bowbridge Anti-Virus 4.x - Solution Overview1.WelcomeWelcome to bowbridge Anti-Virus for SAP Solutions, version 4.x. Anti-Virus 4.x is a nearly complete rewrite of the successful bowbridge Anti-Virus product, aiming at addressing the evolving requirements of SAP deployments in on-premises and cloud environments.
2.Product ComponentsAnti-Virus 4.x is significantly more modular than previous versions of the product to accommodate more deployment options for on-premises, hybrid, and cloud deployments.
2.1.Core ComponentsThese components exist in every bowbridge Anti-Virus 4.x deployment. 2.1.1.Virus Scan Adapter (VSA / VSA-client)The Virus Scan Adapter (VSA) is a shared library (a DLL on Windows) that connects to SAP’s Virus Scan Interface (VSI). The VSA is loaded into the SAP kernel (dialog work processes on an ABAP stack and the jstart server process on a Java stack). The main functions of the VSA are to:
REFERENCE: Technically, the VSA consists of two libraries, the “VSA wrapper”, and the “VSA implementation library”. Refer to the bowbridge Troubleshooting Guide for more details.
2.1.2.Message BrokerThe message broker is the central communication hub interconnecting all components of the Anti-Virus solution. It is based on the Apache Artemis message broker and implements AMQP 1.0 with authentication and SSL/TLS-based encryption to ensure the integrity and confidentiality of all inter-component communications. VSA clients and scan workers connect to the broker, which dispatches scan requests to the best-available scan worker and routes replies back to the requesting client. Depending on the deployment model, the broker either runs locally on the application server, on a separate host/container, or in the cloud. 2.1.3.Controlbowbridge Control is a central, critical component of a bowbridge Anti-Virus 4.x installation. Each installation of bowbridge Anti-Virus 4.x must include precisely one control instance. Its main functions are:
2.2.Security WorkersProcesses performing the actual threat detection are referred to as “Security Workers.” In cloud deployments, scan workers are operated and monitored by bowbridge as part of the CloudScan offering. 2.2.1.MIMEscanbowbridge MIMEscan processes every scan request, regardless of the remaining scan policy. Its main functions are:
2.2.2.Archive-ExtractorThe bowbridge archive-extractor security worker ensures recursive scanning of multiple archive file types. If the security policy requires recursive scanning of archives (Virus Scan Profile parameter SCANEXTRACT), all security checks defined in the policy are applied to every file in the archive. The archive extractor security worker handles the following archive formats:
and the following compression formats:
2.2.3.Active Content Detectionbowbridge Active Content Detection detects multiple types of executables and active content in files and blocks those files following the security policy. We continuously improve Active Content Detection. With the initial release of Anti-Virus 4.0, the worker detects the following types of active content:
2.2.4.ICAP ClientThis security worker forwards the file to an ICAP server for scanning. ICAP servers are commonly used in web-proxy security and are a cost-effective and centralized approach to malware scanning, albeit not as fast as the other anti-malware engines. 2.2.5.ClamAV clientThis security worker forwards the file to a local or remote/central ClamAV open-source malware detection engine instance. While bowbridge does not recommend solely the use of ClamAV in production environments, it may be a good and cost-effective option for non-production environments or even as a second-opinion scan engine in production environments. 2.2.6.SOPHOS Malware ScanThis security worker utilizes the Sophos anti-virus scan engine to scan files for malware. 2.2.7.Trellix Malware ScanThis security worker utilizes the Trellix (formerly known as McAfee) anti-virus scan engine to scan files for malware. Bowbridge delivers the Trellix anti-virus scan engine as part of bowbridge Anti-Virus and relays malware definition updates and engine updates published by Trellix within ten minutes of their release by Trellix. 2.3.Integration WorkersThese optional modules are required to integrate bowbridge Anti-Virus 4.x with customer-owned cyber-security infrastructure 2.3.1.Event HandlerThis worker receives and processes events from other modules and can trigger customizable actions via OS-level scripts. The most common use cases are generating custom alerts, such as emails, or integrating bowbridge Anti-Virus 4.x with SIEM solutions. 2.3.2.EPOloggerThis worker forwards bowbridge Anti-Virus event and status information to a Trellix ePolicy Orchestrator (ePO). 