Virus Scan Provider: describes the access to a virus scanner
Virus Scan Adapter: extends the SAP kernel functionality and enables the SAP kernel to access the malware scanner directly. The virus scan adapter is loaded as a dynamic library (DLL on Woindows). It is executed within the address space of the the J2EE or ABAP engine and is, therefore, the variant offering the highest performance.
Virus Scan Server: defines a (logical or physical) server that gets scan-objects via SAP RFC. This variant delivers significantly lower scan throughput and might fail when scanning large files. Its use is discouraged.
Virus Scan Group: A Virus Scan Group may contain several Virus Scan Providers with identical configurations
Virus Scan Profile: allows administrators to combine the unique functionalities of multiple Virus Scan Groups and combine them using logical AND/OR relationships. Creating configurations where files will be checked by multiple virus scan engines is possible. Also, Virus Scan Profiles may be created to maintain granular, application-specific scanning configurations.
2.Configuration in SAP AS ABAP
Once installed, the bowbridge Anti-Virus basic configuration is performed entirely from the SAP customization tools. Additional options, such as activating debug tracing, specifying
alternative update sources or fine-tuning of active-content types, can be achieved via configuration files in an on-premises deployment or via the bowbridge customer portal in Hybrid- and Cloud-deployments.
Setting up virus protection for ABAP-based SAP applications requires the following major steps:
1. Definition of Virus Scanner Groups
2. Definition of Virus Scan Providers
3. Definition and activation of Virus Scan Profiles
4. On SAP gateway systems, activation of Virus Scanning at the SAP gateway.
2.1.Maintaining Virus Scanner Groups
A scanner group combines multiple virus scanners of the same type. As users will select the Virus Scan Provider using the scanner group when maintaining the virus scan profile, they must assign each Virus Scan Provider to at least one scanner group.
We recommend setting up multiple scanner groups in order to maintain multiple scan configurations on the system.
To set up and maintain Scanner Groups, access transaction VSCANGROUP. A list of key-value pairs may be specified as Configuration Parameters for every group.
Upon completing the OS-level installation, the bowbridge-installation-summary.txt file contains the required parameters and their values.
NOTE:
Not all parameters displayed in the parameter selection are valid in Virus Scanner Groups. Only the INIT*-parameters are relevant. And of those, only the ones below are required/supported by bowbridge Anti-Virus 4.
The options supported by bowbridge Anti-Virus 4 are:
Parameter Name
Required?
Notes
INITDIRECTORY
Yes
bowbridge program base-path
INITDRIVERS
Yes
URL of the message broker
INITENGINES
Yes
List and order of scan workers to use
INITLICENSE_PATH
Yes
API key and authentication to the broker
INITSERVERS
Only for ICAP and ClamAV
ICAP-URLs or ClamAV connection URL
INITTIMEOUT
No
Initialization timeout for the Virus Scan Provider
INITTEMP_PATH
No
Temporary directory to use. If not specified, the OS-level default is used
Because the initialization parameters defined in the Virus Scanner Group will apply to all hosts and are usually transported to all systems of a system line, one should use paths that exist on all affected instances. If SID-specific paths have to be used, using environment variables, such as $SAPSYSTEMNAME or $HOSTNAME is supported for path and file names. The values will be expanded/resolved to respective values on each system.
2.2.Maintaining Virus Scan Providers
To set up and maintain Scanner Groups, access transaction VSCANGROUP.
NOTE:
SAP VSI supports two types of Virus Scan Providers:
Virus Scan Adapter
Virus Scan Server
While both options are fully supported with Anti-Virus bowbridge and SAP recommend using the Virus Scan Adapter configuration whenever possible because it is more stable, delivers much better performance, and overcomes other limitations of the Virus Scan Server deployment mode. See SAP Note 782963 for details.
