\n \n<\/pre>\n
SAP VSI introduces three abstraction layers:<\/p>\n
Virus Scan Group:<\/span><\/strong> A Virus Scan Group may contain several Virus Scan Providers with identical configurations<\/span><\/p>\n<\/li>\n\nVirus Scan Profile:<\/span><\/strong> allows administrators to combine the unique functionalities of multiple Virus Scan Groups and combine them using logical AND\/OR relationships. Creating configurations where <\/span>files will be checked by multiple virus scan engines is possible. Also, Virus Scan Profiles may be created to maintain granular, application-specific scanning configurations.<\/span><\/p>\n<\/li>\n<\/ol>\n<\/a><\/p>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.<\/span>Configuration in SAP AS ABAP<\/span> <\/div><\/h3>Once installed, the bowbridge Anti-Virus basic configuration is performed entirely from the SAP customization tools. Additional options, such as activating debug tracing, specifying\nalternative update sources or fine-tuning of active-content types, can be achieved via configuration files in an on-premises deployment or via the bowbridge customer portal in Hybrid- and Cloud-deployments.<\/span><\/p>\nSetting up virus protection for ABAP-based SAP applications requires the following major steps:<\/span><\/p>\n1. Definition of Virus Scanner Groups<\/span><\/p>\n2. Definition of Virus Scan Providers<\/span><\/p>\n3. Definition and activation of Virus Scan Profiles<\/span><\/p>\n4. On SAP gateway systems, activation of Virus Scanning at the SAP gateway.<\/p>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.1.<\/span>Maintaining Virus Scanner Groups<\/span> <\/div><\/h3>A scanner group combines multiple virus scanners of the same type. As users will select the Virus Scan Provider using the scanner group when maintaining the virus scan profile, they must assign each Virus Scan Provider to at least one scanner group.<\/span><\/p>\nWe recommend setting up multiple scanner groups in order to maintain multiple scan configurations on the system.<\/span><\/p>\nTo set up and maintain Scanner Groups, access transaction VSCANGROUP. A list of key-value pairs may be specified as Configuration Parameters<\/em> for every group.\nUpon completing the OS-level installation, the bowbridge-installation-summary.txt<\/em> file contains the required parameters and their values.<\/p>\n<\/a><\/p>\n\nNOTE:<\/p>\nNot all parameters displayed in the parameter selection are valid in Virus Scanner Groups. Only the INIT*-parameters are relevant. And of those, only the ones below are required\/supported by bowbridge Anti-Virus 4.<\/p>\n\nThe options supported by bowbridge Anti-Virus 4 are:<\/p>\n\n\n\nParameter Name<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nINITDIRECTORY<\/td>\nYes<\/td>\nbowbridge program base-path<\/td>\n<\/tr>\n\nINITDRIVERS<\/td>\nYes<\/td>\nURL of the message broker<\/td>\n<\/tr>\n\nINITDEXTRADRIVERS<\/td>\nNo<\/td>\nEncryption key for events (optional)<\/td>\n<\/tr>\n\nINITENGINES<\/td>\nYes<\/td>\nList and order of scan workers to use<\/td>\n<\/tr>\n\nINITLICENSE_PATH<\/td>\nYes<\/td>\nAPI key and authentication to the broker<\/td>\n<\/tr>\n\nINITSERVERS<\/td>\nOnly for ICAP and ClamAV<\/td>\nICAP-URLs or ClamAV connection URL<\/td>\n<\/tr>\n\nINITTIMEOUT<\/td>\nNo<\/td>\nInitialization timeout for the Virus Scan Provider<\/td>\n<\/tr>\n\nINITTEMP_PATH<\/td>\nNo<\/td>\nTemporary directory to use. If not specified, the OS-level default is used<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nBecause the initialization parameters defined in the Virus Scanner Group will apply to all hosts and are usually transported to all systems of a system line, one should use paths that exist on all affected instances. If\u00a0 SID-specific paths have to be used,\u00a0 using environment variables, such as $SAPSYSTEMNAME or $HOSTNAME is supported for path and file names. The values will be expanded\/resolved to respective values on each system.<\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.2.<\/span>Maintaining Virus Scan Providers<\/span> <\/div><\/h3>To set up and maintain Scanner Groups, access transaction VSCANGROUP.<\/p>\n <\/p>\n\n<\/p>\nNOTE:<\/p>\nSAP VSI supports two types of Virus Scan Providers: <\/span><\/p>\n\nVirus Scan Adapter<\/strong><\/i><\/span><\/li>\nVirus Scan Server<\/strong><\/i><\/span><\/li>\n<\/ul>\nWhile both options are fully supported with Anti-Virus bowbridge and SAP recommend using the Virus Scan Adapter<\/strong> configuration whenever possible because it is more stable, delivers much better performance, and overcomes other limitations of the Virus Scan Server deployment mode. See <\/span>SAP Note 782963 for details.<\/span><\/p>\nIf you have to deploy bowbridge Anti-Virus in the Virus Scan Server model, please contact bowbridge technical support for additional documentation on implementing that configuration. We also encourage looking at the “Scan-Server” deployment model of bowbridge Anti-Virus 4. It combines the advantages of a central scanning server with those of not using RFC to transfer files to be scanned.<\/span><\/p>\n\n <\/p>\n<\/p>\n <\/p>\nUpon creating\/maintaining a Virus Scan Provider, the following parameters must be provided:<\/p>\n\n\n\nParameter Name<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nProvider Type<\/td>\nUse “Adapter” whenever possible<\/td>\n<\/tr>\n\nProvider Name<\/td>\nMust begin with “VSA_”. Using the default works fine.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nThe scanner group this provider is part of<\/td>\n<\/tr>\n\nStatus<\/td>\nControls how the Provider is started. CCMS will periodically check the Provider’s status and attempt to bring\/restore it to the defined status. In most cases, this should be “Active Application-Server”<\/td>\n<\/tr>\n\nServer<\/td>\nThe application server this particular VSA runs on. In SAP systems with multiple instances, one Virus Scan Provider must be maintained for each instance.<\/td>\n<\/tr>\n\nInterval Reinit<\/td>\nSpecifies the interval in which CCMS will attempt to re-initialize the Virus Scan Provider. While not technically needed, a Re-Init refreshes the data displayed in VSCAN. A re-initialization can also be triggered manually by clicking the “Load” button<\/td>\n<\/tr>\n\nAdapter Path<\/td>\nFully qualified path to the libbbAV.so.4 file. Environment variables, such as $SAPSYSTEMNAME or $HOSTNAME are supported in the path parameter and will expand\/resolve to the local value on each instance.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.3.<\/span>Maintaining Virus Scan Profiles<\/span> <\/div><\/h3>Virus Scan Profiles are a set of parameters specifying how a scan will be performed. Their names reference ABAP function modules in which the Virus Scan Profile name is hard-coded. During the execution of such function modules, scans are automatically performed with the profile settings if the respective virus scan profile is marked as “active”. Each profile defines one or more “Steps,” invoking a virus scan provider from a Virus Scanner Group or referencing another Virus Scan Profile.<\/p>\nSince SAP BASIS 757 inactive virus scan profile will result in warning messages (event type “FU0)\u00a0 in the SAP Security Audit Log.<\/p>\nFor example, if the SCET\/GUI_UPLOAD profile is active, then any file upload via SAP GUI will be scanned with the settings of the SCET\/GUI_UPLOAD profile. This is fully transparent to the application using the function module and works without any application changes.<\/p>\nSAP delivers several virus scan profiles, which are mostly empty. In their default configuration, they reference the so-called “Default Profile.”<\/p>\n<\/a><\/p>\nThere are, therefore, two ways to manage Virus Scan Profiles effectively:<\/p>\n\nMaintain the Scan Settings in each relevant profile individually. This approach makes sense for maintaining specific scan settings that vary by function module; for example, if GUI uploads need to be scanned with settings other than HTTP uploads.\nIn this case, uncheck the “Use Reference” checkbox in the Virus Scan Profile and maintain steps, MIME-types, and profile configuration parameters in the Virus Scan Profile<\/li>\nCreate one or a few “reference profiles” with common scan settings and use those as references in the other profiles that need to be activated.\nFor this approach, create new profiles in the Z or Y namespace and maintain the required parameters. For example, administrators could create a Z_BASIC profile for pure virus scanning and a Z_ADVANCED profile containing more advanced filtering, like MIME-type filters and active content detection.\nIf, additionally, one of the reference profiles is marked as “Default,” it would be sufficient to activate any other SAP-delivered profile for it to reference the Default Profile and perform scans with the settings of the Default Profile<\/li>\n<\/ul>\nIn either case, the profiles contain the following parameters:<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Virus Scan Profile”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nScan Profile Name<\/td>\nText<\/td>\nYes<\/td>\nCustom profiles must be in Y or Z namespaces<\/td>\n<\/tr>\n\nProfile Text<\/td>\nText<\/td>\nNo<\/td>\nA free-form descriptive text<\/td>\n<\/tr>\n\nActive<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks the profile as active<\/td>\n<\/tr>\n\nDefault Profile<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks this profile as Default. Note only ONE profile can be marked as Default<\/td>\n<\/tr>\n\nEvaluate Profile Configuration Parameters<\/td>\nCheckbox<\/td>\nNo<\/td>\nActivates the parameters defined in the “Profile Configuration Parameters folder. If parameters are maintained in the Profile Configuration Parameters, and this checkbox is inactive, a warning will be displayed upon saving virus scan profile changes. For example, the SCET\/DP_VS_ENABLED causes this warning in its default, SAP-delivered configuration.<\/p>\n<\/a><\/td>\n<\/tr>\n\nNot relevant for Security Audit Log<\/td>\nCheckbox<\/td>\nNo<\/td>\nSincef SAP BASIS 757, warning messages are written to the security audit log when a file transfer would have been scanned if this profile was active. This checkbox disables the Security Audit Log Messages for this profile.<\/td>\n<\/tr>\n\nUse reference<\/td>\nCheckbox<\/td>\nNo<\/td>\nIf checked, the settings maintained in the profile are ignored, and those maintained in the referenced profile specified are used. If, in turn, no reference profile is specified, the Default Profile is used.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n\n\n\nDialog Structure Folder “Steps”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nPosition<\/td>\nText<\/td>\nYes<\/td>\nNumerical value. Only used to order the steps<\/td>\n<\/tr>\n\nType<\/td>\nSelector<\/td>\nYes<\/td>\nThe type of the reference, Group, or Profile.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nSelector<\/td>\nYes<\/td>\nScanner Group to use in this step (if “Group” is selected for Type)<\/td>\n<\/tr>\n\nVirus Scan Profile<\/td>\nSelector<\/td>\nYes<\/td>\nVirus Scan Profile to use in this step (if “Profile” is selected for Type)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nStep Configuration Parameters apply only to the selected step of the Virus Scan Profile.<\/p>\n\n\n\nDialog Structure Folder “Step Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nBLOCKEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to block (aka “Blocklist”)<\/td>\n<\/tr>\n\nBLOCKMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to block (aka “Blocklist”). Technically identical to specifying a list of MIME-types and setting the Profile Configuration parameter CUST_MIMETYPES_ARE_BLACKLIST<\/td>\n<\/tr>\n\nCLEANQUARANTINE<\/td>\n<\/td>\nKey of the quarantine worker to receive infected objects in a cryptographically protected quarantine ZIP archive<\/td>\n<\/tr>\n\nSCANALLEMBEDDED<\/td>\n1<\/td>\nRecursively scan embedded items, like base64, uuencoded, data-URLs<\/td>\n<\/tr>\n\nSCANALLFILES<\/td>\n1<\/td>\nScan all files, regardless of their type<\/td>\n<\/tr>\n\nSCANBESTEFFORT<\/td>\n1<\/td>\nApply all available scan techniques<\/td>\n<\/tr>\n\nSCANEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to continue processing. Files with extensions NOT on this list will be blocked (“Allowlist”)<\/td>\n<\/tr>\n\nSCANEXTRACT<\/td>\n1<\/td>\nExtract Archives and compressed data files and scan the content (recursively)<\/td>\n<\/tr>\n\nSCANEXTRACT_DEPTH<\/td>\n20<\/td>\nMaximum nesting depth for archives<\/td>\n<\/tr>\n\nSCANLOGPATH<\/td>\n<\/td>\nName of the file to log all scan operations to. Note a SCANLOG_BASEPATH must be configured in \/config\/bb-av-control.cfg<\/em><\/td>\n<\/tr>\n\nSCANMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to continue processing. Files with MIME-types NOT on this list will be blocked (aka “Allowlist”). Technically identical to specifying a list of MIME-types. Because of the length limit of the field, it is better to provide the list line-by-line in the MIME-types folder of the Dialog Structure.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nProfile Configuration Parameters apply to any step of the profile.<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Profile Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nCUST_ACTIVE_CONTENT<\/td>\n0<\/td>\nDetect and block files containing active-content elements. Check the “Hierarchical Configurations” section for details on how to fine-tune what type of content is detected and blocked as active content.<\/td>\n<\/tr>\n\nCUST_ALL_SCANERR_AS_WARNING<\/td>\n0<\/td>\nOverride any scan error returned by the VSA and treat it as a warning, therefore accepting the file. Effectively, this equals switching the Virus Scan Profile to a “fail-open” configuration. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_CHECK_MIME_TYPE<\/td>\n0<\/td>\nActivate the filtering of files based on MIME types (if provided) and activate the enforcement MIME-type to extension matching.\nOverride with the SCAN-parameter ENFORCE_MIME_EXTENSION_MATCH. Check the “Hierarchical Configurations” section for details on how to fine-tune and layered scan configurations.<\/td>\n<\/tr>\n\nCUST_CLEAN<\/td>\n0<\/td>\nAttempt to clean infected files. This may MODIFY the file and the original content may be lost. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_MIME_TYPES_ARE_BLACKLIST<\/td>\n0<\/td>\nToggles the list of MIME-types in the “MIME-types” folder from “Allowlist” to “Blocklist”<\/td>\n<\/tr>\n\nCUST_NO_SCANINFO<\/td>\n0<\/td>\nInstruct the VSA only to return the blocking verdict, but no details on the scan.<\/td>\n<\/tr>\n\nCUST_NOT_SCANNED_AS_WARNING<\/td>\n0<\/td>\nIn situations where a file cannot be scanned, i.e., due to encryption or password protection, accept the file with a warning instead of blocking it.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.4.<\/span>ODATA Virus Scan<\/span> <\/div><\/h3>
