MyDoom Puts iSeries IFS in the Virus Spotlight
by Alex Woodie
As the tidal wave of e-mails infected with the MyDoom virus continued to circulate across the Internet last
week, OS/400 security software vendors emphasized the importance of checking the iSeries Integrated File
System (IFS) for Windows viruses. <a target="new" href="http://www.bytware.com">Bytware</a>, which
launched the first native OS/400 virus scanner last year, reported that some of its customers found
MyDoom on their IFS systems, while <a target="new" href="http://www.kisco.com">Kisco</a>
announced a new deal with <a target="new" href="http://www.symantec.com">Symantec</a> to distribute
Norton AntiVirus 2004 with Kisco's OS/400 security software, for PC-based IFS scanning.
By some experts' estimates, MyDoom became the most prolific Windows virus to date when it hit the
Internet two weeks ago. The virus, which travels by e-mail attachment, installs a stealth program when
activated that turns the victim's computer into a node used by the virus writers to launch denial-of-service
attacks. The first MyDoom variant spawned a DoS attack that crashed the Web site of <a target="new"
href="http://www.sco.com">The SCO Group</a>, while a second variant was less successful in its attempt
to bring down <a target="new" href="http://www.microsoft.com">Microsoft</a>'s robust Web site.
MyDoom can enter the iSeries IFS in two ways, according to Bytware, which is based in Reno, Nevada. It
can get there through an e-mail that has passed through OS/400, or the worm can copy itself to the iSeries
IFS from an infected client PC, without the user's knowledge. Either way, once MyDoom, or any other
virus, has entered the IFS, the only feasible way to remove it is to scan the IFS with antivirus software and
delete the little bugger.
For years, mapping the IFS to a PC equipped with standard antivirus software was the only way to treat an
infected IFS. While such a process can get the job done, it requires a bit of manual work to configure, and it
can create security holes of its own if not done correctly. (Check <a target="new" href="http://www-
site</a> for tips on proper PC-based IFS scanning techniques.)
PC-based IFS antivirus scanning can also be extremely slow when there are many files in the IFS that need
scanning, because it must move the files over the local area network. Also, PC-based scanning will not
always clean all viruses from the IFS, Bytware says. For these and other reasons, a native OS/400 antivirus
scanner provides a more elegant and secure solution, which is why it was on the iSeries' Large User Group
list of requirements for years.
Last June the LUG's wishes were answered when Bytware launched StandGuard Anti-Virus, which
provides a native OS/400 implementation of <a target="new" href="http://www.nai.com">Network
Associates</a>' <a target="new" href="http://www.mcafee.com">McAfee</a> antivirus software (see <a
target="new" href="http://www.midrangeserver.com/tfh/tfh062303-story01.html">"Bytware Launches
OS/400 Antivirus Software to Treat IFS Infections"</a> for more product information). Bytware officials
report that the product, which costs between $750 and $10,000 (depending on the processor size) per
OS/400 logical partition to license, has been well-received in the marketplace.
One company that uses Bytware's StandGuardAV, Saint-Gobain Containers, in Muncie, Indiana, installed
the software to cut IFS scan times, as well as to provide a second layer of antivirus protection. Saint-Gobain
has two iSeries servers that used quite a bit of IFS space for WebSphere, Domino, and Netserver
workloads, says Mike Crump, an employee in the company's IT department. "Using our existing product
[from antivirus software provider <a target="new" href="http://www.sophos.com">Sophos</a>] with
mapped drives worked fine, but we were getting huge run times," he says. "In one case I cut my run time
from six hours to one hour" with StandGuardAV.
Like most shops that follow good security practices, Saint-Gobain also runs antivirus software on its
front-end PCs, which provides real-time virus scanning of infected e-mails as they hit the company's network. As
a result, Crump has not discovered MyDoom, let alone any other virus, on his company's OS/400 servers.
"I do like the product," Crump says of StandGuardAV. "The product is easy to install and implement.
Processing product updates and definition updates is very nice. . . . It is a bit pricey, in some perspectives,
but in our case it was worthwhile."
Another OS/400 shop found MyDoom on its iSeries IFS. The company's IT administrator, who asked to
remain anonymous, said MyDoom made its way into the IFS when infected e-mails sent to generic e-mail
addresses, such as <i>email@example.com</i>, actually corresponded with valid e-mail addresses at the
company, even though those employees didn't use OS/400's e-mail facilities. (OS/400 gave them SMTP
e-mail addresses by default.)
The administrator had downloaded a trial version of Bytware's StandGuardAV just as the MyDoom virus
storm hit in late January. The administrator noted that StandGuardAV's e-mail scanning capabilities picked
up most of the viruses that bypassed their PC-based Norton AntiVirus defense and made it to the OS/400
SMTP server. However, a patch for the software the administrator installed caused StandGuardAV's e-mail
scanning capability to stop working, which is when StandGuardAV's IFS scanning kicked in and found
MyDoom. The administrator says that overall he was very pleased with the way StandGuardAV worked,
and is considering licensing the software, provided the patch is fixed. Bytware is working with IBM to fix
For those customers who can't justify the native OS/400 antivirus solution, mapping a PC to the iSeries IFS
remains their only option for detecting viruses and worms on the IFS. OS/400 shops have been doing
this for years, but recent publicity of the IFS's penchant for serving as an unwitting Typhoid Mary-esque
virus repository has stepped up vendors' attention to the problem.
Kisco Information Systems last week announced its antivirus solution for the IFS: an agreement with
Symantec to distribute copies of Norton AntiVirus 2004 that are good for 90 days with the Advanced and
Enterprise editions of its SafeNet/400 OS/400 network security and exit point software. Along with the
copy of the Norton software, Kisco is providing a set of suggestions and procedures on how best to use
Norton AntiVirus for periodic scanning of the iSeries IFS from a PC.
Rich Loeber, president of the Saranac Lake, New York, software company, says his company's approach to
IFS scanning provides a "compromise" between a native OS/400 scanning solution and doing nothing.
"There are areas of the IFS that probably need to be scanned only infrequently, and others more
frequently," he says. "If customers aggressively use any antivirus software at the various entry points where
viruses originate, that is always going to be their best protection. Using the Norton AntiVirus will let them
periodically check the vulnerable areas of the IFS just in case viruses get past the initial point of checking."
In December, Kisco launched new editions of its SafeNet/400 software that featured a new GUI
management console (see <a target="new" href="http://www.midrangeserver.com/mso/mso121603-story04.html">the
recent Kisco story</a>). SafeNet/400 Advanced includes the GUI and can manage a
single OS/400 server, starting at $2,495 per server. SafeNet/400 Enterprise is similar to the Advanced
edition and adds the capability to manage multiple OS/400 servers; it starts at $4,495. Go to <a
target="new" href="http://www.kisco.com">www.kisco.com</a> for more information.