On-Access Scanning

On-Access scanning refers to the process of scanning files as they are accessed and changed. To minimize the impact on performance, the operating system stores scan information with each file as it is opened. This process does not increase storage use and typically requires less than a second for most files. The first user to access the file will cause a scan to occur, but subsequent accesses by that user (or any other user) will not trigger a scan unless the file contents have changed.

Powertech Antivirus for IBM i requires a server job (AVSVR), running in the QSYSWRK subsystem, to be active at all times. During installation, this job is configured to start automatically every time you start your system. If this job is ended for any reason, scanning is disabled. We strongly recommend that you implement procedures to monitor this job to ensure it is always running and to restart the job as necessary. For monitoring suggestions, see Monitoring.

As files are scanned, IBM i updates the scan status information with the file. If the file is marked as infected, the operating system will not allow the file to be opened.

Requirements

You must have *ALLOBJ, *JOBCTL, and *SECADM authority to configure on-access scanning.

Setup

  1. To view or modify on-access settings, choose Setup Menu option 1, or type AVCHGA at the command line and press F4.
  2. Press PAGE DOWN for additional options.

  3. Configure scanning attributes as needed for your security policy. See Change AV On-Access Attributes (AVCHGA) command for details.

System Values

There are two system values that control when the operating system calls upon Powertech Antivirus for IBM i to scan a file: QSCANFS and QSCANFSCTL. You can access these settings by choosing option 4 from the Powertech Antivirus for IBM i Support Menu.

Scan file systems (QSCANFS)

Do not set this value to *NONE unless you want to disable all on-access and on-demand virus scanning.

QSCANFS identifies which file systems will be scanned using on-access scanning. The only supported value is *ROOTOPNUD. Only files in the Root, QOpenSys and UDFS file systems support on-access scanning. Other file systems, such as QDLS, do not support on-access scanning and must be scanned using on-demand scanning.

Scan file systems control (QSCANFSCTL)

QSCANFSCTL provides several options to balance security and performance. One or more of the following values may be specified. The default value is *NONE; however, when Powertech Antivirus for IBM i is installed, we change this setting to *FSVRONLY.

*FSVRONLY — Only accesses through the file servers will be scanned. For example, accesses through Network File System will be scanned as well as other file server methods. If this is not specified, all accesses will be scanned (5250 access will be scanned).

*USEOCOATR — The system will use the specification of the "object change only" attribute to only scan the object if it has been modified. If this is not specified, this "object change only" attribute will not be used, and the object will be scanned after it is modified and when virus definitions have changed. Using *USEOCOATR can make on-demand scans run considerably faster by not scanning files that have not changed. However, be aware this value may allow a virus to hide in a file indefinitely. Use with caution.

*ERRFAIL — If there are errors when attempting to scan a file (the AVSVR job is not running, for example), the operating system will not allow the file to be opened. If this value is not specified, the system will allow the file to be opened and treat it as if the object was not scanned.

Be careful using *ERRFAIL. If the file cannot be scanned for any reason (if the AVSVR job is not running, for example), the operating system will not allow any stream files to be opened.

*NOPOSTRST — After objects are restored, they will not be scanned just because they were restored. In general, it may be dangerous to restore objects without scanning them at least once. It is best to use this option only when you know that the objects were scanned before they were saved or they came from a trusted source.
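
The query below is an added example, not part of the Powertech documentation. It combines the AVSVR job check recommended above with the QSCANFS and QSCANFSCTL settings to report what currently happens when a file is opened. It assumes the IBM i SQL services QSYS2.SYSTEM_VALUE_INFO and QSYS2.ACTIVE_JOB_INFO are available on your release; the result column names (scan_state, scanned_accesses and so on) are chosen for this example.

```sql
-- Added example: on-access scanning health check for IBM i.
-- Assumes the QSYS2 services SYSTEM_VALUE_INFO and ACTIVE_JOB_INFO.
WITH sv AS (
  -- Pivot the two scan-related system values onto one row.
  SELECT
    MAX(CASE WHEN SYSTEM_VALUE_NAME = 'QSCANFS'
             THEN CURRENT_CHARACTER_VALUE END) AS qscanfs,
    MAX(CASE WHEN SYSTEM_VALUE_NAME = 'QSCANFSCTL'
             THEN CURRENT_CHARACTER_VALUE END) AS qscanfsctl
  FROM QSYS2.SYSTEM_VALUE_INFO
  WHERE SYSTEM_VALUE_NAME IN ('QSCANFS', 'QSCANFSCTL')
),
job AS (
  -- Count active AVSVR jobs in the QSYSWRK subsystem.
  SELECT COUNT(*) AS avsvr_jobs
  FROM TABLE(QSYS2.ACTIVE_JOB_INFO(
         SUBSYSTEM_LIST_FILTER => 'QSYSWRK',
         JOB_NAME_FILTER       => 'AVSVR')) AS j
)
SELECT
  sv.qscanfs,
  sv.qscanfsctl,
  job.avsvr_jobs,
  -- Overall state, following the behaviour described on this page.
  CASE
    WHEN sv.qscanfs LIKE '%*NONE%'
      THEN 'QSCANFS is *NONE: on-access and on-demand scanning disabled'
    WHEN job.avsvr_jobs = 0 AND sv.qscanfsctl LIKE '%*ERRFAIL%'
      THEN 'AVSVR not running with *ERRFAIL: stream file opens are refused'
    WHEN job.avsvr_jobs = 0
      THEN 'AVSVR not running: files open as if not scanned'
    ELSE 'scanning active'
  END AS scan_state,
  -- Which accesses trigger a scan.
  CASE WHEN sv.qscanfsctl LIKE '%*FSVRONLY%'
       THEN 'file server accesses only'
       ELSE 'all accesses, including 5250'
  END AS scanned_accesses,
  -- Settings that trade scan coverage for speed.
  CASE WHEN sv.qscanfsctl LIKE '%*USEOCOATR%'
       THEN 'YES: unchanged files are not rescanned on new definitions'
       ELSE 'NO' END AS useocoatr_set,
  CASE WHEN sv.qscanfsctl LIKE '%*NOPOSTRST%'
       THEN 'YES: restored objects are not rescanned'
       ELSE 'NO' END AS nopostrst_set
FROM sv CROSS JOIN job;
```

Run it on a schedule and alert on any scan_state other than 'scanning active'.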

IBM i Directory and File Scan Attributes

Each directory in the supported file systems has a value to control the scanning attribute for files created in that directory. As new files are created, they inherit the setting on their parent directory. You can view the directory settings using WRKLNK and IBM i Navigator. By default, all directories and files are configured to be scanned.

To change all files in a directory to not be scanned using on-access scanning, run the command CHGATR OBJ('/path/*') ATR(*SCAN) VALUE(*NO) SUBTREE(*ALL), where path is the name of the directory you want to change.

When you use the AVCHGA command, the scan attributes are updated automatically, so normally you do not need to run the CHGATR command. This information is provided in case you want to modify scan attributes outside the product (when you create a new directory, for example).