Virus Scan Provider: describes the access to a virus scanner
Virus Scan Adapter: extends the SAP kernel functionality and enables the SAP kernel to access the malware scanner directly. The virus scan adapter is loaded as a dynamic library (DLL on Windows). It is executed within the address space of the J2EE or ABAP engine and is, therefore, the variant offering the highest performance.
Virus Scan Server: defines a (logical or physical) server that gets scan-objects via SAP RFC. This variant delivers significantly lower scan throughput and might fail when scanning large files. Its use is discouraged.
Virus Scan Group: A Virus Scan Group may contain several Virus Scan Providers with identical configurations
Virus Scan Profile: allows administrators to combine the unique functionalities of multiple Virus Scan Groups using logical AND/OR relationships. Creating configurations where files will be checked by multiple virus scan engines is possible. Also, Virus Scan Profiles may be created to maintain granular, application-specific scanning configurations.
2.Configuration in SAP AS ABAP
Once installed, the bowbridge Anti-Virus basic configuration is performed entirely from the SAP customization tools. Additional options, such as activating debug tracing, specifying alternative update sources or fine-tuning of active-content types, can be achieved via configuration files in an on-premises deployment or via the bowbridge customer portal in Hybrid- and Cloud-deployments.
Setting up virus protection for ABAP-based SAP applications requires the following major steps:
1. Definition of Virus Scanner Groups
2. Definition of Virus Scan Providers
3. Definition and activation of Virus Scan Profiles
4. On SAP gateway systems, activation of Virus Scanning at the SAP gateway.
2.1.Maintaining Virus Scanner Groups
A scanner group combines multiple virus scanners of the same type. As users will select the Virus Scan Provider using the scanner group when maintaining the virus scan profile, they must assign each Virus Scan Provider to at least one scanner group.
We recommend setting up multiple scanner groups in order to maintain multiple scan configurations on the system.
To set up and maintain Scanner Groups, access transaction VSCANGROUP. A list of key-value pairs may be specified as Configuration Parameters for every group.
Upon completing the OS-level installation, the bowbridge-installation-summary.txt file contains the required parameters and their values.
NOTE:
Not all parameters displayed in the parameter selection are valid in Virus Scanner Groups. Only the INIT*-parameters are relevant. And of those, only the ones below are required/supported by bowbridge Anti-Virus 4.
The options supported by bowbridge Anti-Virus 4 are:

| Parameter Name | Required? | Notes |
| --- | --- | --- |
| INITDIRECTORY | Yes | bowbridge program base-path |
| INITDRIVERS | Yes | URL of the message broker |
| INITEXTRADRIVERS | No | Encryption key for events (optional) |
| INITENGINES | Yes | List and order of scan workers to use |
| INITLICENSE_PATH | Yes | API key and authentication to the broker |
| INITSERVERS | Only for ICAP and ClamAV | ICAP-URLs or ClamAV connection URL |
| INITTIMEOUT | No | Initialization timeout for the Virus Scan Provider |
| INITTEMP_PATH | No | Temporary directory to use. If not specified, the OS-level default is used |

Because the initialization parameters defined in the Virus Scanner Group will apply to all hosts and are usually transported to all systems of a system line, one should use paths that exist on all affected instances. If SID-specific paths have to be used, using environment variables, such as $SAPSYSTEMNAME or $HOSTNAME is supported for path and file names. The values will be expanded/resolved to respective values on each system.
2.2.Maintaining Virus Scan Providers
To set up and maintain Scanner Groups, access transaction VSCANGROUP.
NOTE:
SAP VSI supports two types of Virus Scan Providers:
Virus Scan Adapter
Virus Scan Server
While both options are fully supported with Anti-Virus, bowbridge and SAP recommend using the Virus Scan Adapter configuration whenever possible because it is more stable, delivers much better performance, and overcomes other limitations of the Virus Scan Server deployment mode. See SAP Note 782963 for details.
If you have to deploy bowbridge Anti-Virus in the Virus Scan Server model, please contact bowbridge technical support for additional documentation on implementing that configuration. We also encourage looking at the “Scan-Server” deployment model of bowbridge Anti-Virus 4. It combines the advantages of a central scanning server with those of not using RFC to transfer files to be scanned.
Upon creating/maintaining a Virus Scan Provider, the following parameters must be provided:

| Parameter Name | Notes |
| --- | --- |
| Provider Type | Use “Adapter” whenever possible |
| Provider Name | Must begin with “VSA_”. Using the default works fine. |
| Scanner Group | The scanner group this provider is part of |
| Status | Controls how the Provider is started. CCMS will periodically check the Provider’s status and attempt to bring/restore it to the defined status. In most cases, this should be “Active Application-Server” |
| Server | The application server this particular VSA runs on. In SAP systems with multiple instances, one Virus Scan Provider must be maintained for each instance. |
| Interval Reinit | Specifies the interval in which CCMS will attempt to re-initialize the Virus Scan Provider. While not technically needed, a Re-Init refreshes the data displayed in VSCAN. A re-initialization can also be triggered manually by clicking the “Load” button |
| Adapter Path | Fully qualified path to the libbbAV.so.4 file. Environment variables, such as $SAPSYSTEMNAME or $HOSTNAME are supported in the path parameter and will expand/resolve to the local value on each instance. |

2.3.Maintaining Virus Scan Profiles
Virus Scan Profiles are a set of parameters specifying how a scan will be performed. Their names reference ABAP function modules in which the Virus Scan Profile name is hard-coded. During the execution of such function modules, scans are automatically performed with the profile settings if the respective virus scan profile is marked as “active”. Each profile defines one or more “Steps,” invoking a virus scan provider from a Virus Scanner Group or referencing another Virus Scan Profile.
Since SAP BASIS 757, inactive virus scan profiles will result in warning messages (event type “FU0”) in the SAP Security Audit Log.
For example, if the SCET/GUI_UPLOAD profile is active, then any file upload via SAP GUI will be scanned with the settings of the SCET/GUI_UPLOAD profile. This is fully transparent to the application using the function module and works without any application changes.
SAP delivers several virus scan profiles, which are mostly empty. In their default configuration, they reference the so-called “Default Profile.”
There are, therefore, two ways to manage Virus Scan Profiles effectively:
1. Maintain the Scan Settings in each relevant profile individually. This approach makes sense for maintaining specific scan settings that vary by function module; for example, if GUI uploads need to be scanned with settings other than HTTP uploads. In this case, uncheck the “Use Reference” checkbox in the Virus Scan Profile and maintain steps, MIME-types, and profile configuration parameters in the Virus Scan Profile.
2. Create one or a few “reference profiles” with common scan settings and use those as references in the other profiles that need to be activated. For this approach, create new profiles in the Z or Y namespace and maintain the required parameters. For example, administrators could create a Z_BASIC profile for pure virus scanning and a Z_ADVANCED profile containing more advanced filtering, like MIME-type filters and active content detection. If, additionally, one of the reference profiles is marked as “Default,” it would be sufficient to activate any other SAP-delivered profile for it to reference the Default Profile and perform scans with the settings of the Default Profile.
In either case, the profiles contain the following parameters:
Dialog Structure Folder “Virus Scan Profile”

| Parameter Name | Type | Required? | Notes |
| --- | --- | --- | --- |
| Scan Profile Name | Text | Yes | Custom profiles must be in Y or Z namespaces |
| Profile Text | Text | No | A free-form descriptive text |
| Active | Checkbox | No | Marks the profile as active |
| Default Profile | Checkbox | No | Marks this profile as Default. Note only ONE profile can be marked as Default |
| Evaluate Profile Configuration Parameters | Checkbox | No | Activates the parameters defined in the “Profile Configuration Parameters” folder. If parameters are maintained in the Profile Configuration Parameters, and this checkbox is inactive, a warning will be displayed upon saving virus scan profile changes. For example, the SCET/DP_VS_ENABLED causes this warning in its default, SAP-delivered configuration. |
| Not relevant for Security Audit Log | Checkbox | No | Since SAP BASIS 757, warning messages are written to the security audit log when a file transfer would have been scanned if this profile was active. This checkbox disables the Security Audit Log Messages for this profile. |
| Use reference | Checkbox | No | If checked, the settings maintained in the profile are ignored, and those maintained in the referenced profile specified are used. If, in turn, no reference profile is specified, the Default Profile is used. |

Dialog Structure Folder “Steps”

| Parameter Name | Type | Required? | Notes |
| --- | --- | --- | --- |
| Position | Text | Yes | Numerical value. Only used to order the steps |
| Type | Selector | Yes | The type of the reference, Group, or Profile. |
| Scanner Group | Selector | Yes | Scanner Group to use in this step (if “Group” is selected for Type) |
| Virus Scan Profile | Selector | Yes | Virus Scan Profile to use in this step (if “Profile” is selected for Type) |

Step Configuration Parameters apply only to the selected step of the Virus Scan Profile.

| Parameter Name | Default | Notes |
| --- | --- | --- |
| BLOCKEXTENSIONS |  | A semicolon-separated list of file extensions to block (aka “Blocklist”) |
| BLOCKMIMETYPES |  | A semicolon-separated list of MIME-types to block (aka “Blocklist”). Technically identical to specifying a list of MIME-types and setting the Profile Configuration parameter CUST_MIME_TYPES_ARE_BLACKLIST |
| CLEANQUARANTINE |  | Key of the quarantine worker to receive infected objects in a cryptographically protected quarantine ZIP archive |
| SCANALLEMBEDDED | 1 | Recursively scan embedded items, like base64, uuencoded, data-URLs |
| SCANALLFILES | 1 | Scan all files, regardless of their type |
| SCANBESTEFFORT | 1 | Apply all available scan techniques |
| SCANEXTENSIONS |  | A semicolon-separated list of file extensions to continue processing. Files with extensions NOT on this list will be blocked (“Allowlist”) |
| SCANEXTRACT | 1 | Extract Archives and compressed data files and scan the content (recursively) |
| SCANEXTRACT_DEPTH | 20 | Maximum nesting depth for archives |
| SCANLOGPATH |  | Name of the file to log all scan operations to. Note a SCANLOG_BASEPATH must be configured in /config/bb-av-control.cfg |
| SCANMIMETYPES |  | A semicolon-separated list of MIME-types to continue processing. Files with MIME-types NOT on this list will be blocked (aka “Allowlist”). Technically identical to specifying a list of MIME-types. Because of the length limit of the field, it is better to provide the list line-by-line in the MIME-types folder of the Dialog Structure. |

Profile Configuration Parameters apply to any step of the profile.

| Parameter Name | Default | Notes |
| --- | --- | --- |
| CUST_ACTIVE_CONTENT |  | Detect and block files containing active-content elements. Check the “Hierarchical Configurations” section for details on how to fine-tune what type of content is detected and blocked as active content. |
| CUST_ALL_SCANERR_AS_WARNING | 0 | Override any scan error returned by the VSA and treat it as a warning, therefore accepting the file. Effectively, this equals switching the Virus Scan Profile to a “fail-open” configuration. Use with caution! |
| CUST_CHECK_MIME_TYPE | 0 | Activate the filtering of files based on MIME types (if provided) and activate the enforcement of MIME-type to extension matching. Override with the SCAN-parameter ENFORCE_MIME_EXTENSION_MATCH. Check the “Hierarchical Configurations” section for details on how to fine-tune and layer scan configurations. |
| CUST_CLEAN | 0 | Attempt to clean infected files. This may MODIFY the file and the original content may be lost. Use with caution! |
| CUST_MIME_TYPES_ARE_BLACKLIST | 0 | Toggles the list of MIME-types in the “MIME-types” folder from “Allowlist” to “Blocklist” |
| CUST_NO_SCANINFO | 0 | Instruct the VSA only to return the blocking verdict, but no details on the scan. |
| CUST_NOT_SCANNED_AS_WARNING | 0 | In situations where a file cannot be scanned, i.e., due to encryption or password protection, accept the file with a warning instead of blocking it. |

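The “Use reference” rule (fall back to the Default Profile when no reference is named) decides which settings an active profile really runs with. The following Python sketch is an added example, not part of the bowbridge or SAP documentation: it resolves those references over a constructed profile listing and flags the parameters this section describes as fail-open or coverage-reducing. The dict layout and the Z_HTTP profile are assumptions; Steps are not evaluated.

```python
# Added illustration: resolve "Use reference" chains between virus scan
# profiles and flag settings the parameter tables describe as risky.
# The dict layout is a constructed stand-in for what VSCANPROFILE holds.

# parameter -> (value to flag, reason taken from the tables on this page)
RISKY = {
    "CUST_ALL_SCANERR_AS_WARNING": ("1", "scan errors are accepted (fail-open)"),
    "CUST_NOT_SCANNED_AS_WARNING": ("1", "unscannable files are accepted"),
    "CUST_CLEAN": ("1", "cleaning may modify the file"),
    "SCANALLFILES": ("0", "the engine may skip some file types"),
    "SCANEXTRACT": ("0", "archive contents are not extracted and scanned"),
}


def find_default(profiles):
    """Return the name of the single profile marked as Default, or None."""
    defaults = [n for n, p in profiles.items() if p.get("default")]
    if len(defaults) > 1:
        raise ValueError(f"only one profile may be Default, found {defaults}")
    return defaults[0] if defaults else None


def resolve(profiles, name):
    """Follow 'Use reference' until a profile with its own settings is reached."""
    seen = []
    while True:
        if name in seen:
            raise ValueError("reference loop: " + " -> ".join(seen + [name]))
        seen.append(name)
        profile = profiles[name]
        if not profile.get("use_reference"):
            return name, profile.get("params", {})
        # No explicit reference profile means the Default Profile is used.
        target = profile.get("reference") or find_default(profiles)
        if target is None or target not in profiles:
            raise ValueError(f"{name}: referenced profile cannot be resolved")
        name = target


def audit(profiles):
    """Return sorted (profile, finding) tuples for an administrator to review."""
    findings = []
    for name, profile in profiles.items():
        if not profile.get("active"):
            findings.append((name, "inactive: transfers using this profile are not scanned"))
            continue
        try:
            source, params = resolve(profiles, name)
        except ValueError as exc:
            findings.append((name, f"unresolvable: {exc}"))
            continue
        for key, (bad, why) in RISKY.items():
            if str(params.get(key, "")) == bad:
                findings.append((name, f"{key}={bad} via {source}: {why}"))
    return sorted(findings)


# Constructed sample: Z_BASIC / Z_ADVANCED follow the page's naming example,
# Z_HTTP is a hypothetical profile that relies on the Default Profile.
SAMPLE = {
    "Z_BASIC": {"active": True, "default": True, "use_reference": False,
                "params": {"SCANALLFILES": "1", "SCANEXTRACT": "1"}},
    "Z_ADVANCED": {"active": True, "use_reference": False,
                   "params": {"CUST_ACTIVE_CONTENT": "1",
                              "CUST_ALL_SCANERR_AS_WARNING": "1"}},
    "SCET/GUI_UPLOAD": {"active": True, "use_reference": True,
                        "reference": "Z_ADVANCED"},
    "SCET/DP_VS_ENABLED": {"active": False, "use_reference": True},
    "Z_HTTP": {"active": True, "use_reference": True},
}

if __name__ == "__main__":
    for profile_name, finding in audit(SAMPLE):
        print(f"{profile_name}: {finding}")
```

A finding on a referencing profile names the profile the setting came from, so a fail-open switch set once in a reference profile shows up on every upload path that inherits it.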
2.4.ODATA Virus Scan
When file transfers are embedded in ODATA, AS ABAP can scan these at the gateway level.
Access transaction /n/IWFND/VIRUS_SCAN to maintain virus scan at the gateway level:
To enable virus scanning at the gateway, ensure the “Disable Virus Scanning” checkbox is not checked.
In the Virus Scan Profile field, specify a Virus Scan Profile explicitly or leave the field empty (remove any “-” that may be there by default), then execute the transaction.
3.Configuration in AS Java
Once installed, the bowbridge Anti-Virus basic configuration is performed entirely in NetWeaver Administrator (NWA). Additional options, such as activating debug tracing and alternative update sources or granular deactivation of active-content types can be configured via configuration files in an on-premises deployment or via the bowbridge customer portal in Hybrid- and Cloud-deployments.
Setting up virus protection for Java-based SAP applications requires the following major steps:
1. Definition of Virus Scanner Groups
2. Definition of Virus Scan Providers
3. Definition and activation of Virus Scan Profiles
3.1.Maintaining Virus Scanner Groups
Virus Scan Providers with identical configurations are grouped in a Virus Scanner Group. However, even with only one Virus Scan Provider, a Scanner Group containing just this element must be created.
Virus Scanner Groups are maintained from the Virus Scan Provider section in the NetWeaver Administrator’s Configuration Tab.
In the Group Tab of the Virus Scan Provider management, Edit, then add/change a Virus Scan Group.
When creating a new group, administrators may decide to mark it as the default group.
Specifying INIT Parameters, as with an ABAP stack, is not required on a Java Stack.
3.2.Maintaining Virus Scan Adapters
Virus Scan Adapters are the preferred option to set up a Virus Scan Provider on SAP AS JAVA. The Virus Scan Server option is also supported, but its use is discouraged.
Virus Scan Adapters are configured in the “Adapters” Tab of the Virus Scan Provider setup.
All Virus Scan Adapter Names must be prefixed with VSA_
Virus Scan Adapter parameter details:
“Settings” Tab

| Parameter Name | Type | Required? | Notes |
| --- | --- | --- | --- |
| Default Scan Provider | Checkbox | No | Marks this provider as the default |
| Adapter Name | Text | Yes | Name of the Provider. Must be prefixed with “VSA_” |
| Adapter Description | Text | No | Free-form descriptive text |
| Scan Group | Selector | Yes | Maps the provider to a Scan Group |
| Init Interval (Hours) | Text | Yes | Interval in hours after which the J2EE Kernel re-initializes the Virus Scan Adapter |
| Maximum Instances | Text | Yes | Maximum number of VSA instances. IMPORTANT: This number must be equal to or higher than the number of threads in the start server. The default number of threads is 140. Hence the value of this parameter should be 140 or higher. |
| VSA Library Path | Text | Yes | Full path to the libbbAV.so.4 library. Please note that due to a GUI error, the path can only be entered when clicking on the left end of the field, and is not displayed properly. |

3.3.Maintaining Virus Scan Profiles
Virus Scan Profiles are a set of parameters specifying how a scan will be performed. Their names reference Java methods in which the Virus Scan Profile name is hard-coded. During the execution of such methods, scans are automatically performed with the profile settings if the profile is marked as active. The profile defines one or more “Steps,” invoking a virus scan provider from a Virus Scanner Group or referencing another Virus Scan Profile.
For example, if the htmlb_FileUpload profile is active, then any file upload via HTTP will be scanned with the settings of the htmlb_FileUpload profile. This is fully transparent to the application using the function module and works without any application changes.
SAP delivers several virus scan profiles, which are mostly empty. In their default configuration, they reference the so-called “Default Profile.”
There are, therefore, two ways to manage Virus Scan Profiles effectively:
1. Maintain the Scan Settings in each relevant profile individually. This approach makes sense if you maintain specific scan settings that vary by function module. For example, if you want HTTP uploads to be scanned with different settings than pi_Messaging uploads. In this case, uncheck the “Use Reference” checkbox in the virus scan profile and maintain steps, MIME-types, and profile configuration parameters in the virus scan profile.
2. Create one or a few “reference profiles” with common scan settings and use those as references in the other profiles you need to activate. For this approach, create new profiles in the Z or Y namespace and maintain the required parameters. For example, administrators could create a Z_BASIC profile for pure virus scanning and a Z_ADVANCED profile containing more advanced filtering, like MIME-type filters and active content detection. If, additionally, one of the reference profiles is marked as “Default,” it would be sufficient to activate any other SAP-delivered profile for it to reference the Default profile and perform scans with the settings of the Default Profile.
In either case, the profiles contain the following parameters:
Virus Scan Profile Settings – Settings Tab

| Parameter Name | Type | Required? | Notes |
| --- | --- | --- | --- |
| Default Scan Profile | Checkbox | No | Marks this profile as Default. Note only ONE profile can be marked as Default |
| Scan Profile Name | Text | Yes | Custom profiles must be in Y or Z namespaces |
| Profile Description | Text | No | A free-form descriptive text |
| Reference Profile | Selector | No | Points to the profile to reference. |
| Profile Steps | List | Yes (unless using a reference) | Ordered list of Groups or Profiles to run through. |

Use the Parameters tab to fine-tune the scan settings of the virus scan profile:
Virus Scan Profile Settings – Parameters Tab

| Parameter Name | Type | Notes |
| --- | --- | --- |
| BLOCKEXTENSIONS | CHAR | A semicolon-separated list of file extensions to block (aka “Blocklist”) |
| BLOCKMIMETYPES | CHAR | A semicolon-separated list of MIME-types to block (aka “Blocklist”). |
| CLEANQUARANTINE | CHAR | Key of the quarantine worker to receive infected objects in a cryptographically protected quarantine ZIP archive |
| SCANALLEMBEDDED | BOOL | Recursively scan embedded items, like base64, uuencoded, data-URLs (default: 1) |
| SCANALLFILES | BOOL | Scan all files, regardless of their type (default: 1) |
| SCANBESTEFFORT | BOOL | Apply all available scan techniques (default: 1) |
| SCANEXTENSIONS | CHAR | A semicolon-separated list of file extensions to continue processing. Files with extensions NOT on this list will be blocked (“Allowlist”) |
| SCANEXTRACT | BOOL | Extract Archives and compressed data files and scan the content (recursively) (default: 1) |
| SCANEXTRACT_DEPTH | INT | Maximum nesting depth for archives (default: 20) |
| SCANLOGPATH | CHAR | Name of the file to log all scan operations to. Note a SCANLOG_BASEPATH must be configured in /config/bb-av-control.cfg |
| SCANMIMETYPES | CHAR | A semicolon-separated list of MIME-types to continue processing. Files with MIME-types NOT on this list will be blocked (aka “Allowlist”). |
| CUST_ACTIVE_CONTENT | BOOL | Detect and block files containing active-content elements. Check the “Hierarchical Configurations” section for details on how to fine-tune what type of content is detected and blocked as active content. (default: 0) |
| CUST_ALL_SCANERR_AS_WARNING | BOOL | Override any scan error returned by the VSA and treat it as a warning, therefore accepting the file. Basically, this is switching the Virus Scan Profile to a “fail-open” configuration. Use with caution! (default: 0) |
| CUST_CHECK_MIME_TYPE | BOOL | Activate the filtering of files based on MIME-types (if provided) and activate the enforcement of MIME-type to extension matching. Override with the SCAN-parameter ENFORCE_MIME_EXTENSION_MATCH. Check the “Hierarchical Configurations” section for details on how to fine-tune and layer scan configurations. (default: 0) |
| CUST_CLEAN | BOOL | Attempt to clean infected files. This may MODIFY the file and the original content may be lost. Use with caution! (default: 0) |
| CUST_NO_SCANINFO | BOOL | Instruct the VSA only to return the blocking verdict, but no details on the scan. (default: 0) |
| CUST_NOT_SCANNED_AS_WARNING | BOOL | In situations where a file cannot be scanned, i.e., due to encryption or password protection, accept the file with a warning instead of blocking it. (default: 0) |

4.Parameters Reference
4.1.INIT parameters
INIT parameters are defined in the Virus Scan Group.
These parameters are used to initialize the VSA. Hence, for changes to any INIT parameter to go into effect, the virus scan adapter must be re-initialized.
This may happen automatically if a Re-Init Interval is defined, or it can be triggered manually by clicking the “Load” button in transaction VSCAN (on ABAP stacks only).

| Parameter | Description | Mandatory |
| --- | --- | --- |
| INITEXTRADRIVERS | Encryption key for events (optional) | No |
| INITEXTRADRIVERDIRECTORY | Set the VSA client trace file and trace level. Format: <trace file [path/] name>;<trace level [0-6]> | No |
| INITTEMP_PATH | Temporary directory to use. If not specified, the OS-level default is used | No |
| INITTIMEOUT | Initialization timeout for the Virus Scan Provider | No |
| INITSERVERS | ICAP-URLs or ClamAV connection URL | Only for ICAP and ClamAV |
| INITDIRECTORY | bowbridge program base-path | Yes |
| INITDRIVERS | URL of the message broker | Yes |
| INITENGINES | List and order of scan workers to use | Yes |
| INITLICENSE_PATH | API key and authentication to the broker | Yes |

4.2.SCAN parameters
Scan parameters are passed to the VSA with every scan request. They are typically set in the virus scan profile, allowing for fine-tuning of scanning policies by file transfer vector.
bowbridge Anti-Virus adds numerous “overlay” parameters that can enrich the limited configuration options provided by the virus scan profiles. These parameters may be configured at the realm-level or at the SID level.

| Parameter | Description | Default value | Set in virus scan profile |
| --- | --- | --- | --- |
| BLOCKENCRYPTED | Blocks files that are encrypted or password-protected (i.e., password-protected ZIP archives or PDF files) | 0 | No |
| BLOCKEXTENSIONS | Semicolon-separated list of forbidden filename extensions. Overwritten if a list of extensions is passed via the BLOCKEXTENSIONS parameter in the virus scan profile. |  | Yes |
| BLOCKHTML_IN_PDF | Blocks PDF files containing dictionary elements that may be interpreted as HTML | 0 | No |
| BLOCKMIMETYPES | Semicolon-separated list of MIME types to block from being processed. Overwritten if set in the virus scan profile and the profile configuration parameter CUST_MIME_TYPES_ARE_BLACKLIST is active |  | Yes |
| CLEANQUARANTINE | Specifies the authentication and transfer encryption settings for files sent to quarantine |  | Yes |
| CUST_CHECK_MIME_TYPE | Activates the MIME-type related checks (Whitelist, blacklist, MIME-extension match) | 0 | Yes |
| CUST_CLEAN | Attempt to clean infected files | 0 | Yes |
| ENFORCE_ACTIVECONTENT_POLICY_IN_ARCHIVES | Enforce the detection of active content in files inside archives or compressed files | 1 | No |
| ENFORCE_MIME_POLICY_IN_ARCHIVES | Enforce MIME-type to extension mappings and MIME filters on files inside archives and compressed files | 1 | No |
| EVENT_ID_DELIMITER | Delimiter to set apart the bowbridge EventID included in messages to users and stored in the SAP security audit log for easier correlation |  | No |
| HTMLDETECTION | Specifies what HTML tags to look for when determining whether a file is HTML. Options are: SAFE: flag the file only if HTML elements are present that may be used for XSS (default); RESTRICTIVE: flag the file if ANY valid HTML element is present; OFF: no detection of HTML elements | SAFE | No |
| INCLUDE_EVENT_ID_IN_MESSAGE | Toggles whether the unique ID of every log message should be included in VSA error/blocking messages and logs for easier correlation | 0 | No |
| LONGMIMETYPES | Return the original long MIME types rather than shortened versions. Long MIME types may be too long to enter in the MIME table in transaction VSCANPROFILE as the length of each element in the list is limited (by SAP) to 64/128 characters | 0 | No |
| SCANALLEMBEDDED | Scan all files embedded in a document. Activates SCANBASE64 and SCANUUENCODED, unless deactivated specifically | 1 | Yes |
| SCANALLFILES | Virus scan engines may skip certain files (e.g. plain text) from scans in order to improve performance. This setting instructs the scan engine to scan all files, regardless of the file type | 1 | Yes |
| SCANBANDWIDTH | Minimum connection bandwidth between the SAP system and the virus scan server in Mbps (Megabits per second). This setting is used in combination with the file size and type to add an additional timeout to the scan requests | 10000 | No |
| SCANBASE64 | Attempt to base64-decode and scan any text that may be base64-encoded data | 0 | No |
| SCANBESTEFFORT | Instructs the scan engine to use all available options for the scan. Overwritten if set in the virus scan profile | 1 | Yes |
| SCANEXTENSIONS | Semicolon-separated list of allowed filename extensions, meaning the file will continue to be processed and not blocked at that stage. Overwritten if a list of extensions is passed via the SCANEXTENSIONS parameter in the virus scan profile. |  | Yes |
| SCANEXTRACT | Extract archives and scan their content recursively | 1 | Yes |
| SCANEXTRACT_DEPTH | Maximum depth to which nested archives are extracted | 20 | Yes |
| SCANEXTRACT_MAX_FILE | Maximum number of elements in an archive. |  | No |
| SCANEXTRACT_NO_VIRUSSCAN | Skip the VIRUS-SCAN step of archive-extraction. The archive will be extracted, and MIME-policy and active-content policy will be applied to every element, but the VIRUS scan will only be performed on the archive as a whole | 0 | No |
| SCANEXTRACT_RATIO | Maximum ratio of the extracted archive size to the original archive size | 128 | Yes |
| SCANEXTRACT_SIZE | Maximum size of an extracted archive in bytes |  | Yes |
| SCANLOGPATH | Full path, including filename, for the file to which any scan activity will be logged. Overwritten if set in the virus scan profile. Always active with cloud-based scans |  | Yes |
| SCANMIMETYPES | Semicolon-separated list of allowed MIME-types. Files matching this list will continue to be processed and not blocked at this scanning stage. |  | Yes |
| SCANTIMEOUT | Maximum duration (in milliseconds) before a scan operation fails | 30000 | No |
| SCANUUENCODED | uudecodes any buffer containing a UU-encoding header | 1 | No |
| SCANXMLCONTENT | Scan every element in a passed XML file | 0 | No |
| SVG_MODE | Specifies what MIME-type to return for HTML files containing SVG [SVG/HTML] | SVG | No |
| XML_MODE | Specifies what MIME type to return for HTML files containing XML [HTML/XML] | XML | No |

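What the SCANEXTRACT_* limits in the table measure, shown as an added Python illustration that is not bowbridge's implementation: it checks a ZIP held in memory against the depth, ratio, element-count and size limits before unpacking anything. The SCANEXTRACT_MAX_FILE and SCANEXTRACT_SIZE values are assumed, since the table lists no default for them, and the sample archives are constructed.

```python
import io
import zipfile

# Depth and ratio defaults come from the SCAN parameter table; the other two
# values are assumptions made for this example only.
LIMITS = {
    "SCANEXTRACT_DEPTH": 20,
    "SCANEXTRACT_RATIO": 128,
    "SCANEXTRACT_MAX_FILE": 1000,          # assumed
    "SCANEXTRACT_SIZE": 100 * 1024 ** 2,   # assumed, in bytes
}


def check_archive(data, limits=LIMITS, depth=1):
    """Return a list of limit violations for a ZIP archive given as bytes.

    Element sizes are read from the ZIP central directory, so no entry is
    decompressed until the archive has passed the count, size and ratio checks.
    """
    if depth > limits["SCANEXTRACT_DEPTH"]:
        return [f"nesting depth {depth} exceeds SCANEXTRACT_DEPTH"]
    violations = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > limits["SCANEXTRACT_MAX_FILE"]:
            violations.append(f"{len(infos)} elements exceed SCANEXTRACT_MAX_FILE")
        extracted = sum(info.file_size for info in infos)
        if extracted > limits["SCANEXTRACT_SIZE"]:
            violations.append(f"extracted size {extracted} exceeds SCANEXTRACT_SIZE")
        # Ratio of extracted size to original archive size, as in the table.
        if extracted > limits["SCANEXTRACT_RATIO"] * len(data):
            violations.append(
                f"ratio {extracted / len(data):.0f} exceeds SCANEXTRACT_RATIO")
        if violations:
            return violations  # do not unpack an archive that broke a limit
        for info in infos:
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                violations += check_archive(member, limits, depth + 1)
    return violations


def make_zip(members):
    """Build a ZIP in memory from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: an ordinary archive and a highly compressible one.
    ordinary = make_zip({"report.txt": b"quarterly figures\n" * 50})
    inflated = make_zip({"zeros.bin": b"\0" * 5_000_000})
    print("ordinary:", check_archive(ordinary))
    print("inflated:", check_archive(inflated))
```

Checking the declared sizes first is what keeps the check itself cheap: a few kilobytes of archive that expand to megabytes are rejected on the ratio without being extracted.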
4.3.Active-Content Parameters
In Virus Scan Profiles, SAP only implemented a generic on/off switch for active content detection with the Profile Configuration Parameter CUST_ACTIVE_CONTENT. However, in order to maintain a good security posture and not disrupt business processes, a more granular configuration of what exactly needs to be blocked as active content is required. The following parameters provide this granularity. They may be implemented at the realm level or for individual SIDs.

| Parameter | Description | Global Default |
| --- | --- | --- |
| CSV_INJECTION | Invocation of external applications from a CSV file. See https://owasp.org/www-community/attacks/CSV_Injection | 1 |
| EXECUTABLE | Any file executable by the OS, such as binary executables, shared libraries, Windows screen savers, MSI-files, Java, shell-scripts, batch- or command files. | 1 |
| FLASH | Macromedia Flash | 1 |
| GIFAR | GIFAR (or similar) files that may be opened as more than one format (aka Chameleon files). See https://en.wikipedia.org/wiki/Gifar and https://userapps.support.sap.com/sap/support/knowledge/en/3033584 | 1 |
| HTML_EVENTHANDLER | Event-handler registrations in HTML. See https://owasp.org/www-community/xss-filter-evasion-cheatsheet | 1 |
| HTML_SCRIPT | HTML with SCRIPT tags | 1 |
| MSOFFICE_DDE | Dynamic Data Embedding in Microsoft Office Documents. See https://pentestlab.blog/2018/01/16/microsoft-office-dde-attacks/ | 1 |
| MSOFFICE_JAVA | Java Classes embedded in MS Office OOXML files | 1 |
| MSOFFICE_MACRO | Generic detection for macros in CDFv2 and OOXML Office Documents | 1 |
| MSOFFICE_MACRO_SIGNED | Exception option for signed macros. Note: This checks only IF the macro is signed. The signature is not validated | 1 |
| MSOFFICE_OLE | Files embedded in MS Office documents via Object Linking and Embedding (OLE) | 1 |
| PDF_ACROFORM | Acrobat Forms in PDF documents. Deactivated by default as Adobe Document Services for SAP uses AcroForms. See SAP note 2413268 | 0 |
| PDF_ACTIVEACTION | ActiveAction dictionary element can be used to trigger actions and/or JavaScript | 0 |
| PDF_JAVASCRIPT | JavaScript Elements in PDF | 1 |
| PDF_LAUNCH | The ability to launch external executables from within a PDF document | 1 |
| PDF_METADATA_PERL | Detects Perl within the meta-data of a PDF file | 1 |
| PDF_METADATA_PHP | Detects PHP within the meta-data of a PDF file | 1 |
| PDF_OPENACTION | Trigger to run when the document is opened. Deactivated as benign use is very common (i.e. scanners). Important not to deactivate when PDF_JAVASCRIPT is also deactivated | 0 |
| PDF_RICHMEDIA | Embedding of Rich Media content in PDF files | 1 |
| SILVERLIGHT | Detects Microsoft Silverlight | 1 |
| XML_JAVASCRIPT | Detects JavaScript in an XML document | 1 |
| XML_XSLT | Detects XSLT transformation sheets which can be used to translate any XML into HTML + JS | 1 |
| ZIP_JAVA_ARCHIVE | Checks for Java classes in ZIP files (basically JAR files without the .jar extension) | 1 |