Virus Scan Profile:<\/span><\/strong> allows administrators to combine the unique functionalities of multiple Virus Scan Groups and combine them using logical AND\/OR relationships. Creating configurations where <\/span>files will be checked by multiple virus scan engines is possible. Also, Virus Scan Profiles may be created to maintain granular, application-specific scanning configurations.<\/span><\/p>\n<\/li>\n<\/ol>\n<\/a><\/p>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.<\/span>Configuration in SAP AS ABAP<\/span> <\/div><\/h3>Once installed, the bowbridge Anti-Virus basic configuration is performed entirely from the SAP customization tools. Additional options, such as activating debug tracing, specifying\nalternative update sources or fine-tuning of active-content types, can be achieved via configuration files in an on-premises deployment or via the bowbridge customer portal in Hybrid- and Cloud-deployments.<\/span><\/p>\nSetting up virus protection for ABAP-based SAP applications requires the following major steps:<\/span><\/p>\n1. Definition of Virus Scanner Groups<\/span><\/p>\n2. Definition of Virus Scan Providers<\/span><\/p>\n3. Definition and activation of Virus Scan Profiles<\/span><\/p>\n4. On SAP gateway systems, activation of Virus Scanning at the SAP gateway.<\/p>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.1.<\/span>Maintaining Virus Scanner Groups<\/span> <\/div><\/h3>A scanner group combines multiple virus scanners of the same type. As users will select the Virus Scan Provider using the scanner group when maintaining the virus scan profile, they must assign each Virus Scan Provider to at least one scanner group.<\/span><\/p>\nWe recommend setting up multiple scanner groups in order to maintain multiple scan configurations on the system.<\/span><\/p>\nTo set up and maintain Scanner Groups, access transaction VSCANGROUP. A list of key-value pairs may be specified as Configuration Parameters<\/em> for every group.\nUpon completing the OS-level installation, the bowbridge-installation-summary.txt<\/em> file contains the required parameters and their values.<\/p>\n<\/a><\/p>\n\nNOTE:<\/p>\nNot all parameters displayed in the parameter selection are valid in Virus Scanner Groups. Only the INIT*-parameters are relevant. And of those, only the ones below are required\/supported by bowbridge Anti-Virus 4.<\/p>\n\nThe options supported by bowbridge Anti-Virus 4 are:<\/p>\n\n\n\nParameter Name<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nINITDIRECTORY<\/td>\nYes<\/td>\nbowbridge program base-path<\/td>\n<\/tr>\n\nINITDRIVERS<\/td>\nYes<\/td>\nURL of the message broker<\/td>\n<\/tr>\n\nINITDEXTRADRIVERS<\/td>\nNo<\/td>\nEncryption key for events (optional)<\/td>\n<\/tr>\n\nINITENGINES<\/td>\nYes<\/td>\nList and order of scan workers to use<\/td>\n<\/tr>\n\nINITLICENSE_PATH<\/td>\nYes<\/td>\nAPI key and authentication to the broker<\/td>\n<\/tr>\n\nINITSERVERS<\/td>\nOnly for ICAP and ClamAV<\/td>\nICAP-URLs or ClamAV connection URL<\/td>\n<\/tr>\n\nINITTIMEOUT<\/td>\nNo<\/td>\nInitialization timeout for the Virus Scan Provider<\/td>\n<\/tr>\n\nINITTEMP_PATH<\/td>\nNo<\/td>\nTemporary directory to use. If not specified, the OS-level default is used<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nBecause the initialization parameters defined in the Virus Scanner Group will apply to all hosts and are usually transported to all systems of a system line, one should use paths that exist on all affected instances. If\u00a0 SID-specific paths have to be used,\u00a0 using environment variables, such as $SAPSYSTEMNAME or $HOSTNAME is supported for path and file names. The values will be expanded\/resolved to respective values on each system.<\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.2.<\/span>Maintaining Virus Scan Providers<\/span> <\/div><\/h3>To set up and maintain Scanner Groups, access transaction VSCANGROUP.<\/p>\n <\/p>\n\n<\/p>\nNOTE:<\/p>\nSAP VSI supports two types of Virus Scan Providers: <\/span><\/p>\n\nVirus Scan Adapter<\/strong><\/i><\/span><\/li>\nVirus Scan Server<\/strong><\/i><\/span><\/li>\n<\/ul>\nWhile both options are fully supported with Anti-Virus bowbridge and SAP recommend using the Virus Scan Adapter<\/strong> configuration whenever possible because it is more stable, delivers much better performance, and overcomes other limitations of the Virus Scan Server deployment mode. See <\/span>SAP Note 782963 for details.<\/span><\/p>\nIf you have to deploy bowbridge Anti-Virus in the Virus Scan Server model, please contact bowbridge technical support for additional documentation on implementing that configuration. We also encourage looking at the “Scan-Server” deployment model of bowbridge Anti-Virus 4. It combines the advantages of a central scanning server with those of not using RFC to transfer files to be scanned.<\/span><\/p>\n\n <\/p>\n<\/p>\n <\/p>\nUpon creating\/maintaining a Virus Scan Provider, the following parameters must be provided:<\/p>\n\n\n\nParameter Name<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nProvider Type<\/td>\nUse “Adapter” whenever possible<\/td>\n<\/tr>\n\nProvider Name<\/td>\nMust begin with “VSA_”. Using the default works fine.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nThe scanner group this provider is part of<\/td>\n<\/tr>\n\nStatus<\/td>\nControls how the Provider is started. CCMS will periodically check the Provider’s status and attempt to bring\/restore it to the defined status. In most cases, this should be “Active Application-Server”<\/td>\n<\/tr>\n\nServer<\/td>\nThe application server this particular VSA runs on. In SAP systems with multiple instances, one Virus Scan Provider must be maintained for each instance.<\/td>\n<\/tr>\n\nInterval Reinit<\/td>\nSpecifies the interval in which CCMS will attempt to re-initialize the Virus Scan Provider. While not technically needed, a Re-Init refreshes the data displayed in VSCAN. A re-initialization can also be triggered manually by clicking the “Load” button<\/td>\n<\/tr>\n\nAdapter Path<\/td>\nFully qualified path to the libbbAV.so.4 file. Environment variables, such as $SAPSYSTEMNAME or $HOSTNAME are supported in the path parameter and will expand\/resolve to the local value on each instance.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.3.<\/span>Maintaining Virus Scan Profiles<\/span> <\/div><\/h3>Virus Scan Profiles are a set of parameters specifying how a scan will be performed. Their names reference ABAP function modules in which the Virus Scan Profile name is hard-coded. During the execution of such function modules, scans are automatically performed with the profile settings if the respective virus scan profile is marked as “active”. Each profile defines one or more “Steps,” invoking a virus scan provider from a Virus Scanner Group or referencing another Virus Scan Profile.<\/p>\nSince SAP BASIS 757 inactive virus scan profile will result in warning messages (event type “FU0)\u00a0 in the SAP Security Audit Log.<\/p>\nFor example, if the SCET\/GUI_UPLOAD profile is active, then any file upload via SAP GUI will be scanned with the settings of the SCET\/GUI_UPLOAD profile. This is fully transparent to the application using the function module and works without any application changes.<\/p>\nSAP delivers several virus scan profiles, which are mostly empty. In their default configuration, they reference the so-called “Default Profile.”<\/p>\n<\/a><\/p>\nThere are, therefore, two ways to manage Virus Scan Profiles effectively:<\/p>\n\nMaintain the Scan Settings in each relevant profile individually. This approach makes sense for maintaining specific scan settings that vary by function module; for example, if GUI uploads need to be scanned with settings other than HTTP uploads.\nIn this case, uncheck the “Use Reference” checkbox in the Virus Scan Profile and maintain steps, MIME-types, and profile configuration parameters in the Virus Scan Profile<\/li>\nCreate one or a few “reference profiles” with common scan settings and use those as references in the other profiles that need to be activated.\nFor this approach, create new profiles in the Z or Y namespace and maintain the required parameters. For example, administrators could create a Z_BASIC profile for pure virus scanning and a Z_ADVANCED profile containing more advanced filtering, like MIME-type filters and active content detection.\nIf, additionally, one of the reference profiles is marked as “Default,” it would be sufficient to activate any other SAP-delivered profile for it to reference the Default Profile and perform scans with the settings of the Default Profile<\/li>\n<\/ul>\nIn either case, the profiles contain the following parameters:<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Virus Scan Profile”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nScan Profile Name<\/td>\nText<\/td>\nYes<\/td>\nCustom profiles must be in Y or Z namespaces<\/td>\n<\/tr>\n\nProfile Text<\/td>\nText<\/td>\nNo<\/td>\nA free-form descriptive text<\/td>\n<\/tr>\n\nActive<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks the profile as active<\/td>\n<\/tr>\n\nDefault Profile<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks this profile as Default. Note only ONE profile can be marked as Default<\/td>\n<\/tr>\n\nEvaluate Profile Configuration Parameters<\/td>\nCheckbox<\/td>\nNo<\/td>\nActivates the parameters defined in the “Profile Configuration Parameters folder. If parameters are maintained in the Profile Configuration Parameters, and this checkbox is inactive, a warning will be displayed upon saving virus scan profile changes. For example, the SCET\/DP_VS_ENABLED causes this warning in its default, SAP-delivered configuration.<\/p>\n<\/a><\/td>\n<\/tr>\n\nNot relevant for Security Audit Log<\/td>\nCheckbox<\/td>\nNo<\/td>\nSincef SAP BASIS 757, warning messages are written to the security audit log when a file transfer would have been scanned if this profile was active. This checkbox disables the Security Audit Log Messages for this profile.<\/td>\n<\/tr>\n\nUse reference<\/td>\nCheckbox<\/td>\nNo<\/td>\nIf checked, the settings maintained in the profile are ignored, and those maintained in the referenced profile specified are used. If, in turn, no reference profile is specified, the Default Profile is used.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n\n\n\nDialog Structure Folder “Steps”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nPosition<\/td>\nText<\/td>\nYes<\/td>\nNumerical value. Only used to order the steps<\/td>\n<\/tr>\n\nType<\/td>\nSelector<\/td>\nYes<\/td>\nThe type of the reference, Group, or Profile.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nSelector<\/td>\nYes<\/td>\nScanner Group to use in this step (if “Group” is selected for Type)<\/td>\n<\/tr>\n\nVirus Scan Profile<\/td>\nSelector<\/td>\nYes<\/td>\nVirus Scan Profile to use in this step (if “Profile” is selected for Type)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nStep Configuration Parameters apply only to the selected step of the Virus Scan Profile.<\/p>\n\n\n\nDialog Structure Folder “Step Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nBLOCKEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to block (aka “Blocklist”)<\/td>\n<\/tr>\n\nBLOCKMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to block (aka “Blocklist”). Technically identical to specifying a list of MIME-types and setting the Profile Configuration parameter CUST_MIMETYPES_ARE_BLACKLIST<\/td>\n<\/tr>\n\nCLEANQUARANTINE<\/td>\n<\/td>\nKey of the quarantine worker to receive infected objects in a cryptographically protected quarantine ZIP archive<\/td>\n<\/tr>\n\nSCANALLEMBEDDED<\/td>\n1<\/td>\nRecursively scan embedded items, like base64, uuencoded, data-URLs<\/td>\n<\/tr>\n\nSCANALLFILES<\/td>\n1<\/td>\nScan all files, regardless of their type<\/td>\n<\/tr>\n\nSCANBESTEFFORT<\/td>\n1<\/td>\nApply all available scan techniques<\/td>\n<\/tr>\n\nSCANEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to continue processing. Files with extensions NOT on this list will be blocked (“Allowlist”)<\/td>\n<\/tr>\n\nSCANEXTRACT<\/td>\n1<\/td>\nExtract Archives and compressed data files and scan the content (recursively)<\/td>\n<\/tr>\n\nSCANEXTRACT_DEPTH<\/td>\n20<\/td>\nMaximum nesting depth for archives<\/td>\n<\/tr>\n\nSCANLOGPATH<\/td>\n<\/td>\nName of the file to log all scan operations to. Note a SCANLOG_BASEPATH must be configured in \/config\/bb-av-control.cfg<\/em><\/td>\n<\/tr>\n\nSCANMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to continue processing. Files with MIME-types NOT on this list will be blocked (aka “Allowlist”). Technically identical to specifying a list of MIME-types. Because of the length limit of the field, it is better to provide the list line-by-line in the MIME-types folder of the Dialog Structure.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nProfile Configuration Parameters apply to any step of the profile.<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Profile Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nCUST_ACTIVE_CONTENT<\/td>\n0<\/td>\nDetect and block files containing active-content elements. Check the “Hierarchical Configurations” section for details on how to fine-tune what type of content is detected and blocked as active content.<\/td>\n<\/tr>\n\nCUST_ALL_SCANERR_AS_WARNING<\/td>\n0<\/td>\nOverride any scan error returned by the VSA and treat it as a warning, therefore accepting the file. Effectively, this equals switching the Virus Scan Profile to a “fail-open” configuration. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_CHECK_MIME_TYPE<\/td>\n0<\/td>\nActivate the filtering of files based on MIME types (if provided) and activate the enforcement MIME-type to extension matching.\nOverride with the SCAN-parameter ENFORCE_MIME_EXTENSION_MATCH. Check the “Hierarchical Configurations” section for details on how to fine-tune and layered scan configurations.<\/td>\n<\/tr>\n\nCUST_CLEAN<\/td>\n0<\/td>\nAttempt to clean infected files. This may MODIFY the file and the original content may be lost. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_MIME_TYPES_ARE_BLACKLIST<\/td>\n0<\/td>\nToggles the list of MIME-types in the “MIME-types” folder from “Allowlist” to “Blocklist”<\/td>\n<\/tr>\n\nCUST_NO_SCANINFO<\/td>\n0<\/td>\nInstruct the VSA only to return the blocking verdict, but no details on the scan.<\/td>\n<\/tr>\n\nCUST_NOT_SCANNED_AS_WARNING<\/td>\n0<\/td>\nIn situations where a file cannot be scanned, i.e., due to encryption or password protection, accept the file with a warning instead of blocking it.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.4.<\/span>ODATA Virus Scan<\/span> <\/div><\/h3>
<\/a><\/p>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.<\/span>Configuration in SAP AS ABAP<\/span> <\/div><\/h3>Once installed, the bowbridge Anti-Virus basic configuration is performed entirely from the SAP customization tools. Additional options, such as activating debug tracing, specifying\nalternative update sources or fine-tuning of active-content types, can be achieved via configuration files in an on-premises deployment or via the bowbridge customer portal in Hybrid- and Cloud-deployments.<\/span><\/p>\nSetting up virus protection for ABAP-based SAP applications requires the following major steps:<\/span><\/p>\n1. Definition of Virus Scanner Groups<\/span><\/p>\n2. Definition of Virus Scan Providers<\/span><\/p>\n3. Definition and activation of Virus Scan Profiles<\/span><\/p>\n4. On SAP gateway systems, activation of Virus Scanning at the SAP gateway.<\/p>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.1.<\/span>Maintaining Virus Scanner Groups<\/span> <\/div><\/h3>A scanner group combines multiple virus scanners of the same type. As users will select the Virus Scan Provider using the scanner group when maintaining the virus scan profile, they must assign each Virus Scan Provider to at least one scanner group.<\/span><\/p>\nWe recommend setting up multiple scanner groups in order to maintain multiple scan configurations on the system.<\/span><\/p>\nTo set up and maintain Scanner Groups, access transaction VSCANGROUP. A list of key-value pairs may be specified as Configuration Parameters<\/em> for every group.\nUpon completing the OS-level installation, the bowbridge-installation-summary.txt<\/em> file contains the required parameters and their values.<\/p>\n<\/a><\/p>\n\nNOTE:<\/p>\nNot all parameters displayed in the parameter selection are valid in Virus Scanner Groups. Only the INIT*-parameters are relevant. And of those, only the ones below are required\/supported by bowbridge Anti-Virus 4.<\/p>\n\nThe options supported by bowbridge Anti-Virus 4 are:<\/p>\n\n\n\nParameter Name<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nINITDIRECTORY<\/td>\nYes<\/td>\nbowbridge program base-path<\/td>\n<\/tr>\n\nINITDRIVERS<\/td>\nYes<\/td>\nURL of the message broker<\/td>\n<\/tr>\n\nINITDEXTRADRIVERS<\/td>\nNo<\/td>\nEncryption key for events (optional)<\/td>\n<\/tr>\n\nINITENGINES<\/td>\nYes<\/td>\nList and order of scan workers to use<\/td>\n<\/tr>\n\nINITLICENSE_PATH<\/td>\nYes<\/td>\nAPI key and authentication to the broker<\/td>\n<\/tr>\n\nINITSERVERS<\/td>\nOnly for ICAP and ClamAV<\/td>\nICAP-URLs or ClamAV connection URL<\/td>\n<\/tr>\n\nINITTIMEOUT<\/td>\nNo<\/td>\nInitialization timeout for the Virus Scan Provider<\/td>\n<\/tr>\n\nINITTEMP_PATH<\/td>\nNo<\/td>\nTemporary directory to use. If not specified, the OS-level default is used<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nBecause the initialization parameters defined in the Virus Scanner Group will apply to all hosts and are usually transported to all systems of a system line, one should use paths that exist on all affected instances. If\u00a0 SID-specific paths have to be used,\u00a0 using environment variables, such as $SAPSYSTEMNAME or $HOSTNAME is supported for path and file names. The values will be expanded\/resolved to respective values on each system.<\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.2.<\/span>Maintaining Virus Scan Providers<\/span> <\/div><\/h3>To set up and maintain Scanner Groups, access transaction VSCANGROUP.<\/p>\n <\/p>\n\n<\/p>\nNOTE:<\/p>\nSAP VSI supports two types of Virus Scan Providers: <\/span><\/p>\n\nVirus Scan Adapter<\/strong><\/i><\/span><\/li>\nVirus Scan Server<\/strong><\/i><\/span><\/li>\n<\/ul>\nWhile both options are fully supported with Anti-Virus bowbridge and SAP recommend using the Virus Scan Adapter<\/strong> configuration whenever possible because it is more stable, delivers much better performance, and overcomes other limitations of the Virus Scan Server deployment mode. See <\/span>SAP Note 782963 for details.<\/span><\/p>\nIf you have to deploy bowbridge Anti-Virus in the Virus Scan Server model, please contact bowbridge technical support for additional documentation on implementing that configuration. We also encourage looking at the “Scan-Server” deployment model of bowbridge Anti-Virus 4. It combines the advantages of a central scanning server with those of not using RFC to transfer files to be scanned.<\/span><\/p>\n\n <\/p>\n<\/p>\n <\/p>\nUpon creating\/maintaining a Virus Scan Provider, the following parameters must be provided:<\/p>\n\n\n\nParameter Name<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nProvider Type<\/td>\nUse “Adapter” whenever possible<\/td>\n<\/tr>\n\nProvider Name<\/td>\nMust begin with “VSA_”. Using the default works fine.