bowbridge Anti-Virus 4.x - Configuration Guide

1.SAP VSI Architecture

SAP VSI introduces three abstraction layers:

  1. Virus Scan Provider: describes the access to a virus scanner
    • Virus Scan Adapter: extends the SAP kernel functionality and enables the SAP kernel to access the malware scanner directly. The virus scan adapter is loaded as a dynamic library (DLL on Windows). It is executed within the address space of the J2EE or ABAP engine and is, therefore, the variant offering the highest performance.
    • Virus Scan Server: defines a (logical or physical) server that gets scan-objects via SAP RFC. This variant delivers significantly lower scan throughput and might fail when scanning large files. Its use is discouraged.
  2. Virus Scan Group: A Virus Scan Group may contain several Virus Scan Providers with identical configurations

  3. Virus Scan Profile: allows administrators to combine the unique functionalities of multiple Virus Scan Groups using logical AND/OR relationships. This makes it possible to create configurations in which files are checked by multiple virus scan engines. Virus Scan Profiles may also be created to maintain granular, application-specific scanning configurations.

Layers of the SAP Virus Scanning Architecture

 

2.Configuration in SAP AS ABAP

Once installed, the bowbridge Anti-Virus basic configuration is performed entirely from the SAP customization tools. Additional options, such as activating debug tracing, specifying alternative update sources or fine-tuning of active-content types, can be achieved via configuration files in an on-premises deployment or via the bowbridge customer portal in Hybrid- and Cloud-deployments.

Setting up virus protection for ABAP-based SAP applications requires the following major steps:

1. Definition of Virus Scanner Groups

2. Definition of Virus Scan Providers

3. Definition and activation of Virus Scan Profiles

4. On SAP gateway systems, activation of Virus Scanning at the SAP gateway.

 

2.1.Maintaining Virus Scanner Groups

A scanner group combines multiple virus scanners of the same type. As users will select the Virus Scan Provider using the scanner group when maintaining the virus scan profile, they must assign each Virus Scan Provider to at least one scanner group.

We recommend setting up multiple scanner groups in order to maintain multiple scan configurations on the system.

To set up and maintain Scanner Groups, access transaction VSCANGROUP. A list of key-value pairs may be specified as Configuration Parameters for every group.
Upon completing the OS-level installation, the bowbridge-installation-summary.txt file contains the required parameters and their values.

VSCANGROUP


NOTE:

Not all parameters displayed in the parameter selection are valid in Virus Scanner Groups. Only the INIT*-parameters are relevant. And of those, only the ones below are required/supported by bowbridge Anti-Virus 4.


The options supported by bowbridge Anti-Virus 4 are:

| Parameter Name | Required? | Notes |
|---|---|---|
| INITDIRECTORY | Yes | bowbridge program base-path |
| INITDRIVERS | Yes | URL of the message broker |
| INITENGINES | Yes | List and order of scan workers to use |
| INITLICENSE_PATH | Yes | API key and authentication to the broker |
| INITSERVERS | Only for ICAP and ClamAV | ICAP-URLs or ClamAV connection URL |
| INITTIMEOUT | No | Initialization timeout for the Virus Scan Provider |
| INITTEMP_PATH | No | Temporary directory to use. If not specified, the OS-level default is used |

Because the initialization parameters defined in the Virus Scanner Group apply to all hosts and are usually transported to all systems of a system line, use paths that exist on all affected instances. If SID-specific paths have to be used, environment variables such as $SAPSYSTEMNAME or $HOSTNAME are supported in path and file names. The values are expanded to the respective values on each system.
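A pre-transport check for the rules above, as an added example that is not part of the bowbridge documentation or product: it validates a group's parameters against the table in this section and shows how `$NAME` variables would resolve per instance. The host names, paths, broker URL and the restriction to plain `$NAME` syntax are assumptions made for the illustration.

```python
import re

# Parameters this guide lists for Virus Scanner Groups: name -> always required?
SUPPORTED = {
    "INITDIRECTORY": True,
    "INITDRIVERS": True,
    "INITENGINES": True,
    "INITLICENSE_PATH": True,
    "INITSERVERS": False,   # required only for ICAP and ClamAV
    "INITTIMEOUT": False,
    "INITTEMP_PATH": False,
}
PATH_PARAMS = ("INITDIRECTORY", "INITTEMP_PATH")
VAR = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

def expand(value, env):
    """Expand $NAME references; return (expanded value, unresolved names)."""
    unresolved = []
    def substitute(match):
        name = match.group(1)
        if name not in env:
            unresolved.append(name)
            return match.group(0)
        return env[name]
    return VAR.sub(substitute, value), unresolved

def check_group(params, instances):
    """Return findings for one group against every instance's environment."""
    findings = [f"missing required parameter {n}"
                for n, required in SUPPORTED.items()
                if required and not params.get(n)]
    findings += [f"unsupported parameter {n}" for n in params if n not in SUPPORTED]
    for host, env in instances.items():
        for name in PATH_PARAMS:
            _, unresolved = expand(params.get(name, ""), env)
            findings += [f"{host}: ${var} in {name} is not set" for var in unresolved]
    return findings

def resolved(params, instances, name):
    """Show what one path parameter resolves to on each instance."""
    return {host: expand(params[name], env)[0] for host, env in instances.items()}

# Constructed sample values; hosts, paths and the broker URL are placeholders.
GROUP = {
    "INITDIRECTORY": "/usr/sap/$SAPSYSTEMNAME/bowbridge",
    "INITDRIVERS": "https://broker.example.invalid",
    "INITENGINES": "<engine list from bowbridge-installation-summary.txt>",
    "INITLICENSE_PATH": "<value from bowbridge-installation-summary.txt>",
    "INITTEMP_PATH": "/tmp/bbav_$HOSTNAME",
    "SCANBESTEFFORT": "1",   # a step parameter, not valid at group level
}
INSTANCES = {
    "sapdev01": {"SAPSYSTEMNAME": "DEV", "HOSTNAME": "sapdev01"},
    "sapqas01": {"SAPSYSTEMNAME": "QAS"},   # HOSTNAME missing in this environment
}

if __name__ == "__main__":
    for line in check_group(GROUP, INSTANCES):
        print(line)
    print(resolved(GROUP, INSTANCES, "INITDIRECTORY"))
```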

2.2.Maintaining Virus Scan Providers

To set up and maintain Scanner Groups, access transaction VSCANGROUP.

 


NOTE:

SAP VSI supports two types of Virus Scan Providers:

  • Virus Scan Adapter
  • Virus Scan Server

While both options are fully supported with Anti-Virus, bowbridge and SAP recommend using the Virus Scan Adapter configuration whenever possible because it is more stable, delivers much better performance, and overcomes other limitations of the Virus Scan Server deployment mode. See SAP Note 782963 for details.

If you have to deploy bowbridge Anti-Virus in the Virus Scan Server model, please contact bowbridge technical support for additional documentation on implementing that configuration. We also encourage looking at the “Scan-Server” deployment model of bowbridge Anti-Virus 4. It combines the advantages of a central scanning server with those of not using RFC to transfer files to be scanned.


 

Virus Scan Provider

 

Upon creating/maintaining a Virus Scan Provider, the following parameters must be provided:

| Parameter Name | Notes |
|---|---|
| Provider Type | Use “Adapter” whenever possible |
| Provider Name | Must begin with “VSA_”. Using the default works fine. |
| Scanner Group | The scanner group this provider is part of |
| Status | Controls how the Provider is started. CCMS will periodically check the Provider’s status and attempt to bring/restore it to the defined status. In most cases, this should be “Active Application-Server” |
| Server | The application server this particular VSA runs on. In SAP systems with multiple instances, one Virus Scan Provider must be maintained for each instance. |
| Interval Reinit | Specifies the interval in which CCMS will attempt to re-initialize the Virus Scan Provider. While not technically needed, a Re-Init refreshes the data displayed in VSCAN. A re-initialization can also be triggered manually by clicking the “Load” button |
| Adapter Path | Fully qualified path to the libbbAV.so.4 file. Environment variables, such as $SAPSYSTEMNAME or $HOSTNAME are supported in the path parameter and will expand/resolve to the local value on each instance. |

2.3.Maintaining Virus Scan Profiles

Virus Scan Profiles are a set of parameters specifying how a scan will be performed. Their names reference ABAP function modules in which the Virus Scan Profile name is hard-coded. During the execution of such function modules, scans are automatically performed with the profile settings if the respective virus scan profile is marked as “active”. Each profile defines one or more “Steps,” invoking a virus scan provider from a Virus Scanner Group or referencing another Virus Scan Profile.

Since SAP BASIS 757, an inactive virus scan profile will result in warning messages (event type “FU0”) in the SAP Security Audit Log.

For example, if the SCET/GUI_UPLOAD profile is active, then any file upload via SAP GUI will be scanned with the settings of the SCET/GUI_UPLOAD profile. This is fully transparent to the application using the function module and works without any application changes.

SAP delivers several virus scan profiles, which are mostly empty. In their default configuration, they reference the so-called “Default Profile.”

SAP-delivered Virus Scan Profiles

There are, therefore, two ways to manage Virus Scan Profiles effectively:

  • Maintain the Scan Settings in each relevant profile individually. This approach makes sense for maintaining specific scan settings that vary by function module; for example, if GUI uploads need to be scanned with settings other than HTTP uploads.
    In this case, uncheck the “Use Reference” checkbox in the Virus Scan Profile and maintain steps, MIME-types, and profile configuration parameters in the Virus Scan Profile
  • Create one or a few “reference profiles” with common scan settings and use those as references in the other profiles that need to be activated.
    For this approach, create new profiles in the Z or Y namespace and maintain the required parameters. For example, administrators could create a Z_BASIC profile for pure virus scanning and a Z_ADVANCED profile containing more advanced filtering, like MIME-type filters and active content detection.
    If, additionally, one of the reference profiles is marked as “Default,” it would be sufficient to activate any other SAP-delivered profile for it to reference the Default Profile and perform scans with the settings of the Default Profile

In either case, the profiles contain the following parameters:

 

Dialog Structure Folder “Virus Scan Profile”
| Parameter Name | Type | Required? | Notes |
|---|---|---|---|
| Scan Profile Name | Text | Yes | Custom profiles must be in Y or Z namespaces |
| Profile Text | Text | No | A free-form descriptive text |
| Active | Checkbox | No | Marks the profile as active |
| Default Profile | Checkbox | No | Marks this profile as Default. Note only ONE profile can be marked as Default |
| Evaluate Profile Configuration Parameters | Checkbox | No | Activates the parameters defined in the “Profile Configuration Parameters” folder. If parameters are maintained in the Profile Configuration Parameters, and this checkbox is inactive, a warning will be displayed upon saving virus scan profile changes. For example, the SCET/DP_VS_ENABLED causes this warning in its default, SAP-delivered configuration. |
| Not relevant for Security Audit Log | Checkbox | No | Since SAP BASIS 757, warning messages are written to the security audit log when a file transfer would have been scanned if this profile was active. This checkbox disables the Security Audit Log Messages for this profile. |
| Use reference | Checkbox | No | If checked, the settings maintained in the profile are ignored, and those maintained in the referenced profile specified are used. If, in turn, no reference profile is specified, the Default Profile is used. |

 

Dialog Structure Folder “Steps”
| Parameter Name | Type | Required? | Notes |
|---|---|---|---|
| Position | Text | Yes | Numerical value. Only used to order the steps |
| Type | Selector | Yes | The type of the reference: Group or Profile. |
| Scanner Group | Selector | Yes | Scanner Group to use in this step (if “Group” is selected for Type) |
| Virus Scan Profile | Selector | Yes | Virus Scan Profile to use in this step (if “Profile” is selected for Type) |

 

Step Configuration Parameters apply only to the selected step of the Virus Scan Profile.

Dialog Structure Folder “Step Configuration Parameters”
| Parameter Name | Default value | Notes |
|---|---|---|
| BLOCKEXTENSIONS | | A semicolon-separated list of file extensions to block (aka “Blocklist”) |
| BLOCKMIMETYPES | | A semicolon-separated list of MIME-types to block (aka “Blocklist”). Technically identical to specifying a list of MIME-types and setting the Profile Configuration parameter CUST_MIMETYPES_ARE_BLACKLIST |
| CLEANQUARANTINE | | Key of the quarantine worker to receive infected objects in a cryptographically protected quarantine ZIP archive |
| SCANALLEMBEDDED | 1 | Recursively scan embedded items, like base64, uuencoded, data-URLs |
| SCANALLFILES | 1 | Scan all files, regardless of their type |
| SCANBESTEFFORT | 1 | Apply all available scan techniques |
| SCANEXTENSIONS | | A semicolon-separated list of file extensions to continue processing. Files with extensions NOT on this list will be blocked (“Allowlist”) |
| SCANEXTRACT | 1 | Extract Archives and compressed data files and scan the content (recursively) |
| SCANEXTRACT_DEPTH | 20 | Maximum nesting depth for archives |
| SCANLOGPATH | | Name of the file to log all scan operations to. Note a SCANLOG_BASEPATH must be configured in /config/bb-av-control.cfg |
| SCANMIMETYPES | | A semicolon-separated list of MIME-types to continue processing. Files with MIME-types NOT on this list will be blocked (aka “Allowlist”). Technically identical to specifying a list of MIME-types. Because of the length limit of the field, it is better to provide the list line-by-line in the MIME-types folder of the Dialog Structure. |

 

Profile Configuration Parameters apply to any step of the profile.

 

Dialog Structure Folder “Profile Configuration Parameters”
| Parameter Name | Default value | Notes |
|---|---|---|
| CUST_ACTIVE_CONTENT | 0 | Detect and block files containing active-content elements. Check the “Hierarchical Configurations” section for details on how to fine-tune what type of content is detected and blocked as active content. |
| CUST_ALL_SCANERR_AS_WARNING | 0 | Override any scan error returned by the VSA and treat it as a warning, therefore accepting the file. Effectively, this equals switching the Virus Scan Profile to a “fail-open” configuration. Use with caution! |
| CUST_CHECK_MIME_TYPE | 0 | Activate the filtering of files based on MIME types (if provided) and activate the enforcement MIME-type to extension matching. Override with the SCAN-parameter ENFORCE_MIME_EXTENSION_MATCH. Check the “Hierarchical Configurations” section for details on how to fine-tune and layered scan configurations. |
| CUST_CLEAN | 0 | Attempt to clean infected files. This may MODIFY the file and the original content may be lost. Use with caution! |
| CUST_MIME_TYPES_ARE_BLACKLIST | 0 | Toggles the list of MIME-types in the “MIME-types” folder from “Allowlist” to “Blocklist” |
| CUST_NO_SCANINFO | 0 | Instruct the VSA only to return the blocking verdict, but no details on the scan. |
| CUST_NOT_SCANNED_AS_WARNING | 0 | In situations where a file cannot be scanned, i.e., due to encryption or password protection, accept the file with a warning instead of blocking it. |

 

2.4.ODATA Virus Scan

When file transfers are embedded in ODATA, AS ABAP can scan these at the gateway level.

Access transaction /n/IWFND/VIRUS_SCAN to maintain virus scan at the gateway level:

To enable virus scanning at the gateway, ensure the “Disable Virus Scanning” checkbox is not checked.

In the Virus Scan Profile field, specify a Virus Scan Profile explicitly or leave the field empty (remove any “-” that may be there by default), then execute the transaction.

 

3.Configuration in AS Java

Once installed, the bowbridge Anti-Virus basic configuration is performed entirely in NetWeaver Administrator (NWA). Additional options, such as activating debug tracing, alternative update sources or granular deactivation of active-content types, can be configured via configuration files in an on-premises deployment or via the bowbridge customer portal in Hybrid- and Cloud-deployments.

Setting up virus protection for Java-based SAP applications requires the following major steps:

1. Definition of Virus Scanner Groups

2. Definition of Virus Scan Providers

3. Definition and activation of Virus Scan Profiles

3.1.Maintaining Virus Scanner Groups

Virus Scan Providers with identical configurations are grouped in a Virus Scanner Group. However, even with only one Virus Scan Provider, a Scanner Group containing just this element must be created.

Virus Scanner Groups are maintained from the Virus Scan Provider section in the NetWeaver Administrator’s Configuration Tab.

Virus Scan Provider in NWA

In the Group Tab of the Virus Scan Provider management, Edit, then add/change a Virus Scan Group.
When creating a new group, administrators may decide to mark it as the default group.
Specifying INIT Parameters, as with an ABAP stack, is not required on a Java Stack.

3.2.Maintaining Virus Scan Adapters

Virus Scan Adapters are the preferred option to set up a Virus Scan Provider on SAP AS JAVA. The Virus Scan Server option is also supported, but its use is discouraged.

Virus Scan Adapters are configured in the “Adapters” Tab of the Virus Scan Provider setup.

All Virus Scan Adapter Names must be prefixed with VSA_

Virus Scan Adapter in NWA

 

Virus Scan Adapter parameter details:

 

“Settings” Tab
| Parameter Name | Type | Required? | Notes |
|---|---|---|---|
| Default Scan Provider | Checkbox | No | Marks this provider as the default |
| Adapter Name | Text | Yes | Name of the Provider. Must be prefixed with “VSA_” |
| Adapter Description | Text | No | Free-form descriptive text |
| Scan Group | Selector | Yes | Maps the provider to a Scan Group |
| Init Interval (Hours) | Text | Yes | Interval in hours after which the J2EE Kernel re-initializes the Virus Scan Adapter |
| Maximum Instances | Text | Yes | Maximum number of VSA instances. IMPORTANT: This number must be equal to or higher than the number of threads in the start server. The default number of threads is 140. Hence the value of this parameter should be 140 or higher. |
| VSA Library Path | Text | Yes | Full path to the libbbAV.so.4 library. Please note that due to a GUI error, the path can only be entered when clicking on the left end of the field, and is not displayed properly. |

Adapter Path Display Error

 

3.3.Maintaining Virus Scan Profiles

Virus Scan Profiles are a set of parameters specifying how a scan will be performed. Their names reference Java methods in which the Virus Scan Profile name is hard-coded. During the execution of such methods, scans are automatically performed with the profile settings if the profile is marked as active. The profile defines one or more “Steps,” invoking a virus scan provider from a Virus Scanner Group or referencing another Virus Scan Profile.

For example, if the htmlb_FileUpload profile is active, then any file upload via HTTP will be scanned with the settings of the htmlb_FileUpload profile. This is fully transparent to the application using the function module and works without any application changes.

SAP delivers several virus scan profiles, which are mostly empty. In their default configuration, they reference the so-called “Default Profile.”

Virus Scan Profiles

There are, therefore, two ways to manage Virus Scan Profiles effectively:

  • Maintain the Scan Settings in each relevant profile individually. This approach makes sense if you maintain specific scan settings that vary by function module. For example, if you want HTTP uploads to be scanned with different settings than pi_Messaging uploads.
    In this case, uncheck the “Use Reference” checkbox in the virus scan profile and maintain steps, MIME-types, and profile configuration parameters in the virus scan profile
  • Create one or a few “reference profiles” with common scan settings and use those as references in the other profiles you need to activate.
    For this approach, create new profiles in the Z or Y namespace and maintain the required parameters. For example, administrators could create a Z_BASIC profile for pure virus scanning and a Z_ADVANCED profile containing more advanced filtering, like MIME-type filters and active content detection.
    If, additionally, one of the reference profiles is marked as “Default,” it would be sufficient to activate any other SAP-delivered profile for it to reference the Default profile and perform scans with the settings of the Default Profile

In either case, the profiles contain the following parameters:

 

 

Virus Scan Profile Settings – Settings Tab
| Parameter Name | Type | Required? | Notes |
|---|---|---|---|
| Default Scan Profile | Checkbox | No | Marks this profile as Default. Note only ONE profile can be marked as Default |
| Scan Profile Name | Text | Yes | Custom profiles must be in Y or Z namespaces |
| Profile Description | Text | No | A free-form descriptive text |
| Reference Profile | Selector | No | Points to the profile to reference. |
| Profile Steps | List | Yes (unless using a reference) | Ordered list of Groups or Profiles to run through. |

 

Use the Parameters tab to fine-tune the scan settings of the virus scan profile:

Virus Scan Profile Settings – Parameters Tab
| Parameter Name | Type | Notes |
|---|---|---|
| BLOCKEXTENSIONS | CHAR | A semicolon-separated list of file extensions to block (aka “Blocklist”) |
| BLOCKMIMETYPES | CHAR | A semicolon-separated list of MIME-types to block (aka “Blocklist”). |
| CLEANQUARANTINE | CHAR | Key of the quarantine worker to receive infected objects in a cryptographically protected quarantine ZIP archive |
| SCANALLEMBEDDED | BOOL | Recursively scan embedded items, like base64, uuencoded, data-URLs (default: 1) |
| SCANALLFILES | BOOL | Scan all files, regardless of their type (default: 1) |
| SCANBESTEFFORT | BOOL | Apply all available scan techniques (default: 1) |
| SCANEXTENSIONS | CHAR | A semicolon-separated list of file extensions to continue processing. Files with extensions NOT on this list will be blocked (“Allowlist”) |
| SCANEXTRACT | BOOL | Extract Archives and compressed data files and scan the content (recursively) (default: 1) |
| SCANEXTRACT_DEPTH | INT | Maximum nesting depth for archives (default: 20) |
| SCANLOGPATH | CHAR | Name of the file to log all scan operations to. Note a SCANLOG_BASEPATH must be configured in /config/bb-av-control.cfg |
| SCANMIMETYPES | CHAR | A semicolon-separated list of MIME-types to continue processing. Files with MIME-types NOT on this list will be blocked (aka “Allowlist”). |
| CUST_ACTIVE_CONTENT | BOOL | Detect and block files containing active-content elements. Check the “Hierarchical Configurations” section for details on how to fine-tune what type of content is detected and blocked as active content. (default: 0) |
| CUST_ALL_SCANERR_AS_WARNING | BOOL | Override any scan error returned by the VSA and treat it as a warning, therefore accepting the file. Basically, this is switching the Virus Scan Profile to a “fail-open” configuration. Use with caution! (default: 0) |
| CUST_CHECK_MIME_TYPE | BOOL | Activate the filtering of files based on MIME-types (if provided) and activate the enforcement MIME-type to extension matching. Override with the SCAN-parameter ENFORCE_MIME_EXTENSION_MATCH. Check the “Hierarchical Configurations” section for details on how to fine-tune and layer scan configurations. (default: 0) |
| CUST_CLEAN | BOOL | Attempt to clean infected files. This may MODIFY the file and the original content may be lost. Use with caution! (default: 0) |
| CUST_NO_SCANINFO | BOOL | Instruct the VSA only to return the blocking verdict, but no details on the scan. (default: 0) |
| CUST_NOT_SCANNED_AS_WARNING | BOOL | In situations where a file cannot be scanned, i.e., due to encryption or password protection, accept the file with a warning instead of blocking it. (default: 0) |
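An offline review of the profile rules described in sections 2.3 and 3.3, as an added example that is not bowbridge or SAP code: it follows “Use reference” links (falling back to the Default Profile) and reports profiles that end up inactive, fail-open, or with parameters that are maintained but not activated. The dictionary layout, the `evaluate_params` key (modelling the ABAP checkbox “Evaluate Profile Configuration Parameters”), the profile Z_LEGACY and the group Z_BBAV are assumptions made for the illustration.

```python
# Profile parameters that this page marks "Use with caution!" or that
# accept files the scanner could not inspect.
RISKY = {
    "CUST_ALL_SCANERR_AS_WARNING": "fail-open: scan errors accept the file",
    "CUST_NOT_SCANNED_AS_WARNING": "unscannable files are accepted",
}

def effective(profiles, name):
    """Follow "Use reference" to the profile whose settings actually apply."""
    seen = []
    while profiles[name].get("use_reference"):
        if name in seen:
            raise ValueError("reference loop: " + " -> ".join(seen + [name]))
        seen.append(name)
        ref = profiles[name].get("reference")
        if not ref:  # no reference profile named: the Default Profile is used
            defaults = [n for n, p in profiles.items() if p.get("default")]
            if len(defaults) != 1:
                raise ValueError("exactly one Default Profile is required")
            ref = defaults[0]
        name = ref
    return name

def audit(profiles):
    """Return sorted (profile, finding) pairs."""
    findings = []
    for name, prof in profiles.items():
        if not prof.get("active"):
            findings.append((name, "inactive: no scan is performed"))
            continue
        try:
            src = effective(profiles, name)
        except (ValueError, KeyError) as err:
            findings.append((name, f"broken reference: {err}"))
            continue
        via = "" if src == name else f" (via {src})"
        eff = profiles[src]
        params = eff.get("params", {})
        if params and not eff.get("evaluate_params"):
            findings.append((name, "parameters maintained but not activated" + via))
            params = {}  # not activated, so none of them take effect
        for key, why in RISKY.items():
            if params.get(key) == "1":
                findings.append((name, why + via))
        if not eff.get("steps"):
            findings.append((name, "no steps defined" + via))
    return sorted(findings)

# Constructed sample; Z_LEGACY and the group name Z_BBAV are hypothetical.
STEP = [("Group", "Z_BBAV")]
PROFILES = {
    "Z_BASIC": {"active": True, "default": True, "steps": STEP},
    "Z_LEGACY": {"active": True, "evaluate_params": True, "steps": STEP,
                 "params": {"CUST_ALL_SCANERR_AS_WARNING": "1"}},
    "Z_ADVANCED": {"active": True, "evaluate_params": False, "steps": STEP,
                   "params": {"CUST_ACTIVE_CONTENT": "1"}},
    "SCET/GUI_UPLOAD": {"active": True, "use_reference": True,
                        "reference": "Z_LEGACY"},
    "SCET/DP_VS_ENABLED": {"active": True, "use_reference": True},
}

if __name__ == "__main__":
    for profile, finding in audit(PROFILES):
        print(f"{profile}: {finding}")
```

The finding on SCET/GUI_UPLOAD shows why references need review: the profile itself holds no settings, yet it inherits the fail-open behaviour of the profile it points to.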

 
