To prevent a viral infection of a z/OS system, identify and protect the critical gateways through which a program can gain supervisor state or the master storage protection key (key 0). Start with the authorized program facility (APF) libraries: a module loaded from an APF-authorized library and link-edited with AC=1 runs authorized and can then switch itself to supervisor state or key 0. Use the APF Library Analysis Functions to review the APF list. After confirming that your security software package protects every library on that list, trace every module in those libraries to a responsible source. Looking at program names alone is not enough, because a careful virus designer will follow IBM naming conventions; use the CA Auditor Product Identity Display to help identify program names. Likewise, do not rely on load module length to detect infection, because many programs contain “patch” areas of unused space in which a small virus can hide without changing the module's size.
Next, use the SVC Analysis Option to analyze all supervisor calls (SVCs), with particular emphasis on type 3 and type 4 SVCs, which normally execute from one of the virtual-storage-resident link pack areas (LPAs). A virus must be given control to do anything, and a commonly installed, high-use SVC guarantees that it is; intercepting one is therefore an attractive way for a virus to persist. Carefully review SVC table entries that point into areas such as the common service area (CSA or ECSA) or the modified link pack area (MLPA or EMLPA), where code can be installed after IPL. Because many program products modify the z/OS SVC table to dynamically install their own modules, you must determine which entries are legitimate. An SVC table alteration that you cannot account for can indicate that a virus has dynamically infected the system by front-ending a legitimate SVC: the table entry now points to the virus, which gets control before the legitimate SVC routine and then passes the call on to it so that the SVC still appears to work.
Examine other z/OS facilities as well. Check for unusual program properties table (PPT) entries, which can grant a program attributes such as a storage protection key of 0 or exemption from data set password protection. Carefully review system exits, appendages, and subsystems. Thoroughly research any irregularity for anything that could indicate the presence of a virus; for example, look for load modules that have grown inexplicably since their last compile. Use the CA Auditor Program Statistics Display to obtain each module's size and its compilation and link dates.
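The SVC table review above comes down to comparing the live table against a trusted baseline and the system's storage map. The following script is an added example written for this page, not CA Auditor code or output: it diffs two SVC table snapshots, names the storage area each entry point falls in, and flags new entries, moved entry points (the front-end signature), entry points in the dynamically modifiable areas (CSA, ECSA, MLPA, EMLPA) and type 3 or 4 SVCs that do not reside in an LPA. The record layout `SVC nnn TYPE t EPA hhhhhhhh MODULE name`, the storage-area boundaries, the module names and the `VENDORX` product prefix are all constructed for illustration; on a real system the entries and the storage map come from the system being reviewed.

```python
"""Baseline comparison of a z/OS SVC table snapshot.

Added example, not CA Auditor code. The record layout, the storage-area
boundaries and the sample entries below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class SvcEntry:
    number: int    # SVC number, 0-255
    svc_type: int  # SVC type, 1-6
    epa: int       # entry point address recorded in the SVC table
    module: str    # module name reported at that entry point


# Hypothetical 31-bit common-area boundaries (start, end). Every real system
# differs; take these from the storage map of the system being audited.
STORAGE_MAP = {
    "CSA":     (0x00C00000, 0x00E00000),
    "MLPA":    (0x00E00000, 0x00E40000),
    "PLPA":    (0x00E40000, 0x01400000),
    "NUCLEUS": (0x01400000, 0x01800000),
    "ECSA":    (0x02000000, 0x08000000),
    "EMLPA":   (0x08000000, 0x08200000),
    "EPLPA":   (0x08200000, 0x10000000),
}
# Areas code can be placed into after IPL, i.e. where a dynamically
# installed front end would sit.
DYNAMIC_AREAS = {"CSA", "ECSA", "MLPA", "EMLPA"}
# Link pack areas, where type 3 and type 4 SVC routines normally reside.
LPA_AREAS = {"PLPA", "EPLPA", "MLPA", "EMLPA"}


def area_of(addr: int) -> str:
    """Name the storage area containing addr, or 'UNKNOWN'."""
    for name, (start, end) in STORAGE_MAP.items():
        if start <= addr < end:
            return name
    return "UNKNOWN"


def parse_snapshot(text: str) -> Dict[int, SvcEntry]:
    """Parse constructed 'SVC nnn TYPE t EPA hhhhhhhh MODULE name' records."""
    table: Dict[int, SvcEntry] = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] != "SVC":
            continue  # blank line or heading
        entry = SvcEntry(int(f[1]), int(f[3]), int(f[5], 16), f[7])
        table[entry.number] = entry
    return table


def audit_svc_table(baseline: Dict[int, SvcEntry], current: Dict[int, SvcEntry],
                    accounted_prefixes: Iterable[str]) -> Dict[int, List[str]]:
    """Return {svc_number: [reasons]} for entries that need to be researched.

    accounted_prefixes: module-name prefixes of program products known (from
    change records, not from the table itself) to install SVC routines
    dynamically. They suppress only the location findings; an entry point
    that moved since the baseline is always reported for reconciliation.
    """
    findings: Dict[int, List[str]] = {}

    def flag(n: int, reason: str) -> None:
        findings.setdefault(n, []).append(reason)

    for n, cur in sorted(current.items()):
        area = area_of(cur.epa)
        base = baseline.get(n)
        if base is None:
            flag(n, f"NEW-ENTRY type {cur.svc_type} at {cur.epa:08X} ({cur.module})")
        elif base.epa != cur.epa:
            # Same SVC number, different target: the front-end signature.
            flag(n, f"ENTRY-POINT-CHANGED {base.epa:08X} ({area_of(base.epa)})"
                    f" -> {cur.epa:08X} ({area})")
        if any(cur.module.startswith(p) for p in accounted_prefixes):
            continue
        if area in DYNAMIC_AREAS:
            flag(n, f"DYNAMIC-AREA {area}, module {cur.module} not accounted for")
        if cur.svc_type in (3, 4) and area not in LPA_AREAS:
            flag(n, f"TYPE-{cur.svc_type}-OUTSIDE-LPA in {area}")
    return findings


# Constructed snapshots: a trusted baseline taken after IPL, and a later one
# in which SVC 40 has been front-ended from CSA, SVC 99 has moved, and an
# unexplained SVC 231 has appeared.
BASELINE = """\
SVC 000 TYPE 1 EPA 01402000 MODULE MOD000
SVC 008 TYPE 2 EPA 01404100 MODULE MOD008
SVC 040 TYPE 3 EPA 00E50200 MODULE MOD040
SVC 099 TYPE 4 EPA 00E61000 MODULE MOD099
SVC 200 TYPE 3 EPA 00C10000 MODULE VENDORX1
"""
CURRENT = """\
SVC 000 TYPE 1 EPA 01402000 MODULE MOD000
SVC 008 TYPE 2 EPA 01404100 MODULE MOD008
SVC 040 TYPE 3 EPA 00C3A000 MODULE MOD040
SVC 099 TYPE 4 EPA 0140A000 MODULE MOD099
SVC 200 TYPE 3 EPA 00C10000 MODULE VENDORX1
SVC 231 TYPE 3 EPA 00C3B000 MODULE MOD231
"""
ACCOUNTED = ("VENDORX",)  # hypothetical product whose dynamic SVC is documented


def run_example() -> Dict[int, List[str]]:
    return audit_svc_table(parse_snapshot(BASELINE), parse_snapshot(CURRENT), ACCOUNTED)


if __name__ == "__main__":
    for svc, reasons in run_example().items():
        for reason in reasons:
            print(f"SVC {svc:03d}: {reason}")
```

Note that SVC 200 sits in CSA but raises nothing, because its module prefix is on the accounted list: the allowlist is what turns "program products modify the SVC table" from noise into a finding only when the modification is unaccounted for. SVC 40 keeps its legitimate module name yet now points into CSA, which is exactly why the text warns against judging by names alone. The same baseline-and-diff approach applies to the APF list and the PPT.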
Copyright © 2009 CA. All rights reserved.