Security system values: Scan control

The Scan control system value is also known as QSCANFSCTL. You can use this system value to choose between the default scan control options and a set of scan control options that you specify.

Quick reference
Location: From IBM® Navigator for i, select Configuration and Service > System Values. Right-click on Security and click Properties, then select the Scan tab.
Special authority: All object (*ALLOBJ) and security administrator (*SECADM).
Default value: Use default scan control options.
Changes take effect: Immediately.
Lockable: Yes. (See Lock function of security-related system values for details.)

What can I do with this system value?

You can specify scanning options for the Use registered exit programs to scan the root (/), QOpenSys, and user-defined file systems (QSCANFS) system value. These options control the integrated file system scanning on the system when exit programs are registered with any of the integrated file system scan-related exit points.

This system value has the following options:

Use default scan control options (*NONE specified)
The system uses the following scanning options when calling the registered exit programs:
  • Perform write access upgrades
  • Fail close request if scan fails during close
  • Scan on next access after object has been restored
Use specified scan control options
Select which scanning options the system should use when calling the registered exit programs. Select from the following options:
Scan accesses through file servers only (*FSVRONLY specified)
When this option is selected, only accesses to the iSeries server through a file server are scanned. Accesses through the Network File System (NFS) are scanned, as are accesses through other file server methods. However, native or direct connections to the iSeries server are not scanned. If this option is not selected, all accesses are scanned, whether you connect directly to the iSeries server or through a file server.
Fail request if exit program fails (*ERRFAIL specified)
When this option is selected, the request or operation that triggered the call to the exit program fails if there are errors when the exit program is called. Possible errors include the program not being found or the program not being coded correctly to handle the exit program request. If this happens, the requested operation receives an indication that the object failed a scan. If this option is not selected, the system skips the failing exit program and treats the object as if it was not scanned by this exit program.
Perform write access upgrades (*NOWRTUPG not specified)
By selecting this option (*NOWRTUPG not specified), you are specifying to allow the iSeries system to upgrade the access for the scan descriptor passed to the exit program to include write access, if possible. Use this option if you want the exit program to be able to fix or modify objects even though they were originally opened with read-only access. If this option is not selected, the system will not upgrade the access to include write access.
Use 'only when objects have changed' attribute to control scan (*USEOCOATR specified)
When this option is selected, the system uses the 'object change only' attribute so that the object is scanned only if it has been modified (and not also because scan software has indicated an update). If this option is not selected, the 'object change only' attribute is not used, and the object is scanned after it is modified and when scan software indicates an update.
Fail close request if scan fails during close (*NOFAILCLO not specified)

When this option is selected (*NOFAILCLO not specified), the system will fail the close request if an object failed a scan during close processing. This option only applies to close requests.

If this option is not selected (*NOFAILCLO specified), the system will not fail the close request if an object failed a scan even if the Fail request if exit program fails option is selected.

For example, if the Fail request if exit program fails option is selected and this option is not selected, the system will not send a failure indication even though an object failed a scan during close processing. But, the object will be marked as failing a scan.

Scan on next access after object has been restored (*NOPOSTRST not specified)

When this option is selected (*NOPOSTRST not specified), objects are scanned at least once after being restored, no matter what their object scan attribute is. If the object scan attribute is that 'the object will not be scanned,' the object will be scanned once after being restored. If the object scan attribute is that 'the object will only be scanned if it has been modified since the last time it was scanned,' the object will be scanned after being restored because the restore is treated as a modification to the object.

If this option is not selected (*NOPOSTRST specified), objects will not be scanned just because they are restored. Scanning depends on the object's scanning attribute.

In general, it is good practice to scan restored objects at least once. However, you may choose not to select this option if you know that the objects being restored were scanned before they were saved or that they came from a trusted source.

Only stream file objects that are in Type 2 directories are scanned.
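
Several of the keywords above are inverted (the behaviour is on unless the *NO... keyword is present), which makes a raw QSCANFSCTL value easy to misread. The following added example (not IBM code) maps a blank-separated value to the behaviour each option selects and lists where scanning or failure reporting is reduced. The function names, the dictionary keys, and the rule that *NONE is not combined with other keywords are assumptions made for illustration.

```python
# Added example: interpret a QSCANFSCTL value using the keyword meanings on this page.
KEYWORDS = ("*NONE", "*FSVRONLY", "*ERRFAIL", "*NOWRTUPG",
            "*USEOCOATR", "*NOFAILCLO", "*NOPOSTRST")


def effective_options(value):
    """Map a blank-separated QSCANFSCTL value to the behaviour each option selects."""
    tokens = set(value.upper().split())
    unknown = tokens - set(KEYWORDS)
    if not tokens or unknown:
        raise ValueError("unrecognised QSCANFSCTL value: %r" % value)
    # Assumption: *NONE (use the defaults) is not combined with specific options.
    if "*NONE" in tokens and len(tokens) > 1:
        raise ValueError("*NONE cannot be combined with other options")
    return {
        "file_servers_only": "*FSVRONLY" in tokens,
        "fail_request_on_exit_program_error": "*ERRFAIL" in tokens,
        "use_object_change_only_attribute": "*USEOCOATR" in tokens,
        # The *NO... keywords are inverted: the behaviour is on unless the keyword is present.
        "write_access_upgrade": "*NOWRTUPG" not in tokens,
        "fail_close_on_scan_failure": "*NOFAILCLO" not in tokens,
        "scan_after_restore": "*NOPOSTRST" not in tokens,
    }


def coverage_notes(value):
    """List where this value leaves an access unscanned or a failure unreported."""
    opts = effective_options(value)
    notes = []
    if opts["file_servers_only"]:
        notes.append("*FSVRONLY: native or direct accesses are not scanned")
    if not opts["fail_request_on_exit_program_error"]:
        notes.append("no *ERRFAIL: a failing exit program is skipped")
    if not opts["fail_close_on_scan_failure"]:
        notes.append("*NOFAILCLO: close succeeds even if the object failed a scan")
    if not opts["scan_after_restore"]:
        notes.append("*NOPOSTRST: restored objects are not scanned because of the restore")
    return notes


if __name__ == "__main__":
    # Constructed sample values, not taken from a real system.
    for sample in ("*NONE", "*ERRFAIL *NOFAILCLO", "*FSVRONLY *NOPOSTRST"):
        print(sample, effective_options(sample), coverage_notes(sample), sep="\n  ")
```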