If you have to deploy bowbridge Anti-Virus in the Virus Scan Server model, please contact bowbridge technical support for additional documentation on implementing that configuration. We also encourage looking at the “Scan-Server” deployment model of bowbridge Anti-Virus 4. It combines the advantages of a central scanning server with those of not using RFC to transfer files to be scanned.
Upon creating/maintaining a Virus Scan Provider, the following parameters must be provided:
Parameter Name
Notes
Provider Type
Use “Adapter” whenever possible
Provider Name
Must begin with “VSA_”. Using the default works fine.
Scanner Group
The scanner group this provider is part of
Status
Controls how the Provider is started. CCMS will periodically check the Provider’s status and attempt to bring/restore it to the defined status. In most cases, this should be “Active Application-Server”
Server
The application server this particular VSA runs on. In SAP systems with multiple instances, one Virus Scan Provider must be maintained for each instance.
Interval Reinit
Specifies the interval in which CCMS will attempt to re-initialize the Virus Scan Provider. While not technically needed, a Re-Init refreshes the data displayed in VSCAN. A re-initialization can also be triggered manually by clicking the “Load” button
Adapter Path
Fully qualified path to the libbbAV.so.4 file. Environment variables, such as $SAPSYSTEMNAME or $HOSTNAME are supported in the path parameter and will expand/resolve to the local value on each instance.
2.3.Maintaining Virus Scan Profiles
Virus Scan Profiles are a set of parameters specifying how a scan will be performed. Their names reference ABAP function modules in which the Virus Scan Profile name is hard-coded. During the execution of such function modules, scans are automatically performed with the profile settings if the respective virus scan profile is marked as “active”. Each profile defines one or more “Steps,” invoking a virus scan provider from a Virus Scanner Group or referencing another Virus Scan Profile.
Since SAP BASIS 757 inactive virus scan profile will result in warning messages (event type “FU0) in the SAP Security Audit Log.
For example, if the SCET/GUI_UPLOAD profile is active, then any file upload via SAP GUI will be scanned with the settings of the SCET/GUI_UPLOAD profile. This is fully transparent to the application using the function module and works without any application changes.
SAP delivers several virus scan profiles, which are mostly empty. In their default configuration, they reference the so-called “Default Profile.”
There are, therefore, two ways to manage Virus Scan Profiles effectively:
Maintain the Scan Settings in each relevant profile individually. This approach makes sense for maintaining specific scan settings that vary by function module; for example, if GUI uploads need to be scanned with settings other than HTTP uploads.
In this case, uncheck the “Use Reference” checkbox in the Virus Scan Profile and maintain steps, MIME-types, and profile configuration parameters in the Virus Scan Profile
Create one or a few “reference profiles” with common scan settings and use those as references in the other profiles that need to be activated.
For this approach, create new profiles in the Z or Y namespace and maintain the required parameters. For example, administrators could create a Z_BASIC profile for pure virus scanning and a Z_ADVANCED profile containing more advanced filtering, like MIME-type filters and active content detection.
If, additionally, one of the reference profiles is marked as “Default,” it would be sufficient to activate any other SAP-delivered profile for it to reference the Default Profile and perform scans with the settings of the Default Profile
In either case, the profiles contain the following parameters:
Dialog Structure Folder “Virus Scan Profile”
Parameter Name
Type
Required?
Notes
Scan Profile Name
Text
Yes
Custom profiles must be in Y or Z namespaces
Profile Text
Text
No
A free-form descriptive text
Active
Checkbox
No
Marks the profile as active
Default Profile
Checkbox
No
Marks this profile as Default. Note only ONE profile can be marked as Default
Evaluate Profile Configuration Parameters
Checkbox
No
Activates the parameters defined in the “Profile Configuration Parameters folder. If parameters are maintained in the Profile Configuration Parameters, and this checkbox is inactive, a warning will be displayed upon saving virus scan profile changes. For example, the SCET/DP_VS_ENABLED causes this warning in its default, SAP-delivered configuration.
