Scan file system control

The scan file systems control system value controls the integrated file system scanning that is enabled when exit programs are registered with any of the integrated file system scan-related exit points.

This system value works with the scan file systems system value to provide granular controls on how and what is scanned in the integrated file system. You can choose the different scanning options and you can select to use default scan options which provide the following scan controls:

See Table 2 for details on this system value.

Optionally, you can select several scan options that control how and what the registered exit programs scan. These options are described in the following table:

Table 1. Possible values for the scan file system control system value
iSeries™ Navigator | Character-based interface | Description
No selections | *NONE | No controls are being specified for the integrated file system scan-related exit points.
Scan accesses through file servers only | *FSVRONLY | Only accesses through the file servers to the system will be scanned. However, native or direct connections to the system are not scanned. If this option is not selected, all accesses will be scanned no matter if you connect directly to the system or through a file server.
Fail request if exit program fails | *ERRFAIL | This option specifies that the request or operation that started the exit program will fail if there are errors when the exit program is called. If this happens, the requested operation receives an indication that the scan failed on that object. If you do not select this option, the system will skip the failing exit program and treat the object as if it was not scanned by this exit program.
Perform write access upgrades (selected) | NA | This option allows the system to upgrade the access for the scan descriptor passed to the exit program to include write access, if possible. Use this option if you want the exit program to be able to fix or modify objects even though they were originally opened with read-only access.
Perform write access upgrades (deselected) | *NOWRTUPG | This option specifies that the system will not upgrade the access to include write access.
Use only when objects have changed attribute to control scan | *USEOCOATR | With this option, the system specifies the 'object change only' attribute to scan the object if it has been changed.
Fail close request if scan fails during close | *NOFAILCLO | This option specifies that the system will fail the close request if an object failed a scan during close processing. This option only applies to close requests. If the Fail request if exit program fails option is selected and this option is not selected, the system will not send a failure indication even though an object failed a scan during close processing. But, the object will be marked as failing a scan.
Scan on next access after object has been restored | *NOPOSTRST | This option indicates that regardless of how an object is defined with its scan attribute, the object will be scanned after it is restored. If the object scan attribute indicates that the object will not be scanned, this option forces a scan after the object is restored. If the object scan attribute indicates that the object will be scanned if it has been changed since the last scan, then the object will be scanned after a restore since the restore operation is considered a change to the object.

Relationship to security policy

Scanning control options provide granular control over the use of scan-related exit programs for the integrated file system. For security purposes, when the exit programs are designed to detect viruses, you can use these options to enhance detection of computer viruses and suspicious programs that may be in your integrated file system.

Table 2. Quick reference. Provides details for the scan file system control system value.
iSeries Navigator name: Scan control
Character-based interface name: QSCANFSCTL
Authority:
  *ALLOBJ
  *SECADM
  Note: The QSECOFR user profile is shipped with these authorities.
How to access:
  iSeries Navigator
    1. Expand Security > Policies.
    2. Right click Security Policy and select Properties.
    3. On the Scan page, you will find the options for scan control.
  Character-based interface
    1. In the character-based interface, type WRKSYSVAL QSCANFSCTL.
Changes take effect: Immediately
Default value: Use default scan control options
Recommended values:
  For strict security environments
    Select the Fail request if exit program fails option and ensure that the Perform write access upgrades option is deselected. With these settings, any failure from the scan exit programs prevents the associated operation, and the scan exit program does not gain additional access levels.
  For less strict security environments
    For most environments, you can choose not to select these options or simply use the default options.
Lockable: Yes
Special considerations: When installing code that is shipped from a trusted source, it is recommended that you specify Scan on next access after object has been restored during the installation.
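
The strict-environment recommendation above can be checked mechanically against a QSCANFSCTL keyword list. The following is an added example, not IBM code: the function names are hypothetical, the input is assumed to be the space-separated keywords set for the system value, and the *FSVRONLY finding is informational (taken from Table 1, not from the recommendation).

```python
# Added example: audit a QSCANFSCTL keyword list against the page's
# strict-security recommendation. Function names are hypothetical.

KNOWN = {"*NONE", "*FSVRONLY", "*ERRFAIL", "*NOWRTUPG",
         "*USEOCOATR", "*NOFAILCLO", "*NOPOSTRST"}


def parse_qscanfsctl(raw):
    """Split a space-separated keyword list and reject malformed input."""
    values = raw.upper().split()
    if not values:
        raise ValueError("empty value list")
    unknown = [v for v in values if v not in KNOWN]
    if unknown:
        raise ValueError(f"unrecognised keyword(s): {unknown}")
    if len(set(values)) != len(values):
        raise ValueError("duplicate keyword")
    # *NONE means "No selections", so it cannot sit beside another keyword.
    if "*NONE" in values and len(values) > 1:
        raise ValueError("*NONE cannot be combined with other keywords")
    return values


def audit_strict(raw):
    """Return {keyword: finding}; an empty dict means nothing was flagged."""
    values = set(parse_qscanfsctl(raw))
    findings = {}
    if "*ERRFAIL" not in values:
        findings["*ERRFAIL"] = ("not set: a failing exit program is skipped "
                                "and the object is treated as not scanned by it")
    if "*NOWRTUPG" not in values:
        findings["*NOWRTUPG"] = ("not set: the scan descriptor may be "
                                 "upgraded to include write access")
    if "*FSVRONLY" in values:
        findings["*FSVRONLY"] = ("set (informational): native or direct "
                                 "connections to the system are not scanned")
    return findings


if __name__ == "__main__":
    # Constructed sample settings, not taken from a real system.
    for sample in ("*NONE", "*FSVRONLY *ERRFAIL", "*ERRFAIL *NOWRTUPG"):
        result = audit_strict(sample)
        print(sample, "->", "OK" if not result else result)
```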

For more detailed information about this security value, see Chapter 3, "Security System Values" in Security Reference.