Powertech Antivirus For IBM i Audit

Overview

Designed specifically for the file systems used by IBM i, Powertech Antivirus provides native file-system scanning that covers operating-system structures not found on other platforms, such as recursive links, so that viruses and malicious code can be uncovered wherever they reside. In addition to understanding recursive links, Powertech Antivirus for IBM i allows you to scan IBM i objects for modified digital signatures (a sign of tampering).

Configuration on the IBM i

Powertech Antivirus for IBM i is set up using the Powertech SIEM agent.

Log on to the IBM i whose antivirus events Event Manager will receive, using a user ID with sufficient authority to create new event sources.

Create a new Event Source

  1. Create a new Event Source with the following configuration:
  • Name: PTAV
  • Description: Powertech Antivirus for IBM i
  • Type: *MSGQ
  • Facility: 4
  • Active: 1
  • Default Output: Use F8=Maintain Outputs to open the Work with Attached Outputs display and select the machine on which Event Manager is running, which is the machine to which the antivirus events will be sent. The format must be SYSLOG. Use F6 to attach the required machine if it is not already listed in this display.
Message Queue Section
  • Object: AVMSGQ
  • Library: STANDGUARD
  • ASP Group: *SYSBAS
  2. Press Enter to create the new Event Source.
NOTE: The full instructions to create a new Event Source in the Powertech SIEM Agent can be found here:

https://static.helpsystems.com/powertech/help/siem-agent/4_1/content/create-event-source-panel.htm

Adding Event Descriptions to the Event Source

  1. From the Work With Event Sources display, use option 9=Event Descriptions against the PTAV event source. The Work with Event Descriptions display opens.
  2. Add the following five entries using F6=Create for each:

  Name      Description                Active  Event Class ID  Severity  Class  Extension
  AVC0202   Virus Definition Update 2  1       AVC0202         1         AUD    None
  AVC0204   Virus Definition Update 1  1       AVC0204         1         AUD    None
  AVE0131   Virus Detection            1       AVE0131         1         AUD    None
  AVE0139   Virus Scan                 1       AVE0139         1         AUD    None
  AVI0135   File Quarantined           1       AVI0135         1         AUD    None
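As an added example (not part of this page, the SIEM agent or Powertech's software), the following receiver-side check parses syslog lines forwarded from the PTAV event source, decodes the PRI field to confirm the configured facility (4), and flags message IDs that arrive without one of the five Event Descriptions above. The RFC 3164-style line layout and the sample lines are assumptions: this page does not show the agent's actual SYSLOG format.

```python
import re
# The five Event Descriptions configured on the PTAV event source (this page).
EVENT_DESCRIPTIONS = {
    "AVC0202": "Virus Definition Update 2",
    "AVC0204": "Virus Definition Update 1",
    "AVE0131": "Virus Detection",
    "AVE0139": "Virus Scan",
    "AVI0135": "File Quarantined",
}
EXPECTED_FACILITY = 4  # "Facility: 4" on the event source
# Assumed RFC 3164-style line: <PRI>Mon DD hh:mm:ss host tag: MSGID text
# The exact SYSLOG layout emitted by the SIEM agent is not shown on this page.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} "
    r"(?P<host>\S+) [^:]+: (?P<msgid>AV[A-Z]\d{4}) (?P<text>.*)$")

def parse_line(line):
    """Parse one forwarded line into a dict, or return None if the layout differs."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m["pri"]), 8)  # PRI = facility * 8 + severity
    return {"host": m["host"], "facility": facility, "severity": severity,
            "msgid": m["msgid"], "text": m["text"],
            "description": EVENT_DESCRIPTIONS.get(m["msgid"], "UNKNOWN")}

def triage(lines):
    """Return (events, problems); problems are config mismatches worth checking."""
    events, problems = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            problems.append(f"unparseable: {line!r}")
            continue
        if ev["facility"] != EXPECTED_FACILITY:
            problems.append(f"{ev['msgid']}: facility {ev['facility']}, expected {EXPECTED_FACILITY}")
        if ev["description"] == "UNKNOWN":
            problems.append(f"{ev['msgid']}: no Event Description configured on PTAV")
        events.append(ev)
    return events, problems

def detections(events):  # AVE0131 (detection) and AVI0135 (quarantine) are worth alerting on
    return [e for e in events if e["msgid"] in ("AVE0131", "AVI0135")]

# Constructed sample lines, not real agent output.
SAMPLE = [
    "<33>Mar 14 09:15:44 IBMI01 PTAV: AVE0131 Virus detected in /home/user/invoice.zip",
    "<33>Mar 14 09:15:45 IBMI01 PTAV: AVI0135 File /home/user/invoice.zip quarantined",
    "<41>Mar 14 09:20:00 IBMI01 PTAV: AVC0204 Virus definitions updated",
    "<33>Mar 14 09:21:00 IBMI01 PTAV: AVX9999 Unexpected message",
]
```

Running triage(SAMPLE) reports the third line (facility 5 instead of the configured 4) and the fourth (an ID with no Event Description), while detections() isolates the detection and quarantine pair.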