Not relevant for Security Audit Log
Checkbox
No
Sincef SAP BASIS 757, warning messages are written to the security audit log when a file transfer would have been scanned if this profile was active. This checkbox disables the Security Audit Log Messages for this profile.
Use reference
Checkbox
No
If checked, the settings maintained in the profile are ignored, and those maintained in the referenced profile specified are used. If, in turn, no reference profile is specified, the Default Profile is used.
Dialog Structure Folder “Steps”
Parameter Name
Type
Required?
Notes
Position
Text
Yes
Numerical value. Only used to order the steps
Type
Selector
Yes
The type of the reference, Group, or Profile.
Scanner Group
Selector
Yes
Scanner Group to use in this step (if “Group” is selected for Type)
Virus Scan Profile
Selector
Yes
Virus Scan Profile to use in this step (if “Profile” is selected for Type)
Step Configuration Parameters apply only to the selected step of the Virus Scan Profile.
A semicolon-separated list of file extensions to block (aka “Blocklist”)
BLOCKMIMETYPES
A semicolon-separated list of MIME-types to block (aka “Blocklist”). Technically identical to specifying a list of MIME-types and setting the Profile Configuration parameter CUST_MIMETYPES_ARE_BLACKLIST
CLEANQUARANTINE
Key of the quarantine worker to receive infected objects in a cryptographically protected quarantine ZIP archive
SCANALLEMBEDDED
1
Recursively scan embedded items, like base64, uuencoded, data-URLs
SCANALLFILES
1
Scan all files, regardless of their type
SCANBESTEFFORT
1
Apply all available scan techniques
SCANEXTENSIONS
A semicolon-separated list of file extensions to continue processing. Files with extensions NOT on this list will be blocked (“Allowlist”)
SCANEXTRACT
1
Extract Archives and compressed data files and scan the content (recursively)
SCANEXTRACT_DEPTH
20
Maximum nesting depth for archives
SCANLOGPATH
Name of the file to log all scan operations to. Note a SCANLOG_BASEPATH must be configured in /config/bb-av-control.cfg
SCANMIMETYPES
A semicolon-separated list of MIME-types to continue processing. Files with MIME-types NOT on this list will be blocked (aka “Allowlist”). Technically identical to specifying a list of MIME-types. Because of the length limit of the field, it is better to provide the list line-by-line in the MIME-types folder of the Dialog Structure.
Profile Configuration Parameters apply to any step of the profile.
Detect and block files containing active-content elements. Check the “Hierarchical Configurations” section for details on how to fine-tune what type of content is detected and blocked as active content.
CUST_ALL_SCANERR_AS_WARNING
0
Override any scan error returned by the VSA and treat it as a warning, therefore accepting the file. Effectively, this equals switching the Virus Scan Profile to a “fail-open” configuration. Use with caution!
CUST_CHECK_MIME_TYPE
0
Activate the filtering of files based on MIME types (if provided) and activate the enforcement MIME-type to extension matching.
Override with the SCAN-parameter ENFORCE_MIME_EXTENSION_MATCH. Check the “Hierarchical Configurations” section for details on how to fine-tune and layered scan configurations.
CUST_CLEAN
0
Attempt to clean infected files. This may MODIFY the file and the original content may be lost. Use with caution!
CUST_MIME_TYPES_ARE_BLACKLIST
0
Toggles the list of MIME-types in the “MIME-types” folder from “Allowlist” to “Blocklist”
CUST_NO_SCANINFO
0
Instruct the VSA only to return the blocking verdict, but no details on the scan.
CUST_NOT_SCANNED_AS_WARNING
0
In situations where a file cannot be scanned, i.e., due to encryption or password protection, accept the file with a warning instead of blocking it.
2.4.ODATA Virus Scan
When file transfers are embedded in ODATA, AS ABAP can scan these at the gateway level.
Access transaction /n/IWFND/VIRUS_SCAN to maintain virus scan at the gateway level:
To enable virus scanning at the gateway, ensure the “Disable Virus Scanning” checkbox is not checked.