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nThe scanner group this provider is part of<\/td>\n<\/tr>\n\nStatus<\/td>\nControls how the Provider is started. CCMS will periodically check the Provider’s status and attempt to bring\/restore it to the defined status. In most cases, this should be “Active Application-Server”<\/td>\n<\/tr>\n\nServer<\/td>\nThe application server this particular VSA runs on. In SAP systems with multiple instances, one Virus Scan Provider must be maintained for each instance.<\/td>\n<\/tr>\n\nInterval Reinit<\/td>\nSpecifies the interval in which CCMS will attempt to re-initialize the Virus Scan Provider. While not technically needed, a Re-Init refreshes the data displayed in VSCAN. A re-initialization can also be triggered manually by clicking the “Load” button<\/td>\n<\/tr>\n\nAdapter Path<\/td>\nFully qualified path to the libbbAV.so.4 file. Environment variables, such as $SAPSYSTEMNAME or $HOSTNAME are supported in the path parameter and will expand\/resolve to the local value on each instance.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.3.<\/span>Maintaining Virus Scan Profiles<\/span> <\/div><\/h3>Virus Scan Profiles are a set of parameters specifying how a scan will be performed. Their names reference ABAP function modules in which the Virus Scan Profile name is hard-coded. During the execution of such function modules, scans are automatically performed with the profile settings if the respective virus scan profile is marked as “active”. Each profile defines one or more “Steps,” invoking a virus scan provider from a Virus Scanner Group or referencing another Virus Scan Profile.<\/p>\nSince SAP BASIS 757 inactive virus scan profile will result in warning messages (event type “FU0)\u00a0 in the SAP Security Audit Log.<\/p>\nFor example, if the SCET\/GUI_UPLOAD profile is active, then any file upload via SAP GUI will be scanned with the settings of the SCET\/GUI_UPLOAD profile. This is fully transparent to the application using the function module and works without any application changes.<\/p>\nSAP delivers several virus scan profiles, which are mostly empty. In their default configuration, they reference the so-called “Default Profile.”<\/p>\n<\/a><\/p>\nThere are, therefore, two ways to manage Virus Scan Profiles effectively:<\/p>\n\nMaintain the Scan Settings in each relevant profile individually. This approach makes sense for maintaining specific scan settings that vary by function module; for example, if GUI uploads need to be scanned with settings other than HTTP uploads.\nIn this case, uncheck the “Use Reference” checkbox in the Virus Scan Profile and maintain steps, MIME-types, and profile configuration parameters in the Virus Scan Profile<\/li>\nCreate one or a few “reference profiles” with common scan settings and use those as references in the other profiles that need to be activated.\nFor this approach, create new profiles in the Z or Y namespace and maintain the required parameters. For example, administrators could create a Z_BASIC profile for pure virus scanning and a Z_ADVANCED profile containing more advanced filtering, like MIME-type filters and active content detection.\nIf, additionally, one of the reference profiles is marked as “Default,” it would be sufficient to activate any other SAP-delivered profile for it to reference the Default Profile and perform scans with the settings of the Default Profile<\/li>\n<\/ul>\nIn either case, the profiles contain the following parameters:<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Virus Scan Profile”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nScan Profile Name<\/td>\nText<\/td>\nYes<\/td>\nCustom profiles must be in Y or Z namespaces<\/td>\n<\/tr>\n\nProfile Text<\/td>\nText<\/td>\nNo<\/td>\nA free-form descriptive text<\/td>\n<\/tr>\n\nActive<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks the profile as active<\/td>\n<\/tr>\n\nDefault Profile<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks this profile as Default. Note only ONE profile can be marked as Default<\/td>\n<\/tr>\n\nEvaluate Profile Configuration Parameters<\/td>\nCheckbox<\/td>\nNo<\/td>\nActivates the parameters defined in the “Profile Configuration Parameters folder. If parameters are maintained in the Profile Configuration Parameters, and this checkbox is inactive, a warning will be displayed upon saving virus scan profile changes. For example, the SCET\/DP_VS_ENABLED causes this warning in its default, SAP-delivered configuration.<\/p>\n<\/a><\/td>\n<\/tr>\n\nNot relevant for Security Audit Log<\/td>\nCheckbox<\/td>\nNo<\/td>\nSincef SAP BASIS 757, warning messages are written to the security audit log when a file transfer would have been scanned if this profile was active. This checkbox disables the Security Audit Log Messages for this profile.<\/td>\n<\/tr>\n\nUse reference<\/td>\nCheckbox<\/td>\nNo<\/td>\nIf checked, the settings maintained in the profile are ignored, and those maintained in the referenced profile specified are used. If, in turn, no reference profile is specified, the Default Profile is used.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n\n\n\nDialog Structure Folder “Steps”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nPosition<\/td>\nText<\/td>\nYes<\/td>\nNumerical value. Only used to order the steps<\/td>\n<\/tr>\n\nType<\/td>\nSelector<\/td>\nYes<\/td>\nThe type of the reference, Group, or Profile.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nSelector<\/td>\nYes<\/td>\nScanner Group to use in this step (if “Group” is selected for Type)<\/td>\n<\/tr>\n\nVirus Scan Profile<\/td>\nSelector<\/td>\nYes<\/td>\nVirus Scan Profile to use in this step (if “Profile” is selected for Type)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nStep Configuration Parameters apply only to the selected step of the Virus Scan Profile.<\/p>\n\n\n\nDialog Structure Folder “Step Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nBLOCKEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to block (aka “Blocklist”)<\/td>\n<\/tr>\n\nBLOCKMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to block (aka “Blocklist”). Technically identical to specifying a list of MIME-types and setting the Profile Configuration parameter CUST_MIMETYPES_ARE_BLACKLIST<\/td>\n<\/tr>\n\nCLEANQUARANTINE<\/td>\n<\/td>\nKey of the quarantine worker to receive infected objects in a cryptographically protected quarantine ZIP archive<\/td>\n<\/tr>\n\nSCANALLEMBEDDED<\/td>\n1<\/td>\nRecursively scan embedded items, like base64, uuencoded, data-URLs<\/td>\n<\/tr>\n\nSCANALLFILES<\/td>\n1<\/td>\nScan all files, regardless of their type<\/td>\n<\/tr>\n\nSCANBESTEFFORT<\/td>\n1<\/td>\nApply all available scan techniques<\/td>\n<\/tr>\n\nSCANEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to continue processing. Files with extensions NOT on this list will be blocked (“Allowlist”)<\/td>\n<\/tr>\n\nSCANEXTRACT<\/td>\n1<\/td>\nExtract Archives and compressed data files and scan the content (recursively)<\/td>\n<\/tr>\n\nSCANEXTRACT_DEPTH<\/td>\n20<\/td>\nMaximum nesting depth for archives<\/td>\n<\/tr>\n\nSCANLOGPATH<\/td>\n<\/td>\nName of the file to log all scan operations to. Note a SCANLOG_BASEPATH must be configured in \/config\/bb-av-control.cfg<\/em><\/td>\n<\/tr>\n\nSCANMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to continue processing. Files with MIME-types NOT on this list will be blocked (aka “Allowlist”). Technically identical to specifying a list of MIME-types. Because of the length limit of the field, it is better to provide the list line-by-line in the MIME-types folder of the Dialog Structure.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nProfile Configuration Parameters apply to any step of the profile.<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Profile Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nCUST_ACTIVE_CONTENT<\/td>\n0<\/td>\nDetect and block files containing active-content elements. Check the “Hierarchical Configurations” section for details on how to fine-tune what type of content is detected and blocked as active content.<\/td>\n<\/tr>\n\nCUST_ALL_SCANERR_AS_WARNING<\/td>\n0<\/td>\nOverride any scan error returned by the VSA and treat it as a warning, therefore accepting the file. Effectively, this equals switching the Virus Scan Profile to a “fail-open” configuration. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_CHECK_MIME_TYPE<\/td>\n0<\/td>\nActivate the filtering of files based on MIME types (if provided) and activate the enforcement MIME-type to extension matching.\nOverride with the SCAN-parameter ENFORCE_MIME_EXTENSION_MATCH. Check the “Hierarchical Configurations” section for details on how to fine-tune and layered scan configurations.<\/td>\n<\/tr>\n\nCUST_CLEAN<\/td>\n0<\/td>\nAttempt to clean infected files. This may MODIFY the file and the original content may be lost. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_MIME_TYPES_ARE_BLACKLIST<\/td>\n0<\/td>\nToggles the list of MIME-types in the “MIME-types” folder from “Allowlist” to “Blocklist”<\/td>\n<\/tr>\n\nCUST_NO_SCANINFO<\/td>\n0<\/td>\nInstruct the VSA only to return the blocking verdict, but no details on the scan.<\/td>\n<\/tr>\n\nCUST_NOT_SCANNED_AS_WARNING<\/td>\n0<\/td>\nIn situations where a file cannot be scanned, i.e., due to encryption or password protection, accept the file with a warning instead of blocking it.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.4.<\/span>ODATA Virus Scan<\/span> <\/div><\/h3>
<\/p>\n<\/div>
Once installed, the bowbridge Anti-Virus basic configuration is performed entirely from the SAP customization tools. Additional options, such as activating debug tracing, specifying\nalternative update sources or fine-tuning of active-content types, can be achieved via configuration files in an on-premises deployment or via the bowbridge customer portal in Hybrid- and Cloud-deployments.<\/span><\/p>\nSetting up virus protection for ABAP-based SAP applications requires the following major steps:<\/span><\/p>\n1. Definition of Virus Scanner Groups<\/span><\/p>\n2. Definition of Virus Scan Providers<\/span><\/p>\n3. Definition and activation of Virus Scan Profiles<\/span><\/p>\n4. On SAP gateway systems, activation of Virus Scanning at the SAP gateway.<\/p>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.1.<\/span>Maintaining Virus Scanner Groups<\/span> <\/div><\/h3>A scanner group combines multiple virus scanners of the same type. As users will select the Virus Scan Provider using the scanner group when maintaining the virus scan profile, they must assign each Virus Scan Provider to at least one scanner group.<\/span><\/p>\nWe recommend setting up multiple scanner groups in order to maintain multiple scan configurations on the system.<\/span><\/p>\nTo set up and maintain Scanner Groups, access transaction VSCANGROUP. A list of key-value pairs may be specified as Configuration Parameters<\/em> for every group.\nUpon completing the OS-level installation, the bowbridge-installation-summary.txt<\/em> file contains the required parameters and their values.<\/p>\n<\/a><\/p>\n\nNOTE:<\/p>\nNot all parameters displayed in the parameter selection are valid in Virus Scanner Groups. Only the INIT*-parameters are relevant. And of those, only the ones below are required\/supported by bowbridge Anti-Virus 4.<\/p>\n\nThe options supported by bowbridge Anti-Virus 4 are:<\/p>\n\n\n\nParameter Name<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nINITDIRECTORY<\/td>\nYes<\/td>\nbowbridge program base-path<\/td>\n<\/tr>\n\nINITDRIVERS<\/td>\nYes<\/td>\nURL of the message broker<\/td>\n<\/tr>\n\nINITDEXTRADRIVERS<\/td>\nNo<\/td>\nEncryption key for events (optional)<\/td>\n<\/tr>\n\nINITENGINES<\/td>\nYes<\/td>\nList and order of scan workers to use<\/td>\n<\/tr>\n\nINITLICENSE_PATH<\/td>\nYes<\/td>\nAPI key and authentication to the broker<\/td>\n<\/tr>\n\nINITSERVERS<\/td>\nOnly for ICAP and ClamAV<\/td>\nICAP-URLs or ClamAV connection URL<\/td>\n<\/tr>\n\nINITTIMEOUT<\/td>\nNo<\/td>\nInitialization timeout for the Virus Scan Provider<\/td>\n<\/tr>\n\nINITTEMP_PATH<\/td>\nNo<\/td>\nTemporary directory to use. If not specified, the OS-level default is used<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nBecause the initialization parameters defined in the Virus Scanner Group will apply to all hosts and are usually transported to all systems of a system line, one should use paths that exist on all affected instances. If\u00a0 SID-specific paths have to be used,\u00a0 using environment variables, such as $SAPSYSTEMNAME or $HOSTNAME is supported for path and file names. The values will be expanded\/resolved to respective values on each system.<\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.2.<\/span>Maintaining Virus Scan Providers<\/span> <\/div><\/h3>To set up and maintain Scanner Groups, access transaction VSCANGROUP.<\/p>\n <\/p>\n\n<\/p>\nNOTE:<\/p>\nSAP VSI supports two types of Virus Scan Providers: <\/span><\/p>\n\nVirus Scan Adapter<\/strong><\/i><\/span><\/li>\nVirus Scan Server<\/strong><\/i><\/span><\/li>\n<\/ul>\nWhile both options are fully supported with Anti-Virus bowbridge and SAP recommend using the Virus Scan Adapter<\/strong> configuration whenever possible because it is more stable, delivers much better performance, and overcomes other limitations of the Virus Scan Server deployment mode. See <\/span>SAP Note 782963 for details.<\/span><\/p>\nIf you have to deploy bowbridge Anti-Virus in the Virus Scan Server model, please contact bowbridge technical support for additional documentation on implementing that configuration. We also encourage looking at the “Scan-Server” deployment model of bowbridge Anti-Virus 4. It combines the advantages of a central scanning server with those of not using RFC to transfer files to be scanned.<\/span><\/p>\n\n <\/p>\n<\/p>\n <\/p>\nUpon creating\/maintaining a Virus Scan Provider, the following parameters must be provided:<\/p>\n\n\n\nParameter Name<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nProvider Type<\/td>\nUse “Adapter” whenever possible<\/td>\n<\/tr>\n\nProvider Name<\/td>\nMust begin with “VSA_”. Using the default works fine.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nThe scanner group this provider is part of<\/td>\n<\/tr>\n\nStatus<\/td>\nControls how the Provider is started. CCMS will periodically check the Provider’s status and attempt to bring\/restore it to the defined status. In most cases, this should be “Active Application-Server”<\/td>\n<\/tr>\n\nServer<\/td>\nThe application server this particular VSA runs on. In SAP systems with multiple instances, one Virus Scan Provider must be maintained for each instance.<\/td>\n<\/tr>\n\nInterval Reinit<\/td>\nSpecifies the interval in which CCMS will attempt to re-initialize the Virus Scan Provider. While not technically needed, a Re-Init refreshes the data displayed in VSCAN. A re-initialization can also be triggered manually by clicking the “Load” button<\/td>\n<\/tr>\n\nAdapter Path<\/td>\nFully qualified path to the libbbAV.so.4 file. Environment variables, such as $SAPSYSTEMNAME or $HOSTNAME are supported in the path parameter and will expand\/resolve to the local value on each instance.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.3.<\/span>Maintaining Virus Scan Profiles<\/span> <\/div><\/h3>Virus Scan Profiles are a set of parameters specifying how a scan will be performed. Their names reference ABAP function modules in which the Virus Scan Profile name is hard-coded. During the execution of such function modules, scans are automatically performed with the profile settings if the respective virus scan profile is marked as “active”. Each profile defines one or more “Steps,” invoking a virus scan provider from a Virus Scanner Group or referencing another Virus Scan Profile.<\/p>\nSince SAP BASIS 757 inactive virus scan profile will result in warning messages (event type “FU0)\u00a0 in the SAP Security Audit Log.<\/p>\nFor example, if the SCET\/GUI_UPLOAD profile is active, then any file upload via SAP GUI will be scanned with the settings of the SCET\/GUI_UPLOAD profile. This is fully transparent to the application using the function module and works without any application changes.<\/p>\nSAP delivers several virus scan profiles, which are mostly empty. In their default configuration, they reference the so-called “Default Profile.”<\/p>\n<\/a><\/p>\nThere are, therefore, two ways to manage Virus Scan Profiles effectively:<\/p>\n\nMaintain the Scan Settings in each relevant profile individually. This approach makes sense for maintaining specific scan settings that vary by function module; for example, if GUI uploads need to be scanned with settings other than HTTP uploads.\nIn this case, uncheck the “Use Reference” checkbox in the Virus Scan Profile and maintain steps, MIME-types, and profile configuration parameters in the Virus Scan Profile<\/li>\nCreate one or a few “reference profiles” with common scan settings and use those as references in the other profiles that need to be activated.\nFor this approach, create new profiles in the Z or Y namespace and maintain the required parameters. For example, administrators could create a Z_BASIC profile for pure virus scanning and a Z_ADVANCED profile containing more advanced filtering, like MIME-type filters and active content detection.\nIf, additionally, one of the reference profiles is marked as “Default,” it would be sufficient to activate any other SAP-delivered profile for it to reference the Default Profile and perform scans with the settings of the Default Profile<\/li>\n<\/ul>\nIn either case, the profiles contain the following parameters:<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Virus Scan Profile”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nScan Profile Name<\/td>\nText<\/td>\nYes<\/td>\nCustom profiles must be in Y or Z namespaces<\/td>\n<\/tr>\n\nProfile Text<\/td>\nText<\/td>\nNo<\/td>\nA free-form descriptive text<\/td>\n<\/tr>\n\nActive<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks the profile as active<\/td>\n<\/tr>\n\nDefault Profile<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks this profile as Default. Note only ONE profile can be marked as Default<\/td>\n<\/tr>\n\nEvaluate Profile Configuration Parameters<\/td>\nCheckbox<\/td>\nNo<\/td>\nActivates the parameters defined in the “Profile Configuration Parameters folder. If parameters are maintained in the Profile Configuration Parameters, and this checkbox is inactive, a warning will be displayed upon saving virus scan profile changes. For example, the SCET\/DP_VS_ENABLED causes this warning in its default, SAP-delivered configuration.<\/p>\n<\/a><\/td>\n<\/tr>\n\nNot relevant for Security Audit Log<\/td>\nCheckbox<\/td>\nNo<\/td>\nSincef SAP BASIS 757, warning messages are written to the security audit log when a file transfer would have been scanned if this profile was active. This checkbox disables the Security Audit Log Messages for this profile.<\/td>\n<\/tr>\n\nUse reference<\/td>\nCheckbox<\/td>\nNo<\/td>\nIf checked, the settings maintained in the profile are ignored, and those maintained in the referenced profile specified are used. If, in turn, no reference profile is specified, the Default Profile is used.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n\n\n\nDialog Structure Folder “Steps”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nPosition<\/td>\nText<\/td>\nYes<\/td>\nNumerical value. Only used to order the steps<\/td>\n<\/tr>\n\nType<\/td>\nSelector<\/td>\nYes<\/td>\nThe type of the reference, Group, or Profile.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nSelector<\/td>\nYes<\/td>\nScanner Group to use in this step (if “Group” is selected for Type)<\/td>\n<\/tr>\n\nVirus Scan Profile<\/td>\nSelector<\/td>\nYes<\/td>\nVirus Scan Profile to use in this step (if “Profile” is selected for Type)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nStep Configuration Parameters apply only to the selected step of the Virus Scan Profile.<\/p>\n\n\n\nDialog Structure Folder “Step Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nBLOCKEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to block (aka “Blocklist”)<\/td>\n<\/tr>\n\nBLOCKMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to block (aka “Blocklist”). Technically identical to specifying a list of MIME-types and setting the Profile Configuration parameter CUST_MIMETYPES_ARE_BLACKLIST<\/td>\n<\/tr>\n\nCLEANQUARANTINE<\/td>\n<\/td>\nKey of the quarantine worker to receive infected objects in a cryptographically protected quarantine ZIP archive<\/td>\n<\/tr>\n\nSCANALLEMBEDDED<\/td>\n1<\/td>\nRecursively scan embedded items, like base64, uuencoded, data-URLs<\/td>\n<\/tr>\n\nSCANALLFILES<\/td>\n1<\/td>\nScan all files, regardless of their type<\/td>\n<\/tr>\n\nSCANBESTEFFORT<\/td>\n1<\/td>\nApply all available scan techniques<\/td>\n<\/tr>\n\nSCANEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to continue processing. Files with extensions NOT on this list will be blocked (“Allowlist”)<\/td>\n<\/tr>\n\nSCANEXTRACT<\/td>\n1<\/td>\nExtract Archives and compressed data files and scan the content (recursively)<\/td>\n<\/tr>\n\nSCANEXTRACT_DEPTH<\/td>\n20<\/td>\nMaximum nesting depth for archives<\/td>\n<\/tr>\n\nSCANLOGPATH<\/td>\n<\/td>\nName of the file to log all scan operations to. Note a SCANLOG_BASEPATH must be configured in \/config\/bb-av-control.cfg<\/em><\/td>\n<\/tr>\n\nSCANMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to continue processing. Files with MIME-types NOT on this list will be blocked (aka “Allowlist”). Technically identical to specifying a list of MIME-types. Because of the length limit of the field, it is better to provide the list line-by-line in the MIME-types folder of the Dialog Structure.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nProfile Configuration Parameters apply to any step of the profile.<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Profile Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nCUST_ACTIVE_CONTENT<\/td>\n0<\/td>\nDetect and block files containing active-content elements. Check the “Hierarchical Configurations” section for details on how to fine-tune what type of content is detected and blocked as active content.<\/td>\n<\/tr>\n\nCUST_ALL_SCANERR_AS_WARNING<\/td>\n0<\/td>\nOverride any scan error returned by the VSA and treat it as a warning, therefore accepting the file. Effectively, this equals switching the Virus Scan Profile to a “fail-open” configuration. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_CHECK_MIME_TYPE<\/td>\n0<\/td>\nActivate the filtering of files based on MIME types (if provided) and activate the enforcement MIME-type to extension matching.\nOverride with the SCAN-parameter ENFORCE_MIME_EXTENSION_MATCH. Check the “Hierarchical Configurations” section for details on how to fine-tune and layered scan configurations.<\/td>\n<\/tr>\n\nCUST_CLEAN<\/td>\n0<\/td>\nAttempt to clean infected files. This may MODIFY the file and the original content may be lost. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_MIME_TYPES_ARE_BLACKLIST<\/td>\n0<\/td>\nToggles the list of MIME-types in the “MIME-types” folder from “Allowlist” to “Blocklist”<\/td>\n<\/tr>\n\nCUST_NO_SCANINFO<\/td>\n0<\/td>\nInstruct the VSA only to return the blocking verdict, but no details on the scan.<\/td>\n<\/tr>\n\nCUST_NOT_SCANNED_AS_WARNING<\/td>\n0<\/td>\nIn situations where a file cannot be scanned, i.e., due to encryption or password protection, accept the file with a warning instead of blocking it.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.4.<\/span>ODATA Virus Scan<\/span> <\/div><\/h3>
Setting up virus protection for ABAP-based SAP applications requires the following major steps:<\/span><\/p>\n1. Definition of Virus Scanner Groups<\/span><\/p>\n2. Definition of Virus Scan Providers<\/span><\/p>\n3. Definition and activation of Virus Scan Profiles<\/span><\/p>\n4. On SAP gateway systems, activation of Virus Scanning at the SAP gateway.<\/p>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.1.<\/span>Maintaining Virus Scanner Groups<\/span> <\/div><\/h3>A scanner group combines multiple virus scanners of the same type. As users will select the Virus Scan Provider using the scanner group when maintaining the virus scan profile, they must assign each Virus Scan Provider to at least one scanner group.<\/span><\/p>\nWe recommend setting up multiple scanner groups in order to maintain multiple scan configurations on the system.<\/span><\/p>\nTo set up and maintain Scanner Groups, access transaction VSCANGROUP. A list of key-value pairs may be specified as Configuration Parameters<\/em> for every group.\nUpon completing the OS-level installation, the bowbridge-installation-summary.txt<\/em> file contains the required parameters and their values.<\/p>\n<\/a><\/p>\n\nNOTE:<\/p>\nNot all parameters displayed in the parameter selection are valid in Virus Scanner Groups. Only the INIT*-parameters are relevant. And of those, only the ones below are required\/supported by bowbridge Anti-Virus 4.<\/p>\n\nThe options supported by bowbridge Anti-Virus 4 are:<\/p>\n\n\n\nParameter Name<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nINITDIRECTORY<\/td>\nYes<\/td>\nbowbridge program base-path<\/td>\n<\/tr>\n\nINITDRIVERS<\/td>\nYes<\/td>\nURL of the message broker<\/td>\n<\/tr>\n\nINITDEXTRADRIVERS<\/td>\nNo<\/td>\nEncryption key for events (optional)<\/td>\n<\/tr>\n\nINITENGINES<\/td>\nYes<\/td>\nList and order of scan workers to use<\/td>\n<\/tr>\n\nINITLICENSE_PATH<\/td>\nYes<\/td>\nAPI key and authentication to the broker<\/td>\n<\/tr>\n\nINITSERVERS<\/td>\nOnly for ICAP and ClamAV<\/td>\nICAP-URLs or ClamAV connection URL<\/td>\n<\/tr>\n\nINITTIMEOUT<\/td>\nNo<\/td>\nInitialization timeout for the Virus Scan Provider<\/td>\n<\/tr>\n\nINITTEMP_PATH<\/td>\nNo<\/td>\nTemporary directory to use. If not specified, the OS-level default is used<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nBecause the initialization parameters defined in the Virus Scanner Group will apply to all hosts and are usually transported to all systems of a system line, one should use paths that exist on all affected instances. If\u00a0 SID-specific paths have to be used,\u00a0 using environment variables, such as $SAPSYSTEMNAME or $HOSTNAME is supported for path and file names. The values will be expanded\/resolved to respective values on each system.<\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.2.<\/span>Maintaining Virus Scan Providers<\/span> <\/div><\/h3>To set up and maintain Scanner Groups, access transaction VSCANGROUP.<\/p>\n <\/p>\n\n<\/p>\nNOTE:<\/p>\nSAP VSI supports two types of Virus Scan Providers: <\/span><\/p>\n\nVirus Scan Adapter<\/strong><\/i><\/span><\/li>\nVirus Scan Server<\/strong><\/i><\/span><\/li>\n<\/ul>\nWhile both options are fully supported with Anti-Virus bowbridge and SAP recommend using the Virus Scan Adapter<\/strong> configuration whenever possible because it is more stable, delivers much better performance, and overcomes other limitations of the Virus Scan Server deployment mode. See <\/span>SAP Note 782963 for details.<\/span><\/p>\nIf you have to deploy bowbridge Anti-Virus in the Virus Scan Server model, please contact bowbridge technical support for additional documentation on implementing that configuration. We also encourage looking at the “Scan-Server” deployment model of bowbridge Anti-Virus 4. It combines the advantages of a central scanning server with those of not using RFC to transfer files to be scanned.<\/span><\/p>\n\n <\/p>\n<\/p>\n <\/p>\nUpon creating\/maintaining a Virus Scan Provider, the following parameters must be provided:<\/p>\n\n\n\nParameter Name<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nProvider Type<\/td>\nUse “Adapter” whenever possible<\/td>\n<\/tr>\n\nProvider Name<\/td>\nMust begin with “VSA_”. Using the default works fine.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nThe scanner group this provider is part of<\/td>\n<\/tr>\n\nStatus<\/td>\nControls how the Provider is started. CCMS will periodically check the Provider’s status and attempt to bring\/restore it to the defined status. In most cases, this should be “Active Application-Server”<\/td>\n<\/tr>\n\nServer<\/td>\nThe application server this particular VSA runs on. In SAP systems with multiple instances, one Virus Scan Provider must be maintained for each instance.<\/td>\n<\/tr>\n\nInterval Reinit<\/td>\nSpecifies the interval in which CCMS will attempt to re-initialize the Virus Scan Provider. While not technically needed, a Re-Init refreshes the data displayed in VSCAN. A re-initialization can also be triggered manually by clicking the “Load” button<\/td>\n<\/tr>\n\nAdapter Path<\/td>\nFully qualified path to the libbbAV.so.4 file. Environment variables, such as $SAPSYSTEMNAME or $HOSTNAME are supported in the path parameter and will expand\/resolve to the local value on each instance.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.3.<\/span>Maintaining Virus Scan Profiles<\/span> <\/div><\/h3>Virus Scan Profiles are a set of parameters specifying how a scan will be performed. Their names reference ABAP function modules in which the Virus Scan Profile name is hard-coded. During the execution of such function modules, scans are automatically performed with the profile settings if the respective virus scan profile is marked as “active”. Each profile defines one or more “Steps,” invoking a virus scan provider from a Virus Scanner Group or referencing another Virus Scan Profile.<\/p>\nSince SAP BASIS 757 inactive virus scan profile will result in warning messages (event type “FU0)\u00a0 in the SAP Security Audit Log.<\/p>\nFor example, if the SCET\/GUI_UPLOAD profile is active, then any file upload via SAP GUI will be scanned with the settings of the SCET\/GUI_UPLOAD profile. This is fully transparent to the application using the function module and works without any application changes.<\/p>\nSAP delivers several virus scan profiles, which are mostly empty. In their default configuration, they reference the so-called “Default Profile.”<\/p>\n<\/a><\/p>\nThere are, therefore, two ways to manage Virus Scan Profiles effectively:<\/p>\n\nMaintain the Scan Settings in each relevant profile individually. This approach makes sense for maintaining specific scan settings that vary by function module; for example, if GUI uploads need to be scanned with settings other than HTTP uploads.\nIn this case, uncheck the “Use Reference” checkbox in the Virus Scan Profile and maintain steps, MIME-types, and profile configuration parameters in the Virus Scan Profile<\/li>\nCreate one or a few “reference profiles” with common scan settings and use those as references in the other profiles that need to be activated.\nFor this approach, create new profiles in the Z or Y namespace and maintain the required parameters. For example, administrators could create a Z_BASIC profile for pure virus scanning and a Z_ADVANCED profile containing more advanced filtering, like MIME-type filters and active content detection.\nIf, additionally, one of the reference profiles is marked as “Default,” it would be sufficient to activate any other SAP-delivered profile for it to reference the Default Profile and perform scans with the settings of the Default Profile<\/li>\n<\/ul>\nIn either case, the profiles contain the following parameters:<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Virus Scan Profile”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nScan Profile Name<\/td>\nText<\/td>\nYes<\/td>\nCustom profiles must be in Y or Z namespaces<\/td>\n<\/tr>\n\nProfile Text<\/td>\nText<\/td>\nNo<\/td>\nA free-form descriptive text<\/td>\n<\/tr>\n\nActive<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks the profile as active<\/td>\n<\/tr>\n\nDefault Profile<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks this profile as Default. Note only ONE profile can be marked as Default<\/td>\n<\/tr>\n\nEvaluate Profile Configuration Parameters<\/td>\nCheckbox<\/td>\nNo<\/td>\nActivates the parameters defined in the “Profile Configuration Parameters folder. If parameters are maintained in the Profile Configuration Parameters, and this checkbox is inactive, a warning will be displayed upon saving virus scan profile changes. For example, the SCET\/DP_VS_ENABLED causes this warning in its default, SAP-delivered configuration.<\/p>\n<\/a><\/td>\n<\/tr>\n\nNot relevant for Security Audit Log<\/td>\nCheckbox<\/td>\nNo<\/td>\nSincef SAP BASIS 757, warning messages are written to the security audit log when a file transfer would have been scanned if this profile was active. This checkbox disables the Security Audit Log Messages for this profile.<\/td>\n<\/tr>\n\nUse reference<\/td>\nCheckbox<\/td>\nNo<\/td>\nIf checked, the settings maintained in the profile are ignored, and those maintained in the referenced profile specified are used. If, in turn, no reference profile is specified, the Default Profile is used.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n\n\n\nDialog Structure Folder “Steps”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nPosition<\/td>\nText<\/td>\nYes<\/td>\nNumerical value. Only used to order the steps<\/td>\n<\/tr>\n\nType<\/td>\nSelector<\/td>\nYes<\/td>\nThe type of the reference, Group, or Profile.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nSelector<\/td>\nYes<\/td>\nScanner Group to use in this step (if “Group” is selected for Type)<\/td>\n<\/tr>\n\nVirus Scan Profile<\/td>\nSelector<\/td>\nYes<\/td>\nVirus Scan Profile to use in this step (if “Profile” is selected for Type)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nStep Configuration Parameters apply only to the selected step of the Virus Scan Profile.<\/p>\n\n\n\nDialog Structure Folder “Step Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nBLOCKEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to block (aka “Blocklist”)<\/td>\n<\/tr>\n\nBLOCKMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to block (aka “Blocklist”). Technically identical to specifying a list of MIME-types and setting the Profile Configuration parameter CUST_MIMETYPES_ARE_BLACKLIST<\/td>\n<\/tr>\n\nCLEANQUARANTINE<\/td>\n<\/td>\nKey of the quarantine worker to receive infected objects in a cryptographically protected quarantine ZIP archive<\/td>\n<\/tr>\n\nSCANALLEMBEDDED<\/td>\n1<\/td>\nRecursively scan embedded items, like base64, uuencoded, data-URLs<\/td>\n<\/tr>\n\nSCANALLFILES<\/td>\n1<\/td>\nScan all files, regardless of their type<\/td>\n<\/tr>\n\nSCANBESTEFFORT<\/td>\n1<\/td>\nApply all available scan techniques<\/td>\n<\/tr>\n\nSCANEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to continue processing. Files with extensions NOT on this list will be blocked (“Allowlist”)<\/td>\n<\/tr>\n\nSCANEXTRACT<\/td>\n1<\/td>\nExtract Archives and compressed data files and scan the content (recursively)<\/td>\n<\/tr>\n\nSCANEXTRACT_DEPTH<\/td>\n20<\/td>\nMaximum nesting depth for archives<\/td>\n<\/tr>\n\nSCANLOGPATH<\/td>\n<\/td>\nName of the file to log all scan operations to. Note a SCANLOG_BASEPATH must be configured in \/config\/bb-av-control.cfg<\/em><\/td>\n<\/tr>\n\nSCANMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to continue processing. Files with MIME-types NOT on this list will be blocked (aka “Allowlist”). Technically identical to specifying a list of MIME-types. Because of the length limit of the field, it is better to provide the list line-by-line in the MIME-types folder of the Dialog Structure.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nProfile Configuration Parameters apply to any step of the profile.<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Profile Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nCUST_ACTIVE_CONTENT<\/td>\n0<\/td>\nDetect and block files containing active-content elements. Check the “Hierarchical Configurations” section for details on how to fine-tune what type of content is detected and blocked as active content.<\/td>\n<\/tr>\n\nCUST_ALL_SCANERR_AS_WARNING<\/td>\n0<\/td>\nOverride any scan error returned by the VSA and treat it as a warning, therefore accepting the file. Effectively, this equals switching the Virus Scan Profile to a “fail-open” configuration. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_CHECK_MIME_TYPE<\/td>\n0<\/td>\nActivate the filtering of files based on MIME types (if provided) and activate the enforcement MIME-type to extension matching.\nOverride with the SCAN-parameter ENFORCE_MIME_EXTENSION_MATCH. Check the “Hierarchical Configurations” section for details on how to fine-tune and layered scan configurations.<\/td>\n<\/tr>\n\nCUST_CLEAN<\/td>\n0<\/td>\nAttempt to clean infected files. This may MODIFY the file and the original content may be lost. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_MIME_TYPES_ARE_BLACKLIST<\/td>\n0<\/td>\nToggles the list of MIME-types in the “MIME-types” folder from “Allowlist” to “Blocklist”<\/td>\n<\/tr>\n\nCUST_NO_SCANINFO<\/td>\n0<\/td>\nInstruct the VSA only to return the blocking verdict, but no details on the scan.<\/td>\n<\/tr>\n\nCUST_NOT_SCANNED_AS_WARNING<\/td>\n0<\/td>\nIn situations where a file cannot be scanned, i.e., due to encryption or password protection, accept the file with a warning instead of blocking it.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.4.<\/span>ODATA Virus Scan<\/span> <\/div><\/h3>
1. Definition of Virus Scanner Groups<\/span><\/p>\n2. Definition of Virus Scan Providers<\/span><\/p>\n3. Definition and activation of Virus Scan Profiles<\/span><\/p>\n4. On SAP gateway systems, activation of Virus Scanning at the SAP gateway.<\/p>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.1.<\/span>Maintaining Virus Scanner Groups<\/span> <\/div><\/h3>A scanner group combines multiple virus scanners of the same type. As users will select the Virus Scan Provider using the scanner group when maintaining the virus scan profile, they must assign each Virus Scan Provider to at least one scanner group.<\/span><\/p>\nWe recommend setting up multiple scanner groups in order to maintain multiple scan configurations on the system.<\/span><\/p>\nTo set up and maintain Scanner Groups, access transaction VSCANGROUP. A list of key-value pairs may be specified as Configuration Parameters<\/em> for every group.\nUpon completing the OS-level installation, the bowbridge-installation-summary.txt<\/em> file contains the required parameters and their values.<\/p>\n<\/a><\/p>\n\nNOTE:<\/p>\nNot all parameters displayed in the parameter selection are valid in Virus Scanner Groups. Only the INIT*-parameters are relevant. And of those, only the ones below are required\/supported by bowbridge Anti-Virus 4.<\/p>\n\nThe options supported by bowbridge Anti-Virus 4 are:<\/p>\n\n\n\nParameter Name<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nINITDIRECTORY<\/td>\nYes<\/td>\nbowbridge program base-path<\/td>\n<\/tr>\n\nINITDRIVERS<\/td>\nYes<\/td>\nURL of the message broker<\/td>\n<\/tr>\n\nINITDEXTRADRIVERS<\/td>\nNo<\/td>\nEncryption key for events (optional)<\/td>\n<\/tr>\n\nINITENGINES<\/td>\nYes<\/td>\nList and order of scan workers to use<\/td>\n<\/tr>\n\nINITLICENSE_PATH<\/td>\nYes<\/td>\nAPI key and authentication to the broker<\/td>\n<\/tr>\n\nINITSERVERS<\/td>\nOnly for ICAP and ClamAV<\/td>\nICAP-URLs or ClamAV connection URL<\/td>\n<\/tr>\n\nINITTIMEOUT<\/td>\nNo<\/td>\nInitialization timeout for the Virus Scan Provider<\/td>\n<\/tr>\n\nINITTEMP_PATH<\/td>\nNo<\/td>\nTemporary directory to use. If not specified, the OS-level default is used<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nBecause the initialization parameters defined in the Virus Scanner Group will apply to all hosts and are usually transported to all systems of a system line, one should use paths that exist on all affected instances. If\u00a0 SID-specific paths have to be used,\u00a0 using environment variables, such as $SAPSYSTEMNAME or $HOSTNAME is supported for path and file names. The values will be expanded\/resolved to respective values on each system.<\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.2.<\/span>Maintaining Virus Scan Providers<\/span> <\/div><\/h3>To set up and maintain Scanner Groups, access transaction VSCANGROUP.<\/p>\n <\/p>\n\n<\/p>\nNOTE:<\/p>\nSAP VSI supports two types of Virus Scan Providers: <\/span><\/p>\n\nVirus Scan Adapter<\/strong><\/i><\/span><\/li>\nVirus Scan Server<\/strong><\/i><\/span><\/li>\n<\/ul>\nWhile both options are fully supported with Anti-Virus bowbridge and SAP recommend using the Virus Scan Adapter<\/strong> configuration whenever possible because it is more stable, delivers much better performance, and overcomes other limitations of the Virus Scan Server deployment mode. See <\/span>SAP Note 782963 for details.<\/span><\/p>\nIf you have to deploy bowbridge Anti-Virus in the Virus Scan Server model, please contact bowbridge technical support for additional documentation on implementing that configuration. We also encourage looking at the “Scan-Server” deployment model of bowbridge Anti-Virus 4. It combines the advantages of a central scanning server with those of not using RFC to transfer files to be scanned.<\/span><\/p>\n\n <\/p>\n<\/p>\n <\/p>\nUpon creating\/maintaining a Virus Scan Provider, the following parameters must be provided:<\/p>\n\n\n\nParameter Name<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nProvider Type<\/td>\nUse “Adapter” whenever possible<\/td>\n<\/tr>\n\nProvider Name<\/td>\nMust begin with “VSA_”. Using the default works fine.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nThe scanner group this provider is part of<\/td>\n<\/tr>\n\nStatus<\/td>\nControls how the Provider is started. CCMS will periodically check the Provider’s status and attempt to bring\/restore it to the defined status. In most cases, this should be “Active Application-Server”<\/td>\n<\/tr>\n\nServer<\/td>\nThe application server this particular VSA runs on. In SAP systems with multiple instances, one Virus Scan Provider must be maintained for each instance.<\/td>\n<\/tr>\n\nInterval Reinit<\/td>\nSpecifies the interval in which CCMS will attempt to re-initialize the Virus Scan Provider. While not technically needed, a Re-Init refreshes the data displayed in VSCAN. A re-initialization can also be triggered manually by clicking the “Load” button<\/td>\n<\/tr>\n\nAdapter Path<\/td>\nFully qualified path to the libbbAV.so.4 file. Environment variables, such as $SAPSYSTEMNAME or $HOSTNAME are supported in the path parameter and will expand\/resolve to the local value on each instance.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.3.<\/span>Maintaining Virus Scan Profiles<\/span> <\/div><\/h3>Virus Scan Profiles are a set of parameters specifying how a scan will be performed. Their names reference ABAP function modules in which the Virus Scan Profile name is hard-coded. During the execution of such function modules, scans are automatically performed with the profile settings if the respective virus scan profile is marked as “active”. Each profile defines one or more “Steps,” invoking a virus scan provider from a Virus Scanner Group or referencing another Virus Scan Profile.<\/p>\nSince SAP BASIS 757 inactive virus scan profile will result in warning messages (event type “FU0)\u00a0 in the SAP Security Audit Log.<\/p>\nFor example, if the SCET\/GUI_UPLOAD profile is active, then any file upload via SAP GUI will be scanned with the settings of the SCET\/GUI_UPLOAD profile. This is fully transparent to the application using the function module and works without any application changes.<\/p>\nSAP delivers several virus scan profiles, which are mostly empty. In their default configuration, they reference the so-called “Default Profile.”<\/p>\n<\/a><\/p>\nThere are, therefore, two ways to manage Virus Scan Profiles effectively:<\/p>\n\nMaintain the Scan Settings in each relevant profile individually. This approach makes sense for maintaining specific scan settings that vary by function module; for example, if GUI uploads need to be scanned with settings other than HTTP uploads.\nIn this case, uncheck the “Use Reference” checkbox in the Virus Scan Profile and maintain steps, MIME-types, and profile configuration parameters in the Virus Scan Profile<\/li>\nCreate one or a few “reference profiles” with common scan settings and use those as references in the other profiles that need to be activated.\nFor this approach, create new profiles in the Z or Y namespace and maintain the required parameters. For example, administrators could create a Z_BASIC profile for pure virus scanning and a Z_ADVANCED profile containing more advanced filtering, like MIME-type filters and active content detection.\nIf, additionally, one of the reference profiles is marked as “Default,” it would be sufficient to activate any other SAP-delivered profile for it to reference the Default Profile and perform scans with the settings of the Default Profile<\/li>\n<\/ul>\nIn either case, the profiles contain the following parameters:<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Virus Scan Profile”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nScan Profile Name<\/td>\nText<\/td>\nYes<\/td>\nCustom profiles must be in Y or Z namespaces<\/td>\n<\/tr>\n\nProfile Text<\/td>\nText<\/td>\nNo<\/td>\nA free-form descriptive text<\/td>\n<\/tr>\n\nActive<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks the profile as active<\/td>\n<\/tr>\n\nDefault Profile<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks this profile as Default. Note only ONE profile can be marked as Default<\/td>\n<\/tr>\n\nEvaluate Profile Configuration Parameters<\/td>\nCheckbox<\/td>\nNo<\/td>\nActivates the parameters defined in the “Profile Configuration Parameters folder. If parameters are maintained in the Profile Configuration Parameters, and this checkbox is inactive, a warning will be displayed upon saving virus scan profile changes. For example, the SCET\/DP_VS_ENABLED causes this warning in its default, SAP-delivered configuration.<\/p>\n<\/a><\/td>\n<\/tr>\n\nNot relevant for Security Audit Log<\/td>\nCheckbox<\/td>\nNo<\/td>\nSincef SAP BASIS 757, warning messages are written to the security audit log when a file transfer would have been scanned if this profile was active. This checkbox disables the Security Audit Log Messages for this profile.<\/td>\n<\/tr>\n\nUse reference<\/td>\nCheckbox<\/td>\nNo<\/td>\nIf checked, the settings maintained in the profile are ignored, and those maintained in the referenced profile specified are used. If, in turn, no reference profile is specified, the Default Profile is used.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n\n\n\nDialog Structure Folder “Steps”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nPosition<\/td>\nText<\/td>\nYes<\/td>\nNumerical value. Only used to order the steps<\/td>\n<\/tr>\n\nType<\/td>\nSelector<\/td>\nYes<\/td>\nThe type of the reference, Group, or Profile.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nSelector<\/td>\nYes<\/td>\nScanner Group to use in this step (if “Group” is selected for Type)<\/td>\n<\/tr>\n\nVirus Scan Profile<\/td>\nSelector<\/td>\nYes<\/td>\nVirus Scan Profile to use in this step (if “Profile” is selected for Type)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nStep Configuration Parameters apply only to the selected step of the Virus Scan Profile.<\/p>\n\n\n\nDialog Structure Folder “Step Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nBLOCKEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to block (aka “Blocklist”)<\/td>\n<\/tr>\n\nBLOCKMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to block (aka “Blocklist”). Technically identical to specifying a list of MIME-types and setting the Profile Configuration parameter CUST_MIMETYPES_ARE_BLACKLIST<\/td>\n<\/tr>\n\nCLEANQUARANTINE<\/td>\n<\/td>\nKey of the quarantine worker to receive infected objects in a cryptographically protected quarantine ZIP archive<\/td>\n<\/tr>\n\nSCANALLEMBEDDED<\/td>\n1<\/td>\nRecursively scan embedded items, like base64, uuencoded, data-URLs<\/td>\n<\/tr>\n\nSCANALLFILES<\/td>\n1<\/td>\nScan all files, regardless of their type<\/td>\n<\/tr>\n\nSCANBESTEFFORT<\/td>\n1<\/td>\nApply all available scan techniques<\/td>\n<\/tr>\n\nSCANEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to continue processing. Files with extensions NOT on this list will be blocked (“Allowlist”)<\/td>\n<\/tr>\n\nSCANEXTRACT<\/td>\n1<\/td>\nExtract Archives and compressed data files and scan the content (recursively)<\/td>\n<\/tr>\n\nSCANEXTRACT_DEPTH<\/td>\n20<\/td>\nMaximum nesting depth for archives<\/td>\n<\/tr>\n\nSCANLOGPATH<\/td>\n<\/td>\nName of the file to log all scan operations to. Note a SCANLOG_BASEPATH must be configured in \/config\/bb-av-control.cfg<\/em><\/td>\n<\/tr>\n\nSCANMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to continue processing. Files with MIME-types NOT on this list will be blocked (aka “Allowlist”). Technically identical to specifying a list of MIME-types. Because of the length limit of the field, it is better to provide the list line-by-line in the MIME-types folder of the Dialog Structure.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nProfile Configuration Parameters apply to any step of the profile.<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Profile Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nCUST_ACTIVE_CONTENT<\/td>\n0<\/td>\nDetect and block files containing active-content elements. Check the “Hierarchical Configurations” section for details on how to fine-tune what type of content is detected and blocked as active content.<\/td>\n<\/tr>\n\nCUST_ALL_SCANERR_AS_WARNING<\/td>\n0<\/td>\nOverride any scan error returned by the VSA and treat it as a warning, therefore accepting the file. Effectively, this equals switching the Virus Scan Profile to a “fail-open” configuration. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_CHECK_MIME_TYPE<\/td>\n0<\/td>\nActivate the filtering of files based on MIME types (if provided) and activate the enforcement MIME-type to extension matching.\nOverride with the SCAN-parameter ENFORCE_MIME_EXTENSION_MATCH. Check the “Hierarchical Configurations” section for details on how to fine-tune and layered scan configurations.<\/td>\n<\/tr>\n\nCUST_CLEAN<\/td>\n0<\/td>\nAttempt to clean infected files. This may MODIFY the file and the original content may be lost. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_MIME_TYPES_ARE_BLACKLIST<\/td>\n0<\/td>\nToggles the list of MIME-types in the “MIME-types” folder from “Allowlist” to “Blocklist”<\/td>\n<\/tr>\n\nCUST_NO_SCANINFO<\/td>\n0<\/td>\nInstruct the VSA only to return the blocking verdict, but no details on the scan.<\/td>\n<\/tr>\n\nCUST_NOT_SCANNED_AS_WARNING<\/td>\n0<\/td>\nIn situations where a file cannot be scanned, i.e., due to encryption or password protection, accept the file with a warning instead of blocking it.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.4.<\/span>ODATA Virus Scan<\/span> <\/div><\/h3>
2. Definition of Virus Scan Providers<\/span><\/p>\n3. Definition and activation of Virus Scan Profiles<\/span><\/p>\n4. On SAP gateway systems, activation of Virus Scanning at the SAP gateway.<\/p>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.1.<\/span>Maintaining Virus Scanner Groups<\/span> <\/div><\/h3>A scanner group combines multiple virus scanners of the same type. As users will select the Virus Scan Provider using the scanner group when maintaining the virus scan profile, they must assign each Virus Scan Provider to at least one scanner group.<\/span><\/p>\nWe recommend setting up multiple scanner groups in order to maintain multiple scan configurations on the system.<\/span><\/p>\nTo set up and maintain Scanner Groups, access transaction VSCANGROUP. A list of key-value pairs may be specified as Configuration Parameters<\/em> for every group.\nUpon completing the OS-level installation, the bowbridge-installation-summary.txt<\/em> file contains the required parameters and their values.<\/p>\n<\/a><\/p>\n\nNOTE:<\/p>\nNot all parameters displayed in the parameter selection are valid in Virus Scanner Groups. Only the INIT*-parameters are relevant. And of those, only the ones below are required\/supported by bowbridge Anti-Virus 4.<\/p>\n\nThe options supported by bowbridge Anti-Virus 4 are:<\/p>\n\n\n\nParameter Name<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nINITDIRECTORY<\/td>\nYes<\/td>\nbowbridge program base-path<\/td>\n<\/tr>\n\nINITDRIVERS<\/td>\nYes<\/td>\nURL of the message broker<\/td>\n<\/tr>\n\nINITDEXTRADRIVERS<\/td>\nNo<\/td>\nEncryption key for events (optional)<\/td>\n<\/tr>\n\nINITENGINES<\/td>\nYes<\/td>\nList and order of scan workers to use<\/td>\n<\/tr>\n\nINITLICENSE_PATH<\/td>\nYes<\/td>\nAPI key and authentication to the broker<\/td>\n<\/tr>\n\nINITSERVERS<\/td>\nOnly for ICAP and ClamAV<\/td>\nICAP-URLs or ClamAV connection URL<\/td>\n<\/tr>\n\nINITTIMEOUT<\/td>\nNo<\/td>\nInitialization timeout for the Virus Scan Provider<\/td>\n<\/tr>\n\nINITTEMP_PATH<\/td>\nNo<\/td>\nTemporary directory to use. If not specified, the OS-level default is used<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nBecause the initialization parameters defined in the Virus Scanner Group will apply to all hosts and are usually transported to all systems of a system line, one should use paths that exist on all affected instances. If\u00a0 SID-specific paths have to be used,\u00a0 using environment variables, such as $SAPSYSTEMNAME or $HOSTNAME is supported for path and file names. The values will be expanded\/resolved to respective values on each system.<\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.2.<\/span>Maintaining Virus Scan Providers<\/span> <\/div><\/h3>To set up and maintain Scanner Groups, access transaction VSCANGROUP.<\/p>\n <\/p>\n\n<\/p>\nNOTE:<\/p>\nSAP VSI supports two types of Virus Scan Providers: <\/span><\/p>\n\nVirus Scan Adapter<\/strong><\/i><\/span><\/li>\nVirus Scan Server<\/strong><\/i><\/span><\/li>\n<\/ul>\nWhile both options are fully supported with Anti-Virus bowbridge and SAP recommend using the Virus Scan Adapter<\/strong> configuration whenever possible because it is more stable, delivers much better performance, and overcomes other limitations of the Virus Scan Server deployment mode. See <\/span>SAP Note 782963 for details.<\/span><\/p>\nIf you have to deploy bowbridge Anti-Virus in the Virus Scan Server model, please contact bowbridge technical support for additional documentation on implementing that configuration. We also encourage looking at the “Scan-Server” deployment model of bowbridge Anti-Virus 4. It combines the advantages of a central scanning server with those of not using RFC to transfer files to be scanned.<\/span><\/p>\n\n <\/p>\n<\/p>\n <\/p>\nUpon creating\/maintaining a Virus Scan Provider, the following parameters must be provided:<\/p>\n\n\n\nParameter Name<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nProvider Type<\/td>\nUse “Adapter” whenever possible<\/td>\n<\/tr>\n\nProvider Name<\/td>\nMust begin with “VSA_”. Using the default works fine.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nThe scanner group this provider is part of<\/td>\n<\/tr>\n\nStatus<\/td>\nControls how the Provider is started. CCMS will periodically check the Provider’s status and attempt to bring\/restore it to the defined status. In most cases, this should be “Active Application-Server”<\/td>\n<\/tr>\n\nServer<\/td>\nThe application server this particular VSA runs on. In SAP systems with multiple instances, one Virus Scan Provider must be maintained for each instance.<\/td>\n<\/tr>\n\nInterval Reinit<\/td>\nSpecifies the interval in which CCMS will attempt to re-initialize the Virus Scan Provider. While not technically needed, a Re-Init refreshes the data displayed in VSCAN. A re-initialization can also be triggered manually by clicking the “Load” button<\/td>\n<\/tr>\n\nAdapter Path<\/td>\nFully qualified path to the libbbAV.so.4 file. Environment variables, such as $SAPSYSTEMNAME or $HOSTNAME are supported in the path parameter and will expand\/resolve to the local value on each instance.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.3.<\/span>Maintaining Virus Scan Profiles<\/span> <\/div><\/h3>Virus Scan Profiles are a set of parameters specifying how a scan will be performed. Their names reference ABAP function modules in which the Virus Scan Profile name is hard-coded. During the execution of such function modules, scans are automatically performed with the profile settings if the respective virus scan profile is marked as “active”. Each profile defines one or more “Steps,” invoking a virus scan provider from a Virus Scanner Group or referencing another Virus Scan Profile.<\/p>\nSince SAP BASIS 757 inactive virus scan profile will result in warning messages (event type “FU0)\u00a0 in the SAP Security Audit Log.<\/p>\nFor example, if the SCET\/GUI_UPLOAD profile is active, then any file upload via SAP GUI will be scanned with the settings of the SCET\/GUI_UPLOAD profile. This is fully transparent to the application using the function module and works without any application changes.<\/p>\nSAP delivers several virus scan profiles, which are mostly empty. In their default configuration, they reference the so-called “Default Profile.”<\/p>\n<\/a><\/p>\nThere are, therefore, two ways to manage Virus Scan Profiles effectively:<\/p>\n\nMaintain the Scan Settings in each relevant profile individually. This approach makes sense for maintaining specific scan settings that vary by function module; for example, if GUI uploads need to be scanned with settings other than HTTP uploads.\nIn this case, uncheck the “Use Reference” checkbox in the Virus Scan Profile and maintain steps, MIME-types, and profile configuration parameters in the Virus Scan Profile<\/li>\nCreate one or a few “reference profiles” with common scan settings and use those as references in the other profiles that need to be activated.\nFor this approach, create new profiles in the Z or Y namespace and maintain the required parameters. For example, administrators could create a Z_BASIC profile for pure virus scanning and a Z_ADVANCED profile containing more advanced filtering, like MIME-type filters and active content detection.\nIf, additionally, one of the reference profiles is marked as “Default,” it would be sufficient to activate any other SAP-delivered profile for it to reference the Default Profile and perform scans with the settings of the Default Profile<\/li>\n<\/ul>\nIn either case, the profiles contain the following parameters:<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Virus Scan Profile”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nScan Profile Name<\/td>\nText<\/td>\nYes<\/td>\nCustom profiles must be in Y or Z namespaces<\/td>\n<\/tr>\n\nProfile Text<\/td>\nText<\/td>\nNo<\/td>\nA free-form descriptive text<\/td>\n<\/tr>\n\nActive<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks the profile as active<\/td>\n<\/tr>\n\nDefault Profile<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks this profile as Default. Note only ONE profile can be marked as Default<\/td>\n<\/tr>\n\nEvaluate Profile Configuration Parameters<\/td>\nCheckbox<\/td>\nNo<\/td>\nActivates the parameters defined in the “Profile Configuration Parameters folder. If parameters are maintained in the Profile Configuration Parameters, and this checkbox is inactive, a warning will be displayed upon saving virus scan profile changes. For example, the SCET\/DP_VS_ENABLED causes this warning in its default, SAP-delivered configuration.<\/p>\n<\/a><\/td>\n<\/tr>\n\nNot relevant for Security Audit Log<\/td>\nCheckbox<\/td>\nNo<\/td>\nSincef SAP BASIS 757, warning messages are written to the security audit log when a file transfer would have been scanned if this profile was active. This checkbox disables the Security Audit Log Messages for this profile.<\/td>\n<\/tr>\n\nUse reference<\/td>\nCheckbox<\/td>\nNo<\/td>\nIf checked, the settings maintained in the profile are ignored, and those maintained in the referenced profile specified are used. If, in turn, no reference profile is specified, the Default Profile is used.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n\n\n\nDialog Structure Folder “Steps”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nPosition<\/td>\nText<\/td>\nYes<\/td>\nNumerical value. Only used to order the steps<\/td>\n<\/tr>\n\nType<\/td>\nSelector<\/td>\nYes<\/td>\nThe type of the reference, Group, or Profile.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nSelector<\/td>\nYes<\/td>\nScanner Group to use in this step (if “Group” is selected for Type)<\/td>\n<\/tr>\n\nVirus Scan Profile<\/td>\nSelector<\/td>\nYes<\/td>\nVirus Scan Profile to use in this step (if “Profile” is selected for Type)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nStep Configuration Parameters apply only to the selected step of the Virus Scan Profile.<\/p>\n\n\n\nDialog Structure Folder “Step Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nBLOCKEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to block (aka “Blocklist”)<\/td>\n<\/tr>\n\nBLOCKMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to block (aka “Blocklist”). Technically identical to specifying a list of MIME-types and setting the Profile Configuration parameter CUST_MIMETYPES_ARE_BLACKLIST<\/td>\n<\/tr>\n\nCLEANQUARANTINE<\/td>\n<\/td>\nKey of the quarantine worker to receive infected objects in a cryptographically protected quarantine ZIP archive<\/td>\n<\/tr>\n\nSCANALLEMBEDDED<\/td>\n1<\/td>\nRecursively scan embedded items, like base64, uuencoded, data-URLs<\/td>\n<\/tr>\n\nSCANALLFILES<\/td>\n1<\/td>\nScan all files, regardless of their type<\/td>\n<\/tr>\n\nSCANBESTEFFORT<\/td>\n1<\/td>\nApply all available scan techniques<\/td>\n<\/tr>\n\nSCANEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to continue processing. Files with extensions NOT on this list will be blocked (“Allowlist”)<\/td>\n<\/tr>\n\nSCANEXTRACT<\/td>\n1<\/td>\nExtract Archives and compressed data files and scan the content (recursively)<\/td>\n<\/tr>\n\nSCANEXTRACT_DEPTH<\/td>\n20<\/td>\nMaximum nesting depth for archives<\/td>\n<\/tr>\n\nSCANLOGPATH<\/td>\n<\/td>\nName of the file to log all scan operations to. Note a SCANLOG_BASEPATH must be configured in \/config\/bb-av-control.cfg<\/em><\/td>\n<\/tr>\n\nSCANMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to continue processing. Files with MIME-types NOT on this list will be blocked (aka “Allowlist”). Technically identical to specifying a list of MIME-types. Because of the length limit of the field, it is better to provide the list line-by-line in the MIME-types folder of the Dialog Structure.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nProfile Configuration Parameters apply to any step of the profile.<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Profile Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nCUST_ACTIVE_CONTENT<\/td>\n0<\/td>\nDetect and block files containing active-content elements. Check the “Hierarchical Configurations” section for details on how to fine-tune what type of content is detected and blocked as active content.<\/td>\n<\/tr>\n\nCUST_ALL_SCANERR_AS_WARNING<\/td>\n0<\/td>\nOverride any scan error returned by the VSA and treat it as a warning, therefore accepting the file. Effectively, this equals switching the Virus Scan Profile to a “fail-open” configuration. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_CHECK_MIME_TYPE<\/td>\n0<\/td>\nActivate the filtering of files based on MIME types (if provided) and activate the enforcement MIME-type to extension matching.\nOverride with the SCAN-parameter ENFORCE_MIME_EXTENSION_MATCH. Check the “Hierarchical Configurations” section for details on how to fine-tune and layered scan configurations.<\/td>\n<\/tr>\n\nCUST_CLEAN<\/td>\n0<\/td>\nAttempt to clean infected files. This may MODIFY the file and the original content may be lost. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_MIME_TYPES_ARE_BLACKLIST<\/td>\n0<\/td>\nToggles the list of MIME-types in the “MIME-types” folder from “Allowlist” to “Blocklist”<\/td>\n<\/tr>\n\nCUST_NO_SCANINFO<\/td>\n0<\/td>\nInstruct the VSA only to return the blocking verdict, but no details on the scan.<\/td>\n<\/tr>\n\nCUST_NOT_SCANNED_AS_WARNING<\/td>\n0<\/td>\nIn situations where a file cannot be scanned, i.e., due to encryption or password protection, accept the file with a warning instead of blocking it.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.4.<\/span>ODATA Virus Scan<\/span> <\/div><\/h3>
3. Definition and activation of Virus Scan Profiles<\/span><\/p>\n4. On SAP gateway systems, activation of Virus Scanning at the SAP gateway.<\/p>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.1.<\/span>Maintaining Virus Scanner Groups<\/span> <\/div><\/h3>A scanner group combines multiple virus scanners of the same type. As users will select the Virus Scan Provider using the scanner group when maintaining the virus scan profile, they must assign each Virus Scan Provider to at least one scanner group.<\/span><\/p>\nWe recommend setting up multiple scanner groups in order to maintain multiple scan configurations on the system.<\/span><\/p>\nTo set up and maintain Scanner Groups, access transaction VSCANGROUP. A list of key-value pairs may be specified as Configuration Parameters<\/em> for every group.\nUpon completing the OS-level installation, the bowbridge-installation-summary.txt<\/em> file contains the required parameters and their values.<\/p>\n<\/a><\/p>\n\nNOTE:<\/p>\nNot all parameters displayed in the parameter selection are valid in Virus Scanner Groups. Only the INIT*-parameters are relevant. And of those, only the ones below are required\/supported by bowbridge Anti-Virus 4.<\/p>\n\nThe options supported by bowbridge Anti-Virus 4 are:<\/p>\n\n\n\nParameter Name<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nINITDIRECTORY<\/td>\nYes<\/td>\nbowbridge program base-path<\/td>\n<\/tr>\n\nINITDRIVERS<\/td>\nYes<\/td>\nURL of the message broker<\/td>\n<\/tr>\n\nINITDEXTRADRIVERS<\/td>\nNo<\/td>\nEncryption key for events (optional)<\/td>\n<\/tr>\n\nINITENGINES<\/td>\nYes<\/td>\nList and order of scan workers to use<\/td>\n<\/tr>\n\nINITLICENSE_PATH<\/td>\nYes<\/td>\nAPI key and authentication to the broker<\/td>\n<\/tr>\n\nINITSERVERS<\/td>\nOnly for ICAP and ClamAV<\/td>\nICAP-URLs or ClamAV connection URL<\/td>\n<\/tr>\n\nINITTIMEOUT<\/td>\nNo<\/td>\nInitialization timeout for the Virus Scan Provider<\/td>\n<\/tr>\n\nINITTEMP_PATH<\/td>\nNo<\/td>\nTemporary directory to use. If not specified, the OS-level default is used<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nBecause the initialization parameters defined in the Virus Scanner Group will apply to all hosts and are usually transported to all systems of a system line, one should use paths that exist on all affected instances. If\u00a0 SID-specific paths have to be used,\u00a0 using environment variables, such as $SAPSYSTEMNAME or $HOSTNAME is supported for path and file names. The values will be expanded\/resolved to respective values on each system.<\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.2.<\/span>Maintaining Virus Scan Providers<\/span> <\/div><\/h3>To set up and maintain Scanner Groups, access transaction VSCANGROUP.<\/p>\n <\/p>\n\n<\/p>\nNOTE:<\/p>\nSAP VSI supports two types of Virus Scan Providers: <\/span><\/p>\n\nVirus Scan Adapter<\/strong><\/i><\/span><\/li>\nVirus Scan Server<\/strong><\/i><\/span><\/li>\n<\/ul>\nWhile both options are fully supported with Anti-Virus bowbridge and SAP recommend using the Virus Scan Adapter<\/strong> configuration whenever possible because it is more stable, delivers much better performance, and overcomes other limitations of the Virus Scan Server deployment mode. See <\/span>SAP Note 782963 for details.<\/span><\/p>\nIf you have to deploy bowbridge Anti-Virus in the Virus Scan Server model, please contact bowbridge technical support for additional documentation on implementing that configuration. We also encourage looking at the “Scan-Server” deployment model of bowbridge Anti-Virus 4. It combines the advantages of a central scanning server with those of not using RFC to transfer files to be scanned.<\/span><\/p>\n\n <\/p>\n<\/p>\n <\/p>\nUpon creating\/maintaining a Virus Scan Provider, the following parameters must be provided:<\/p>\n\n\n\nParameter Name<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nProvider Type<\/td>\nUse “Adapter” whenever possible<\/td>\n<\/tr>\n\nProvider Name<\/td>\nMust begin with “VSA_”. Using the default works fine.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nThe scanner group this provider is part of<\/td>\n<\/tr>\n\nStatus<\/td>\nControls how the Provider is started. CCMS will periodically check the Provider’s status and attempt to bring\/restore it to the defined status. In most cases, this should be “Active Application-Server”<\/td>\n<\/tr>\n\nServer<\/td>\nThe application server this particular VSA runs on. In SAP systems with multiple instances, one Virus Scan Provider must be maintained for each instance.<\/td>\n<\/tr>\n\nInterval Reinit<\/td>\nSpecifies the interval in which CCMS will attempt to re-initialize the Virus Scan Provider. While not technically needed, a Re-Init refreshes the data displayed in VSCAN. A re-initialization can also be triggered manually by clicking the “Load” button<\/td>\n<\/tr>\n\nAdapter Path<\/td>\nFully qualified path to the libbbAV.so.4 file. Environment variables, such as $SAPSYSTEMNAME or $HOSTNAME are supported in the path parameter and will expand\/resolve to the local value on each instance.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.3.<\/span>Maintaining Virus Scan Profiles<\/span> <\/div><\/h3>Virus Scan Profiles are a set of parameters specifying how a scan will be performed. Their names reference ABAP function modules in which the Virus Scan Profile name is hard-coded. During the execution of such function modules, scans are automatically performed with the profile settings if the respective virus scan profile is marked as “active”. Each profile defines one or more “Steps,” invoking a virus scan provider from a Virus Scanner Group or referencing another Virus Scan Profile.<\/p>\nSince SAP BASIS 757 inactive virus scan profile will result in warning messages (event type “FU0)\u00a0 in the SAP Security Audit Log.<\/p>\nFor example, if the SCET\/GUI_UPLOAD profile is active, then any file upload via SAP GUI will be scanned with the settings of the SCET\/GUI_UPLOAD profile. This is fully transparent to the application using the function module and works without any application changes.<\/p>\nSAP delivers several virus scan profiles, which are mostly empty. In their default configuration, they reference the so-called “Default Profile.”<\/p>\n<\/a><\/p>\nThere are, therefore, two ways to manage Virus Scan Profiles effectively:<\/p>\n\nMaintain the Scan Settings in each relevant profile individually. This approach makes sense for maintaining specific scan settings that vary by function module; for example, if GUI uploads need to be scanned with settings other than HTTP uploads.\nIn this case, uncheck the “Use Reference” checkbox in the Virus Scan Profile and maintain steps, MIME-types, and profile configuration parameters in the Virus Scan Profile<\/li>\nCreate one or a few “reference profiles” with common scan settings and use those as references in the other profiles that need to be activated.\nFor this approach, create new profiles in the Z or Y namespace and maintain the required parameters. For example, administrators could create a Z_BASIC profile for pure virus scanning and a Z_ADVANCED profile containing more advanced filtering, like MIME-type filters and active content detection.\nIf, additionally, one of the reference profiles is marked as “Default,” it would be sufficient to activate any other SAP-delivered profile for it to reference the Default Profile and perform scans with the settings of the Default Profile<\/li>\n<\/ul>\nIn either case, the profiles contain the following parameters:<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Virus Scan Profile”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nScan Profile Name<\/td>\nText<\/td>\nYes<\/td>\nCustom profiles must be in Y or Z namespaces<\/td>\n<\/tr>\n\nProfile Text<\/td>\nText<\/td>\nNo<\/td>\nA free-form descriptive text<\/td>\n<\/tr>\n\nActive<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks the profile as active<\/td>\n<\/tr>\n\nDefault Profile<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks this profile as Default. Note only ONE profile can be marked as Default<\/td>\n<\/tr>\n\nEvaluate Profile Configuration Parameters<\/td>\nCheckbox<\/td>\nNo<\/td>\nActivates the parameters defined in the “Profile Configuration Parameters folder. If parameters are maintained in the Profile Configuration Parameters, and this checkbox is inactive, a warning will be displayed upon saving virus scan profile changes. For example, the SCET\/DP_VS_ENABLED causes this warning in its default, SAP-delivered configuration.<\/p>\n<\/a><\/td>\n<\/tr>\n\nNot relevant for Security Audit Log<\/td>\nCheckbox<\/td>\nNo<\/td>\nSincef SAP BASIS 757, warning messages are written to the security audit log when a file transfer would have been scanned if this profile was active. This checkbox disables the Security Audit Log Messages for this profile.<\/td>\n<\/tr>\n\nUse reference<\/td>\nCheckbox<\/td>\nNo<\/td>\nIf checked, the settings maintained in the profile are ignored, and those maintained in the referenced profile specified are used. If, in turn, no reference profile is specified, the Default Profile is used.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n\n\n\nDialog Structure Folder “Steps”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nPosition<\/td>\nText<\/td>\nYes<\/td>\nNumerical value. Only used to order the steps<\/td>\n<\/tr>\n\nType<\/td>\nSelector<\/td>\nYes<\/td>\nThe type of the reference, Group, or Profile.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nSelector<\/td>\nYes<\/td>\nScanner Group to use in this step (if “Group” is selected for Type)<\/td>\n<\/tr>\n\nVirus Scan Profile<\/td>\nSelector<\/td>\nYes<\/td>\nVirus Scan Profile to use in this step (if “Profile” is selected for Type)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nStep Configuration Parameters apply only to the selected step of the Virus Scan Profile.<\/p>\n\n\n\nDialog Structure Folder “Step Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nBLOCKEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to block (aka “Blocklist”)<\/td>\n<\/tr>\n\nBLOCKMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to block (aka “Blocklist”). Technically identical to specifying a list of MIME-types and setting the Profile Configuration parameter CUST_MIMETYPES_ARE_BLACKLIST<\/td>\n<\/tr>\n\nCLEANQUARANTINE<\/td>\n<\/td>\nKey of the quarantine worker to receive infected objects in a cryptographically protected quarantine ZIP archive<\/td>\n<\/tr>\n\nSCANALLEMBEDDED<\/td>\n1<\/td>\nRecursively scan embedded items, like base64, uuencoded, data-URLs<\/td>\n<\/tr>\n\nSCANALLFILES<\/td>\n1<\/td>\nScan all files, regardless of their type<\/td>\n<\/tr>\n\nSCANBESTEFFORT<\/td>\n1<\/td>\nApply all available scan techniques<\/td>\n<\/tr>\n\nSCANEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to continue processing. Files with extensions NOT on this list will be blocked (“Allowlist”)<\/td>\n<\/tr>\n\nSCANEXTRACT<\/td>\n1<\/td>\nExtract Archives and compressed data files and scan the content (recursively)<\/td>\n<\/tr>\n\nSCANEXTRACT_DEPTH<\/td>\n20<\/td>\nMaximum nesting depth for archives<\/td>\n<\/tr>\n\nSCANLOGPATH<\/td>\n<\/td>\nName of the file to log all scan operations to. Note a SCANLOG_BASEPATH must be configured in \/config\/bb-av-control.cfg<\/em><\/td>\n<\/tr>\n\nSCANMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to continue processing. Files with MIME-types NOT on this list will be blocked (aka “Allowlist”). Technically identical to specifying a list of MIME-types. Because of the length limit of the field, it is better to provide the list line-by-line in the MIME-types folder of the Dialog Structure.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nProfile Configuration Parameters apply to any step of the profile.<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Profile Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nCUST_ACTIVE_CONTENT<\/td>\n0<\/td>\nDetect and block files containing active-content elements. Check the “Hierarchical Configurations” section for details on how to fine-tune what type of content is detected and blocked as active content.<\/td>\n<\/tr>\n\nCUST_ALL_SCANERR_AS_WARNING<\/td>\n0<\/td>\nOverride any scan error returned by the VSA and treat it as a warning, therefore accepting the file. Effectively, this equals switching the Virus Scan Profile to a “fail-open” configuration. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_CHECK_MIME_TYPE<\/td>\n0<\/td>\nActivate the filtering of files based on MIME types (if provided) and activate the enforcement MIME-type to extension matching.\nOverride with the SCAN-parameter ENFORCE_MIME_EXTENSION_MATCH. Check the “Hierarchical Configurations” section for details on how to fine-tune and layered scan configurations.<\/td>\n<\/tr>\n\nCUST_CLEAN<\/td>\n0<\/td>\nAttempt to clean infected files. This may MODIFY the file and the original content may be lost. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_MIME_TYPES_ARE_BLACKLIST<\/td>\n0<\/td>\nToggles the list of MIME-types in the “MIME-types” folder from “Allowlist” to “Blocklist”<\/td>\n<\/tr>\n\nCUST_NO_SCANINFO<\/td>\n0<\/td>\nInstruct the VSA only to return the blocking verdict, but no details on the scan.<\/td>\n<\/tr>\n\nCUST_NOT_SCANNED_AS_WARNING<\/td>\n0<\/td>\nIn situations where a file cannot be scanned, i.e., due to encryption or password protection, accept the file with a warning instead of blocking it.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.4.<\/span>ODATA Virus Scan<\/span> <\/div><\/h3>
4. On SAP gateway systems, activation of Virus Scanning at the SAP gateway.<\/p>\n
A scanner group combines multiple virus scanners of the same type. As users will select the Virus Scan Provider using the scanner group when maintaining the virus scan profile, they must assign each Virus Scan Provider to at least one scanner group.<\/span><\/p>\nWe recommend setting up multiple scanner groups in order to maintain multiple scan configurations on the system.<\/span><\/p>\nTo set up and maintain Scanner Groups, access transaction VSCANGROUP. A list of key-value pairs may be specified as Configuration Parameters<\/em> for every group.\nUpon completing the OS-level installation, the bowbridge-installation-summary.txt<\/em> file contains the required parameters and their values.<\/p>\n<\/a><\/p>\n\nNOTE:<\/p>\nNot all parameters displayed in the parameter selection are valid in Virus Scanner Groups. Only the INIT*-parameters are relevant. And of those, only the ones below are required\/supported by bowbridge Anti-Virus 4.<\/p>\n\nThe options supported by bowbridge Anti-Virus 4 are:<\/p>\n\n\n\nParameter Name<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nINITDIRECTORY<\/td>\nYes<\/td>\nbowbridge program base-path<\/td>\n<\/tr>\n\nINITDRIVERS<\/td>\nYes<\/td>\nURL of the message broker<\/td>\n<\/tr>\n\nINITDEXTRADRIVERS<\/td>\nNo<\/td>\nEncryption key for events (optional)<\/td>\n<\/tr>\n\nINITENGINES<\/td>\nYes<\/td>\nList and order of scan workers to use<\/td>\n<\/tr>\n\nINITLICENSE_PATH<\/td>\nYes<\/td>\nAPI key and authentication to the broker<\/td>\n<\/tr>\n\nINITSERVERS<\/td>\nOnly for ICAP and ClamAV<\/td>\nICAP-URLs or ClamAV connection URL<\/td>\n<\/tr>\n\nINITTIMEOUT<\/td>\nNo<\/td>\nInitialization timeout for the Virus Scan Provider<\/td>\n<\/tr>\n\nINITTEMP_PATH<\/td>\nNo<\/td>\nTemporary directory to use. If not specified, the OS-level default is used<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nBecause the initialization parameters defined in the Virus Scanner Group will apply to all hosts and are usually transported to all systems of a system line, one should use paths that exist on all affected instances. If\u00a0 SID-specific paths have to be used,\u00a0 using environment variables, such as $SAPSYSTEMNAME or $HOSTNAME is supported for path and file names. The values will be expanded\/resolved to respective values on each system.<\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.2.<\/span>Maintaining Virus Scan Providers<\/span> <\/div><\/h3>To set up and maintain Scanner Groups, access transaction VSCANGROUP.<\/p>\n <\/p>\n\n<\/p>\nNOTE:<\/p>\nSAP VSI supports two types of Virus Scan Providers: <\/span><\/p>\n\nVirus Scan Adapter<\/strong><\/i><\/span><\/li>\nVirus Scan Server<\/strong><\/i><\/span><\/li>\n<\/ul>\nWhile both options are fully supported with Anti-Virus bowbridge and SAP recommend using the Virus Scan Adapter<\/strong> configuration whenever possible because it is more stable, delivers much better performance, and overcomes other limitations of the Virus Scan Server deployment mode. See <\/span>SAP Note 782963 for details.<\/span><\/p>\nIf you have to deploy bowbridge Anti-Virus in the Virus Scan Server model, please contact bowbridge technical support for additional documentation on implementing that configuration. We also encourage looking at the “Scan-Server” deployment model of bowbridge Anti-Virus 4. It combines the advantages of a central scanning server with those of not using RFC to transfer files to be scanned.<\/span><\/p>\n\n <\/p>\n<\/p>\n <\/p>\nUpon creating\/maintaining a Virus Scan Provider, the following parameters must be provided:<\/p>\n\n\n\nParameter Name<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nProvider Type<\/td>\nUse “Adapter” whenever possible<\/td>\n<\/tr>\n\nProvider Name<\/td>\nMust begin with “VSA_”. Using the default works fine.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nThe scanner group this provider is part of<\/td>\n<\/tr>\n\nStatus<\/td>\nControls how the Provider is started. CCMS will periodically check the Provider’s status and attempt to bring\/restore it to the defined status. In most cases, this should be “Active Application-Server”<\/td>\n<\/tr>\n\nServer<\/td>\nThe application server this particular VSA runs on. In SAP systems with multiple instances, one Virus Scan Provider must be maintained for each instance.<\/td>\n<\/tr>\n\nInterval Reinit<\/td>\nSpecifies the interval in which CCMS will attempt to re-initialize the Virus Scan Provider. While not technically needed, a Re-Init refreshes the data displayed in VSCAN. A re-initialization can also be triggered manually by clicking the “Load” button<\/td>\n<\/tr>\n\nAdapter Path<\/td>\nFully qualified path to the libbbAV.so.4 file. Environment variables, such as $SAPSYSTEMNAME or $HOSTNAME are supported in the path parameter and will expand\/resolve to the local value on each instance.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.3.<\/span>Maintaining Virus Scan Profiles<\/span> <\/div><\/h3>Virus Scan Profiles are a set of parameters specifying how a scan will be performed. Their names reference ABAP function modules in which the Virus Scan Profile name is hard-coded. During the execution of such function modules, scans are automatically performed with the profile settings if the respective virus scan profile is marked as “active”. Each profile defines one or more “Steps,” invoking a virus scan provider from a Virus Scanner Group or referencing another Virus Scan Profile.<\/p>\nSince SAP BASIS 757 inactive virus scan profile will result in warning messages (event type “FU0)\u00a0 in the SAP Security Audit Log.<\/p>\nFor example, if the SCET\/GUI_UPLOAD profile is active, then any file upload via SAP GUI will be scanned with the settings of the SCET\/GUI_UPLOAD profile. This is fully transparent to the application using the function module and works without any application changes.<\/p>\nSAP delivers several virus scan profiles, which are mostly empty. In their default configuration, they reference the so-called “Default Profile.”<\/p>\n<\/a><\/p>\nThere are, therefore, two ways to manage Virus Scan Profiles effectively:<\/p>\n\nMaintain the Scan Settings in each relevant profile individually. This approach makes sense for maintaining specific scan settings that vary by function module; for example, if GUI uploads need to be scanned with settings other than HTTP uploads.\nIn this case, uncheck the “Use Reference” checkbox in the Virus Scan Profile and maintain steps, MIME-types, and profile configuration parameters in the Virus Scan Profile<\/li>\nCreate one or a few “reference profiles” with common scan settings and use those as references in the other profiles that need to be activated.\nFor this approach, create new profiles in the Z or Y namespace and maintain the required parameters. For example, administrators could create a Z_BASIC profile for pure virus scanning and a Z_ADVANCED profile containing more advanced filtering, like MIME-type filters and active content detection.