2.3.3.QuarantineWhen a file is blocked by the VSA, SAP’s default behavior is to discard that file. Its content is deleted and cannot be restored. The Quarantine Worker is therefore designed for customers wishing to retain a copy of blocked files, for example, as evidence or for forensic analysis. It receives copies of files that any of the security workers have blocked and stores them, along with a human-readable description of the blocking reason, in a password-protected archive. This prevents potentially malicious and dangerous files from being opened or executed inadvertently but ensures engineers can reconstruct the blocked content, for example, on an air-gapped system. 3.Deployment OptionsThanks to its modular architecture, administrators can deploy bowbridge Anti-Virus in several different scenarios. This section describes the most common ones to inform decision makers which deployment scenario best meets their specific requirements. 3.1.LocalIn this deployment scenario, all modules are deployed to the SAP application server(s). It mimics the only deployment option available in previous versions. It is the easiest upgrade path from earlier versions to version 4.x. This scenario delivers the highest scan performance as all scanning activity happens locally on each application server and communication between the modules relies on IPC. However, this deployment model also requires the highest configuration and administration overhead. Administrators must deploy configurations to every application server, monitor status and virus data updates on each application server, etc. Further, in installations needing relatively few scans or which run only interactive applications, the performance gain may not justify the resource and administration overhead of running a dedicated virus-scanning engine on every application server. 3.2.DistributedIn this deployment scenario, administrators need to only install the VSA-client component on every application server. Several application servers or system-lines with multiple application servers may share scan workers. 3.3.CloudScanThis deployment model does not require administrators to deploy workers to their application servers. It only requires VSA clients, which connect to bowbridge-powered scanning services provided by bowbridge on all major hyperscalers or provided by several hosting partners. 3.4.Advanced Deployment ScenariosInstallation in shared directories (i.e., NFS-mounted directories)Deploying bowbridge Anti-Virus 4.x in directories shared by multiple application servers, such as NFS-mounts, is possible and supported. However, administrators must pay special attention to the following:
We strongly recommend reaching out to your bowbridge partner or bowbridge technical support to assist with your configuration’s planning and/or validation. Distributed with containerized workersIn this “Distributed” deployment scenario variant, administrators do not deploy control and/or scan workers bare-metal servers or VMs but deploy them as container workloads on top of Docker with optional orchestration tools, such as Kubernetes. Bowbridge provides, maintains, and supports all workers as Docker containers. Self-managed auto-scaling deploymentbowbridge Anti-Virus supports auto-scaling of scan worker capacities. Based on load high-water marks and low-water marks defined by the administrator, the control worker starts and stops additional workers to handle the load dynamically. Container-Orchestration with/without auto-scalingThe bowbridge control worker and scan worker containers can be managed by orchestration platforms, such as Kubernetes or Docker Swarm. Orchestration platforms automate most of the monitoring and ensure optimal utilization of resources. If so configured, they also allow automatic, dynamic, load-based allocation and de-allocation of scan workers. Semi-distributed vs. fully distributedIn typical environments, some workers use up more resources than others. For instance, determining the MIME-type is usually low-impact, whereas extracting a deeply nested archive or virus-scanning large binary files is CPU-intensive. To maximize the overall performance without over-allocating resources for workers that don’t need them, it is possible to further split-up the “Distributed” deployment model. With bowbridge Anti-Virus 4.x, operating each worker on a separate VM or container is possible. Adding resources of a particular type only requires starting up a new VM or adding a container of that type. For example, running one instance of the MIME-scan worker, two instances of the archive-extractor, one instance of the active content detection worker, and three Trellix malware scanning workers is possible.
IMPORTANT: Technically, it is also possible to increase the number of worker processes of a particular type in the “semi-distributed scenario,” with all workers running on the same host. However, as CPU resources are shared across all local processes, such a configuration has little to no benefit. Instead, adjusting the number of worker threads may increase scan throughput, especially with large numbers of concurrent scans.
|