In the Virus Scan Profile field, specify a Virus Scan Profile explicitly or leave the field empty (remove any “-” that may be there by default), then execute the transaction.
3.Configuration in AS Java
Once installed, the bowbridge Anti-Virus basic configuration is performed entirely in NetWeaver Administrator (NWA). Additional options, such as activating debug tracing and
alternative update sources or granular deactivation of active-content types can be configured via configuration files in an on-premises deployment or via the bowbridge customer portal in Hybrid- and Cloud-deployments.
Setting up virus protection for Java-based SAP applications requires the following major steps:
1. Definition of Virus Scanner Groups
2. Definition of Virus Scan Providers
3. Definition and activation of Virus Scan Profiles
3.1.Maintaining Virus Scanner Groups
Virus Scan Providers with identical configurations are grouped in a Virus Scanner Group. However, even with only one Virus Scan Provider, a Scanner Group containing just this element must be created.
Virus Scanner Groups are maintained from the Virus Scan Provider section in the Netweaver Administrator’s Configuration Tab.
In the Group Tab of the Virus Scan Provider management, Edit, then add/change a Virus Scan Group.
When creating a new group, administrators may decide to mark it as the default group.
Specifying INIT Parameters, as with an ABAP stack, is not required on a Java Stack.
3.2.Maintaining Virus Scan Adapters
Virus Scan Adapters are the preferred option to set up a Virus Scan Provider on SAP AS JAVA. The Virus Scan Server option is also supported, but its use is discouraged.
Virus Scan Adapters are configured in the “Adapters” Tab of the Virus Scan Provider setup.
All Virus Scan Adapter Names must be prefixed with VSA_
Virus Scan Adapter parameter details:
“Settings” Tab
Parameter Name
Type
Required?
Notes
Default Scan Provider
Checkbox
No
Marks this provider as the default
Adapter Name
Text
Yes
Name of the Provider. Must be prefixed with “VSA_”
Adapter Description
Text
No
Free-form descriptive text
Scan Group
Selector
Yes
Maps the provider to a Scan Group
Init Interval (Hours)
Text
Yes
Interval in hours after which the J2EE Kernel re-initializes the Virus Scan Adapter
Maximum Instances
Text
Yes
Maximum number of VSA instances. IMPORTANT: This number must be equal or higher than the number of threads in the start server. The default number of threads is 140. Hence the value of this parameter should be 140 or higher.
VSA Library Path
Text
Yes
Full path to the libbbAV.so.4 library. Please note that due to a GUI error, the path can only be entered when clicking on the left end of the field, and is not displayed properly.
3.3.Maintaining Virus Scan Profiles
Virus Scan Profiles are a set of parameters specifying how a scan will be performed. Their names reference Java methods in which the Virus Scan Profile name is hard-coded. During the execution of such methods, scans are automatically performed with the profile settings if the profile is marked as active. The profile defines one or more “Steps,” invoking a virus scan provider from a Virus Scanner Group or referencing another Virus Scan Profile.
For example, if the htmlb_FileUpload profile is active, then any file upload via HTTP will be scanned with the settings of the htmlb_FileUploadprofile profile. This is fully transparent to the application using the function module and works without any application changes.
SAP delivers several virus scan profiles, which are mostly empty. In their default configuration, they reference the so-called “Default Profile.”
There are, therefore, two ways to manage Virus Scan Profiles effectively:
Maintain the Scan Settings in each relevant profile individually. This approach makes sense if you maintain specific scan settings that vary by function module. For example, if you want HTTP uploads to be scanned with different settings than pi_Messaging uploads.
In this case, uncheck the “Use Reference” checkbox in the virus scan profile and maintain steps, MIME-types, and profile configuration parameters in the virus scan profile
Create one or few “reference profiles” with common scan settings and use those as references in the other profiles you need to activate.
