Although the IBM AIX operating system cannot run PC executable files, its files aren’t immune to malicious software (malware and viruses) that can corrupt and infect AIX files. Exposed AIX systems can act as malware storage warehouses, holding infected files until someone on your network downloads and runs them on an attached client.
This post covers how malware attacks AIX systems, ways to guard against AIX malware attacks, and what to look for in an AIX-based anti-virus solution.
How malware infects AIX files
Malware-infected clients can corrupt AIX files by using the Network File System (NFS) protocol. NFS allows remote users to access AIX file systems over the network the same way that they can access files on local storage or on other file servers. Most clients can access AIX files through NFS shares, including Microsoft Windows and Linux systems as well as through cloud storage systems such as Microsoft Azure, Amazon Web Services (AWS), and Google Filestore.
When a malware-infected client uses NFS to access an AIX file system, it can corrupt files in that system. That corruption can then spread to other machines through NFS downloads, infecting them in turn and causing a network-wide virus outbreak. AIX file systems become asymptomatic malware carriers, storing infected files until other systems download them and become infected.
Native AIX anti-malware protection
There are several steps organizations can take to natively limit and prevent AIX malware infections, including:
- Limit NFS access: If NFS isn’t needed, turn it off to remove that attack vector entirely.
- Export file systems according to the Principle of Least Privilege (PoLP): Give NFS users only the authority they need to perform their duties. Make read-only the default access for exported file systems and grant write authority only to the users who actually need it.
- Review and strengthen NFS security: IBM publishes guidelines for securing NFS servers on its Network File System security documentation page; review them and tighten your configuration to limit the file systems’ exposure to malware.
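Applying the least-privilege rule above to a real exports file is easiest with a small audit script. The Python below is an added example written for this post, not SEA’s or IBM’s code: it parses the AIX `/etc/exports` layout (`/path -option,option=value,...`) and flags exports that have no `access=` host list, exports that are writable by every client that can mount them, and exports that honour a client’s root identity via `root=`. The sample exports are constructed, and the three rules are this example’s own definition of “too wide”.

```python
"""Least-privilege audit of an AIX-style /etc/exports file.

Added example for this post, not SEA's or IBM's code. The sample below is
constructed. Rules (this example's own definition of 'too wide'):
  - no access= list                         -> any host that can reach the server may mount it
  - rw with no host list, or neither ro/rw  -> writable by every client that can mount it
  - root= present                           -> those clients' root is honoured as root here
"""
from dataclasses import dataclass, field


@dataclass
class Export:
    path: str
    options: dict = field(default_factory=dict)  # option name -> value ("" when none)


def parse_exports(text):
    """Parse exports lines; '#' starts a comment, blank lines are skipped."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts = {}
        if len(parts) == 2 and parts[1].startswith("-"):
            for opt in parts[1][1:].split(","):
                name, _, value = opt.partition("=")
                opts[name.strip()] = value.strip()
        exports.append(Export(parts[0], opts))
    return exports


def findings(export):
    """Return the list of least-privilege problems for one export."""
    o = export.options
    problems = []
    if "access" not in o:
        problems.append("no access= list: any host can mount it")
    if ("rw" in o and o["rw"] == "") or ("rw" not in o and "ro" not in o):
        problems.append("writable by every client that can mount it")
    if "root" in o:
        problems.append(f"root= honours client root for: {o['root'] or '(unspecified)'}")
    return problems


def audit(text):
    """Map each exported path to its findings (empty list = looks tight)."""
    return {e.path: findings(e) for e in parse_exports(text)}


# Constructed sample, not a real server's file.
SAMPLE_EXPORTS = """\
# scratch area exported with no options at all
/export/scratch
/export/builds  -rw=build01:build02,access=build01:build02:dev05
/export/docs    -ro,access=ws01:ws02
/export/admin   -rw,root=adm01
"""

if __name__ == "__main__":
    for path, problems in audit(SAMPLE_EXPORTS).items():
        print(("FIX " if problems else "OK  ") + path)
        for p in problems:
            print("      - " + p)
```

The script only reads the file, so it can run from cron or a change-control pipeline. On AIX, `lssrc -g nfs` shows whether the NFS subsystems are active at all; an export that nobody needs is better removed than tightened.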
What to Look for in IBM AIX Anti-Malware Solutions
Beyond native AIX anti-malware protection, consider whether you need to provide additional protection by using a third-party AIX anti-malware solution such as iSecurity Antivirus for AIX, or by programming a do-it-yourself (DIY) anti-malware solution.
Third-party solutions are ready to go out of the box for malware protection, have been established and supported over time, free up application resources for line-of-business processing, and provide advanced security reporting.
With a DIY solution, your organization will have to dedicate in-house developer resources to program, maintain, and support your solution. DIY solutions can result in weaker security protections against AIX malware infections versus a third-party product, as well as increased organizational developer needs.
Whatever AIX solution you choose to implement, look for the critical capabilities listed in Table 1 below for the most effective anti-malware protection.
Table 1: Critical Capabilities for Third-Party AIX Anti-Malware Solutions
- Native AIX anti-malware scanning: Malware scanning is CPU intensive, and running it on a remote system adds latency and is prone to communication failures. To improve scanning performance, prefer solutions that run natively on IBM AIX.
- On-demand, scheduled, and on-access scanning: Look for solutions that can perform on-demand scanning as well as scheduled scanning of NFS files. On-access scanning scans files when they are created, opened, or modified.
- Only-new scanning: When only-new scanning is activated, recently scanned files are not rescanned unless they have changed. This improves scanning performance by cutting down the number of files examined during on-demand or scheduled scans.
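The only-new approach can be seen in a small incremental scanner. The Python below is an added illustration, not SEA’s or any product’s code: it keeps a manifest of size, mtime and SHA-256 per scanned file and hands only new or changed files to the engine. `demo_scan_file` stands in for a real engine call and is an assumption; the files and the marker string are constructed. The walkthrough also shows the caveat a practitioner should know: a cheap size-plus-mtime check is fooled by a same-length rewrite with the timestamp restored, which the optional digest comparison catches at the cost of reading the file.

```python
"""Only-new (incremental) scan selection, added example for this post.

Not SEA's or any product's code. demo_scan_file() is a stand-in for a real
engine call (assumption); the sample files and marker are constructed.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint(path):
    """Cheap change indicator: (size, mtime in ns). No file content is read."""
    st = os.stat(path)
    return st.st_size, st.st_mtime_ns


def needs_scan(path, manifest, verify_digest=False):
    """True if path is new or changed since its manifest entry was written."""
    entry = manifest.get(path)
    if entry is None:
        return True
    if fingerprint(path) != (entry["size"], entry["mtime_ns"]):
        return True
    # Size and mtime match. That is spoofable (timestamps can be reset), so
    # optionally confirm with a digest; still cheaper than a full engine pass.
    return verify_digest and sha256_of(path) != entry["sha256"]


def scan_tree(root, manifest, scan_file, verify_digest=False):
    """Walk root, scan only what needs_scan() selects, refresh the manifest.
    Returns the paths actually handed to the engine."""
    scanned = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not needs_scan(path, manifest, verify_digest):
                continue
            verdict = scan_file(path)
            size, mtime_ns = fingerprint(path)
            manifest[path] = {"size": size, "mtime_ns": mtime_ns,
                              "sha256": sha256_of(path), "verdict": verdict}
            scanned.append(path)
    return scanned


def demo_scan_file(path):
    """Stand-in engine (assumption): a constructed marker string counts as a hit."""
    with open(path, "rb") as f:
        return "infected" if b"CONSTRUCTED-MARKER" in f.read() else "clean"


def demo():
    """Constructed walk-through; returns how many files each pass scanned."""
    root = tempfile.mkdtemp()
    a, b = (os.path.join(root, n) for n in ("a.txt", "b.txt"))
    for p in (a, b):
        with open(p, "wb") as f:
            f.write(b"hello world\n")
    manifest = {}
    first = len(scan_tree(root, manifest, demo_scan_file))    # everything is new
    second = len(scan_tree(root, manifest, demo_scan_file))   # nothing changed
    with open(a, "ab") as f:
        f.write(b"more\n")                                     # size and mtime change
    third = len(scan_tree(root, manifest, demo_scan_file))
    # Same-length rewrite of b with the old mtime put back: the cheap check misses it.
    old = os.stat(b)
    with open(b, "wb") as f:
        f.write(b"HELLO WORLD\n")
    os.utime(b, ns=(old.st_atime_ns, old.st_mtime_ns))
    fourth = len(scan_tree(root, manifest, demo_scan_file))
    fifth = len(scan_tree(root, manifest, demo_scan_file, verify_digest=True))
    return first, second, third, fourth, fifth


if __name__ == "__main__":
    print(demo())  # (2, 0, 1, 0, 1)
```

In production the manifest would be persisted (and protected from the same users who can write the exported files) and invalidated whenever the signature database is updated, since a file that was clean against yesterday’s signatures is not known to be clean against today’s.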
- Marking, quarantining, and deleting infected files: Look for solutions that offer a choice of actions and resolutions to take when malware scanning detects an infected file.
- Automated, regular signature database updates: Malware signature databases should be downloaded and updated regularly from a trusted signature provider, such as the Cisco ClamAV open-source engine. Updating signatures at least once daily helps detect newly released as well as known malware and viruses.
- Heuristic scanning: Heuristic scanning looks for zero-day malware and virus infections for which no signature has yet been released. It detects infected AIX files from the behavior and properties of the scanned file rather than from a matching entry in the signature database.
- Protection against malware disabling the anti-malware solution: Many viruses attempt to disable anti-malware software to stop detection. Look for solutions that cannot be disabled or shut down by malware, so that protection runs without interruption.
- Multiple anti-malware console interfaces: Malware scanning should be configured, activated, monitored and controlled from multiple IBM AIX console interfaces, including a Web UI interface and native IBM AIX interfaces.
- Command-line scanning: Malware scanning can be started and controlled from a command line interface as well as through the anti-malware console interface. Command-line scanning allows for greater flexibility and scheduling options for malware detection and response.
- AIX admin and responder notifications: Select software that alerts admins, IT responders, and management when a malware infection is found. Notifications are usually delivered via text messages, emails, and other methods.
- AIX malware history logging for review, analysis, and forensics: Look for packages that provide malware history logging and reporting for DevOps analysis, forensic analysis, and audit and compliance reporting.
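To show how signature matching, heuristic scanning, the mark/quarantine/delete actions and history logging fit together, here is an added Python example; it is not SEA’s, IBM’s or ClamAV’s code. The signature database is a constructed dictionary of byte patterns, the heuristic is a Shannon-entropy check on the file body (a textbook stand-in for a real engine’s behavioural analysis, with the 7.2 bits/byte threshold an assumption), the per-verdict policy is this example’s own, and every result is appended to a JSON-lines history log that a responder or auditor can review.

```python
"""Signature + heuristic scan with policy actions and a history log.

Added example for this post, not SEA's, IBM's or ClamAV's code. The
signature database, sample files and policy are constructed; the entropy
heuristic and its threshold are assumptions standing in for a real engine.
"""
import hashlib
import json
import math
import os
import shutil
import tempfile
import time
from collections import Counter

SIGNATURES = {"Test.Marker.A": b"CONSTRUCTED-MARKER-A"}  # constructed database
ENTROPY_THRESHOLD = 7.2   # bits/byte (assumption); packed/encrypted bodies sit near 8.0
MIN_HEURISTIC_SIZE = 256  # tiny files give noisy entropy estimates
POLICY = {"infected": "quarantine", "suspicious": "mark", "clean": "none"}


def shannon_entropy(data):
    """Bits per byte of the byte distribution in data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan(path):
    """Signature pass first, heuristic pass second; returns a result record."""
    with open(path, "rb") as f:
        data = f.read()
    hits = [name for name, pat in SIGNATURES.items() if pat in data]
    flags = []
    if len(data) >= MIN_HEURISTIC_SIZE and shannon_entropy(data) > ENTROPY_THRESHOLD:
        flags.append("high-entropy-body")
    verdict = "infected" if hits else "suspicious" if flags else "clean"
    return {"path": path, "sha256": hashlib.sha256(data).hexdigest(),
            "verdict": verdict, "signatures": hits, "heuristics": flags}


def quarantine(path, qdir):
    """Move the file into qdir under a neutral name and make it read-only."""
    os.makedirs(qdir, exist_ok=True)
    dest = os.path.join(qdir, hashlib.sha256(path.encode()).hexdigest()[:16] + ".quar")
    shutil.move(path, dest)
    os.chmod(dest, 0o400)
    return dest


def handle(result, qdir, log_path, policy=POLICY):
    """Apply the policy action for the verdict and append a JSON-lines history record."""
    action = policy.get(result["verdict"], "none")
    record = dict(result, action=action,
                  ts=time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()))
    if action == "quarantine":
        record["quarantined_to"] = quarantine(result["path"], qdir)
    elif action == "delete":
        os.remove(result["path"])
    with open(log_path, "a") as f:
        f.write(json.dumps(record) + "\n")
    return record


def demo():
    """Constructed run over three files; returns {name: (verdict, action)}."""
    root = tempfile.mkdtemp()
    samples = {
        "notes.txt": b"quarterly notes\n" * 40,                               # clean text
        "dropper.bin": b"header" + b"CONSTRUCTED-MARKER-A" + b"\0" * 300,      # signature hit
        "blob.dat": os.urandom(4096),                                          # no signature, high entropy
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    log_path = os.path.join(root, "scan-history.jsonl")
    out = {}
    for name in samples:
        rec = handle(scan(os.path.join(root, name)), os.path.join(root, "quarantine"), log_path)
        out[name] = (rec["verdict"], rec["action"])
    return out


if __name__ == "__main__":
    for name, (verdict, action) in demo().items():
        print(f"{name:12s} {verdict:10s} {action}")
```

The history log records the path, digest, verdict, evidence and action for every file touched, which is exactly what a forensic review or compliance audit needs later. A real deployment would write that log somewhere the scanned users cannot modify and would route the “infected” and “suspicious” records to the notification channel described above.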
AIX systems aren’t immune to malware infections
Even though malware cannot run on IBM AIX systems, malware can corrupt AIX files and be downloaded to and infect AIX clients. Feel free to contact SEA if you have any questions about malware cybersecurity on IBM AIX or if you’d like to evaluate and strengthen your own AIX malware cybersecurity.