features
    Setup
    Troubleshooting
    Recommendations

Chapter 7 - Object Integrity Scanning
    Setup
    Examples
    Recommendations
    Sample Report
    Error messages

Chapter 8 - Updating Virus Definitions
    About Virus Definitions
    Setup
    Example
    Sample Report
    Troubleshooting
    Recommendations
    Using a PC to download virus definitions

Chapter 9 - Downloading Program Temporary Fixes (PTFs)
    About PTFs
    Setup
    Example
    Sample Report
    Troubleshooting
    Recommendations

Chapter 10 - Quarantine
    Setup
    Managing
    Troubleshooting
    Recommendations

Chapter 11 - IBM i Navigator Plug-In (GUI)
    Starting

Chapter 12 - StandGuard Anti-Virus for Domino
    Requirements
    Installing
    Starting
    Setup
    Reference
    Resources
    Uninstalling

Chapter 13 - Monitoring
    Using Messenger to Monitor the AVSVR job
    Using Messenger to Monitor the AVMSGQ Message Queue
    Using Messenger to Monitor the Automatic Update Process
    Technical Support
    Contacting HelpSystems
    Uninstalling

Index


Chapter 1 - Introduction

Welcome to StandGuard Anti-Virus, the award-winning native anti-virus solution for IBM i. Developed with the unique features of IBM i in mind, StandGuard Anti-Virus offers all of the power and protection of the industry-leading McAfee scanning engine found on other platforms while meeting the specific needs of IBM i systems.

You'll find StandGuard Anti-Virus easy to use in either graphical or green screen modes and a breeze to keep current with the latest virus definitions directly from McAfee and software updates from HelpSystems. With StandGuard Anti-Virus you have the essential tools to ensure that your IBM i system is protected from the threats of viruses, worms, and malware.

StandGuard Anti-Virus for IBM i Features

The major product features are:

• Supports i5/OS scanning system values, exit points, and file attributes. See Supports i5/OS scanning features.
• Server-based.
• On-Access scanning. See On-access scanning.
• On-Demand scanning. See On-demand scanning.
• Scans native SMTP mail. See Scans i5/OS mail.
• Scans Domino mail and databases (optional).
• Object Integrity scanning. See Object integrity Scanning.
• Scans files on guest operating system partitions [1]. See Scans Files on Guest Operating System Partitions.
• Green screen and System i Navigator user interfaces. See Green screen and System i Navigator user interfaces.
• Automatic download of virus definitions. See Automatic download of virus definitions.
• Automatic download of software updates. See Automatic download of fixes.
• Built-in scheduling. See Built-in scheduling.
• Network-enabled. See Network-enabled.
• Logging. See Logging features.
• Powered by McAfee, the leading provider of network security and availability technology. See Powered by McAfee.

[1] Supported guest operating systems include Linux and AIX using Network File System (NFS).

Powered by McAfee

McAfee's preeminent staff backs each new update of the virus-scanning engine and release of virus definition .DAT files. Their worldwide virus research team develops weekly updates for the virus definition .DAT files, leaving you confident that your IBM i server is well protected from attack. StandGuard Anti-Virus incorporates the latest generation of McAfee's scanning engine, in turn making StandGuard Anti-Virus a mature product backed by battle-tested technology, advanced heuristic analysis, and generic detection and cleaning.

• Scans within compressed files
• Decompresses and scans files compressed in packages such as PKZip, .LHA, and .ARJ
• Detects and cleans macro and script viruses
• Detects and cleans encrypted and polymorphic viruses
• Detects and cleans new viruses in executable files and OLE compound documents
• Detects and removes "Trojan horses", worms, and many other types of malicious software (malware)
• Upgrades easily to new scanning technology
• Includes technology to combat the latest and future threats
• Support for many more Packed Executable formats in which known malware is often re-packaged for obfuscation purposes
• Specific detection and reporting of files compressed or packaged with known suspicious applications
• Enhancements to enable scanning of non-standard ZIP archives


Supports i5/OS scanning features

Starting with V5R3, IBM integrated virus scanning support into the operating system. StandGuard Anti-Virus fully supports these features. The result is better security and substantially lower overhead when compared to other platforms and file systems. The following table lists some of the ways the operating system has integrated virus scanning:

NetServer (mapped drives)
    Files that are opened and modified from mapped drives are scanned for viruses. The operating system will not allow infected files to be opened, thus preventing a virus from spreading to other PC clients.

open()
    The open() API is used by applications to open stream files in the IFS. i5/OS can be configured to call StandGuard Anti-Virus to scan files before allowing them to be opened (on-access scanning). The operating system will not allow applications to open stream files that are infected with a virus.

Save (SAV) command
    The SAV command is used to back up the files in the IFS. There are new parameters on the SAV command to specify if you want to scan files before saving to media, and if you want to save infected files (default is *NO).

Restore (RST) command
    Files that are restored to the IFS (including vendor application files) will be marked as requiring a scan before they can be first used.

Copy (CPY) command
    The CPY command is used to copy IFS files. The CPY command will not copy files that are infected with a virus.

Check Object Integrity (CHKOBJITG)
    The CHKOBJITG command will report on any files in the IFS that have failed a scan.

System audit journal (QAUDJRN)
    The system audit journal records virus scanning and cleaning activity.

System values (QSCANFS and QSCANFSCTL)
    QSCANFS controls if virus scanning is enabled (default is ON). QSCANFSCTL provides options to tune scanning performance.

File-level scanning attributes
    See following discussion.

About i5/OS File Scanning Attributes

Figure 1 shows the attributes of a file that has never been scanned. This information can be seen using the Work with Object Links (WRKLNK) command and then option 8 next to a stream file.

Figure 1. This screen shows attributes of a file that has never been scanned.

Press page down several times to see the scan information. In this example the file is enabled for scanning and the file will be scanned before it is next opened (Scan status = *REQUIRED). All files in the Root, QOpenSys and User-defined file systems have these default values.

Figure 2 shows the attributes of a file that has been scanned with StandGuard Anti-Virus. This file is not infected (Scan status = *SUCCESS) and the file will not be scanned again unless it is changed or the virus definitions are updated (Scan signatures different = No).


Figure 2. This screen shows attributes of a file that has been scanned.

When you run On-Access scanning, StandGuard Anti-Virus knows not to scan this file because nothing has changed that would allow this file to be infected. The result is on most days a full system scan can run in minutes instead of hours or days. Think of it as a "scan changed objects" command.

Figure 3 shows the attributes of a file after a virus has been detected. StandGuard Anti-Virus has updated the "Scan status" to *FAILURE. The operating system logs the error in the system audit journal and messages are generated. Finally, i5/OS will not allow any application to open or copy a file that has failed a scan.


Figure 3. This screen shows attributes of a file after a virus has been detected.

On-Access Scanning

StandGuard Anti-Virus provides real-time protection against virus threats by scanning files dynamically, as they are opened. You can separately enable on-access scanning for file server accesses (NetServer mapped drives, FTP) and 5250 environments (host-based applications, like Java, WebSphere, etc.).

The operating system uses the file scan information to avoid having to scan files that have not changed and have already been scanned (see discussion on the previous page). The result is the first user to open the file will wait for the scan, while subsequent accesses to that file (by that user or any other user) will not cause the file to be scanned again. Only when the file has changed, or when new virus definitions are updated, will the file be scanned again.
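The caching behaviour described above can be followed in a small model. This is an added example, not code from the guide or from i5/OS: the class and method names are hypothetical, the scanner is a stand-in callable, and the handling of a file that is already *FAILURE (refused without a rescan while the definitions are unchanged) is an assumption of the model.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Stand-in detection rule: the message the guide says the EICAR test file prints.
MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"


@dataclass
class StreamFile:
    data: bytes
    scan_status: str = "*REQUIRED"        # default for a file that was never scanned
    scanned_level: Optional[int] = None   # definitions level used by the last scan


class ScanningFileSystem:
    """Simplified model of scan-on-open with cached results (hypothetical names)."""

    def __init__(self, is_clean: Callable[[bytes], bool]):
        self.is_clean = is_clean
        self.definitions_level = 1
        self.scans_run = 0

    def signatures_different(self, f: StreamFile) -> bool:
        # Mirrors the "Scan signatures different" attribute shown in Figure 2.
        return f.scanned_level != self.definitions_level

    def open(self, f: StreamFile) -> bytes:
        if f.scan_status == "*REQUIRED" or self.signatures_different(f):
            self.scans_run += 1           # only this path costs a scan
            f.scan_status = "*SUCCESS" if self.is_clean(f.data) else "*FAILURE"
            f.scanned_level = self.definitions_level
        if f.scan_status == "*FAILURE":
            raise PermissionError("open refused: file failed its last scan")
        return f.data

    def write(self, f: StreamFile, data: bytes) -> None:
        f.data = data
        f.scan_status = "*REQUIRED"       # any change invalidates the cached result

    def update_definitions(self) -> None:
        self.definitions_level += 1       # every file now reads "signatures different"


def demo():
    """Return (event, outcome, total scans so far, scan status) for each open."""
    fs = ScanningFileSystem(lambda data: MARKER not in data)
    f = StreamFile(b"quarterly figures")   # constructed sample content
    trace = []

    def attempt(event):
        try:
            fs.open(f)
            outcome = "opened"
        except PermissionError:
            outcome = "refused"
        trace.append((event, outcome, fs.scans_run, f.scan_status))

    attempt("first open")                  # first opener waits for the scan
    attempt("second open")                 # cached result, no scan
    fs.update_definitions()
    attempt("after definitions update")    # rescanned once
    fs.write(f, b"edited " + MARKER)
    attempt("after change")                # rescanned, now refused
    attempt("retry")                       # refused again without another scan
    return trace


if __name__ == "__main__":
    for row in demo():
        print(row)
```
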

On-demand Scanning

StandGuard Anti-Virus provides on-demand scanning which allows you to scan all or part of the system at scheduled times. You can configure the directories to scan and the schedules at which to run the scan. This allows you to configure scanning to run during off-peak times to reduce the CPU impact on other applications. Once a file has been scanned using on-demand scanning, the file will not need to be scanned when accessed (no on-access overhead for that file) unless the file has changed or the virus definitions are updated. This allows you to use off-peak times to "pre-scan" files that rarely change, thus reducing the CPU overhead of on-access scanning and improving the balance of the scanning workload.

Scans Native SMTP Mail

StandGuard Anti-Virus can scan inbound and outbound email messages passing through the IBM i SMTP server. StandGuard Anti-Virus can perform virus scanning on emails before they reach your PC clients (or customers).

Object integrity scanning

StandGuard Anti-Virus scans the IBM i Operating System (and user libraries) for objects that have been tampered with and have the potential to cause serious harm to the operating system or bypass all security entirely. For more information about object integrity scanning, see Object Integrity Scanning.

Scans Files on Guest Operating System Partitions

StandGuard Anti-Virus for IBM i can scan files on Linux and AIX guest partitions using the Network File System (NFS). By creating scheduled scan tasks to scan NFS mountable volumes on guest partitions, you can reduce the time, effort and costs associated with installing and configuring multiple stand-alone anti-virus applications on each partition. A single installation of StandGuard Anti-Virus on the host partition can be used to ensure all of your Linux and AIX partitions are free of viruses, trojans, worms, malware and spyware.

Green screen and System i Navigator plug-in provided

Whether you use the green screen menu and command interface or the graphical System i Navigator plug-in, you will find StandGuard Anti-Virus simple and flexible to use. StandGuard Anti-Virus provides CL commands that you can embed into your applications or nightly procedures. Green screen menus are provided for using StandGuard Anti-Virus in a 5250 environment. Additionally, the graphical System i Navigator plug-in is provided so you can manage your anti-virus policies directly from within System i Navigator's security administration tasks.

Automatic download of virus definitions

StandGuard Anti-Virus ensures you always have the latest protection against current virus threats by automatically downloading virus definition files from McAfee. By keeping the virus definition files up-to-date automatically, StandGuard Anti-Virus protects you from the new virus threats that occur each day. Automatic updating can be scheduled to run automatically, and CL commands are provided to integrate within your own nightly batch processes.

Automatic download of software updates and fixes

StandGuard Anti-Virus keeps itself up-to-date by downloading new features, fixes, and enhancements from HelpSystems. PTF processing can be scheduled to run automatically, and CL commands are provided to integrate within your nightly batch processes. You can use System i Navigator to synchronize PTFs across multiple systems and partitions automatically.

Built-in Scheduling

Built on HelpSystems' proven experience with IBM i administration, security, and automation, StandGuard Anti-Virus was designed from the ground up as a secure, automated anti-virus solution that prevents headaches, not gives you new ones. StandGuard Anti-Virus provides automatic scheduling and updating of virus definitions, product enhancements, and scanning tasks that you create. By automating these tasks you can rest assured that StandGuard Anti-Virus is providing reliable, around-the-clock protection.

Network-enabled

StandGuard Anti-Virus can retrieve virus definitions and program updates from either an FTP server or a shared local network path. The path can be located on another IBM i server or partition, a Windows file server, or any network path of your choice. This allows you to use one IBM i server or partition to download the virus definitions (from McAfee's FTP server) and the remaining servers or partitions can retrieve their virus definition files from the shared network folder.

The same networking features can be used to keep the StandGuard Anti-Virus product PTFs up-to-date for all your servers or partitions. Use one IBM i server or partition to download the upgrades from HelpSystems' FTP server and the remaining servers or partitions can retrieve their upgrades from the shared network folder. You can use System i Navigator's Management Central to distribute PTFs from your central system to all your IBM i servers and partitions.

Logging

StandGuard Anti-Virus provides several logging features that you can use to monitor the application's activity:

• Messages are logged to the message queue AVMSGQ. You can view the message queue manually as needed, or use third-party monitoring tools to automate the monitoring of this queue and alert you to viruses and failed downloads via your email, cell phone, or pager.
• Scan reports provide detailed information about the directories scanned, infections found and cleaning/quarantining activity.
• All changes made to StandGuard Anti-Virus's automation files are recorded in the AVJRN journal, recording all changes made to the product, who made them and when they were altered.
• Virus scanning activity is recorded in the system audit journal, providing a secure audit trail of virus activity within the system.

Viruses and IBM i

Viruses stored on the IBM i present a serious risk to your network and your data. In most cases, your IBM i system can be "seen" by every computer in your network. If an infected file is executed by any of these computers, that computer becomes infected, which in turn can launch new attacks against the rest of the network and even back to the IBM i itself. These attacks can render computers and the network inoperable.

A running virus has access to all of the same resources as the user that launched the virus. Consequently, if an administrator-level user becomes infected then the virus has access to all the same resources as that user (everything). Viruses can alter, copy, delete, and run commands against IBM i files, programs and libraries. With respect to IBM i, a virus could spread to other systems and partitions through the use of network shares and the Integrated File System (IFS).

Many DOS and Unix commands will execute against an IBM i system. The DEL command, for example, can be used to delete files on a user's local C drive as well as IBM i files and libraries. Likewise, the COPY command can be used to copy files. A running virus can execute these and other dangerous system commands against a network drive mapped to the IBM i, causing serious damage. Viruses can also execute commands using FTP scripts, and access IBM i data via ODBC drivers stored on the infected computer.

There are many ways a virus can make its way to an IBM i: a mapped drive, the CD/DVD drive, an FTP script, sharing files and programs with other computers, vendors and business partners are just a few examples. The best policy is to not try and "outguess" all of the possibilities; virus writers are always improving their code to take advantage of all the latest technologies.


How does the McAfee virus scanning engine work?

The McAfee virus-scanning engine is a complex data analyzer. The exact process of analysis depends on the object (often a file) being scanned and the type of viruses being sought. However, the following stages describe the general approach that the virus-scanning engine uses.

Identifying the type of the object

This stage determines which type of object is being scanned. Files that contain executable code, for example, need to be scanned.

Different types of files in Microsoft Windows systems, for example, are distinguished by their file extensions, such as .EXE and .TXT. However, any file can be renamed to hide its true identity, so the contents of the file must first be determined.

Each type of object requires its own special processing. If the type cannot be infected with a virus, no further scanning needs to be done. For example, a picture stored in a file of bitmap format cannot be infected.

Decoding the object

This stage decodes the contents of the object, so that the virus scanner "understands" what it is looking at. For example, a compressed WinZip file cannot be interpreted until it has been expanded back to its original contents. The same applies to non-compressed files too. For example, the engine must decode a Microsoft Word document (.DOC) file to find any macro viruses.

File decoding can become quite complex when a file contains further encoded files. For example, a WinZip archive file might contain a mixture of other archives and document files. After the engine decodes the original WinZip file, the engine must also decode and separately scan the files inside.

Looking for the virus

This complex stage of virus scanning is controlled by the virus definition (DAT) files. The scan.dat file contains thousands of different drivers. Each driver has detailed instructions on how to find a particular virus or type of virus.


The engine can find a simple virus by starting from a known place in the file, then searching for its virus signature. Often, the engine needs to search only a small part of a file to determine that the file is free from viruses.

A virus signature is a sequence of characters that uniquely identifies the virus, such as a message that the virus may display on the screen, or a fragment of computer code. We take care when choosing these signatures to avoid falsely detecting viruses inside clean files. More complex viruses avoid detection with simple signature scanning by using two popular techniques:

Encryption: The data inside the virus is encrypted so that anti-virus scanners cannot see the messages or computer code of the virus. When the virus is activated, it converts itself into a working version, then executes.

Polymorphism: This process is similar to encryption, except that when the virus replicates itself, it changes its appearance.

To counteract such viruses, the engine uses a technique called emulation. If the engine suspects that a file contains such a virus, the engine creates an artificial environment in which the virus can run harmlessly until it has decoded itself and its true form becomes visible. The engine can then identify the virus by scanning for a virus signature, as usual.

Using heuristic analysis

Using only virus signatures, the engine cannot detect a new virus because its signature is not yet known. Therefore the engine can use an additional technique: heuristic analysis.

Programs, documents, or email messages that carry a virus often have distinctive features. They might attempt unprompted modification of files, invoke mail clients, or use other means to replicate themselves. The engine analyzes the program code to detect these kinds of computer instructions. The engine also searches for "legitimate" non-virus-like behavior, such as prompting the user before taking action, and thereby avoids raising false alarms.

By using these techniques, the engine can detect many new viruses.

Calculating the checksum

This stage exactly identifies the virus. The engine performs a mathematical calculation over the virus data to produce a unique number, the checksum. The engine compares this checksum against previously calculated values in one of the DAT files (scan.dat) to identify the virus exactly.

Cleaning


This stage cleans the object. Usually, the engine can clean an infected file satisfactorily. However, some viruses can alter or destroy data to an extent where a file cannot be fixed. The engine can easily clean macro viruses by erasing the macro from the infected document.

Executable viruses are more complex. The engine must restore the original path of execution through the program so that the virus does not become active. For example, a virus might append itself to the end of an executable program file. To run, the virus must divert the path of execution away from the original code to itself. After becoming active, the virus redirects the path of execution to the original code to avoid suspicion. The engine can disable this virus by removing the diversion to the virus code. To clean the file, the engine then erases the virus code.
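The first four stages above (identify by content, decode nested containers, search for a signature, confirm by checksum) are sketched below. This is an added example, not McAfee's engine or code from the guide: the detection names, the sample and the limits are constructed for illustration, SHA-256 stands in for the checksum calculation the guide does not specify, and emulation, heuristics and cleaning are left out.

```python
import hashlib
import io
import zipfile

# Constructed data. The signature is the message the guide says the EICAR test
# program prints; the detection names and the sample are hypothetical.
SIGNATURES = {"Constructed-Test-Family": b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"}
SAMPLE = b"constructed sample: EICAR-STANDARD-ANTIVIRUS-TEST-FILE\n"
# Checksum table used for exact identification (SHA-256 is a stand-in).
CHECKSUMS = {hashlib.sha256(SAMPLE).hexdigest(): "Constructed-Test-Family.A"}

MAX_DEPTH = 4               # refuse to unpack archives nested deeper than this
MAX_MEMBER_BYTES = 1 << 20  # refuse members that declare more than 1 MiB


def identify_type(data):
    """Stage 1: decide the type from the content, never from the file name."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"BM":
        return "bitmap"  # simplification: a real engine validates the whole header
    return "other"


def scan(name, data, depth=0):
    """Return a list of (path, detection, exact_name_or_None) findings."""
    kind = identify_type(data)
    if kind == "bitmap":
        return []  # the guide's example of a type that needs no further scanning
    if kind == "zip":
        return _scan_zip(name, data, depth)
    findings = []
    for family, pattern in SIGNATURES.items():         # stage 3: signature search
        if pattern in data:
            digest = hashlib.sha256(data).hexdigest()  # stage 4: checksum lookup
            findings.append((name, family, CHECKSUMS.get(digest)))
    return findings


def _scan_zip(name, data, depth):
    """Stage 2: decode the container and scan every member separately."""
    if depth >= MAX_DEPTH:
        return [(name, "not-scanned:nesting-limit", None)]
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                path = f"{name}/{info.filename}"
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append((path, "not-scanned:size-limit", None))
                    continue
                findings += scan(path, archive.read(info), depth + 1)
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        # Corrupt, encrypted or unsupported archives are reported, not ignored.
        findings.append((name, "not-scanned:undecodable", None))
    return findings


def make_zip(members):
    """Build an in-memory ZIP from {member name: bytes} (test-data helper)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        for member_name, content in members.items():
            archive.writestr(member_name, content)
    return buffer.getvalue()


if __name__ == "__main__":
    # An archive renamed to .txt, with the sample two layers deep.
    inner = make_zip({"a.com": SAMPLE})
    outer = make_zip({"doc/readme.txt": b"hello", "inner.zip": inner})
    print(scan("holiday.txt", outer))
    # Same signature, different bytes: family match without exact identification.
    print(scan("variant.bin", SAMPLE + b"x"))
```

Anything the scanner could not decode is returned as a `not-scanned:` finding so that an unreadable archive is never reported as clean.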

Learning More About Viruses

Note. Viruses can corrupt or destroy data, they spread rapidly, and they can make your computers unusable. We strongly recommend that you do not experiment with real viruses.

The Virus Information Library on the AVERT Anti-Virus Research Site (http://vil.nai.com/vil) contains detailed information about thousands of viruses.


Chapter 2 - Installation

Please read the following considerations before installing StandGuard Anti-Virus:

Important considerations

1. If you are using GO SAVE option 21 (Save Entire System) in an unattended operation, we recommend you follow the procedures listed in step 10 of IBM's GO SAVE checklist. You can find the checklist documented on IBM's Infocenter. Search for CPA3708. Or, to follow links, use Systems management > Backup and Recovery > Back up your server > Save your server with the GO SAVE command > View entire GO SAVE checklist.

Note. This User's Guide contains other important notices in boxes like this one.

2. If you are using Domino, do not scan Domino data directories using the AVSCAN or On-Access scanning features. See Recommendations in the On-Access Scanning and On-Demand Scanning chapters for information on how to exclude Domino data directories from these processes. For more information about installing and using the optional Domino feature to scan Domino mail and databases, see Chapter 12.

About the Installation Process

Note. The HelpSystems installation procedure creates libraries, profiles, authorization lists, commands, objects, and, in some cases, exit points on your system. Changing the configuration of any of these installed application components may result in product failure.

The following list explains the changes the installation program will make to your system.

1. Creates the STANDGUARD library if it does not exist. The public authority on this library will be *USE and should not be changed.

2. Creates the STANDGUARD user profile for the purpose of owning objects in the STANDGUARD library. The user profile is created with no password and *JOBCTL authority (for the purposes of scheduling jobs).

3. Grants the STANDGUARD user profile *USE authority to QSECOFR for the purposes of adopting *ALLOBJ authority as needed. There are a few times this level of authority is needed, such as updating virus definitions, quarantining files and on-access scanning.

Note. Do not change the STANDGUARD profile to have *ALLOBJ authority.

If the product is being installed for the first time (not an upgrade), the system value QSCANFSCTL is changed to *FSVRONLY (Scan file server access only). This turns off on-access virus scanning in a 5250 environment. Virus scanning will still occur for files opened through the network file servers (mapped drives). For more information about this setting see On-Access Scanning. We recommend you start with *FSVRONLY until you are familiar with the product, and then consider setting this value back to *NONE at a later time when you want to scan file accesses in a 5250 environment. Once you become familiar with the product you can exclude directories before enabling scanning native file accesses.

4. Restores the licensed program 0AV2000.

5. Adds an autostart job entry to the QSYSWRK subsystem to start the AVSVR job automatically at IPL. The AVSVR job must be active at all times for virus scanning features to function properly.

Note. Do not try to uninstall the product by deleting the STANDGUARD library. This does not uninstall the product. The procedure listed in the Appendix ensures the product is removed completely.

If for some reason you need to uninstall StandGuard Anti-Virus, see Uninstalling.

Requirements

• IBM i
• 5722SS1 option 30 (QSHELL) **
• 5722SS1 option 33 (PASE) **
• 5722JV1 (Java, any version) **
• You must be signed on as a user profile with *ALLOBJ and *SECADM authority (such as QSECOFR) to install the product.
• FTP connectivity from at least one IBM i server or partition in your network to McAfee's server for downloading virus definition files (DATs). Alternatively, you can obtain virus definitions from a network path.
• Recommended: FTP connectivity from at least one IBM i server or partition in your network to HelpSystems' server for downloading program fixes and enhancements. Alternatively, you can obtain PTFs from a network path.
• Please ensure you have obtained license keys prior to installing the product.

** QSHELL, PASE and Java are included with i5/OS but can be separately installed. You can determine if these options are installed by running command DSPSFWRSC (Display Software Resources). If a required option is not installed, you can install them using the GO LICPGM command and your i5/OS installation media (CDs, DVDs, etc.).

Installing from another IBM i server or partition

1. Use the following command to save the product to a save file:

SAVLICPGM LICPGM(0AV2000) DEV(*SAVF) SAVF(save-file-name)

2. Copy the save file to the remote servers or partitions using FTP or System i Navigator.

3. Execute the following command on the target system or partition. You can enter the command by signing on to the target system, or use System i Navigator to send the following command to the remote server(s):

RSTLICPGM LICPGM(0AV2000) DEV(*SAVF) SAVF(save-file-name)

4. Enter the license key(s) using the instructions provided by HelpSystems.

Testing the installation

StandGuard Anti-Virus can be tested using a test file called EICAR.com. This file does not contain a virus—it cannot spread or infect other files, or otherwise harm your system. The file is a legitimate DOS program and produces sensible results when run (it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE").

The EICAR test file is maintained by the European Institute for Computer Anti-Virus Research (http://www.eicar.org) for the purposes of validating anti-virus software. The following text is an excerpt from http://www.eicar.org/anti_virus_test_file.htm:

"You are encouraged to make use of the EICAR.COM test file. If you are aware of people who are looking for real viruses for test purposes, bring the test file to their attention. If you are aware of people who are discussing the possibility of an industry-standard test file, tell them about www.eicar.org and point them at this article."

Download the file from the internet and save it to the /Standguard/av directory in the IFS.

At an IBM i command line, type the following command and press Enter:

STANDGUARD/AVSCAN OBJ('/StandGuard/av/eicar.com') CLEAN(*NO) CLEANFAIL(*NONE)

You should see a message similar to the following:

VIRUSALERT: /StandGuard/av/EICAR.COM is infected with 'EICAR test file'.

1 virus(es) found, 10 file(s) verified clean in 7 seconds. 0 file(s) not  scanned.

Examine the file's scan status using the command WRKLNK '/StandGuard/av/eicar.com', then choose option 8. Page down to the last screen. Verify the 'Scan status' is *FAILURE.

Once the file is marked as having failed a scan, the file cannot be opened in any way.
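The two messages shown above can be checked automatically after a test or scheduled scan. The following is an added example, not part of the product or of this guide: it assumes the scan output is available as text lines in the shape of the two sample messages, and every input other than those two lines is constructed for illustration.

```python
import re

# Message shapes taken from the two sample lines in this section. The product
# may emit other variants; lines that match neither pattern are ignored.
ALERT_RE = re.compile(
    r"^VIRUSALERT:\s+(?P<path>.+) is infected with '(?P<virus>.*)'\.$")
SUMMARY_RE = re.compile(
    r"^(?P<found>\d+) virus\(es\) found, (?P<clean>\d+) file\(s\) verified clean"
    r" in (?P<elapsed>[^.]+)\.\s+(?P<skipped>\d+) file\(s\) not\s+scanned\.$")

# The two lines printed in the guide's EICAR test.
PAGE_SAMPLE = [
    "VIRUSALERT: /StandGuard/av/EICAR.COM is infected with 'EICAR test file'.",
    "1 virus(es) found, 10 file(s) verified clean in 7 seconds. 0 file(s) not  scanned.",
]
# Constructed inputs: a clean run that skipped files, and a report cut short.
CONSTRUCTED_SKIPPED = [
    "0 virus(es) found, 5120 file(s) verified clean in 431 seconds. 12 file(s) not scanned.",
]
CONSTRUCTED_TRUNCATED = [
    "VIRUSALERT: /home/shared/invoice.doc is infected with 'Constructed sample name'.",
]


def parse_scan_output(lines):
    """Return (alerts, summary); summary is None when no summary line was seen."""
    alerts, summary = [], None
    for raw in lines:
        line = raw.strip()
        hit = ALERT_RE.match(line)
        if hit:
            alerts.append((hit["path"], hit["virus"]))
            continue
        hit = SUMMARY_RE.match(line)
        if hit:
            summary = {
                "found": int(hit["found"]),
                "clean": int(hit["clean"]),
                "elapsed": hit["elapsed"],
                "skipped": int(hit["skipped"]),
            }
    return alerts, summary


def triage(lines):
    """List the reasons a scan report needs an operator's attention."""
    alerts, summary = parse_scan_output(lines)
    reasons = [f"infected: {path} ({virus})" for path, virus in alerts]
    if summary is None:
        # Without the totals line the alert list cannot be trusted as complete.
        reasons.append("no summary line: report is incomplete")
        return reasons
    if summary["found"] != len(alerts):
        reasons.append(
            f"summary reports {summary['found']} virus(es) but "
            f"{len(alerts)} alert line(s) were seen")
    if summary["skipped"]:
        # Files that were not scanned are unverified, not clean.
        reasons.append(f"{summary['skipped']} file(s) not scanned")
    return reasons


if __name__ == "__main__":
    for name, sample in [("page sample", PAGE_SAMPLE),
                         ("skipped files", CONSTRUCTED_SKIPPED),
                         ("truncated", CONSTRUCTED_TRUNCATED)]:
        print(name, "->", triage(sample) or "nothing to review")
```

An empty list from triage() means the report contained a summary, no alerts, and no unscanned files.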

Recommendations

1. Update Virus Definitions: Continue with Chapter 8: "Updating Virus Definitions" to configure the product to schedule automatic downloading of virus definitions (DATs). New virus definitions are posted every day.

2. Update the Product: Continue with Chapter 9: "Downloading Product PTFs" to update the StandGuard Anti-Virus product to the most current level.

3. Schedule a Full System Scan: Continue to Chapter 4: "On-Demand Scanning" to schedule a full system scan. Be sure to schedule your first scan during off-peak hours. The first full system scan can run anywhere from 2 to as many as 12 hours, depending on how many files need to be scanned and the speed of the processor.

4. Setup Monitoring: Continue with Chapter 13: "Monitoring" for important information you need to know about monitoring StandGuard Anti-Virus events and activity.

5. Setup Mail Scanning: If you are using the IBM i SMTP mail server, see Mail Scanning.

Chapter 3 - StandGuard Anti-Virus Menus

Main Menu

To access the StandGuard Anti-Virus Main Menu, type STANDGUARD/AVMENU (or just AVMENU) at a command line and press Enter:

1. Submit a virus scan task

Select this option to submit a virus scan task. A virus scan task is a list of directories and options that control scanning parameters. A default task (named *SYS) is provided as a starting point for you to scan the entire system using recommended values. You can choose to start the scan immediately, or schedule it to run at a later time. For more information about creating, changing and running scan tasks, see Chapter 4 On-Demand Scanning.

2. Submit an object integrity scan task

Select this option to submit an object integrity scan task. An object integrity scan task is a list of libraries and options that control an object integrity scan. A default task (named *SYS) is provided as a starting point for you to scan the entire system using recommended values. You can choose to start the scan immediately, or schedule it to run at a later time. For more information about creating, changing and running object integrity scan tasks, see Chapter 7 Object Integrity scanning.

3. Work with scan jobs

Select this option to work with scan jobs that have been started as a result of options 1 or 2, as well as any jobs that have started automatically as a result of scheduling a scan task. To schedule a task to run automatically at recurring intervals, see Scheduling an On-Demand Scan.

4. Work with job schedule entries

Select this option to work with job schedule entries that have been created as a result of configuring scan tasks and automatic updates. You can use this option to see a quick display of what jobs are scheduled to run.

10. Work with logs

Select this option to view the log files from StandGuard Anti-Virus activities. Log files are generated from Object Integrity Scanning, On-demand scanning, Virus Definition Updates, and Program Updates (PTF) activities. You can use this display to see the results of the last automatic update or scan task.

11. Display messages

Select this option to view important messages from StandGuard Anti-Virus activities.

12. Work with quarantined files

Select this option to work with files that have been moved to the quarantine location. For more information about quarantine, see Quarantine.

20. Download latest virus definitions (DATs)

Select this option to download the latest virus definitions. These definitions will ensure that your virus protection is constantly updated as cures for new virus threats are published. For more information, see Updating Virus Definitions (DATs).

21. Download latest program updates (PTFs)

Select this option to download the latest program temporary fixes (PTFs). These updates will ensure you have the latest code fixes. For more information, see Downloading Program Temporary Fixes (PTFs).

50. Setup menu

Select this option to view the Setup menu. The Setup menu provides the options needed to configure the product.

51. Support menu

Select this option to view the Support menu. The Support menu provides many useful items for maintaining and supporting the use of the product.

52. License menu

Select this option to view the License Menu. The License menu provides options for maintaining and supporting the product license.

Setup Menu

The Setup Menu provides options to configure product settings. To access the Setup menu choose option 50 from the Main menu, or run the command GO STANDGUARD/AVSETUP.

1. On-access scanning

Select this option to enable or disable on-access scanning, and change options that affect on-access scanning performance. On-access scanning allows you to scan files dynamically as they are opened and/or modified. For more information about on-access scanning see On-Access Scanning.

2. Automatic virus definition updates (DATs)

Select this option to schedule and configure settings for updating virus definitions. For more information about virus definitions see Updating Virus Definitions.

3. Automatic program updates (PTFs)

Select this option to schedule and configure settings for updating program temporary fixes (PTFs). For more information about PTFs see Downloading PTFs.

4. QMSF Mail scanning

Select this option to configure settings for scanning IBM i mail. For more information, see email Scanning.

5. Object integrity scan tasks

Select this option to schedule and configure object integrity scan tasks. For more information, see Object Integrity Scanning.

6. Virus scan tasks

Select this option to schedule and configure virus scan tasks. For more information, see On-Demand Scanning.

30. Work with job schedule entries

Select this option to work with the jobs that have been scheduled as a result of changes made on this screen. Press F11 to see additional information. The jobs that may appear are as follows:

Name        Description
AVUPDATE    Run virus definition update
AVUPGRADE   Run PTF update
AVRUNTSK    Run a scan task

Support Menu

The Support Menu provides useful options for maintaining and supporting the product. To access the Support menu choose option 51 from the Main menu, or run the command GO STANDGUARD/AVSUPPORT.

1. Work with AVSVR job(s)

Select this option to view the server job (AVSVR) that is currently running or has completed. The AVSVR job must be running at all times for virus scanning to function. This option allows you to verify the job is currently running, and to access joblogs for AVSVR jobs that have ended.

2. Work with QMSF jobs

Select this option to work with active and completed QMSF mail server jobs. From this display you can view joblogs to diagnose problems with mail.

3. Work with job schedule entries

Select this option to work with scheduled StandGuard Anti-Virus jobs. This Work with Job Schedule Entries display allows you to change the days and times the jobs are started, start a job to run immediately, and to view the results from the last submission. For more information, select this option and press Help.

4. Work with system values

Select this option to work with the operating system values related to virus scanning.

5. Work with output queue

Select this option to work with the StandGuard Anti-Virus output queue (AVOUTQ). The Work with Output Queue display allows you to view, print and delete reports. For more information, select this option and press Help.

6. Work with IFS Files

Select this option to work with files and directories in the Integrated File System (IFS). For more information, select this option and press Help.

7. Work with exit points

Select this option to work with the operating system exit points related to virus scanning.

License Keys

When you license StandGuard Anti-Virus, you will be provided two license keys. The first license key is for the use of the StandGuard Anti-Virus product. The second key is for the product support. If you have a partitioned system, you will need to enter these keys into each partition that is licensed for StandGuard Anti-Virus.

Product license key

This license key allows you to run the StandGuard Anti-Virus for i5/OS scanning programs for either a temporary or permanent term limit. For permanent usage, this key will not need to be re-entered unless your hardware changes. For temporary usage, this key will allow you to run the scanning programs until an expiration date is reached.

Domino license key

This license key allows you to run the StandGuard Anti-Virus for Domino scanning programs for either a temporary or permanent term limit. For permanent usage, this key will not need to be re-entered unless your hardware changes. For temporary usage, this key will allow you to run the scanning programs until an expiration date is reached.

Support license key

This license key allows you to download the support files needed to keep the scanning product up-to-date with the latest virus definition files, and any program enhancements and fixes to the product. This key is provided for a temporary term, typically one (1) year. A new key will need to be entered before the expiration date to ensure you are protected against the latest virus threats.

Chapter 4 - On-Demand Scanning

On-demand scanning refers to the process of explicitly scanning a file or directory for viruses. Typically, an on-demand scan is initiated at a scheduled time to scan all or part of the system. When you initiate an on-demand scan, StandGuard Anti-Virus processes all of the files in the specified directories for viruses and provides a report of scanning activities.

On-demand scanning can be initiated by choosing option 1 from the Main menu and through Scan Tasks that are created using the Setup menu or the iSeries Navigator plug-in.

Note. StandGuard Anti-Virus can only track scan status for files in the Root, QOpenSys, and UDFS file systems. Files in other file systems, such as QDLS, do not contain this information and consequently will be scanned every time.

On-demand scanning is usually a very long-running process. To minimize the time required to complete a scan, StandGuard Anti-Virus does not have to scan files that have already been scanned at the current virus definition level, unless the file has changed. Then as each file is scanned, StandGuard Anti-Virus records the scan information with the file. This information can be seen using the WRKLNK command and then option 8 next to the file. For a brief discussion about this see About i5/OS file scanning attributes.

As StandGuard Anti-Virus scans files, the scan status is updated with either *SUCCESS or *FAILURE. Files with *SUCCESS status will not be scanned again until either the file data has changed or the virus definitions have been updated. Finally, the operating system will not allow files marked as *FAILURE to be opened (thus preventing the virus from spreading).

Scheduling an On-Demand Scan

On-demand scanning is initiated using the supplied Configure Scan task (AVCFGTSK) and Run AV Scan Task (AVRUNTSK) commands.

Figure 1 - Configure Scan Task

First, choose option 6 from the Setup menu to access scan tasks. When prompted for task name, press F4 to see a list of tasks. The product is pre-configured with the *SYS task which will scan the entire system with recommended settings. Type *SYS and press enter.

Press PAGE DOWN to see additional parameters.

Configure Scan Task (AVCFGTSK) Command

Restrictions

The user running the command must either have *ALLOBJ authority OR have *RX authority to all files and directories referenced on the OBJ parameter, and *RWX authority for cleaning of any viruses. We recommend running the command under a profile with *ALLOBJ authority to ensure complete scanning and cleaning. The Integrated File System does not recognize adopted authorities. Therefore, you cannot use the command in a CL program that adopts authority. The actual job user must have the required authorities to properly scan files.

Parameters

Host (HOST)

Specifies the name of the NFS host where the files are stored. Use this option to scan files and directories on Linux and AIX partitions. To use this option you must export the root directory on the specified host with read/write and allow root access (no_root_squash). When you specify a host name, the root file system will be mounted using the Network File System (NFS) to a temporary directory, the files and directories will be scanned, and the file system unmounted. You can determine the host name using the DSPNWSD command.

*LOCAL

The start path is located on the local file system.

hostname

The start path is located on the specified NFS host. You must have *ALLOBJ authority for this option to work correctly.

Objects (OBJ)

This is the object (starting path or filename) to scan.

Examples:

1. To scan the entire Integrated File System, specify '/'.

2. To scan only the /QIBM directory, specify '/QIBM'.

Note. The following file systems are always excluded from scanning (even if they are specified in the starting path). This may not be a complete list. In general, only local file systems can be scanned (not network files).

• QSYS.LIB

• QNTC

• QfileSvr.400

• QTCPTMM

Directory subtree (SUBTREE)

Specifies if files contained in subfolders relative to the starting path are scanned.

*ALL

Files within subfolders of the starting path will be scanned. If the subfolders also contain subfolders, they will also be scanned, and so on. If you want to exclude a folder within a subfolder, see the Exclude paths (EXCL) parameter.

*NONE

Do not scan subfolders. If the subfolders contain additional files and folders, they will not be scanned.

Note. To exclude directories within the subtree use the following OMIT parameter.

Omit (OMIT)

Specifies the list of directories to exclude from scanning.

Heuristic analysis (HEURISTIC)

Include heuristic analysis to find new viruses. When you use heuristic analysis, the scanning engine employs heuristic technology to detect potentially unknown viruses in executable files (programs). Without this option, the engine can only find viruses that are already known and identified in the current virus definition files.

*YES

Include heuristic analysis to find new viruses. This attribute slows the engine's performance and consumes additional processor resources.

*NO

Do not use heuristic analysis.

Macro analysis (MACRO)

Specifies if you want to treat embedded macros that have code resembling a virus as if they were viruses. This parameter is similar to Heuristic analysis but scans for new viruses in compound document formats; for example, Microsoft OLE formats such as Word documents.

You can use both Macro analysis and Heuristic analysis as parameters, and the engine determines which heuristics to implement based on the file type.

*YES

Include macro analysis to find new viruses. This attribute slows the engine's performance and consumes additional processor resources.

*NO

Do not use macro analysis.

Potentially unwanted programs (PROGRAMS)

Specifies if you want scanning activities to include detection of some widely available applications, such as password crackers or remote access utilities that can be used maliciously or pose a security threat.

*NO

Do not scan for potentially unwanted programs.

*YES

Scan for potentially unwanted programs.

Scan archives (ARCHIVES)

Specifies if you want scanning activities to include archive files. Archive files contain embedded files and usually end with one of the following extensions: .ZIP, .TAR, .CAB, .LZH, .JAR, and .UUE. This option will also permit scanning of MSCompress files.

*YES

Scan archive files to find new viruses. This attribute slows the engine's performance and consumes additional processor resources.

*NO

Do not scan archive files.

Clean infected files (CLEAN)

Specifies if the engine should remove the virus from the file ("clean"). If a file cannot be cleaned, the Clean failure action (CLEANFAIL) parameter provides a secondary choice.

*YES

Clean the infected file(s) by removing the virus.

*NO

Do not clean infected files.

Clean failure action (CLEANFAIL)

Specifies the secondary action if the file cannot be cleaned.

*QRN

Move or create a link in the quarantine folder to the infected file. Whether a link is created or the file is moved depends on the file system where the virus was found. For more information about quarantining files see Quarantine.

*DELETE

Delete the file. These files are first overwritten with zeros, made zero length and then deleted using an operating system call. Therefore, you cannot undelete these files.

*NONE

No action is performed. Use this option with caution as any viruses that are found and cannot be cleaned are left in place and still present a threat.

Files (FILES)

Specifies the types of files to include in scanning activities.

*ALL

Scan all files. This attribute slows the engine's performance, but offers you the best protection against infection.

*DFT

Scan only file types that are most susceptible to virus infection. This option safely narrows the scope of scan operations to files that are susceptible to virus infection and reduces the amount of time devoted to scanning files.

*ALLMACRO

Expands scanning activities to include an examination of all files to determine if they contain known macro viruses. This attribute slows the engine's performance but offers you the best protection against infection from macro viruses. This option is faster than the *ALL files option, which examines every file for program viruses and macro viruses.

Output (OUTPUT)

Specifies where output from the program should be sent.

*LOGFILE

The output is sent to an IFS stream file in the logs directory.

*PRINT

The output is spooled to an output queue.

Schedule (SCHEDULE)

Specifies when to schedule the task.

*NONE

Do not schedule the command or process to run. Tasks that are configured but not scheduled need to be run manually using the AVRUNTSK command.

*DAILY

Run the command or process every day.

*WEEKLY

Run the command or process on the same day once per week.

*MONTHLY

Run the command or process on the same day each month.

Note. When you specify a schedule and press Enter, the product schedules the job AVRUNTSK using the ADDJOBSCHDE command.

Day (SCHEDDAY)

Specifies the days to perform the task. This parameter appears only when SCHEDULE is set to *DAILY or *WEEKLY.

*ALL

Schedule the task to run every day.

*SUN

Schedule the task to run every Sunday.

*MON

Schedule the task to run every Monday.

*TUE

Schedule the task to run every Tuesday.

*WED

Schedule the task to run every Wednesday.

*THR

Schedule the task to run every Thursday.

*FRI

Schedule the task to run every Friday.

*SAT

Schedule the task to run every Saturday.

Time (SCHEDTIME)

Specifies the time to run the task.

Run priority (RUNPTY)

Specifies the job run priority for the task. The value can be in the range of 11 - 99, where 11 is the highest priority and 99 is the lowest. 99 will have the least impact on other jobs but will take longer to run.

Timeout minutes (TIMEOUT)

Specifies the number of minutes the scan task will run before the operation times out. Use this option to limit the time for long-running scan tasks to complete. Incomplete scan tasks will automatically resume scanning from the last directory on the next run of the task. For example, if a complete scan requires 8 hours but is configured with a 240 minute timeout (and is scheduled to run daily), then you will get a complete scan every other day.

*NONE

The task will run as long as necessary to completion without timing out.

minutes

The task will time out after the specified number of minutes. Note: The timeout is checked after each directory is scanned and will not time out in the middle of a directory. Therefore, the task may run longer than the specified number of minutes as needed to establish a directory boundary.

Additional Parameters

The following parameters appear when you prompt the command and press F10.

Delete (DELETE)

Specifies if you want to delete or change the task.

*NO

The task will be changed or created.

*YES

The task will be deleted. All other parameters except the task name are ignored.

Logging level (LOGLVL)

Specifies the number of directory levels listed in the scan log.

*DETAILED

Detailed information is logged. Detailed logging contains more information than *SUMMARY but less than *FULL.

*SUMMARY

Summary information is logged.

*FULL

All information is logged.

Example

The following command configures the system task to scan the entire IFS for viruses, clean infected files, quarantine files that cannot be cleaned, and excludes scanning of the CD-ROM drive. The task will start every Saturday at 1am:

AVCFGTSK TASK(*SYS) OBJ(('/' *ALL)) OMIT('/QOPT') CLEAN(*YES) CLEANFAIL(*QRN) RUNPTY(99) SCHEDULE(*WEEKLY) SCHEDDAY(*SAT) SCHEDTIME(010000)

Run AV Scan Task (AVRUNTSK) Command

The Run AV Scan Task (AVRUNTSK) command is used to run a scan task. If you configured the task to run on schedule, then the task will run automatically at the specified time. However if you did not schedule the task, then the AVRUNTSK command must be used to start the task manually. You can submit a scan task using option 1 on the Main menu.

Figure 4 - Running a scan task manually

Note. Do not run AVRUNTSK (or AVSCAN) commands interactively unless you are running in a restricted state. Virus scanning is very CPU intensive and running the command interactively will likely slow down other jobs on the system.

The results of scan tasks can be seen using Main menu option 11 (Display Messages), and option 10 (Work with logs).

Scanning Guest Operating System Partitions

StandGuard Anti-Virus for IBM i can scan files on Linux and AIX guest partitions using the IBM i Network File System (NFS) combined with a network file system built into Unix operating systems. A single installation of StandGuard Anti-Virus on the host partition can be used to ensure all of your Linux and AIX partitions are free of viruses, trojans, worms, malware and spyware.

Benefits

• Reduces the time, effort and costs associated with installing, maintaining and monitoring multiple stand-alone anti-virus products on each partition.

• Improved security over PC-based solutions since file data is not transferred over the network (partition data is accessed over the virtual ethernet and not the physical network).

• Reduces the risk of viruses and malware from spreading from guest operating systems to other partitions and computers in your network.

Features

• Scheduled scanning of files on AIX and Linux guest partitions for viruses, trojans, worms, malware and spyware.

• File cleaning and quarantining.

• Automatic mounting and un-mounting of NFS volumes.

• Automatic swapping to root authority in order to access all files as needed for scanning.

• Utilizes all the regular scan task features, such as logging, alerting, scheduling and timeout.

IBM i Requirements

• *ALLOBJ and *IOSYSCFG authority is required to mount the root ('/') directory of the NFS host. You must run your scan tasks using a profile with *ALLOBJ and *IOSYSCFG authority.

• The Network File System daemon server jobs must be started using the command STRNFSSVR *ALL.

• The host name must be in the host table or available via DNS.

• The root ('/') directory of the NFS host must be mountable using the IBM i command MOUNT. For more information about the MOUNT command, type the command MOUNT and press Help.

For more information about IBM i Network File System, see the IBM publication “iSeries OS/400 Network File System Support”, document number SC41-5714.

Guest Operating System Requirements

• The root (‘/’) file system must be exported with read/write access and allowing root authority. For NFS, this is accomplished using the no_root_squash option in the /etc/exports file. Refer to your operating system documentation for information about how to export a directory using a network file system such as NFS.

• The necessary server daemon jobs must be started to support the network file system.

Setup

1. On the guest operating system, export the root (‘/’) directory with read/write (rw) and allow root access (no_root_squash).

2. Using the MOUNT command, run a test to verify the root directory can be mounted over a test directory. The following example shows how to mount the root directory on the NFS host named LINUX:

> md '/test'
Directory created.
> MOUNT TYPE(*NFS) MFS('LINUX:/') MNTOVRDIR('/test')
File system mounted.
> wrklnk '/test/*'

3. Unmount the directory using the UNMOUNT command. Example:

> UNMOUNT TYPE(*NFS) MNTOVRDIR('/test')
File system or directory unmounted.

4. Using Setup menu option 7, or the command AVCFGTSK, configure a scan task and specify the partition host name on the HOST parameter.


Figure 5 - AVCFGTSK display

5. Run the scan task using Main menu option 1 (remember to run the task using a profile that has *ALLOBJ and *IOSYSCFG authority).

Figure 6 - AVRUNTSK joblog
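The export made in step 1 can be checked on the guest before the scan task is configured. The following Python code is an added example, not part of the product or of this guide; it assumes a Linux exports(5) file, and the host name IBMI01, the sample file and the rule that only the scanning partition should hold no_root_squash on '/' are assumptions made for illustration.

```python
# Added example: audit a guest's NFS exports for the '/' export that the
# on-demand scan task mounts. Host name and sample file are constructed.

REQUIRED = {"rw", "no_root_squash"}  # what the guide asks for on '/'
OPPOSITES = {"rw": "ro", "ro": "rw",
             "root_squash": "no_root_squash", "no_root_squash": "root_squash"}

SAMPLE_EXPORTS = """\
# constructed sample of a guest /etc/exports
/         IBMI01(rw,no_root_squash,sync)
/srv/pub  *(ro,root_squash)
"""


def _merge(defaults, own):
    """Per-client options override conflicting '-opt' defaults."""
    return {o for o in defaults if OPPOSITES.get(o) not in own} | own


def parse_exports(text):
    """Parse exports(5) text into {path: [(client, options), ...]}.

    Handles comments, backslash continuations, '-opt,opt' default lists and
    the bare '(opts)' form, which applies to any client. A space between a
    host and its '(' therefore yields two entries: the host with no options
    and '*' with the listed ones. Quoted paths with spaces are not handled.
    """
    exports = {}
    for raw in text.replace("\\\n", " ").splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        entries = exports.setdefault(fields[0], [])
        defaults = set()
        for field in fields[1:]:
            if field.startswith("-"):
                defaults = set(field[1:].split(",")) - {""}
                continue
            client, _, opts = field.partition("(")
            own = set(opts.rstrip(")").split(",")) - {""}
            entries.append((client or "*", _merge(defaults, own)))
    return exports


def audit_root_export(text, scan_hosts):
    """Return findings for the '/' export; an empty list means it matches.

    scan_hosts: names or addresses by which the exports file may refer to
    the IBM i partition that runs the scan task (assumption of this example).
    """
    allowed = {h.lower() for h in scan_hosts}
    entries = parse_exports(text).get("/", [])
    findings = []
    if not entries:
        findings.append("'/' is not exported; the scan task cannot mount it")
    matched = False
    for client, options in entries:
        if client.lower() in allowed:
            matched = True
            missing = REQUIRED - options
            if missing:
                findings.append(f"{client}: missing {','.join(sorted(missing))}")
        elif "no_root_squash" in options:
            findings.append(
                f"{client}: no_root_squash on '/' for a client that is not "
                "the scanning partition")
    if entries and not matched:
        findings.append("no '/' entry names the scanning partition")
    return findings


if __name__ == "__main__":
    for finding in audit_root_export(SAMPLE_EXPORTS, ["IBMI01"]) or ["OK"]:
        print(finding)
```
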


Performance Considerations

On-demand scanning of the entire Integrated File System can be a very long running, CPU-intensive process. The time required to complete a full scan depends upon several factors:

• The speed of the processor

• The contention of CPU resources with other jobs

• The number and types of files to scan

• If any of the files are located in the /QOPT optical file system

• If virus definitions have changed since the last scan. When virus definitions are updated, the scan information for all files previously scanned becomes outdated. An update of virus definitions will require files to be re-scanned the next time they are accessed (if on-access scanning is enabled) and with the next on-demand scan. If virus definitions have not changed, then only files that have been changed will be scanned and the scanning process will be substantially faster.

Troubleshooting

• If a virus was not detected in a particular file, verify your virus definitions 'know' about the suspected virus. Check the McAfee virus information library at http://vil.nai.com. Be sure to keep the virus definitions up to date.

• If for some reason you need to cancel a long-running scan task, restarting the task will pick up where it left off except for QDLS files. QDLS files do not contain scan information and will be scanned every time.

Recommendations

• Schedule scan tasks to run during off-peak hours.

• If you are not using on-access scanning, then run a full scan once per day if possible. Virus definitions are released daily, so the first full scan after new definitions are downloaded will take substantially longer than other days.

• Exclude QOPT from scanning. QOPT is the IBM i CD-ROM/DVD drive(s). Scanning files in QOPT is substantially slower than local files. You can exclude QOPT by specifying OMIT('/QOPT') on the AVCFGTSK command.


• Enable on-access scanning to reduce or eliminate the need for on-demand scanning.

• Review the scan reports to understand the length of time to scan specific directories.

• Do not run commands AVCFGTSK, AVRUNTSK or AVSCAN under the STANDGUARD profile. STANDGUARD does not have sufficient authority to perform a full system scan.

• If you have multiple processors then each scan task will run on its own processor. You can reduce the time required to scan the entire system by creating 2 tasks and excluding directories from one another. The following example will create 2 tasks - the second task will cause QOpenSys to be scanned simultaneously with Scan 1. On a dual processor system this will run twice as fast as a single scan task.

    AVCFGTSK TASK('Scan 1') OBJ(('/' *ALL)) OMIT('/QOPT' '/QOpenSys') CLEAN(*YES) CLEANFAIL(*QRN) RUNPTY(99) SCHEDULE(*WEEKLY) SCHEDDAY(*SAT) SCHEDTIME(010000)

    AVCFGTSK TASK('Scan 2') OBJ(('/QOpenSys' *ALL)) CLEAN(*YES) CLEANFAIL(*QRN) RUNPTY(99) SCHEDULE(*WEEKLY) SCHEDDAY(*SAT) SCHEDTIME(010000)

• Use the Timeout feature of scan tasks to limit the number of minutes a scan task can run. For more information, see "Timeout minutes (TIMEOUT)" on page 38.

Sample report

The following report is an example of an On-Demand scan report. Reports can be viewed using Main menu option 10.

    Saturday, Nov 13 01:37 PM
    Job . . . . . : QPADEV0001 MIKE       013887
    Start path  . : /home/mike
    Quarantine  . : /quarantined
    Files . . . . : *ALL
    Heuristics  . : *YES
    Macro analysis: *YES
    Programs  . . : *NO
    Archives  . . : *YES
    Clean . . . . : *YES
    Clean fail  . : *QRN
    Files . . . . : *ALL
    Engine version: 4.4.00
    DAT version . : 4406 (09-Nov-04)

    Time      Seconds   Directory
    ========  ========  ========================
    13:40:42     120.8  /home/mike/test
    13:40:47     < 0.1  /home/mike/com/HelpSystems/standguard/av
    13:40:47       2.5  /home/mike/com/HelpSystems/standguard
    13:40:47       2.5  /home/mike/com/HelpSystems
    13:40:47       2.5  /home/mike/com
    13:40:48       0.5  /home/mike/resources
    ERROR: 3546 Cannot open file /home/mike/viruses/EICAR.zip, Object marked as a scan failure!
    13:40:49       0.5  /home/mike/viruses
    13:40:49     124.4  /home/mike
    0 virus(es) found!

    # Files:
    Processed . : 25
    Scanned . . : 24
    OK  . . . . : 24
    Infected  . : 0
    Cleaned . . : 0
    Moved . . . : 0
    Deleted . . : 0

    Warnings  . . : 0
    Errors  . . . : 1

    Completed at Saturday, Nov 13 01:40 PM
    25 files processed in 220 seconds (0.11 files/sec)
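A report like this one reads "0 virus(es) found!" even though one file was never scanned, so reviewing it means comparing the counters and reading the ERROR lines. The following Python code is an added example, not part of the product; it parses the sample report above (column spacing reconstructed) and returns the points a reviewer should follow up. The function names are hypothetical.

```python
import re

# The sample report from this guide, embedded as input. Column spacing is
# reconstructed; the parser relies only on labels and line shapes.
SAMPLE_REPORT = """\
Saturday, Nov 13 01:37 PM
Job . . . . . : QPADEV0001 MIKE       013887
Start path  . : /home/mike
Quarantine  . : /quarantined
Files . . . . : *ALL
Heuristics  . : *YES
Macro analysis: *YES
Programs  . . : *NO
Archives  . . : *YES
Clean . . . . : *YES
Clean fail  . : *QRN
Files . . . . : *ALL
Engine version: 4.4.00
DAT version . : 4406 (09-Nov-04)

Time      Seconds   Directory
========  ========  ========================
13:40:42     120.8  /home/mike/test
13:40:47     < 0.1  /home/mike/com/HelpSystems/standguard/av
13:40:47       2.5  /home/mike/com/HelpSystems/standguard
13:40:47       2.5  /home/mike/com/HelpSystems
13:40:47       2.5  /home/mike/com
13:40:48       0.5  /home/mike/resources
ERROR: 3546 Cannot open file /home/mike/viruses/EICAR.zip, Object marked as a scan failure!
13:40:49       0.5  /home/mike/viruses
13:40:49     124.4  /home/mike
0 virus(es) found!

# Files:
Processed . : 25
Scanned . . : 24
OK  . . . . : 24
Infected  . : 0
Cleaned . . : 0
Moved . . . : 0
Deleted . . : 0

Warnings  . . : 0
Errors  . . . : 1

Completed at Saturday, Nov 13 01:40 PM
25 files processed in 220 seconds (0.11 files/sec)
"""

ERROR_RE = re.compile(r"^ERROR:\s*(\d+)\s+(.*)$")
ROW_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(?:<\s*)?(\d+(?:\.\d+)?)\s+(/.*)$")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)[ .]*:\s+(\S.*)$")
PATH_RE = re.compile(r"(/[^\s,]+)")


def parse_report(text):
    """Split a scan report into settings, counters, directory rows, errors."""
    report = {"settings": {}, "counts": {}, "rows": [], "errors": []}
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := ERROR_RE.match(line)):
            path = PATH_RE.search(m.group(2))
            report["errors"].append(
                (int(m.group(1)), path.group(1) if path else None))
        elif (m := ROW_RE.match(line)):
            # "< 0.1" is kept as its upper bound, 0.1 seconds.
            report["rows"].append((m.group(1), float(m.group(2)), m.group(3)))
        elif (m := FIELD_RE.match(line)):
            key, value = m.group(1), m.group(2)
            target = "counts" if value.isdigit() else "settings"
            report[target][key] = int(value) if value.isdigit() else value
    return report


def triage(report):
    """Return the items in a parsed report that need a follow-up."""
    counts = report["counts"]
    findings = []
    if counts.get("Infected", 0):
        findings.append(f"{counts['Infected']} infected file(s) reported")
    gap = counts.get("Processed", 0) - counts.get("Scanned", 0)
    if gap > 0:
        findings.append(f"{gap} file(s) processed but not scanned")
    for code, path in report["errors"]:
        findings.append(f"error {code} on {path or 'unknown object'}")
    if counts.get("Errors", 0) != len(report["errors"]):
        findings.append("error total does not match the ERROR lines")
    return findings


def slowest(report, n=3):
    """Directories with the largest reported scan times, longest first."""
    ranked = sorted(report["rows"], key=lambda row: row[1], reverse=True)
    return [path for _, _, path in ranked[:n]]


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(triage(parsed))
    print(slowest(parsed))
```
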


Chapter 5 - On-Access Scanning

On-access scanning refers to the process of scanning files as they are accessed and changed. To minimize the impact on performance, the operating system stores scan information with each file as it is opened. This process does not increase any storage use and typically requires less than a second for most files. The first user to access the file will cause a scan to occur, but subsequent accesses by that user (or any other user) will not trigger a scan unless the file contents have changed.

Note. StandGuard Anti-Virus requires the use of a server job (AVSVR) running in the QSYSWRK subsystem to be active at all times. During installation, this job is configured to start automatically every time you start your system. If this job is ended for any reason then scanning is disabled. We strongly recommend that you implement procedures to monitor this job to ensure it is always running and restart the job as necessary. For monitoring suggestions, see Monitoring.

As files are scanned, i5/OS updates the scan status information with the file. If the file is marked as infected, the operating system will not allow the file to be opened.

Requirements

1. You must have *ALLOBJ and *SECADM authority to configure on-access scanning.

Setup

To view or modify on-access settings, choose Setup Menu option 1, or type AVCHGA at the command line and press F4.

Press PAGE DOWN for additional options.


Change AV On-Access Attributes (AVCHGA) command

On-Access type (ACCESS)

*OPEN

Scan files during open processing if: 1) The file has never been scanned, or 2) The file has been modified since the last time it was scanned, or 3) The virus definitions have been updated since the last time it was scanned.

*OPNCLO

Scan files during open processing and during close processing if the file's contents have changed.

*NONE

On-access scanning is disabled.


Clean infected files (CLEAN)

Specifies if the engine should remove the virus from the file ("clean"). If a file cannot be cleaned, the CLEANFAIL parameter provides a secondary choice.

*YES

Attempt to remove viruses from infected files.

*NO

Do not attempt to clean infected files.

Action if not cleaned (CLEANFAIL)

*QRN

Quarantine infected files. For more information see Quarantine.

*DELETE

Delete infected files.

*NONE

No action is performed.

Heuristic analysis (HEURISTIC)

Include heuristic analysis to find new viruses. When you use heuristic analysis, the scanning engine employs heuristic technology to detect potentially unknown viruses in executable files (programs). Without this option, the engine can only find viruses that are already known and identified in the current virus definition files.

*YES

Include heuristic analysis to find new viruses. This attribute slows the engine's performance and consumes additional processor resources.

*NO

Do not use heuristic analysis.


Macro analysis (MACRO)

Specifies if you want to treat embedded macros that have code resembling a virus as if they were viruses. This parameter is similar to Heuristic analysis but scans for new viruses in compound document formats; for example, Microsoft OLE formats such as Word documents.

You can use both Macro Analysis and Heuristic Analysis as parameters, and the engine determines which heuristics to implement based on the file type.

*YES

Include macro analysis to find new viruses. This attribute slows the engine's performance and consumes additional processor resources.

*NO

Do not use macro analysis.

Potentially unwanted programs (PROGRAMS)

Specifies if you want scanning activities to include detection of some widely available applications, such as password crackers or remote access utilities that can be used maliciously or pose a security threat.

*NO

Do not scan for potentially unwanted programs.

*YES

Scan for potentially unwanted programs.

Scan archives (ARCHIVES)

Specifies if you want scanning activities to include archive files. Archive files contain embedded files and usually end with one of the following extensions: .ZIP, .TAR, .CAB, .LZH, .JAR and .UUE. This option will also permit scanning of MSCompress files.

*YES


Scan archive files to find new viruses. This attribute slows the engine's performance and consumes additional processor resources.

*NO

Do not scan archive files.

Files (FILES)

Specifies the types of files to include in scanning activities.

*DFT

Scan only file types that are most susceptible to virus infection. This option safely narrows the scope of scan operations to files that are susceptible to virus infection and reduces the amount of time devoted to scanning files.

*ALL

Scan all files. This attribute slows the engine's performance, but offers you the best protection against infection.

*ALLMACRO

Expands scanning activities to include an examination of all files to determine if they contain known macro viruses. This attribute slows the engine's performance but offers you the best protection against infection from macro viruses. This option is faster than the *ALL files option, which examines every file for program viruses and macro viruses.

Exclude directories (EXCL)

Note. Even if a directory is omitted from on-access scanning, StandGuard Anti-Virus will still scan the directory if it is included in an on-demand scan task.

Specifies the list of directories to exclude from on-access scanning. Domino data directories are a good choice here, since Domino is known to have problems when it cannot open infected files.

Timeout (TIMEOUT)


Specifies the maximum number of seconds the product will spend scanning any one particular file during an on-access scan. After the specified number of seconds, the file is allowed to be opened and the file’s scan status remains unchanged. The default setting is 30 (seconds).

Logging level (LOGLVL)

Specifies the amount of information logged to the avsvr.log file. Settings 2 and 3 can be used for troubleshooting but are not recommended for long term use, as the log file can grow very large and scanning performance is reduced.

*NONE

No information is logged.

1

Infections and actions about file cleaning and quarantine.

2

Everything from level 1 and file names.

3

Everything from level 2 and job names.

System Values

There are two system values that control when the operating system calls upon StandGuard Anti-Virus to scan a file: QSCANFS and QSCANFSCTL. You can access these settings by choosing option 4 from the StandGuard Anti-Virus Support Menu.

Scan file systems (QSCANFS)

Note. Do not set this value to *NONE unless you want to disable all on-access and on-demand virus scanning.

QSCANFS identifies which file systems will be scanned using on-access scanning. The only supported value is *ROOTOPNUD. Only files in the Root, QOpenSys and UDFS file systems support on-access scanning. Other file systems, such as QDLS, do not support on-access scanning and must be scanned using on-demand scanning.

Scan file systems control (QSCANFSCTL)

QSCANFSCTL provides several options to balance security and performance. One or more of the following values may be specified. The default value is *NONE, however when StandGuard Anti-Virus is installed we change this setting to *FSVRONLY.

*FSVRONLY - Only accesses through the file servers will be scanned. For example, accesses through Network File System will be scanned as well as other file server methods. If this is not specified, all accesses will be scanned (5250 access will be scanned).

*USEOCOATR - The system will use the specification of the "object change only" attribute to only scan the object if it has been modified. If this is not specified, this "object change only" attribute will not be used, and the object will be scanned after it is modified and when virus definitions have changed. Using *USEOCOATR can make on-demand scans run considerably faster by not scanning files that have not changed. However, be aware this value may allow a virus to hide in a file indefinitely. Use with caution.

Note. Be careful using *ERRFAIL: if the file cannot be scanned for any reason (if the AVSVR job is not running, for example) the operating system will not allow any stream files to be opened.

*ERRFAIL - If there are errors when attempting to scan a file (the AVSVR job is not running, for example), the operating system will not allow the file to be opened. If this value is not specified, the system will allow the file to be opened and treat it as if the object was not scanned.

*NOPOSTRST - After objects are restored, they will not be scanned just because they were restored. In general, it may be dangerous to restore objects without scanning them at least once. It is best to use this option only when you know that the objects were scanned before they were saved or they came from a trusted source.

i5/OS Directory and File Scan Attributes

Each directory in the supported file systems has a value to control the scanning attribute for files created in that directory. As new files are created, they inherit the setting on their parent directory. You can view the directory settings using WRKLNK and System i Navigator. By default, all directories and files are configured to be scanned.

To change all files in a directory to not be scanned using On-Access scanning, run the command CHGATR OBJ('/path/*') ATR(*SCAN) VALUE(*NO) SUBTREE(*ALL), where path is the name of the directory you want to change.

When you use the AVCHGA command the scan attributes are updated automatically, so normally you do not need to perform the CHGATR command. This information is provided in case you want to modify scan attributes outside the product (when you create a new directory, for example).

Performance Considerations

When applications open files that require scanning, there will be a delay while the system completes the scan. For most files, the scanning can take only a fraction of a second. However, large files, archive files and compressed .exe files can take several seconds or minutes.

As with on-demand scanning, once a file has been scanned by any job, that file is not re-scanned by other jobs unless the file is modified, or if the virus definitions have been updated. Only the first time the file is accessed will the file be scanned and subsequent accesses will not require scanning.

The options listed below (in no particular order) are suggestions on ways to reduce the overhead associated with on-access scanning.

Note. Turning off archive scanning offers no protection against .zip viruses.

1. Turn off scanning of archives. Archive scanning takes additional CPU resources. Please note many viruses come in the form of .zip files.

2. Use on-demand scanning during off-peak hours to pre-scan directories. Files that have been prescanned using on-demand scanning will not be scanned on open unless they have changed.


Troubleshooting

• On-access scanning requires a server job (AVSVR running in the QSYSWRK subsystem) to be active at all times. Use the command WRKJOB AVSVR and verify the job is active and there are no error messages in the joblog. If the job is ended, use the AVSTRSVR command to restart it. Use the WRKJOB AVSVR command to locate the joblog for the failing job and contact Technical Support if necessary.

• View the file’s scan attribute using WRKLNK and then option 8. Verify the ‘Object scanning’ is set to *YES.

• If it appears files are not being scanned, look in the joblog of the job for potential messages. Use the WRKOBJLCK USER1 *USRPRF command to locate all the active jobs for the user (replace USER1 with the actual user). The job may be QZLSFILE if using mapped drives. Use the WRKLNK command to locate the file and use option 8 to view the file’s scan settings. Verify QSCANFSCTL does not include *USEOCOATR.

• If a virus was not detected in a particular file, verify your virus definitions ‘know’ about the suspected virus. Check the McAfee virus information library at http://vil.nai.com.

• If it appears files are not being scanned in a 5250 environment (WRKLNK option 5, for example), verify the System value QSCANFSCTL does not include *FSVRONLY. This is the default setting after installation and must be removed to enable scanning in a 5250 environment. On-demand scanning overrides this setting so *FSVRONLY does not have any influence upon on-demand scanning.

Recommendations

• On-access scanning requires a server job (AVSVR running in the QSYSWRK subsystem) to be active at all times. If this job is ended for any reason then on-access scanning is disabled but applications will still try to connect with the AVSVR job. If you want to disable on-access scanning, use the AVCHGA command to set the access type to *NONE.

• HelpSystems strongly recommends that you implement procedures to monitor the AVSVR job to ensure it is always running and restart the job as necessary. For more information, see "Chapter 13 - Monitoring" on page 115.

• i5/OS provides exit points to enable scanning of files on close without requiring scanning on open. StandGuard Anti-Virus does not support or provide options to configure this combination.


• However it is possible to manually configure this outside the product - do not do this. Scanning files on close only does not provide adequate virus protection.

• Be sure to keep the virus definitions up to date.

• The IBM i Java Runtime contains many .jar files that can take a long time to scan. This can cause a noticeable delay when starting Java applications. This delay occurs only when all of the following conditions are true:

1. The system value QSCANFSCTL does not contain *FSVRONLY

2. The files have never been scanned or the virus definitions have been updated since they were last scanned.

• If the Java startup time is unacceptable then run an on-demand scan of the ‘/QIBM/ProdData’ directory after a virus definition update. This will cause the files to be pre-scanned during off-peak times. Then, when normal Java applications are started during production hours these files will not require scanning.

• Exclude Domino data directories from on-access scanning. Domino servers are known to crash whenever they encounter an infected file that has been marked as *FAILURE. This is not a problem with StandGuard Anti-Virus or the operating system - this is a problem with the Domino application.


Chapter 6 - Email Scanning

StandGuard Anti-Virus includes the ability to scan electronic mail messages passing through the IBM i Mail Server Framework (MSF) for viruses and malicious programs. If you are using the IBM i SMTP server, StandGuard Anti-Virus can perform virus scanning on emails before they reach your PC clients.

Features

• Scans IBM i SMTP email at the server

• Scans inside archive files such as .ZIP, .JAR, etc.

• Detects header exploits and malformed MIME

• Redirects infected or suspicious email to an Administrator

Scans SMTP Email at the server

StandGuard Anti-Virus scans email messages passing through the IBM i Mail Server Framework looking for known viruses as well as code that could be malicious. This means it can protect against known viruses, but most importantly, potentially against unknown viruses and/or malicious code. This is crucial as an unknown virus could be a one-off piece of code, developed specifically to break into your network.

Scans compressed and encoded messages

StandGuard Anti-Virus scans deep inside attachments to detect viruses buried in multiple levels of encoding and compression. StandGuard Anti-Virus decodes BINHEX, UUENCODE and XXENCODE, MIME (BASE64 and quoted-printable), TNEF, and IMC attachments. Files compressed with PKZIP, ZIP2EXE, ARJ, ARJ2EXE, JAR, LHA, LHA2EXE, TAR, GZIP, UNIX PACK, and MSCompression methods are also effectively scanned. StandGuard Anti-Virus even scans files with multiple compression levels; for example, a ZIP file that has also been compressed with LZEXE and ARJ, then zipped again, and so on.

Detects header exploits and malformed MIME

MIME headers specify things such as the subject line, date, or filename. By specifying a well-crafted string, a skilled hacker could execute arbitrary code on the target machines. Such vulnerabilities are prone to exploitation for penetrating remote networks or for delivery of viruses and worms. This vulnerability allows attached executable files to be run when a message is simply viewed. Several common viruses make use of this exploit, including W32/Badtrans@MM, W32/Nimda.gen@MM, and W32/Klez.gen@MM. StandGuard Anti-Virus detects these header exploit tactics and blocks these messages from reaching your desktop clients such as Outlook Express where the virus is able to execute.

Redirects infected or suspicious email to an Administrator

When a known virus, potentially malicious program, or an e-mail using a MIME header exploit is detected, StandGuard Anti-Virus can either redirect the mail to an administrator or simply delete the mail without forwarding. In either case, a message is logged to the AVMSGQ for real-time monitoring purposes and the AVLOG file for a more permanent audit trail.

Setup

To activate StandGuard Anti-Virus scanning of SMTP messages passing through the IBM i Mail Server Framework, choose option 5 from the Setup menu or type the command STANDGUARD/AVCHGSMTPA and press F4.

Scan SMTP mail (SCANSMPT)

*YES activates scanning of mail. *NO deactivates mail scanning. Note: *IOSYSCFG authority is required to change this setting.

How to handle infected mail

The Action (ACTION) specifies how you want the infected mail to be handled. *FORWARD will forward infected mail to the specified forward address. Provide the address in the Forward address field. The infected mail will be forwarded and not be delivered to the intended recipients. *DELETE will simply delete the mail without forwarding. In either case a message is logged to STANDGUARD/AVMSGQ with information about the infection and the action taken.


Figure 1 shows an example of an infected mail item that StandGuard Anti-Virus forwarded to the administrator. The original email is attached so it can be examined in its original form if necessary.

Note. Be very careful opening these attachments. The email from StandGuard Anti-Virus can be opened safely, but the attachment is the original message and is a virus.

Figure 1

Troubleshooting

• Use the Support Menu option 2, and locate the job that processed the email item. There may be many jobs to choose from or the job may have completed. Look in the joblogs for any error messages.

• If a virus was not detected in a particular file, verify your virus definitions ‘know’ about the suspected virus. Check the McAfee virus information library at http://vil.nai.com.

• If you do not want mail scanned, turn off mail scanning (using Setup Menu option 4, or the AVCHGSMTPA command).

• The exit point used to scan mail is QIBM_QZMFMSF_SEC_AUT. If, under rare circumstances, you are not able to disable mail scanning using the recommended procedures, then use WRKREGINF QIBM_QZMFMSF_SEC_AUT and remove exit program AVSMTPX. Then restart MSF (ENDMSF, STRMSF). That will end the connection between the mail server and StandGuard Anti-Virus.

l Restart MSF using ENDMSF and STRMSF commands.


Recommendations

• Consider using SMTP filters to filter out messages with certain types of harmful attachments. For more information about SMTP filters, see

http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/index.jsp?topic=%2Frzair%2Frzairfilter.htm

• Keep virus definitions up to date. See Updating virus definitions.


Chapter 7 - Object Integrity Scanning

StandGuard Anti-Virus can detect potentially dangerous changes to the operating system, and user programs that have the potential to cause serious harm to the operating system and bypass security. StandGuard Anti-Virus Object Integrity scanning can:

• Detect changes to IBM provided operating system objects

• Detect if libraries or commands have been tampered with

• Detect user programs that have been patched into fooling the operating system to allow it to bypass security and system integrity

• Optionally retranslate patched programs, reinstating the operating system’s ability to enforce its security and object integrity protection with these programs

We recommend you run an object integrity scan:

• After someone has restored programs to your system

• After someone has used dedicated service tools (DST)

• After you install a product from a new ISV and at least periodically after updates from established ISVs

• Periodically to check if anyone has changed any system objects

Digital Signature Checking

Beginning in V5R1, IBM started signing the operating system as a way of officially marking objects as originating from IBM and as a means of detecting when unauthorized changes occur to system objects. A digital signature can be used to show proof of origin and detect tampering.

Figure 1 shows an example of digital signatures. There are tens of thousands of digital signatures on the system. A digital signature does not prevent an object from being modified or tampered with – but it can be used to determine if an object has been changed.


Figure 1 - i5/OS Digital Signatures

Whenever an object is changed, the digital signature is invalidated. The object may continue to run, but not in a way that was intended by the signer (IBM, in this case). StandGuard Anti-Virus uses architected program interfaces (APIs) provided by IBM to verify the signature of these objects that have been digitally signed.

Patched programs

A potentially very serious security risk is user programs that have been patched to fool the operating system into allowing them to bypass all system security levels. Allowing system state programs provided by someone other than IBM represents a potential integrity risk to your system. At best these programs may be using interfaces or directly manipulating the internals of the objects that IBM is free to change at any time. The results of such a change could be a failed application, an unstable system, or even a damaged system that needs to be reinstalled. At worst, they could be rogue programs that are bypassing the auditing and integrity of your system to steal information or intentionally damage it.

StandGuard Anti-Virus can detect patched programs, and optionally retranslate them to remove the patch. Retranslating will in most cases cause the program to fail. We recommend running the object integrity scan with the translate option set to *NO, then reviewing the output of the command to see what programs were detected. Contact the owner and/or administrator of the programs to obtain proper versions of the programs. If proper versions cannot be obtained, you can add the program(s) to an exclusions list. Exclude the program only when you trust the vendor/owner of the program at the expense of bypassing operating system integrity and security.

Setup

To set up object integrity scanning, choose option 5 from the Setup Menu, or type AVCFGITGT at the command line and press F4.

Task name

Specifies the name or description of the task. The task name is used to configure and run tasks. To create a new task, type the name you want to use. To see a list of existing tasks, press F4.

Type

The type of the task. Once a task is created, the type cannot be changed.

*LIB

The task is a library scan task. Objects in a library (libraries) will be scanned.

*USER

The task is a user scan task. Objects owned by a user (users) will be scanned.

Libraries

The list of libraries to scan. Applies only when TYPE(*LIB) specified.

*IBM

All libraries in the auxiliary storage pools (ASPs) defined by the ASP device (ASPDEV) parameter which are saved and restored using the SAVLIB and RSTLIB CL commands with *IBM specified for the Library (LIB) parameter are selected.

*ALLUSR

All libraries with names that do not begin with the letter Q except for the following:

#CGULIB     #DSULIB     #SEULIB

#COBLIB     #RPGLIB

#DFULIB     #SDALIB

Although the following libraries with names that begin with the letter Q are provided by IBM, they typically contain user data that changes frequently. Therefore, these libraries are also considered user libraries:

QDSNX     QRCLxxxxx    QUSRIJS      QUSRVxRxMx
QGPL      QSRVAGT      QUSRINFSKR
QGPL38    QSYS2        QUSRNOTES
QMGTC     QSYS2xxxxx   QUSROND
QMGTC2    QS36F        QUSRPOSGS

generic-name

Specify the generic name of the objects to be shown. A generic name is specified as a character string that contains one or more characters followed by an asterisk (*). A generic name specifies objects that have names with the same prefix as the generic object name for which you have some authority (except *EXCLUDE authority).

library name

The name of the library to be scanned.

Users

The list of users whose owned objects will be scanned.

generic-name

Specify the generic name of the objects to be shown. A generic name is specified as a character string that contains one or more characters followed by an asterisk (*). A generic name specifies objects that have names with the same prefix as the generic name for which you have some authority (except *EXCLUDE authority).

user name

Specify the name of the user to be scanned.

Omit

The list of objects to exclude from scanning. If you are working with library scan tasks, specify the library name you want to exclude. For example, ABCLIB will exclude library ABCLIB. ABC* will exclude all libraries starting with ABC.

If you are working with user scan tasks, specify the user name you want to exclude. For example, USER1 will exclude user USER1. USER* will exclude all users starting with USER. To exclude an object from checking, specify the QSYS.LIB path name of the object. For example, to exclude PGM1 from LIBA, specify /QSYS.LIB/LIBA.LIB/PGM1.PGM.

Check signatures

Determines whether the digital signatures of objects that can be signed will be checked. Most objects in user libraries are not signed. Using CHKSIG(*ALL) on user libraries will log an error for every object in the library - probably not what you want. All IBM objects are signed, so use CHKSIG(*ALL) on all IBM libraries, and CHKSIG(*SIGNED) on user libraries that are not signed.

*SIGNED

Objects with digital signatures are checked. Any object with a signature that is not valid will be logged. Use this option with LIB(*ALLUSR) to check objects in user libraries that have digital signatures.

*ALL

All objects that can be digitally signed are checked. Any object that can be signed but has no signature will be logged. Any object with a signature that is not valid will be logged. Use this option with LIB(*IBM) to ensure there are no unsigned objects in IBM libraries.

Force program recreation

Specifies if programs that have been patched using unsupported system interfaces are to be retranslated (removes the patch). These types of programs have the ability to compromise operating system integrity and bypass security.

*NO

Log the violation but do not retranslate the offending program. The program will continue to work as before (operating system integrity and security can still be bypassed).

*YES

Log the violation and retranslate the offending program. In most cases this will cause the program to fail at security levels 40 and 50, but reinstates operating system integrity and security.

Schedule

Specifies the type of scheduling for the command or process.

*NONE

The task is not scheduled.

*DAILY

The task will be scheduled to run once per day.

*WEEKLY

The task will be scheduled to run once per week.

*MONTHLY

The task will be scheduled to run on the same day each month.

Note. When you specify a schedule and press Enter, the product schedules the job AVRUNTSK using the ADDJOBSCDE command.

Day, Days, Time

Specifies the specific time periods object integrity scanning will run, depending on the choice selected for Schedule. For more information on the values allowed for these parameters, press Help.

Examples

1. Check all operating system libraries, ensure all objects are signed and have valid signatures, and schedule the task to run automatically on Fridays at 1:00 AM:

AVCFGITGT TASK(*SYS) TYPE(*LIB) LIB(*IBM) CHKSIG(*ALL) FRCCRT(*NO) SCHEDULE(*WEEKLY) SCHEDDAY(*FRI) SCHEDTIME(010000)

2. Check all user libraries for patched programs, verify digital signatures of objects that have been signed, and schedule the task to run automatically on Mondays, Wednesdays and Fridays at 11:00 PM:

AVCFGITGT TASK(*ALLUSR) TYPE(*LIB) LIB(*ALLUSR) CHKSIG(*SIGNED) FRCCRT(*NO) SCHEDULE(*DAILY) SCHEDDAYS(*MON *WED *FRI) SCHEDTIME(230000)

Recommendations

• Most IBM commands duplicated from a release prior to V5R2 will be logged as violations. These commands should be deleted and re-created using the CRTDUPOBJ (Create duplicate object) command each time a new release is loaded.

• Running an Object Integrity Scan requires *AUDIT special authority. Sign on as QSECOFR when changing the object integrity scanning schedule.

• The command may take a long time to run because of the scans and calculations it performs. You should run it at a time when your system is not busy.

• Most objects in user libraries are not signed. Using CHKSIG(*ALL) on user libraries will log an error for every object in the library – probably not what you want. All IBM objects are signed, so use CHKSIG(*ALL) on all IBM libraries, and CHKSIG(*SIGNED) on user libraries that are not signed.

Sample Report

The following lists a sample Object Integrity scanning report. The sample shows a scan of the QSYS and QIWA* libraries for illustration purposes only.

Time . . . . . . . . . . : Wednesday, Nov 10 01:02 PM
Job. . . . . . . . . . . : AVRUNITG   MIKE       013640
Task name. . . . . . . . : *SYS
Task type. . . . . . . . : *LIB
Libraries. . . . . . . . : QSYS
                           QIWA*
Check signatures . . . . : *ALL
Force program creation . : *NO
Exclusions . . . . . . . : *NONE

Time      Library
========  ==========
13:02:58  *           (System integrity)
                      QVFYOBJRST system value does not verify object signatures during restore at its current setting.
13:07:30  QSYS        The runnable object QEZAST type *PGM has been tampered with.
                      The object QWSACCDS type *PGM has a digital signature that is not valid.
13:16:25  QIWA2       The object CFGACCWEB2 type *CMD can be signed but does not have a digital signature.
                      The object ENDACCWEB2 type *CMD can be signed but does not have a digital signature.
                      The object RMVACCWEB2 type *CMD can be signed but does not have a digital signature.
                      The object STRACCWEB2 type *CMD can be signed but does not have a digital signature.

6 violation(s) found!

Error messages

The following list shows the most common error messages that may appear on the report:

Message ID Error message text

CPF9EA7 QVFYOBJRST system value does not verify object signatures during restore at its current setting.

The object has a digital signature that is not valid.

The domain is not correct for the object type.

The runnable object has been tampered with.

The library protection attribute is set incorrectly.

CPFB722 The object can be signed but does not have a digital signature.

The object cannot be checked, it is in debug mode, saved with storage freed, or compressed.

The object has not been converted to RISC format.

CPFB749 Object signature operation ended abnormally. &1 objects attempted, &2 objects successfully processed.
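For reviewing scan output at scale, the report can be parsed and its findings grouped by type. The following is an added example, not part of the product or this guide's original text: it parses a constructed copy of the sample report above (header abridged), undoes line wrapping, and orders findings for review. The function names, the category labels and the review order are assumptions of this example.

```python
import re
from collections import Counter

# Constructed input: the sample report from this guide, re-typed with an abridged header.
SAMPLE_REPORT = """\
Task name. . . . . . . . : *SYS
Task type. . . . . . . . : *LIB
Check signatures . . . . : *ALL
Force program creation . : *NO

Time      Library
========  ==========
13:02:58  *           (System integrity)
QVFYOBJRST system value does not verify object signatures during restore at its
current setting.
13:07:30  QSYS        The runnable object QEZAST type *PGM has been tampered with.
The object QWSACCDS type *PGM has a digital signature that is not valid.
13:16:25  QIWA2       The object CFGACCWEB2 type *CMD can be signed but does not have a
digital signature.
The object ENDACCWEB2 type *CMD can be signed but does not have a
digital signature.
The object RMVACCWEB2 type *CMD can be signed but does not have a
digital signature.
The object STRACCWEB2 type *CMD can be signed but does not have a
digital signature.

6 violation(s) found!
"""

HEADER = re.compile(r"^([A-Za-z ]+?)[ .]+: (.+)$")
SECTION = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(\S+)\s*(.*)$")
FOOTER = re.compile(r"^(\d+) violation\(s\) found!")
OBJECT_MSG = re.compile(
    r"The (?:runnable )?object (\S+) type (\*\w+) "
    r"(has been tampered with|has a digital signature that is not valid"
    r"|can be signed but does not have a digital signature)"
)
SYSVAL_MSG = re.compile(r"(\w+) system value does not verify object signatures")

# Category labels and review order are assumptions of this example.
KINDS = {
    "has been tampered with": "TAMPERED",
    "has a digital signature that is not valid": "BAD_SIGNATURE",
    "can be signed but does not have a digital signature": "UNSIGNED",
}
PRIORITY = ["TAMPERED", "BAD_SIGNATURE", "SYSTEM_SETTING", "UNSIGNED"]


def parse_report(text):
    """Return header fields, ordered findings and the footer count of one report."""
    header, sections, reported = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        footer = FOOTER.match(line)
        section = SECTION.match(line)
        if footer:
            reported = int(footer.group(1))
        elif section:
            # A "HH:MM:SS  LIBRARY  text" line opens the block for one library.
            sections.append([section.group(1), section.group(2), [section.group(3)]])
        elif sections:
            sections[-1][2].append(line)  # wrapped or additional message text
        else:
            field = HEADER.match(line)
            if field:
                header[field.group(1)] = field.group(2).strip()

    findings = []
    for time, library, parts in sections:
        body = re.sub(r"\s+", " ", " ".join(parts))  # undo line wrapping
        for name, obj_type, phrase in OBJECT_MSG.findall(body):
            findings.append({"time": time, "library": library, "object": name,
                             "type": obj_type, "kind": KINDS[phrase]})
        for sysval in SYSVAL_MSG.findall(body):
            findings.append({"time": time, "library": library, "object": sysval,
                             "type": "*SYSVAL", "kind": "SYSTEM_SETTING"})
    findings.sort(key=lambda f: PRIORITY.index(f["kind"]))  # stable sort
    return {"header": header, "findings": findings, "reported": reported}


def summarize(report):
    """Count findings per category and note whether the scan only logged."""
    kinds = Counter(f["kind"] for f in report["findings"])
    object_level = sum(n for kind, n in kinds.items() if kind != "SYSTEM_SETTING")
    return {"by_kind": dict(kinds), "object_level": object_level,
            "report_only": report["header"].get("Force program creation") == "*NO"}
```
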

Chapter 8 - Updating Virus Definitions

About Virus Definitions

Anti-virus products are only as effective as their last update. McAfee releases virus definition updates every day. To ensure your system is protected against the latest virus threats, you must implement automatic updating of virus definition files at a minimum.

Setup

To ensure your system is always protected against the latest virus threats, you need to perform the following tasks. The remainder of this chapter covers each step in more detail.

1. Configure automatic update settings.

2. Run the update process to ensure automatic update is working.

3. Troubleshoot any problems as necessary.

4. Schedule the automatic update process to run daily.

5. Monitor the process for potential problems.

Note. You must run the command as a user with *ALLOBJ and *SECADM authority (such as QSECOFR).

To configure automatic update settings, choose option 2 from the Setup menu or type the command STANDGUARD/AVCHGUPDA and press F4.

Change automatic update Attributes (AVCHGUPDA)

Transfer method (FROM)

Specifies the transfer method that will be used to retrieve the new virus definition files.

*FTP

The data will be downloaded from an FTP server using the File Transfer Protocol (FTP).

*PATH

The data will be retrieved from a network path. The path option is typically used in a network environment where you have one or more IBM i servers downloading from an FTP site and saving to a local path. This improves performance and security by using one IBM i server or partition to download the files to a secured share. The remaining servers or partitions can use this option to access the files over the local network.

Path (PATH)

Specifies the network path name that will be used to retrieve the virus definition files. This option applies only if the FROM keyword is *PATH. Use this option when you have another server or partition saving the files to a network path.

FTP location (FTP)

Specifies the host name and path that will be used to obtain the information. This option applies only when the FROM keyword is *FTP.

Note: The system must be able to access the FTP site through any firewalls.

*DFT

The data will be downloaded from the default FTP location: ftp://ftp.nai.com/CommonUpdater/

location-name

Specify the host name and path in the format domain/path.

FTP User (FTPUSR)

Specifies the remote user name to use when logging into the FTP server.

*ANONYMOUS

The user 'anonymous' will be used.

user-name

Specify the user name to use for the FTP login.

FTP Password (FTPPWD)

Specifies the password for the remote user name when logging into the FTP server. This parameter applies only when the FTP User (FTPUSER) is not *ANONYMOUS.

Note. The password is stored unencrypted in file AVUPDATE, which has public *EXCLUDE authority. However, the password is sent to the FTP server unencrypted.

Schedule (SCHEDULE)

Specifies the type of scheduling for the command or process.

*DAILY

Run the update every day (recommended).

*WEEKLY

Run the update once per week.

*MONTHLY

Run the update once per month.

*NONE

Automatic update is disabled. This setting is not recommended unless you choose to handle automatic updating outside the product.

Note. When you specify a schedule and press Enter, the product adds the job schedule entry AVUPDATE using the ADDJOBSCDE command. The job runs as user STANDGUARD.

Day, Days, Time

Specifies the specific time period for the automatic update process to run, depending on the choice selected for Schedule. For more information on the values allowed for these parameters, press Help.

Example

To schedule an automatic upgrade to run once per week:

AVCHGUPGA FROM(*FTP) FTP(*DFT) SCHEDULE(*DAILY) SCHEDDAYS(*WED) SCHEDTIME(083000)

To manually run an upgrade, choose option 21 from the Main Menu or type the command AVRUNUPG and press Enter.

AVRUNUPG OUTPUT(*)

Sample Report

************************************************************
* DAT Update Log                                           *
************************************************************

Tue Dec 29 10:01:48 2009

Current version is 0000

************************************************************
* Getting INI files                                        *
************************************************************

Output redirected to a file.
Input read from specified override file.
Connecting to host FTP.NAI.COM at address 198.63.231.45 using port 21.
220 spftp/1.0.0000 Server [198.63.231.45]
Enter login ID (user):
331 Password required for USER.
230-
230----------------------------------------------------------------------------
230- WARNING:  This is a restricted access system.  If you do not have explicit
230-           permission to access this system, please disconnect immediately!
230----------------------------------------------------------------------------
UNIX
Enter an FTP subcommand.
> sendpasv
SENDPASV is off.
Enter an FTP subcommand.
> namefmt 1
500 Command not supported.
Client NAMEFMT is 1.
Enter an FTP subcommand.
> lcd /StandGuard/AV/temp
Local working directory is /StandGuard/AV/temp
Enter an FTP subcommand.
> ASCII
200 TYPE set to A.
Enter an FTP subcommand.
> get /CommonUpdater/oem.ini ./oem.ini (replace
200 PORT command successful.
150 Opening ASCII mode data connection for /CommonUpdater/oem.ini (2031 bytes).
226 Transfer Complete
2031 bytes transferred in 0.020 seconds. Transfer rate 103.987 KB/sec.
Enter an FTP subcommand.
> get /CommonUpdater/gdeltaavv.ini ./gdeltaavv.ini (replace
200 PORT command successful.
150 Opening ASCII mode data connection for /CommonUpdater/gdeltaavv.ini (2314 bytes).
226 Transfer Complete
2314 bytes transferred in 0.019 seconds. Transfer rate 124.712 KB/sec.
Enter an FTP subcommand.
> QUIT
221 Goodbye.

Remote version is 5846

************************************************************
* Getting full DAT files                                   *
************************************************************

Output redirected to a file.
Input read from specified override file.
Connecting to host FTP.NAI.COM at address 198.63.231.98 using port 21.
220 spftp/1.0.0000 Server [198.63.231.98]
Enter login ID (user):
331 Password required for USER.
230-
230----------------------------------------------------------------------------
230- WARNING:  This is a restricted access system.  If you do not have explicit
230-           permission to access this system, please disconnect immediately!
230----------------------------------------------------------------------------
UNIX
Enter an FTP subcommand.
> sendpasv
SENDPASV is off.
Enter an FTP subcommand.
> namefmt 1
500 Command not supported.
Client NAMEFMT is 1.
Enter an FTP subcommand.
> lcd /StandGuard/AV/temp
Local working directory is /StandGuard/AV/temp
Enter an FTP subcommand.
> bin
200 TYPE set to I.
Enter an FTP subcommand.
> get /CommonUpdater/avvdat-5846.zip ./avvdat-5846.zip (replace
200 PORT command successful.
150 Opening BINARY mode data connection for /CommonUpdater/avvdat-5846.zip (57884357 bytes).
226 Transfer Complete
57884357 bytes transferred in 323.073 seconds. Transfer rate 179.168 KB/sec.
Enter an FTP subcommand.
> QUIT
221 Goodbye.

************************************************************
* Extracting DAT files                                     *
************************************************************

Copying 'output' to '/StandGuard/AV/logs/$dat update.log'
extracted: legal.txt
inflated: avvclean.dat
inflated: avvnames.dat
inflated: avvscan.dat

avvnames.dat - OK
avvscan.dat - OK
avvclean.dat - OK

Backing up datfiles

************************************************************
* Replacing datfiles                                       *
************************************************************

Copying 'avvnames.dat' to '/StandGuard/AV/dat/avvnames.dat'
Copying 'avvclean.dat' to '/StandGuard/AV/dat/avvclean.dat'
Copying 'avvscan.dat' to '/StandGuard/AV/dat/avvscan.dat'

DAT files successfully updated to 5846

************************************************************
* DAT Update - Success                                     *
************************************************************

Troubleshooting

• Run the command FTP FTP.NAI.COM from a command line. Verify you are able to connect and log in with user anonymous. Run a dir command to verify passive ftp is working. Get assistance from your network administrator if possible.

• If the connection message is similar to "Cannot connect to host FTP.NAI.COM at address 205.227.137.53. Try again later.", you either have a firewall blocking FTP traffic from your IBM i IP address to McAfee's FTP server, or no default route configured. You can check your default route using the command CFGTCP, option 2. Typically the default route is the IP address of your firewall or router. Consult with your security or system administrator.

• If the connection message is similar to "Cannot find host FTP.NAI.COM", then most likely DNS is not configured or misconfigured. Use CFGTCP, option 12 and verify your Domain Name Server settings. Consult with your network administrator. You may be able to use the same value as your PC's - for Windows PCs go to a DOS window and type ipconfig /all. Cross reference the DNS server IP address with the values specified in CFGTCP option 12.

• Use Menu option 10 to work with logs. Review the log for error messages. Contact HelpSystems Technical support if necessary.

Recommendations

• Schedule the update process to run daily. The job doesn't consume much CPU resources and could be run during the day if necessary. Approximate run time should be less than 10 minutes, providing there are no network problems or delays.

• The automatic update job AVUPDATE runs under the STANDGUARD profile. If you decide to schedule the command outside the product, you will need to ensure either the STANDGUARD profile is used or a profile with *ALLOBJ authority. STANDGUARD does not have *ALLOBJ authority but works because it is the owner of the virus definition files. Public has only read authority, so if you do not use STANDGUARD you will need *ALLOBJ authority.

• Monitor the messages in the AVMSGQ to ensure an ongoing problem is noticed and remedied as soon as possible. Do not allow a connectivity problem to go unresolved or the virus definition files will become quickly outdated and will not provide adequate protection against new viruses.

• Do not hardcode the IP address of FTP.NAI.COM in any scripts or firewalls. The IP address of FTP.NAI.COM changes frequently.

• If you have multiple iSeries servers or partitions, with StandGuard Anti-Virus installed on all systems or partitions, we suggest configuring one system or partition to retrieve virus definitions from the default path and save the files to a shared path on the local network. On the remaining systems and partitions, use the PATH options to retrieve virus definitions over the local network.
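One way to act on the monitoring recommendation, as an added example that is not part of the product or this guide's original text: a check over the DAT update log that relies on the final status line, the version lines and the log's age rather than on FTP reply codes, since the sample log contains a harmless "500 Command not supported." reply. It assumes the log has been copied off the IBM i as plain text; the function name and the two-day age threshold are assumptions, and both log samples are constructed from text shown in this chapter.

```python
import re
from datetime import datetime, timedelta

# Constructed input: abridged from the sample DAT update log in this chapter.
SAMPLE_LOG = """\
* DAT Update Log *
Tue Dec 29 10:01:48 2009
Current version is 0000
Connecting to host FTP.NAI.COM at address 198.63.231.45 using port 21.
> namefmt 1
500 Command not supported.
Client NAMEFMT is 1.
> get /CommonUpdater/oem.ini ./oem.ini (replace
226 Transfer Complete
Remote version is 5846
> get /CommonUpdater/avvdat-5846.zip ./avvdat-5846.zip (replace
226 Transfer Complete
avvnames.dat - OK
avvscan.dat - OK
avvclean.dat - OK
DAT files successfully updated to 5846
* DAT Update - Success *
"""

# Constructed failure case using the DNS message quoted under Troubleshooting.
FAILED_LOG = """\
* DAT Update Log *
Tue Dec 29 10:01:48 2009
Current version is 5846
Cannot find host FTP.NAI.COM
"""

STAMP = "%a %b %d %H:%M:%S %Y"  # e.g. "Tue Dec 29 10:01:48 2009"

# Hints restate the Troubleshooting section of this chapter.
KNOWN_ERRORS = {
    "Cannot connect to host": "firewall or default route (CFGTCP option 2)",
    "Cannot find host": "DNS settings (CFGTCP option 12)",
}


def _first(pattern, text):
    """Return the first capture group of pattern in text, or None."""
    match = re.search(pattern, text, re.MULTILINE)
    return match.group(1) if match else None


def check_update_log(text, now, max_age=timedelta(days=2)):
    """Summarize one update log and list reasons it needs attention."""
    started = None
    for line in text.splitlines():
        try:
            started = datetime.strptime(line.strip(), STAMP)
            break
        except ValueError:
            continue  # not the timestamp line

    result = {
        "started": started,
        "current": _first(r"^Current version is (\d+)", text),
        "remote": _first(r"^Remote version is (\d+)", text),
        "updated_to": _first(r"^DAT files successfully updated to (\d+)", text),
        "dat_ok": sorted(re.findall(r"^(\S+\.dat) - OK", text, re.MULTILINE)),
        "success": "DAT Update - Success" in text,
        "problems": [],
    }
    problems = result["problems"]

    # A stale log means the scheduled job has stopped running or stopped logging.
    if started is None:
        problems.append("no timestamp found in log")
    elif now - started > max_age:
        problems.append(f"log is {(now - started).days} days old")

    # FTP reply codes are deliberately ignored: the successful sample run
    # contains a 500 reply to "namefmt 1". Only the final banner counts.
    if not result["success"]:
        problems.append("run did not end with 'DAT Update - Success'")
    for message, hint in KNOWN_ERRORS.items():
        if message in text:
            problems.append(f"{message}: check {hint}")
    if result["updated_to"] and result["updated_to"] != result["remote"]:
        problems.append("installed version differs from remote version")
    return result
```
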

Using a PC to download virus definitions

StandGuard Anti-Virus provides everything you need to reliably download virus definitions automatically from McAfee's FTP server. StandGuard utilizes "micro-updates" to minimize the size and time required to download the full virus definition files. However, if you would rather implement your own procedures for supplying the virus definition files, then you will need to do the following:

1. Download the required files from McAfee's FTP server.

2. Make the files available to StandGuard Anti-Virus. StandGuard can retrieve the files from an FTP server, a local path or a network path.

3. Use some method of monitoring the process to ensure it is always working (recommended).

Download DAT files using a Windows PC and FTP script

The following information discusses a possible solution using a Windows PC and an FTP script. The information provided here is not a set of step-by-step instructions but rather a general description of what you need to do: relatively simple tasks for a Windows or network administrator. If you cannot accomplish these procedures for some reason, then we recommend purchasing a third-party FTP product (such as WSFTP Pro) and contacting the vendor for assistance.

The following commands can be used in a PC FTP batch file. Place the commands in a text file and name the file ftp.scr.

anonymous
anonymous
ascii
get /CommonUpdater/oem.ini
get /CommonUpdater/gdeltaavv.ini
bin
mget /CommonUpdater/avvdat-*.zip
mget /CommonUpdater/*.gem
quit

Please note the above process downloads substantially more data than StandGuard would normally download if it were running the update. This is because StandGuard analyzes the contents of the oem.ini and gdeltaavv.ini files before determining what needs to be downloaded, then downloads only the necessary files. A less sophisticated process like the one above doesn't interpret the contents of the ini files; it merely downloads all the files. The difference could be as much as 100MB.

Then to implement the script, create the following DOS batch file. Place the following commands in a text file and name the file getdats.bat:

md \datfiles
cd \datfiles
FTP -i -s:ftp.scr ftp.nai.com

Then to schedule the task, use Windows Scheduled Tasks. Schedule the task to run every day. For more information about scheduling a Windows task, click Start->Help, go to the Index and look for "Scheduling tasks".

For more information about using FTP, click Start->Help, go to the Index and look for FTP. You can also see Microsoft's Support site and search for KB 240727.

Making DAT files available to StandGuard Anti-Virus

Now that you have the virus definition files listed above in a directory on your network, the next step is to configure StandGuard Anti-Virus to retrieve the files from an alternate source. The configuration changes you make depend on where the files are located.

1. If the files are on another (internal) FTP server, simply configure StandGuard Anti-Virus to get the DAT files from your server. Use the AVCHGUPDA command to specify your server name (and path), and a user ID and password that is provided to you by your administrator. For example: AVCHGUPDA FROM(*FTP) FTP('IP-address/directory') FTPUSER(user) FTPPWD(password). Be sure to add the path to the end of the server's address. If the dat files are located in the user's home or root directory, then specify '/' after the address.

2. If the files are on a [Windows] network share, use a QNTC file system path name. Example: AVCHGUPDA FROM(*PATH) PATH('/QNTC/server-name/share-name')

3. You could copy the files to the IFS from within the batch file using a mapped drive. First use System i Navigator to create the directory and share it. Then add the following commands to the end of the DOS batch file:

   NET USE Z: \\computer-name\sharename password /USER:username
   copy \datfiles Z:

For more information about the Windows NET USE command and how to map a drive, see Windows Start->Help, Index, mapping a drive.

Finally, configure StandGuard Anti-Virus to obtain updates from the local IFS path:

AVCHGUPDA FROM(*PATH) PATH('/directory')

4. You could upload the files to the IBM i using FTP. Much in the same way an FTP script was used to download files, the following script will upload the files to the IBM i:

   username
   password
   quote site namefmt 1
   lcd /directory
   ascii
   put oem.ini
   put gdeltaavv.ini
   bin
   mput *.gem
   mput avvdat-*.zip
   quit

Then configure StandGuard Anti-Virus to obtain updates from a path:

AVCHGUPDA FROM(*PATH) PATH('/directory')

Chapter 9 - Downloading Program Temporary Fixes (PTFs)

About PTFs

HelpSystems releases Program Temporary Fixes (PTFs) and/or enhancements to the StandGuard Anti-Virus product from time to time. To ensure you have the latest fixes and enhancements, you should update the product right after installing for the first time, and thereafter, we recommend that you automate program upgrades to take advantage of the latest program features as they become available.

StandGuard Anti-Virus PTFs are implemented the same as IBM PTFs. The StandGuard Anti-Virus product ID is 0AV2000, and you can DSPPTF LICPGM(0AV2000) to see what PTFs are applied to the product. You can configure the product to download PTFs and apply them automatically, or you can simply download them manually on an as-needed basis. If you have multiple IBM i servers or partitions, you can configure each system to automatically download PTFs individually, or use System i Navigator Management Central to automatically distribute PTFs throughout your network (not discussed in this guide).

StandGuard Anti-Virus is pre-configured to download PTFs directly from HelpSystems' FTP server using anonymous FTP. If you are able to download virus definitions without difficulty then most likely you will be able to download PTFs OK. The setup of PTF updates is almost identical to the setup of DAT updates.

If you had to use a PC to download virus definitions, then most likely all of the steps and procedures you implemented for virus definitions will need to be implemented for PTFs. Essentially you need to use the same procedures as before but this time mirror ftp://standguard.helpsystems.com/i5/V7R2M0/ to an internal FTP server or network path.

Setup

Note. You must run the command as a user with *ALLOBJ authority (such as QSECOFR).

The Change Upgrade Attributes (AVCHGUPGA) and Run Upgrade (AVRUNUPG) commands are used to configure and run PTF processing. To configure settings, use Setup menu option 3 or type STANDGUARD/AVCHGUPGA and press F4.

Transfer method (FROM)

Specifies the transfer method that will be used to retrieve the files.

*FTP

The data will be downloaded from an FTP server using the File Transfer Protocol (FTP).

*PATH

The data will be retrieved from a network path. The path option is typically used in a network environmentwhere you have one or more IBM i servers downloading from an FTP site and saving to a local path. Thisimproves performance and security by using one IBM i server or partition to download the files to asecured share. The remaining servers or partitions can use this option to access the files over the localnetwork.

Path (PATH)

Specifies the network path name that will be used to retrieve the files. This option applies only ifthe FROM keyword is *PATH. Use this option when you have another server or partition savingthe files to a network path.

FTP location (FTP)

Specifies the host name and path that will be used to retrieve the files. This option applies only when the FROM keyword is *FTP.

Note. The system must be able to access the FTP site through any firewalls.

*DFT

The data will be downloaded from the default FTP location STANDGUARD.HELPSYSTEMS.COM.

location name

Specify the host name and path in the format domain/path.

FTP User (FTPUSR)

Specifies the remote user name to use when logging into the FTP server.

*ANONYMOUS

The user 'anonymous' will be used.

user name

Specify the user name to use for the FTP login.

FTP Password (FTPPWD)

Specifies the password for the remote user name when logging into the FTP server. This parameter applies only when the FTP User (FTPUSER) is not *ANONYMOUS.

Note. The password is stored unencrypted in file AVUPDATE, which has public *EXCLUDE authority. The password is sent to the FTP server unencrypted.

Schedule (SCHEDULE)

Specifies the type of scheduling for the command or process.

*DAILY

Run automatic upgrade every day (recommended).

*WEEKLY

Run automatic upgrade once per week.

*MONTHLY

Run automatic upgrade once per month.

*NONE

Automatic upgrade is disabled. This setting is not recommended unless you choose to handle automatic upgrading outside the product.

Note. When you specify a schedule and press Enter, the product adds the job schedule entry AVRUNUPG using the ADDJOBSCDE command.

Day, Days, Time

Specifies when the automatic upgrade process runs, depending on the choice selected for Schedule. For more information on the values allowed for these parameters, press Help.

Example

To schedule an automatic upgrade to run once per week:

AVCHGUPGA FROM(*FTP) FTP(*DFT) SCHEDULE(*DAILY) SCHEDDAYS(*WED) SCHEDTIME(083000)

To manually run an upgrade, choose option 21 from the Main Menu or type the command AVRUNUPG and press Enter.

AVRUNUPG OUTPUT(*)

Sample Report

Output redirected to a file.
Input read from specified override file.
Connecting to host FTP.STANDGUARD.HELPSYSTEMS.COM at address 74.63.199.213 using port 21.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 08:29. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Enter login ID (sandi):
230 Anonymous user logged in
No password required.
UNIX Type: L8
Enter an FTP subcommand.
> SENDEPSV *
Subcommand 'SENDEPSV' not valid.
For a list of available FTP subcommands, enter subcommand HELP.
Enter an FTP subcommand.
> SENDPASV 0
SENDPASV is off.
Enter an FTP subcommand.
> SENDEPRT *
Subcommand 'SENDEPRT' not valid.
Enter an FTP subcommand.
> SENDPORT 1
SENDPORT is on. (PORT subcommand is sent with PUT(MPUT) subcommands.)
Enter an FTP subcommand.
> namefmt 1
500 SITE NAMEFMT is an unknown extension
Client NAMEFMT is 1.
Enter an FTP subcommand.
> get /pub/secure/sgav/i5/v6r1m1/0AV2000V6R1M1.txt /StandGuard/AV/temp/0AV2000V6R1M1.txt (replace
200 PORT command successful
150 Connecting to port 1861
226-File successfully transferred
226 0.000 seconds (measured here), 24.19 Mbytes per second
1345 bytes transferred in 0.682 seconds. Transfer rate 1.973 KB/sec.
Enter an FTP subcommand.
> close
221-Goodbye. You uploaded 0 and downloaded 2 kbytes.
221 Logout.
Enter an FTP subcommand.
> QUIT
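The sample report contains a 500 reply (to namefmt) even though the download succeeded, so a monitor that simply searches the report for error codes would raise a false alarm. The following Python sketch is an added example, not part of the product: it attributes each reply to the subcommand that caused it and checks the host by name rather than by address. The function names, the second report and the EXAMPLE.txt file name are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Abridged from the sample report printed in this guide.
SAMPLE_REPORT = """\
Connecting to host FTP.STANDGUARD.HELPSYSTEMS.COM at address 74.63.199.213 using port 21.
230 Anonymous user logged in
> namefmt 1
500 SITE NAMEFMT is an unknown extension
> get /pub/secure/sgav/i5/v6r1m1/0AV2000V6R1M1.txt /StandGuard/AV/temp/0AV2000V6R1M1.txt (replace
200 PORT command successful
150 Connecting to port 1861
226-File successfully transferred
226 0.000 seconds (measured here), 24.19 Mbytes per second
1345 bytes transferred in 0.682 seconds. Transfer rate 1.973 KB/sec.
> close
221 Logout.
"""

# Constructed for this example (not from the guide): a named login and a refused file.
FAILED_REPORT = """\
Connecting to host FTP.STANDGUARD.HELPSYSTEMS.COM at address 192.0.2.10 using port 21.
230 OK. Current directory is /
> namefmt 1
500 SITE NAMEFMT is an unknown extension
> get /i5/V7R2M0/EXAMPLE.txt /StandGuard/AV/temp/EXAMPLE.txt (replace
200 PORT command successful
550 Can't open EXAMPLE.txt: No such file or directory
> close
221 Logout.
"""

# Host names only (both spellings appear in the guide); the address may change.
EXPECTED_HOSTS = {"STANDGUARD.HELPSYSTEMS.COM", "FTP.STANDGUARD.HELPSYSTEMS.COM"}

CONNECT = re.compile(r"^Connecting to host (\S+) at address")
GET = re.compile(r"^> get (\S+) (\S+)", re.IGNORECASE)
BYTES = re.compile(r"^(\d+) bytes transferred")
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")  # "226-..." continues, "226 ..." ends a reply

@dataclass
class Transfer:
    remote: str
    local: str
    codes: list = field(default_factory=list)
    bytes_received: int = 0

    @property
    def ok(self):
        # 226 closes a successful data transfer; any 4xx/5xx reply means it failed.
        return 226 in self.codes and not any(c >= 400 for c in self.codes)

@dataclass
class Session:
    host: str = ""
    named_login: bool = False
    transfers: list = field(default_factory=list)

def parse_report(text):
    """Attribute each server reply to the subcommand that triggered it."""
    session, current = Session(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := CONNECT.match(line):
            session.host = m.group(1).upper()
        elif line.startswith(">"):
            m = GET.match(line)
            current = Transfer(m.group(1), m.group(2)) if m else None
            if current is not None:
                session.transfers.append(current)
        elif current is not None and (m := BYTES.match(line)):
            current.bytes_received = int(m.group(1))
        elif m := REPLY.match(line):
            code = int(m.group(1))
            if code == 230:  # login accepted
                session.named_login = "anonymous" not in m.group(3).lower()
            if current is not None:
                current.codes.append(code)
    return session

def review(session):
    """Return findings for one upgrade run; an empty list means nothing to follow up."""
    findings = []
    if session.host not in EXPECTED_HOSTS:
        findings.append(f"unexpected host: {session.host or 'none'}")
    if session.named_login:
        findings.append("named FTP login: the password was sent unencrypted")
    if not session.transfers:
        findings.append("no file was requested")
    for t in session.transfers:
        if not t.ok:
            findings.append(f"transfer failed: {t.remote} replies={t.codes}")
        elif t.bytes_received == 0:
            findings.append(f"empty transfer: {t.remote}")
    return findings

if __name__ == "__main__":
    for name, report in (("sample", SAMPLE_REPORT), ("constructed", FAILED_REPORT)):
        print(name, review(parse_report(report)) or "clean")
```
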

Troubleshooting

Try the troubleshooting suggestions for the automatic update process in the previous chapter, replacing FTP.NAI.COM with STANDGUARD.HELPSYSTEMS.COM.

You can check the status of upgrades that have been installed and applied using Support menu option 32.

Recommendations

• Do not hardcode the IP address of HELPSYSTEMS.COM in any scripts or firewalls. The IP address of HELPSYSTEMS.COM could change at any time.

• If you have multiple IBM i servers or partitions with StandGuard Anti-Virus installed, we suggest configuring one system or partition to retrieve program upgrades from the default path and save the files to a shared path on the local network. On the remaining systems and partitions, use the PATH options to retrieve the upgrades over the local network.

• You can use System i Navigator's Management Central to distribute PTFs throughout your network. For more information, go to the IBM i Information Center at http://publib.boulder.ibm.com/infocenter/iseries/v5r3/ic2924/index.htm and search for "management central manage fixes". This should take you to http://publib.boulder.ibm.com/infocenter/iseries/v5r3/ic2924/info/rzam8/rzam8fixinfoinventory.htm.

Chapter 10 - Quarantine

StandGuard Anti-Virus provides a secured area where infected files are moved, out of harm's way. When a file has been quarantined, the file has not been deleted but access to the file is prevented. The infected file is moved to the '/Quarantined' directory.

Setup

StandGuard Anti-Virus automatically builds the path for the infected file inside the '/Quarantined' directory. For example, if an infected file is found in '/home/docs/mydoc.doc', then the infected file is moved to '/quarantined/home/docs/mydoc.doc'. No setup is necessary.

Managing

You can view the files in the quarantine directory using the command WRKLNK '/Quarantined/*', or Option 12 from the Main Menu.

Using the StandGuard Anti-Virus IBM i Navigator plug-in, you can use the Quarantined File Manager application to completely erase any files located in the '/Quarantined' directory.
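Because the quarantine directory mirrors each file's original path, a list of quarantined files can be mapped back to where the infections were found. The following Python sketch is an added example, not part of the product: the function names and the listing are constructed, and the directory name is compared without regard to case because the guide writes it both as '/Quarantined' and '/quarantined'.

```python
import posixpath
from collections import Counter

QUARANTINE_ROOT = "/Quarantined"

# Constructed listing of quarantined files (sample data for this example).
LISTING = [
    "/Quarantined/home/docs/mydoc.doc",
    "/quarantined/home/mike/myfile.exe",
    "/Quarantined/home/mike/tools/setup.exe",
    "/Quarantined/tmp/upload.zip",
]


def quarantine_path(original):
    """Where a file at `original` is placed, following the layout described above."""
    if not original.startswith("/"):
        raise ValueError(f"not an absolute path: {original!r}")
    clean = "/" + posixpath.normpath(original).lstrip("/")
    if clean == "/":
        raise ValueError("the root directory is not a file")
    return QUARANTINE_ROOT + clean


def original_path(quarantined):
    """Recover the pre-quarantine location of a file under the quarantine root."""
    clean = posixpath.normpath(quarantined)  # collapses any '..' components first
    if not clean.lower().startswith(QUARANTINE_ROOT.lower() + "/"):
        raise ValueError(f"not inside {QUARANTINE_ROOT}: {quarantined!r}")
    return clean[len(QUARANTINE_ROOT):]


def summarize(listing, depth=2):
    """Count quarantined files by the first `depth` directories of their origin."""
    counts = Counter()
    for entry in listing:
        folder = posixpath.dirname(original_path(entry)).strip("/")
        parts = folder.split("/") if folder else []
        counts["/" + "/".join(parts[:depth])] += 1
    return counts


if __name__ == "__main__":
    for folder, count in summarize(LISTING).most_common():
        print(f"{count:3d}  {folder}")
```
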

Troubleshooting

If for some reason (rare) you need to unlock an infected file, disable on-access scanning using the command AVCHGA ACCESS(*NONE), then run CHGATR OBJ('/home/mike/myfile.exe') ATR(*SCAN) VALUE(*NO). That will turn off scanning of the file and allow the file to be opened.

Recommendations

If you want to delete a folder in 'Quarantined', use 2 to change, then 9 to 'Recursive delete'.

Chapter 11 - IBM i Navigator Plug-In (GUI)

Installing

1. Launch System i Navigator

2. Click File->Install Options->Install Plug-ins:

3. Follow the Selective Setup instructions until the following screen appears.

4. Click the checkbox next to 'StandGuard Anti-Virus Plug-In' and click Next. Follow the on-screen instructions as necessary to complete the installation.

Starting

1. Launch System i Navigator.

2. Open the system where StandGuard Anti-Virus is installed.

3. Open the Security folder.

4. Click on the StandGuard Anti-Virus icon on the left to open StandGuard Anti-Virus’s options on the right side of the display:

Open the application by double-clicking its icon. For more information, open the desired application and click Help.

Chapter 12 - StandGuard Anti-Virus for Domino

StandGuard Anti-Virus for Domino is an optional licensed feature that provides the ability to scan Domino mail and databases for viruses and malicious code. The following instructions explain how to install this optional product feature.

Requirements

1. Domino 6.5.6 or later

2. You must have previously completed installing the StandGuard Anti-Virus base feature. For these instructions, see "About the Installation Process" on page 18.

3. You will need to end and restart the Domino server during the installation process.

Installing

1. Restore the code to the IBM i server. Instructions are provided on the website.

2. Enter the product license key. Enter the product license key provided by your HelpSystems sales or support representative:

3. Install the code to the Domino server.

In the following instructions, replace server-name with the name of the Domino server you want to install the code to. You can see a list of Domino server names using the command WRKDOMSVR.

The Domino server must be ended for the product to be installed. Run the following command to end the server, then wait for the server to end before continuing with the next step.

ENDDOMSVR SERVER(server-name)

Run the following command to install the code to the server:

STANDGUARD/AVDOINS SERVER(server-name) OPTION(*INSTALL)

Finally, start the Domino server:

STRDOMSVR SERVER(server-name)

4. Sign the StandGuard Anti-Virus databases.

Open the Domino Administrator client and go to the Files Tab.

Choose Templates Only from the Show Me: Drop down list.

Highlight the SGAV Template databases in the list of templates shown.

Once highlighted, open the Databases section on the right side of the Administration pane and choose Sign. Make sure to uncheck Update existing signatures only and choose to sign with the Active User's ID (if it is a trusted Administrator ID and the ID that will be used for installation) or with the Active Server's ID. Choose OK after selecting the options to sign the databases with a trusted ID in your Domino environment.

5. Verify Agent authority.

Since the SGAV Databases have many agents that run, the ID you used for signing, Server or Administrator ID, should also have the rights to Run unrestricted methods and operations. This is found in the Security Tab of the Current Server Document.

Click on the Security tab. Verify LocalDomainAdmins is specified for "Run unrestricted methods and operations" as shown below.

6. Completing the installation.

A. Open the Notes client, and choose File->Database->Open.

B. In the 'Server' field, type or choose your server name. In the 'Filename' field, type SGAVINST.NTF, then click Open.

C. When the Installation form appears, choose Install.

D. When the installation process is completed, choose Exit.

Starting

To start the application:

1. Open the Notes client and choose File->Database->Open.

2. In the 'Server' field, type or choose your server name.

3. Scroll to the directory SGAV and open it.

4. Select database StandGuard Anti-Virus Configuration and click Open.

The main application screen will appear as shown below.

Setup

Server Configuration

The first step that must be performed is to create a server configuration document. The server configuration document specifies configuration information for each Domino server that is protected by StandGuard Anti-Virus. In the navigator, click on Servers, then click New (in the toolbar).

Server name (required)

Specifies the name of the server protected by StandGuard Anti-Virus. Choose the Server name using the drop-down list to the right of the server name field.

Address book

Specifies the address book used to look up the server name (typically names.nsf).

Description

The optional description for the server.

IBM i data source name

The name of the IBM i data source used to access the server (typically *LOCAL). When working with multiple servers, the data source name is used to access remote servers, and can be viewed using the WRKRDBDIRE command. After changing the data source name, press the Test Connection button to verify the connection.

Number of days to keep log entries

Specifies the number of days log entries are retained before being purged (automatically).

DAT Information

These values cannot be edited directly, and are updated by the product whenever the DAT update process retrieves updated files (typically once per day).

Version

Specifies the version of the DAT files.

Last result

Specifies the last result of the DAT Update process for the server.

Last run

Specifies the time the DAT Update process was last run.

When you have finished entering information, click Save, then Close.

Mail Configuration

The Mail configuration document specifies configuration settings the product uses to scan mail attachments on a particular server. There is one configuration document for each server.

To access the Mail configuration documents, go to the main application display, then click on Mail, then New or Edit (in the toolbar).

Server (required)

Specifies the name of the server for which mail scanning is being configured. Choose the Server name using the drop-down list to the right of the server name field.

Status

Specifies the status of the mail scanning server task AVDOMSVR.

Status date/time

Specifies the time the status was last updated. Typically this is the time the AVDOMSVR last started. The AVDOMSVR server task usually restarts every day, whenever DAT files are updated.

Mail scanning status

The active status of the mail scanning. Choose one of the following:

Active (recommended)

Mail scanning is currently active for the server. All mail with attachments will be scanned for viruses and malicious code, using the scan options below.

Not active

Mail scanning is currently not active for the server. Use this setting to turn off mail scanning.

Scan options

Specifies the options that will be used to scan mail.

Scan compressed files (recommended)

Decompress executable files before scanning. Many programs use executable compressors to make the distribution file smaller, for example, PKLite. Unfortunately, packaged files can contain viruses that are compressed. You can use this parameter to decompress these files (in memory) and scan the internal image for viruses.

Enable file heuristics (recommended)

Use heuristic scanning to detect executable files that have code resembling malware.

Enable macro heuristics (recommended)

Use heuristic scanning to detect unknown macro viruses.

Scan archive files (recommended)

Decompress multi file archives before scanning. This parameter tells the product to scan inside archive formats. The list of formats includes ARJ, LHA, PKARC, PKZIP, RAR, TAR and WinACE files, and also BZIP and Zcompress single file compression. The list is frequently updated. Archive formats store a number of files within a single file. For example, a scan of a single .ZIP file results in many files being scanned.

Find suspicious programs (recommended)

Scan for potentially unwanted programs. Some widely available applications, such as password crackers or remote access utilities, can be used maliciously or can pose a security threat. If you set this parameter, the product scans for such files.

Treat password protected files as infected (recommended)

The product can scan password protected files by employing password cracking techniques. The techniques can crack most passwords, but if the password cannot be cracked, the product can treat the file as if it was infected. Many infected mail messages contain password protected files.

Treat unscannable files as infected

Specifies whether to treat a file as infected if it cannot be scanned for some other reason.

File types to scan

Specifies the types of file attachments that will be scanned.

Scan all files (recommended)

All file types, regardless of extension, will be scanned.

Scan commonly infected files only

Only file types that are known to contain viruses and/or malicious code are scanned.

Action

Specifies the action to perform whenever an infection is detected.

None (log only)

A message is logged in the log database, but no further action is taken.

Quarantine

The mail item is left in the mail.box as dead mail and not routed to the recipient. A message is logged in the log database.

Delete

The mail item is deleted and not routed to the recipient. A message is logged in the log database.

Footer text

Specifies the text to append to the bottom of mail that has been scanned and verified successfully.

When you have finished entering information, click Save, then Close.

Alert Configuration

Being notified when a potential threat is detected is an important part of protecting your environment. Alert documents specify who will be notified by email when important events occur. Alert documents are required if you want to receive alerts about various product activities and events.

To access the Alert configuration documents, go to the main application display, then click on Alerts, then New or Edit (in the toolbar).

Server (required)

Specifies the name of the server for which the alert monitor is being configured.

Notify the following addresses (required)

Specifies the email addresses of the recipient(s) to receive the alert.

Mail

Mail scanning started

Choose this option to be notified when mail scanning is activated for the server.

Mail scanning ended

Choose this option to be notified when mail scanning is ended for the server.

Mail infected

Choose this option to be notified when mail scanning detects an infected attachment.

Mail quarantined

Choose this option to be notified when mail scanning quarantines an infected mail document.

Mail deleted

Choose this option to be notified when mail scanning deletes an infected mail document.

Scan tasks

Scan task started

Choose this option to be notified when a scan task has started.

Scan task completed

Choose this option to be notified when a scan task has completed.

Virus detected

Choose this option to be notified when a scan task detects an infected document attachment.

Attachment cleaned

Choose this option to be notified when a scan task cleans an infected document attachment.

Attachment deleted

Choose this option to be notified when a scan task deletes an infected document attachment.

Attachment quarantined

Choose this option to be notified when a scan task quarantines an infected document attachment.

DAT Update

Update success

Choose this option to be notified when the DAT update process retrieves new virus definition files successfully.

Update error

Choose this option to be notified when the DAT update process fails to retrieve new virus definition files.

Product

Warnings

Choose this option to be notified when warning events occur.

Errors

Choose this option to be notified when error events occur.

Informational

Choose this option to be notified when informational events occur.

When you have finished entering information, click Save, then Close.

DAT Update Configuration

DAT Update is where you specify how and when the product will download new virus definitions. In addition, you can specify scheduling options to choose when the files will be downloaded at regular, recurring intervals. It is recommended that you download new DAT files every day.

To access the DAT Update configuration documents, go to the main application display, then click on DAT Update, then Edit (in the toolbar).

Server (required)

Specifies the name of the server for which the DAT Update is being configured.

DAT Version

Specifies the version and date of the virus definitions that are currently installed.

Transfer method

FTP (using defaults)

Choose this option to retrieve the virus definitions using FTP and the default FTP server (ftp.nai.com).

FTP (Custom)

Choose this option to retrieve the virus definitions using your own FTP server.

Path

Choose this option to retrieve the virus definitions using a path on your local network.

FTP Options

If you chose FTP as the transfer method, the following options allow you to further define the FTP parameters.

FTP Passive

Choose this option to use passive FTP, or select No to use active FTP. Turn this on if you want your server to establish the data connection to the FTP site instead of the site establishing the data connection to your server. This is recommended for most FTP sites, and it is absolutely necessary for some firewall and gateway configurations and when you get failed data channel errors. Note, however, that not all FTP sites support passive mode.

FTP Path

If you chose FTP (Custom) as the transfer method, specify the server and path name in the format //server name/path. If the files are located in the root path, you must end the server name with the root path name. For example: //192.168.1.1/.

FTP User and Password

If you chose FTP (Custom) as the transfer method, specify the FTP user name and password that will be used to log into the FTP server and retrieve the files.

Path Options

Directory

If you chose Path as the transfer method, specify the network path name where the DAT files are located.

Schedule Options

Specifies the time when automatic updates will run.

None

Do not schedule the DAT Update process to run.

Daily

Run the DAT Update process every day. Choose the desired days and time you want to run the process.

Weekly

Run the DAT Update process once per week. Choose the desired day and time you want to run the process.

Monthly

Run the DAT Update process once per month (not recommended).

Retrieve only

Specifies if the new files will be retrieved but not installed.

Save extra copy

Specifies the additional path where the new files will be saved. Use this option if you have one system or partition downloading the files and want to copy the files to an additional location where the remaining systems can access them over the local network.

Run command after update

Specifies a system command to run after a successful download of new files. You could run a system command to save the information to tape, or notify an administrator, for example.

When you have finished entering information, click Save, then Close.

On-Demand Scanning - Configuration

On-Demand scanning documents specify how and when the product will scan Domino databases for infected attachments and malicious code. This scanning process is referred to as a scan task. You should create On-Demand scan tasks to perform scanning and cleaning activities on a recurring scheduled basis.

Server (required)

Specifies the name of the server for which the scan task is being configured.

Task name (required)

Specifies the short name of the task (8 characters or less). This name is used to create the job schedule entry, and to submit the scan task process to the system (job name).

Description

Specifies the optional descriptive name for the task.

Last result

The result from the last time the scan task was run is shown for your information. More detailed information can be seen using the Log application.

Starting directory or database name (required)

Specifies the directory or database name where scanning will start. To specify the server's data directory, type an asterisk '*'. Directory or database names must be relative to the Domino server directory path.

Databases to omit from scan

Specifies the directory and database names to omit from scanning. Separate multiple values using commas (",").

Skip files larger than

Specifies the maximum size of databases to scan. Databases larger than this size will not be scanned, for performance reasons. Specify 0 to scan all databases regardless of size.

Scan Options

Specifies the option that will be used to scan databases.

Scan compressed files (recommended)

Decompress executable files before scanning. Many programs use executable compressors to make the distribution file smaller, for example, PKLite. Unfortunately, packaged files can contain viruses that are compressed. You can use this parameter to decompress these files (in memory) and scan the internal image for viruses.

Enable file heuristics (recommended)

Use heuristic scanning to detect executable files that have code resembling malware.

Find suspicious programs

Scan for potentially unwanted programs. Some widely available applications, such as password crackers or remote access utilities, can be used maliciously or can pose a security threat. If you set this parameter, the product scans for such files.

Scan archive files (recommended)

Decompress multi file archives before scanning. This parameter tells the product to scan inside archive formats. The list of formats includes ARJ, LHA, PKARC, PKZIP, RAR, TAR and WinACE files, and also BZIP and Zcompress single file compression. The list is frequently updated. Archive formats store a number of files within a single file. For example, a scan of a single .ZIP file results in many files being scanned.

Incremental scan

Select this option to scan only documents that have been created or changed since the last time the scan task was run.

Macro analysis

Use heuristic scanning to detect unknown macro viruses.

File types to scan

Specifies the types of file attachments that will be scanned.

Scan all files (recommended)

All file types, regardless of extension, will be scanned.

Scan commonly infected files only (faster)

Only file types that are known to contain viruses and/or malicious code are scanned.

Run priority

Specifies the run priority for the job. Run priority is a value, ranging from 21 (highest priority) through 99 (lowest priority), that represents the priority at which the job competes for the processing unit relative to other jobs that are active at the same time. This value represents the relative (not the absolute) importance of the job. For example, a job with a run priority of 25 is not twice as important as one with a run priority of 50.

Timeout

Specifies the number of minutes before the operation will time out. Use this option to limit the number of minutes the task will run. The task will scan as many databases and attachments as possible within the time period before ending. The next time the task starts it will resume where it previously left off. If the task completes all files before timing out, it will start at the specified starting directory the next time it runs.

When an infection is found

Specifies the action the product will take when an infection is found.

Log and continue

An entry is logged to the log database, and no other actions are performed.

Clean attachment

An entry is logged to the log database, and the product will attempt to remove the infection from the attachment. If the infection cannot be removed, the 'If clean fails' action is performed.

Quarantine attachment

An entry is logged to the log database, and the product will move the infected attachment to the Quarantine database.

Delete attachment

An entry is logged to the log database, and the product will remove the infected attachment from the document.

If clean fails

If the above action is Clean attachment, this option specifies what action to perform if the attachment cannot be cleaned.

Quarantine attachment

An entry is logged to the log database, and the product will move the infected attachment to the Quarantine database.

Delete attachment

An entry is logged to the log database, and the product will remove the infected attachment from the document.

Schedule

Specifies the time when the task will run. When you specify a schedule, the product schedules the task using the ADDJOBSCDE command.


Once

Run the task once.

Daily

Run the task on the specified week days. Choose the desired days and time you want to run the process.

Monthly

Run the task once per month. Choose the desired day and time you want to run the process.

Logging

Specifies the type of information to record to the scan log. If you select 'All files', detailed information about each file attachment in each database is recorded to the scan log.

When you have finished entering information, click Save, then Close.

Reference

Quarantine

StandGuard Anti-Virus provides a secured area where infected files are moved, out of harm's way. When a file has been quarantined, it has not been deleted, but access to it is prevented. The Quarantine application lists the files that have been moved to the Quarantine database. Double-click an entry to see the details of the quarantine document.

The file attached to the document is the infected file. It is recommended you do not attempt to open this file. In the Resources navigation entry are options to submit the file to McAfee for further analysis. You can also click the 'Check Virus on McAfee' button to search the virus information database for more information.

Clicking the 'Go to infected document' button will take you to the document that originally contained the infected attachment. You may still see the icon in the document that represents where the file was located; however, the file has been removed from the document and the icon will not open it.

Time

The date and time the quarantine entry was created.

Server

The name of the server where the activity occurred.

Database

The name of the database where the infection was found.

Reason

The reason the attachment was quarantined (virus, trojan, etc.).

Virus name (if applicable)

The name of the virus or malware.

Quarantined file

The infected file. It is recommended you do not attempt to open this file. In the Resources navigation entry are options to submit the file to McAfee for further analysis. You can also click the 'Check Virus on McAfee' button to search the virus information database for more information.

Log

The Log database provides information about the product's activities, such as when scans start, finish, and any infections that were found.

You can use the Alert application to specify what types of log entries you want to be notified about.


Using the Server application, you can specify the number of days the Log database will retain information.

Time

The date and time the log entry was created.

Server

The name of the server where the activity occurred.

Type

The type of log entry.

Process

The name of the process or job that created the log entry.

Message

The detailed message about the log entry.

Resources

McAfee Threat Library

Choose this option to go to the McAfee Avert Threat Library. This library has detailed information on viruses, Trojans, hoaxes, vulnerabilities and Potentially Unwanted Programs, where they come from, how they infect your system, and how to mitigate or remediate them.

Submit a sample

Choose this option to go to Avert® Labs WebImmune. Here you can submit potentially infected files to WebImmune for analysis. You will receive information about your files, including solutions and real time fixes, if required.


Technical Support

Choose this option to go to the HelpSystems Support page where you can get online technical assistance, product updates, tips, advice, and support requests. You can speak directly with HelpSystems technical support specialists and most questions can be answered online.

Uninstalling

Should you need to remove the StandGuard Anti-Virus application from a Domino server, perform the following:

1. Using the WRKDOMSVR command, end all Domino servers on which the application is installed. If you are not sure on which servers the application is installed, use option 13 to view the Notes.INI file, and look for the entry SGAV_INSTALLED=YES.

2. Wait for the server status to be *ENDED before continuing.

3. Run the command: STANDGUARD/AVDOINS SERVER(server-name) OPTION(*UNINSTALL)

4. Use the WRKDOMSVR command to start the servers as needed.


Chapter 13 - Monitoring

HelpSystems strongly recommends that you monitor the StandGuard Anti-Virus messages logged to the AVMSGQ to ensure an ongoing problem is noticed and remedied as soon as possible.

You can monitor the AVMSGQ message queue manually or, to ensure timely notification, automate the monitoring with one of HelpSystems' products.

As important as it is to install anti-virus protection on your server, it is equally important to know when problems occur. Important events that you need to monitor are:

1. When StandGuard Anti-Virus detected and removed a virus;

2. If virus definition files could not be retrieved; and

3. If the AVSVR job is ended or not running.

In addition, you could monitor other events, such as if a scan ended abnormally or did not run at all.

Manually monitoring the AVMSGQ message queue

To monitor the AVMSGQ manually, run the following command:

CHGMSGQ MSGQ(STANDGUARD/AVMSGQ) DLVRY(*BREAK) SEV(90)

Note: You will need to run this command each time you sign on, or automate the command into an initial sign-on program.

Automated monitoring of the AVMSGQ message queue

If you are using Bytware's Messenger suite of products, we recommend you monitor the AVMSGQ message queue for messages of severity 90 and higher. Add an action to page you or send emails to a list of operators or administrators.

In a multiple-system/partition environment, distribute the monitor to each system running StandGuard Anti-Virus.

We recommend you create an additional monitor to check for the absence of the completion message by a specific time. This will alert you to conditions where the automatic process is not starting, possibly due to a problem with the job schedule entry or job queue. In a multiple-system/partition environment, MessengerConsole can ensure all systems/partitions have reported the update process started and completed successfully, and notify an administrator with exceptions.

Using Messenger to Monitor the AVSVR job

We strongly recommend monitoring the AVSVR job to ensure it is always running. If you are using the Messenger suite of products, you can use the JOBRUN monitor to automatically notify you via email message, cell phone or pager if the job is not running. To set up a job monitor, please perform the following:

1. Go to the Messenger menu by typing MPLUS at a command line and pressing Enter.

2. Select Setup Menu option 5: Work with Monitoring, press Enter and type a 9 next to JOBRUN, then press Enter.

3. On the Work with Event Monitors display, press F6 to add a new Event Monitor.

4. Specify Sequence Number, enter Description (AVSVR job that should be running) and press Enter.

5. On the Job Filters display, press F6. Specify Sequence Number, I to include, AVSVR as job name, QSYSWRK as subsystem name, and leave all other parameters as defaulted, and press Enter.

6. Press Enter to return to the Work with Event Monitors display.

7. Release the Event Monitor using Option 6.

8. To attach a page Action, type a 7 next to the Event Monitor and press Enter. Create action as needed and press Enter to return to the Work with Event Monitors display.

9. Press Enter to return to the Work with Monitors display.

10. Release the JOBRUN Monitor using Option 6.

Using Messenger to Monitor the AVMSGQ Message Queue

If you are using Bytware's Messenger suite of products, we recommend you monitor the AVMSGQ message queue for messages of severity 90 and higher and add an action to page you or send emails to a list of operators or administrators. To do so, please perform the following:


1. Go to the Messenger menu by typing MPLUS at a command line and pressing Enter.

2. Select Setup Menu option 5: Work with Monitoring and press F6.

3. Specify AVMSGQ as the Monitor Name and press Enter.

4. Enter Description (Anti-Virus Message Monitor) and press Enter.

5. Specify AVMSGQ as Message Queue Name and Library STANDGUARD and press Enter.

6. On the Work with Event Monitors display, press F6 to add a new Event Monitor.

7. Specify Sequence Number, enter Description (Messages Severity 90 and higher) and press Enter.

8. On the Message Filters display, press F6. Specify Sequence number, I to include, and specify 90 as Severity, leaving all other parameters as defaulted, then press Enter.

9. Press Enter to return to the Work with Event Monitors display.

10. Release the Event Monitor using Option 6.

11. To attach a page Action, type a 7 next to the Event Monitor and press Enter. Create action as needed and press Enter to return to the Work with Event Monitors display.

12. Press Enter to return to the Work with Monitors display.

13. Release the AVMSG Monitor using Option 6.

Using Messenger to Monitor the Automatic Update Process

The automatic update process logs completion messages to the AVMSGQ message queue. If you are using Bytware's Messenger suite of products, we recommend you create an additional monitor to check for the absence of the completion message by a specified time. This will alert you to conditions where the automatic process is not completing, possibly due to a problem with the job schedule entry or job queue. To create the monitor, please do the following:

**If you already have the AVMSG monitor created, proceed to Step 6**

1. Go to the Messenger menu by typing MPLUS at a command line and pressing Enter.

2. Select Setup Menu option 5: Work with Monitoring and press F6.

3. Specify AVMSG as the Monitor Name and press Enter.


4. Enter Description (Anti-Virus Message Monitor) and press Enter.

5. Specify AVMSGQ as Message Queue Name and Library STANDGUARD and press Enter.

6. On the Work with Event Monitors display, press F6 to add a new Event Monitor.

7. Specify Sequence Number, enter Description (AVUPDATE not completed on time) and press F15 to change the Expected Time as needed (leave increment set to 24H), press Enter. If you want to schedule the monitor for specific days of the week only, press F11 to add schedule and press Enter. Press Enter until the Message Filters screen appears.

8. On the Message Filters display, press F6. Specify Sequence number, I to include, specify Message id AVC0204 and Message File AVMSGF in Library STANDGUARD, leaving all other parameters as defaulted, then press Enter.

9. Press F6 again to add an additional Filter. Specify Sequence number, I to include, specify Message id AVC0202 and Message File AVMSGF in Library STANDGUARD, leaving all other parameters as defaulted, then press Enter.

10. Press Enter to return to the Work with Event Monitors display.

11. Release the Event Monitor using Option 6.

12. To attach a page Action, type a 7 next to the Event Monitor and press Enter. Create action as needed and press Enter to return to the Work with Event Monitors display.

13. Press Enter to return to the Work with Monitors display.

14. Release the AVMSG Monitor using Option 6.
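The three monitors configured above (severity 90 and higher on AVMSGQ, absence of a completion message by the expected time, and the AVSVR job in QSYSWRK) reduce to the checks below. This is an added example, not code from Messenger or StandGuard Anti-Virus; the record layout, the sample messages and the reading that either filtered message id satisfies the completion check are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SEVERITY_THRESHOLD = 90                    # guide: severity 90 and higher
COMPLETION_IDS = {"AVC0204", "AVC0202"}    # message ids the guide filters on
REQUIRED_JOB = ("AVSVR", "QSYSWRK")        # job name and subsystem from the guide
WINDOW = timedelta(hours=24)               # the guide's 24H increment


@dataclass(frozen=True)
class QueueMessage:
    """One AVMSGQ entry; field names are assumptions for this example."""
    msg_id: str
    severity: int
    sent: datetime
    text: str = ""


def high_severity(messages, threshold=SEVERITY_THRESHOLD):
    """Messages that should page an operator (severity >= threshold)."""
    return [m for m in messages if m.severity >= threshold]


def update_completed(messages, expected_by, window=WINDOW):
    """True if a completion message arrived in the window ending at expected_by."""
    start = expected_by - window
    return any(m.msg_id in COMPLETION_IDS and start < m.sent <= expected_by
               for m in messages)


def job_running(active_jobs, required=REQUIRED_JOB):
    """active_jobs is an iterable of (job_name, subsystem) pairs."""
    return required in set(active_jobs)


def evaluate(messages, active_jobs, now, expected_by):
    """Return alert strings for the three conditions the guide monitors."""
    alerts = [f"SEV{m.severity} {m.msg_id}: {m.text}"
              for m in high_severity(messages)]
    # The absence check can only fire once the expected time has passed.
    if now >= expected_by and not update_completed(messages, expected_by):
        alerts.append(f"no completion message by {expected_by:%Y-%m-%d %H:%M}")
    if not job_running(active_jobs):
        alerts.append("AVSVR job not active in QSYSWRK")
    return alerts


# Constructed sample data, not real product output; AVX9999/AVX9998 are made-up ids.
DEADLINE = datetime(2015, 7, 28, 6, 0)
SAMPLE_MESSAGES = [
    # Completion message from the previous cycle: outside the 24H window.
    QueueMessage("AVC0204", 0, datetime(2015, 7, 27, 2, 15), "constructed text"),
    QueueMessage("AVX9999", 90, datetime(2015, 7, 28, 3, 40), "constructed text"),
    QueueMessage("AVX9998", 30, datetime(2015, 7, 28, 4, 0), "constructed text"),
]
SAMPLE_JOBS = [("OTHERJOB", "QSYSWRK")]    # AVSVR deliberately missing

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_MESSAGES, SAMPLE_JOBS,
                          now=datetime(2015, 7, 28, 6, 5), expected_by=DEADLINE):
        print(alert)
```

The stale completion message in the sample shows why the absence check is bounded by a window: without it, yesterday's success would mask today's missed update.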

Technical Support

Technical support, product updates, and .DAT File updates are only available to customers with current and active Annual Support.

Contacting HelpSystems

Phone: 1-775-851-2900

Internet: [email protected]


Uninstalling

Note: Do not delete the STANDGUARD library to uninstall the product; use DLTLICPGM instead. Deleting the library does not remove the exit points or autostart job entries, and does not reset system values.

To uninstall StandGuard Anti-Virus, run the following command:

DLTLICPGM LICPGM(0AV2000)