For this approach, create new profiles in the Z or Y namespace and maintain the required parameters. For example, administrators could create a Z_BASIC profile for pure virus scanning and a Z_ADVANCED profile containing more advanced filtering, like MIME-type filters and active content detection.
If, additionally, one of the reference profiles is marked as “Default,” it would be sufficient to activate any other SAP-delivered profile for it to reference the Default profile and perform scans with the settings of the Default Profile
In either case, the profiles contain the following parameters:
Virus Scan Profile Settings – Settings Tab
Parameter Name
Type
Required?
Notes
Default Scan Profile
Checkbox
No
Marks this profile as Default. Note only ONE profile can be marked as Default
Scan Profile Name
Text
Yes
Custom profiles must be in Y or Z namespaces
Profile Description
Text
No
A free-form descriptive text
Reference Profile
Selector
No
Points to the profile to reference.
Profile Steps
List
Yes (unless using a reference)
Ordered list of Groups or Profiles to run through.
Use the Parameters tab to fine-tune the scan settings of the virus scan profile:
Virus Scan Profile Settings – Parameters Tab
Parameter Name
Type
Notes
BLOCKEXTENSIONS
CHAR
A semicolon-separated list of file extensions to block (aka “Blocklist”)
BLOCKMIMETYPES
CHAR
A semicolon-separated list of MIME-types to block (aka “Blocklist”).
CLEANQUARANTINE
CHAR
Key of the quarantine worker to receive infected objects in a cryptographically protected quarantine ZIP archive
SCANALLEMBEDDED
BOOL
Recursively scan embedded items, like base64, uuencoded, data-URLs (default: 1)
SCANALLFILES
BOOL
Scan all files, regardless of their type (default: 1)
SCANBESTEFFORT
BOOL
Apply all available scan techniques (default: 1)
SCANEXTENSIONS
CHAR
A semicolon-separated list of file extensions to continue processing. Files with extensions NOT on this list will be blocked (“Allowlist”)
SCANEXTRACT
BOOL
Extract Archives and compressed data files and scan the content (recursively) (default: 1)
SCANEXTRACT_DEPTH
INT
Maximum nesting depth for archives (default: 20)
SCANLOGPATH
CHAR
Name of the file to log all scan operations to. Note a SCANLOG_BASEPATH must be configured in /config/bb-av-control.cfg
SCANMIMETYPES
CHAR
A semicolon-separated list of MIME-types to continue processing. Files with MIME-types NOT on this list will be blocked (aka “Allowlist”).
CUST_ACTIVE_CONTENT
BOOL
Detect and block files containing active-content elements. Check the “Hierarchical Configurations” section for details on how to fine-tune what type of content is detected and blocked as active content. (default: 0)
CUST_ALL_SCANERR_AS_WARNING
BOOL
Override any scan error returned by the VSA and treat it as a warning, therefore accepting the file. Basically, this is switching the Virus Scan Profile to a “fail-open” configuration. Use with caution! (default: 0)
CUST_CHECK_MIME_TYPE
BOOL
Activate the filtering of files based on MIME-types (if provided) and activate the enforcement MIME-type to extension matching.
Override with the SCAN-parameter ENFORCE_MIME_EXTENSION_MATCH. Check the “Hierarchical Configurations” section for details on how to fine-tune and layer scan configurations. (default: 0)
CUST_CLEAN
BOOL
Attempt to clean infected files. This may MODIFY the file and the original content may be lost. Use with caution! (default: 0)
CUST_NO_SCANINFO
BOOL
Instruct the VSA only to return the blocking verdict, but no details on the scan. (default: 0)
CUST_NOT_SCANNED_AS_WARNING
BOOL
In situations where a file cannot be scanned, i.e., due to encryption or password protection, accept the file with a warning instead of blocking it. (default: 0)
This website or its third party tools use cookies.
By closing this banner, scrolling this page, clicking a link or continuing to browse otherwise, you agree to the use of cookies.OKRead more
NOTE:
