Monitoring

Fortra strongly recommends that you monitor the Powertech Antivirus for IBM i messages logged to the Powertech Antivirus for IBM i message queue (STANDGUARD/AVMSGQ) and the system operator message queue (QSYSOPR) to ensure an ongoing problem is noticed and remedied as soon as possible.

You can monitor these message queues manually, or, to ensure timely notification, automate the monitoring with one of Fortra's products such as Robot Console or Powertech SIEM Agent for IBM i.

As important as it is to install antivirus protection on your server, it is equally important to know when problems occur. Important events that you need to monitor are:

  1. When Powertech Antivirus for IBM i has detected and removed a virus;
  2. If virus definition files could not be retrieved; and
  3. If the AVSVR job is ended or not running.

In addition, you could monitor other events, such as a scan ending abnormally or not running at all, virus definitions being updated, or licensing issues.

Manually monitoring the STANDGUARD/AVMSGQ message queue

To monitor the STANDGUARD/AVMSGQ manually, run the following command:

CHGMSGQ MSGQ(STANDGUARD/AVMSGQ) DLVRY(*BREAK) SEV(90)

IMPORTANT: You will need to run this command each time you sign on, or automate the command into an initial sign-on program.

Automated monitoring of the STANDGUARD/AVMSGQ message queue

If you are using a monitor product, we recommend you monitor the STANDGUARD/AVMSGQ message queue for messages of severity 90 and higher. Add an action to page you or send emails to a list of operators or administrators.

In a multiple-system/partition environment, distribute the monitor to each system running Powertech Antivirus for IBM i.

We recommend that you create an additional monitor to check for the absence of the completion message by a specific time. This will alert you to conditions where the automatic process is not starting, possibly due to a problem with the job schedule entry or job queue. In a multiple-system/partition environment, a monitor product can ensure all systems/partitions have reported the update process started and completed successfully, and notify an administrator with exceptions.

Messages Indicating an Issue

We recommend monitoring STANDGUARD/AVMSGQ for the following messages:

Message ID   Message Text
AVE0105      Error(s) occurred running task '*SYS'. See messages in job 440926/A_USER/AVFULLSCN
AVE0106      Task 'System virus scan task' completed with errors
AVE0131      FILE /tmp/eicar.com IS INFECTED WITH 'EICAR test file'
AVE0137      AVSVR process not running or not ready
AVE0139      1 virus(es) found. 0 file(s) not scanned due to errors
AVE0207      Error(s) occurred updating virus definitions.
AVE0208      Error(s) occurred during PTF processing. See joblog for details
AVE3001      User A_USER has been blocked by the anti-ransomware software
AVE3002      User A_USER has been detected by the anti-ransomware
AVI0135      File /tmp/Eicar.com quarantined
AVI0136      File /tmp/Eicar.com deleted
AVI0601      WARNING: Virus definitions are older than 7 days
CPF1240      Job 457911/STANDGUARD/AVUPDATE ended abnormally
CPI1146      Job not submitted for job schedule entry AVUPGRADE number 000027

Messages that may Indicate an Issue, depending on Message Values

The following messages only indicate an error if the value of one of the message variables exceeds a threshold.

Message ID   Message Text
AVE0107      Task '&23' completed with warnings. 0 viruses found, &4 file(s) scanned OK but &6 file(s) were not scanned due to errors

IMPORTANT: This message only indicates an issue if the number of files "not scanned due to errors" (message variable &6) is high. It is normal that some files are not scanned because they are locked at the time of the scan. No fixed threshold can be specified, but on production systems, it is normal that more than 100 files are locked at any point in time and therefore unavailable for scanning.

Message ID   Message Text
AVC1003      Object integrity scan task '&2' completed normally. &1 violations found.

IMPORTANT: This message only indicates an issue if the number of violations (message variable &1) is larger than zero.

Positive Messages

The following messages indicate normal operations.

Message ID   Message Text
AVC0103      Scan Task 'ALLSYS' completed normally. 7 file(s) OK, 0 file(s) skipped due to settings. No viruses found
AVC0202      No update required, local and remote versions are 8424
AVC0204      Virus definitions successfully updated to version 8077
AVE0138      No viruses found. 3 file(s) not scanned due to errors
CPC1236      Job 424208/STANDGUARD/AVUPDATE submitted for job schedule entry ...
CPF1241      Job 466364/STANDGUARD/AVUPDATE completed normally on...

NOTE: Most of these messages occur regularly, such as update-related messages that occur daily if the DAT updates have been configured to be executed daily. If your message management, scheduling software or SIEM supports checking for "missed" messages/events, we recommend configuring it to check if any of the above messages is not sent during the expected time windows.

TIP: Messages whose message IDs start with "AV" are based on message descriptions in message file STANDGUARD/AVMSGF. Some message management solutions may require this information.
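As an added example (not code from this page or from Fortra), the following Python snippet shows how a monitor could apply the threshold rules for AVE0107 and AVC1003 and the "missed message" check for the daily update described above. The sample queue entries, the 500-file threshold and the expected-message groups are constructed assumptions; a real deployment would take its threshold from local experience.

```python
import re

# Constructed sample entries from STANDGUARD/AVMSGQ (not a real capture);
# each entry is (timestamp, message ID, message text).
SAMPLE_MESSAGES = [
    ("2024-03-01 02:05:11", "AVC0204",
     "Virus definitions successfully updated to version 8077"),
    ("2024-03-01 03:10:42", "AVE0107",
     "Task 'ALLSYS' completed with warnings. 0 viruses found, "
     "18342 file(s) scanned OK but 37 file(s) were not scanned due to errors"),
    ("2024-03-01 03:10:43", "AVC1003",
     "Object integrity scan task 'INTEG' completed normally. 2 violations found."),
    ("2024-03-01 04:00:00", "AVE0131",
     "FILE /tmp/eicar.com IS INFECTED WITH 'EICAR test file'"),
]

# Message IDs the page lists as always indicating an issue.
ALWAYS_ALERT = {
    "AVE0105", "AVE0106", "AVE0131", "AVE0137", "AVE0139", "AVE0207", "AVE0208",
    "AVE3001", "AVE3002", "AVI0135", "AVI0136", "AVI0601", "CPF1240", "CPI1146",
}
# Assumed site-specific threshold for AVE0107's "not scanned due to errors" count (&6).
NOT_SCANNED_THRESHOLD = 500
# Messages expected every day; any one ID in a group counts as that step completing.
EXPECTED_DAILY = {"definition update": {"AVC0202", "AVC0204"},
                  "AVUPDATE job": {"CPF1241"}}


def should_alert(msg_id, text):
    """True when a message warrants an alert, applying the page's threshold rules."""
    if msg_id in ALWAYS_ALERT:
        return True
    if msg_id == "AVE0107":  # only an issue if &6 is high
        m = re.search(r"but (\d+) file\(s\) were not scanned", text)
        return m is not None and int(m.group(1)) > NOT_SCANNED_THRESHOLD
    if msg_id == "AVC1003":  # only an issue if &1 is larger than zero
        m = re.search(r"(\d+) violations found", text)
        return m is not None and int(m.group(1)) > 0
    return False


def alerts(messages):
    """Message IDs from the queue sample that should be escalated."""
    return [msg_id for _, msg_id, text in messages if should_alert(msg_id, text)]


def missing_expected(messages, expected, window_start, window_end):
    """Names of expected daily steps with no message inside the HH:MM:SS window."""
    seen = {msg_id for ts, msg_id, _ in messages
            if window_start <= ts.split(" ")[1] <= window_end}
    return sorted(name for name, ids in expected.items() if not ids & seen)
```

With the sample data, AVE0107 stays quiet (37 is under the assumed threshold) while AVC1003 and AVE0131 are escalated, and the absence of CPF1241 in the update window is reported as a missed completion.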

Licensing Messages

The following important licensing-related messages may be sent to the system operator message queue (QSYSOPR), and we recommend that you monitor the QSYSOPR message queue for their potential arrival.

Message ID   Message Text
LI00003      Your &1 license code is invalid
LI00004      Your &1 license code has expired
LI00005      Your &1 license code will expire at noon &2
LI00006      Your &1 license code will expire in &2 days, on &3
LI00007      Your &1 license code is invalid
L280215      License will expire if number of processors remains above license limits