If Powertech Antivirus identifies a virus or malware on your system, do the following to address the potential threat:
- Ensure you are using the latest DAT files by running a manual update. To do so, submit the command: STANDGUARD/AVRUNUPD.
- Isolate the threat:
  - Run full scans on other hardware, computers, etc. to ensure the malware has not spread any further.
  - Run an On-Demand Scan with all Scan Settings enabled:
    - Name . . . . . . . '/'
    - Heuristic analysis . . . . . . . *YES
    - Macro analysis . . . . . . . . . *YES
    - Potentially unwanted programs . *YES
    - Scan archives . . . . . . . . . *YES
    - Files . . . . . . . . . . . . . *ALL
    - Force . . . . . . . . . . . . . *ALL
  - If you wish to review all the scan details after the scan has run, change the Logging Level to *DETAILED.
  - If you want the scan to run in its entirety, ensure the Timeout minutes parameter is set to *NONE.
Be aware that running a full scan may affect performance.
- Determine if the virus or threat was found in a critical folder.
  - The Quarantined folder can be found under the AVMENU, option 12 (Work with quarantined files).
  - For reference, the path name within the Quarantined folder reflects the actual path name where the infected object was found. By leaving the path name structure in place, even after you delete the infected object, you have a history of folders that have been infected.
- Investigate the threat.
  - The McAfee Threat Center, https://www.mcafee.com/enterprise/en-us/threat-center.html, contains detailed information about thousands of viruses, such as where they come from, how they infect your system, and how to mitigate or remediate them. On this site, you can search for threats by name or by type. You can even see which DAT version has the virus definition signature for the threat to guarantee you'll be protected from it.
  - Investigate to see if the object was legitimate and somehow got infected, or if it was a fraudulent object that was inserted maliciously into the folder. If it was legitimate, and may be needed in the future, you will need to recover it from a valid source. If it was a fraudulent object, you won't need to recreate it. Investigate how the object was infected and identify possible users who may be at risk:
    - Which users have access to this object?
    - Are their PCs running up-to-date anti-virus software?
    - Try to work out when it hit the IFS, and therefore, possibly, where it came from.
  - In the event of finding a virus or suspicious file, you can submit a virus sample to McAfee for validation here:
    This may present a challenge, as the file is flagged as having a virus and could be difficult to move around. The actual logistics of getting the malware off the IFS vary depending on factors including network configuration and security settings. Consider the possible security risks of moving the malware around your network before proceeding.
- Delete the infected object as soon as possible. As a reminder, you should never save or replicate the /QUARANTINED directory.
- Closely review scans for the next few days or weeks. If a PC or other system that connects to the IBM i system is infected and this is not caught, it is possible for the infected file to get transferred to the system again.
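As an added example (not part of this article or of the Powertech Antivirus product), the Python helper below applies two of the points above to quarantine entries: because the path under the Quarantined folder mirrors the original IFS path, it maps each quarantined object back to where it was found, counts detections per folder to show which folders have been infected, and orders detections by time so the earliest one points at the likely entry point. The `/QUARANTINED` root is the one named on this page; the entry fields (a detection timestamp is assumed to be available from the scan log), the sample paths, times and threat names are all constructed for the example.

```python
"""Added example (not from the Powertech Antivirus documentation): a triage
helper for quarantine entries.  It relies on the documented behaviour that
the path under the quarantine folder mirrors the original IFS path, and uses
it to (1) recover the original location, (2) count detections per folder,
and (3) order detections by time so the earliest hit points at the likely
entry point.  All entries, timestamps and threat names below are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from posixpath import dirname

QUARANTINE_ROOT = "/QUARANTINED"  # quarantine directory named on the page


@dataclass(frozen=True)
class QuarantineEntry:
    quarantine_path: str   # full path of the object inside the quarantine folder
    detected_at: datetime  # when it was quarantined (assumed to come from the scan log)
    threat: str            # threat name reported by the scanner


def original_path(quarantine_path: str) -> str:
    """Strip the quarantine root to recover where the object lived on the IFS."""
    prefix = QUARANTINE_ROOT + "/"
    if not quarantine_path.startswith(prefix):
        raise ValueError(f"not a quarantine path: {quarantine_path}")
    return quarantine_path[len(QUARANTINE_ROOT):]


def infected_folders(entries) -> dict:
    """Count detections per original folder; folders that keep reappearing need a closer look."""
    return dict(Counter(dirname(original_path(e.quarantine_path)) for e in entries))


def detection_timeline(entries) -> list:
    """Detections oldest first: the earliest one is the best clue to where the threat entered."""
    return sorted(entries, key=lambda e: e.detected_at)


def likely_entry_point(entries) -> str:
    """Original path of the earliest detection, or '' if there is nothing to report."""
    ordered = detection_timeline(entries)
    return original_path(ordered[0].quarantine_path) if ordered else ""


# Constructed sample: three objects quarantined from two shared IFS folders.
SAMPLE_ENTRIES = [
    QuarantineEntry("/QUARANTINED/home/shared/invoices/inv_2023.xls",
                    datetime(2023, 5, 2, 9, 15), "Sample.Macro.A"),
    QuarantineEntry("/QUARANTINED/home/shared/invoices/inv_2023_copy.xls",
                    datetime(2023, 5, 2, 9, 40), "Sample.Macro.A"),
    QuarantineEntry("/QUARANTINED/home/shared/uploads/setup.exe",
                    datetime(2023, 5, 1, 17, 5), "Sample.Trojan.B"),
]

if __name__ == "__main__":
    for e in detection_timeline(SAMPLE_ENTRIES):
        print(e.detected_at.isoformat(), e.threat, original_path(e.quarantine_path))
    print("infected folders:", infected_folders(SAMPLE_ENTRIES))
    print("likely entry point:", likely_entry_point(SAMPLE_ENTRIES))
```

The timeline is only a clue: the earliest quarantine time is when the scanner first saw the object, not necessarily when it arrived, so confirm it against the object's own timestamps and the access history of the users who can write to that folder before drawing conclusions.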