\nIf, additionally, one of the reference profiles is marked as “Default,” it would be sufficient to activate any other SAP-delivered profile for it to reference the Default Profile and perform scans with the settings of the Default Profile<\/li>\n<\/ul>\nIn either case, the profiles contain the following parameters:<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Virus Scan Profile”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nScan Profile Name<\/td>\nText<\/td>\nYes<\/td>\nCustom profiles must be in Y or Z namespaces<\/td>\n<\/tr>\n\nProfile Text<\/td>\nText<\/td>\nNo<\/td>\nA free-form descriptive text<\/td>\n<\/tr>\n\nActive<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks the profile as active<\/td>\n<\/tr>\n\nDefault Profile<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks this profile as Default. Note only ONE profile can be marked as Default<\/td>\n<\/tr>\n\nEvaluate Profile Configuration Parameters<\/td>\nCheckbox<\/td>\nNo<\/td>\nActivates the parameters defined in the “Profile Configuration Parameters folder. If parameters are maintained in the Profile Configuration Parameters, and this checkbox is inactive, a warning will be displayed upon saving virus scan profile changes. For example, the SCET\/DP_VS_ENABLED causes this warning in its default, SAP-delivered configuration.<\/p>\n<\/a><\/td>\n<\/tr>\n\nNot relevant for Security Audit Log<\/td>\nCheckbox<\/td>\nNo<\/td>\nSincef SAP BASIS 757, warning messages are written to the security audit log when a file transfer would have been scanned if this profile was active. This checkbox disables the Security Audit Log Messages for this profile.<\/td>\n<\/tr>\n\nUse reference<\/td>\nCheckbox<\/td>\nNo<\/td>\nIf checked, the settings maintained in the profile are ignored, and those maintained in the referenced profile specified are used. If, in turn, no reference profile is specified, the Default Profile is used.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n\n\n\nDialog Structure Folder “Steps”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nPosition<\/td>\nText<\/td>\nYes<\/td>\nNumerical value. Only used to order the steps<\/td>\n<\/tr>\n\nType<\/td>\nSelector<\/td>\nYes<\/td>\nThe type of the reference, Group, or Profile.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nSelector<\/td>\nYes<\/td>\nScanner Group to use in this step (if “Group” is selected for Type)<\/td>\n<\/tr>\n\nVirus Scan Profile<\/td>\nSelector<\/td>\nYes<\/td>\nVirus Scan Profile to use in this step (if “Profile” is selected for Type)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nStep Configuration Parameters apply only to the selected step of the Virus Scan Profile.<\/p>\n\n\n\nDialog Structure Folder “Step Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nBLOCKEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to block (aka “Blocklist”)<\/td>\n<\/tr>\n\nBLOCKMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to block (aka “Blocklist”). Technically identical to specifying a list of MIME-types and setting the Profile Configuration parameter CUST_MIMETYPES_ARE_BLACKLIST<\/td>\n<\/tr>\n\nCLEANQUARANTINE<\/td>\n<\/td>\nKey of the quarantine worker to receive infected objects in a cryptographically protected quarantine ZIP archive<\/td>\n<\/tr>\n\nSCANALLEMBEDDED<\/td>\n1<\/td>\nRecursively scan embedded items, like base64, uuencoded, data-URLs<\/td>\n<\/tr>\n\nSCANALLFILES<\/td>\n1<\/td>\nScan all files, regardless of their type<\/td>\n<\/tr>\n\nSCANBESTEFFORT<\/td>\n1<\/td>\nApply all available scan techniques<\/td>\n<\/tr>\n\nSCANEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to continue processing. Files with extensions NOT on this list will be blocked (“Allowlist”)<\/td>\n<\/tr>\n\nSCANEXTRACT<\/td>\n1<\/td>\nExtract Archives and compressed data files and scan the content (recursively)<\/td>\n<\/tr>\n\nSCANEXTRACT_DEPTH<\/td>\n20<\/td>\nMaximum nesting depth for archives<\/td>\n<\/tr>\n\nSCANLOGPATH<\/td>\n<\/td>\nName of the file to log all scan operations to. Note a SCANLOG_BASEPATH must be configured in \/config\/bb-av-control.cfg<\/em><\/td>\n<\/tr>\n\nSCANMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to continue processing. Files with MIME-types NOT on this list will be blocked (aka “Allowlist”). Technically identical to specifying a list of MIME-types. Because of the length limit of the field, it is better to provide the list line-by-line in the MIME-types folder of the Dialog Structure.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nProfile Configuration Parameters apply to any step of the profile.<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Profile Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nCUST_ACTIVE_CONTENT<\/td>\n0<\/td>\nDetect and block files containing active-content elements. Check the “Hierarchical Configurations” section for details on how to fine-tune what type of content is detected and blocked as active content.<\/td>\n<\/tr>\n\nCUST_ALL_SCANERR_AS_WARNING<\/td>\n0<\/td>\nOverride any scan error returned by the VSA and treat it as a warning, therefore accepting the file. Effectively, this equals switching the Virus Scan Profile to a “fail-open” configuration. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_CHECK_MIME_TYPE<\/td>\n0<\/td>\nActivate the filtering of files based on MIME types (if provided) and activate the enforcement MIME-type to extension matching.\nOverride with the SCAN-parameter ENFORCE_MIME_EXTENSION_MATCH. Check the “Hierarchical Configurations” section for details on how to fine-tune and layered scan configurations.<\/td>\n<\/tr>\n\nCUST_CLEAN<\/td>\n0<\/td>\nAttempt to clean infected files. This may MODIFY the file and the original content may be lost. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_MIME_TYPES_ARE_BLACKLIST<\/td>\n0<\/td>\nToggles the list of MIME-types in the “MIME-types” folder from “Allowlist” to “Blocklist”<\/td>\n<\/tr>\n\nCUST_NO_SCANINFO<\/td>\n0<\/td>\nInstruct the VSA only to return the blocking verdict, but no details on the scan.<\/td>\n<\/tr>\n\nCUST_NOT_SCANNED_AS_WARNING<\/td>\n0<\/td>\nIn situations where a file cannot be scanned, i.e., due to encryption or password protection, accept the file with a warning instead of blocking it.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.4.<\/span>ODATA Virus Scan<\/span> <\/div><\/h3>
We recommend setting up multiple scanner groups in order to maintain multiple scan configurations on the system.<\/span><\/p>\nTo set up and maintain Scanner Groups, access transaction VSCANGROUP. A list of key-value pairs may be specified as Configuration Parameters<\/em> for every group.\nUpon completing the OS-level installation, the bowbridge-installation-summary.txt<\/em> file contains the required parameters and their values.<\/p>\n<\/a><\/p>\n\nNOTE:<\/p>\nNot all parameters displayed in the parameter selection are valid in Virus Scanner Groups. Only the INIT*-parameters are relevant. And of those, only the ones below are required\/supported by bowbridge Anti-Virus 4.<\/p>\n\nThe options supported by bowbridge Anti-Virus 4 are:<\/p>\n\n\n\nParameter Name<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nINITDIRECTORY<\/td>\nYes<\/td>\nbowbridge program base-path<\/td>\n<\/tr>\n\nINITDRIVERS<\/td>\nYes<\/td>\nURL of the message broker<\/td>\n<\/tr>\n\nINITDEXTRADRIVERS<\/td>\nNo<\/td>\nEncryption key for events (optional)<\/td>\n<\/tr>\n\nINITENGINES<\/td>\nYes<\/td>\nList and order of scan workers to use<\/td>\n<\/tr>\n\nINITLICENSE_PATH<\/td>\nYes<\/td>\nAPI key and authentication to the broker<\/td>\n<\/tr>\n\nINITSERVERS<\/td>\nOnly for ICAP and ClamAV<\/td>\nICAP-URLs or ClamAV connection URL<\/td>\n<\/tr>\n\nINITTIMEOUT<\/td>\nNo<\/td>\nInitialization timeout for the Virus Scan Provider<\/td>\n<\/tr>\n\nINITTEMP_PATH<\/td>\nNo<\/td>\nTemporary directory to use. If not specified, the OS-level default is used<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nBecause the initialization parameters defined in the Virus Scanner Group will apply to all hosts and are usually transported to all systems of a system line, one should use paths that exist on all affected instances. If\u00a0 SID-specific paths have to be used,\u00a0 using environment variables, such as $SAPSYSTEMNAME or $HOSTNAME is supported for path and file names. The values will be expanded\/resolved to respective values on each system.<\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.2.<\/span>Maintaining Virus Scan Providers<\/span> <\/div><\/h3>To set up and maintain Scanner Groups, access transaction VSCANGROUP.<\/p>\n <\/p>\n\n<\/p>\nNOTE:<\/p>\nSAP VSI supports two types of Virus Scan Providers: <\/span><\/p>\n\nVirus Scan Adapter<\/strong><\/i><\/span><\/li>\nVirus Scan Server<\/strong><\/i><\/span><\/li>\n<\/ul>\nWhile both options are fully supported with Anti-Virus bowbridge and SAP recommend using the Virus Scan Adapter<\/strong> configuration whenever possible because it is more stable, delivers much better performance, and overcomes other limitations of the Virus Scan Server deployment mode. See <\/span>SAP Note 782963 for details.<\/span><\/p>\nIf you have to deploy bowbridge Anti-Virus in the Virus Scan Server model, please contact bowbridge technical support for additional documentation on implementing that configuration. We also encourage looking at the “Scan-Server” deployment model of bowbridge Anti-Virus 4. It combines the advantages of a central scanning server with those of not using RFC to transfer files to be scanned.<\/span><\/p>\n\n <\/p>\n<\/p>\n <\/p>\nUpon creating\/maintaining a Virus Scan Provider, the following parameters must be provided:<\/p>\n\n\n\nParameter Name<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nProvider Type<\/td>\nUse “Adapter” whenever possible<\/td>\n<\/tr>\n\nProvider Name<\/td>\nMust begin with “VSA_”. Using the default works fine.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nThe scanner group this provider is part of<\/td>\n<\/tr>\n\nStatus<\/td>\nControls how the Provider is started. CCMS will periodically check the Provider’s status and attempt to bring\/restore it to the defined status. In most cases, this should be “Active Application-Server”<\/td>\n<\/tr>\n\nServer<\/td>\nThe application server this particular VSA runs on. In SAP systems with multiple instances, one Virus Scan Provider must be maintained for each instance.<\/td>\n<\/tr>\n\nInterval Reinit<\/td>\nSpecifies the interval in which CCMS will attempt to re-initialize the Virus Scan Provider. While not technically needed, a Re-Init refreshes the data displayed in VSCAN. A re-initialization can also be triggered manually by clicking the “Load” button<\/td>\n<\/tr>\n\nAdapter Path<\/td>\nFully qualified path to the libbbAV.so.4 file. Environment variables, such as $SAPSYSTEMNAME or $HOSTNAME are supported in the path parameter and will expand\/resolve to the local value on each instance.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.3.<\/span>Maintaining Virus Scan Profiles<\/span> <\/div><\/h3>Virus Scan Profiles are a set of parameters specifying how a scan will be performed. Their names reference ABAP function modules in which the Virus Scan Profile name is hard-coded. During the execution of such function modules, scans are automatically performed with the profile settings if the respective virus scan profile is marked as “active”. Each profile defines one or more “Steps,” invoking a virus scan provider from a Virus Scanner Group or referencing another Virus Scan Profile.<\/p>\nSince SAP BASIS 757 inactive virus scan profile will result in warning messages (event type “FU0)\u00a0 in the SAP Security Audit Log.<\/p>\nFor example, if the SCET\/GUI_UPLOAD profile is active, then any file upload via SAP GUI will be scanned with the settings of the SCET\/GUI_UPLOAD profile. This is fully transparent to the application using the function module and works without any application changes.<\/p>\nSAP delivers several virus scan profiles, which are mostly empty. In their default configuration, they reference the so-called “Default Profile.”<\/p>\n<\/a><\/p>\nThere are, therefore, two ways to manage Virus Scan Profiles effectively:<\/p>\n\nMaintain the Scan Settings in each relevant profile individually. This approach makes sense for maintaining specific scan settings that vary by function module; for example, if GUI uploads need to be scanned with settings other than HTTP uploads.\nIn this case, uncheck the “Use Reference” checkbox in the Virus Scan Profile and maintain steps, MIME-types, and profile configuration parameters in the Virus Scan Profile<\/li>\nCreate one or a few “reference profiles” with common scan settings and use those as references in the other profiles that need to be activated.\nFor this approach, create new profiles in the Z or Y namespace and maintain the required parameters. For example, administrators could create a Z_BASIC profile for pure virus scanning and a Z_ADVANCED profile containing more advanced filtering, like MIME-type filters and active content detection.\nIf, additionally, one of the reference profiles is marked as “Default,” it would be sufficient to activate any other SAP-delivered profile for it to reference the Default Profile and perform scans with the settings of the Default Profile<\/li>\n<\/ul>\nIn either case, the profiles contain the following parameters:<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Virus Scan Profile”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nScan Profile Name<\/td>\nText<\/td>\nYes<\/td>\nCustom profiles must be in Y or Z namespaces<\/td>\n<\/tr>\n\nProfile Text<\/td>\nText<\/td>\nNo<\/td>\nA free-form descriptive text<\/td>\n<\/tr>\n\nActive<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks the profile as active<\/td>\n<\/tr>\n\nDefault Profile<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks this profile as Default. Note only ONE profile can be marked as Default<\/td>\n<\/tr>\n\nEvaluate Profile Configuration Parameters<\/td>\nCheckbox<\/td>\nNo<\/td>\nActivates the parameters defined in the “Profile Configuration Parameters folder. If parameters are maintained in the Profile Configuration Parameters, and this checkbox is inactive, a warning will be displayed upon saving virus scan profile changes. For example, the SCET\/DP_VS_ENABLED causes this warning in its default, SAP-delivered configuration.<\/p>\n<\/a><\/td>\n<\/tr>\n\nNot relevant for Security Audit Log<\/td>\nCheckbox<\/td>\nNo<\/td>\nSincef SAP BASIS 757, warning messages are written to the security audit log when a file transfer would have been scanned if this profile was active. This checkbox disables the Security Audit Log Messages for this profile.<\/td>\n<\/tr>\n\nUse reference<\/td>\nCheckbox<\/td>\nNo<\/td>\nIf checked, the settings maintained in the profile are ignored, and those maintained in the referenced profile specified are used. If, in turn, no reference profile is specified, the Default Profile is used.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n\n\n\nDialog Structure Folder “Steps”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nPosition<\/td>\nText<\/td>\nYes<\/td>\nNumerical value. Only used to order the steps<\/td>\n<\/tr>\n\nType<\/td>\nSelector<\/td>\nYes<\/td>\nThe type of the reference, Group, or Profile.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nSelector<\/td>\nYes<\/td>\nScanner Group to use in this step (if “Group” is selected for Type)<\/td>\n<\/tr>\n\nVirus Scan Profile<\/td>\nSelector<\/td>\nYes<\/td>\nVirus Scan Profile to use in this step (if “Profile” is selected for Type)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nStep Configuration Parameters apply only to the selected step of the Virus Scan Profile.<\/p>\n\n\n\nDialog Structure Folder “Step Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nBLOCKEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to block (aka “Blocklist”)<\/td>\n<\/tr>\n\nBLOCKMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to block (aka “Blocklist”). Technically identical to specifying a list of MIME-types and setting the Profile Configuration parameter CUST_MIMETYPES_ARE_BLACKLIST<\/td>\n<\/tr>\n\nCLEANQUARANTINE<\/td>\n<\/td>\nKey of the quarantine worker to receive infected objects in a cryptographically protected quarantine ZIP archive<\/td>\n<\/tr>\n\nSCANALLEMBEDDED<\/td>\n1<\/td>\nRecursively scan embedded items, like base64, uuencoded, data-URLs<\/td>\n<\/tr>\n\nSCANALLFILES<\/td>\n1<\/td>\nScan all files, regardless of their type<\/td>\n<\/tr>\n\nSCANBESTEFFORT<\/td>\n1<\/td>\nApply all available scan techniques<\/td>\n<\/tr>\n\nSCANEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to continue processing. Files with extensions NOT on this list will be blocked (“Allowlist”)<\/td>\n<\/tr>\n\nSCANEXTRACT<\/td>\n1<\/td>\nExtract Archives and compressed data files and scan the content (recursively)<\/td>\n<\/tr>\n\nSCANEXTRACT_DEPTH<\/td>\n20<\/td>\nMaximum nesting depth for archives<\/td>\n<\/tr>\n\nSCANLOGPATH<\/td>\n<\/td>\nName of the file to log all scan operations to. Note a SCANLOG_BASEPATH must be configured in \/config\/bb-av-control.cfg<\/em><\/td>\n<\/tr>\n\nSCANMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to continue processing. Files with MIME-types NOT on this list will be blocked (aka “Allowlist”). Technically identical to specifying a list of MIME-types. Because of the length limit of the field, it is better to provide the list line-by-line in the MIME-types folder of the Dialog Structure.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nProfile Configuration Parameters apply to any step of the profile.<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Profile Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nCUST_ACTIVE_CONTENT<\/td>\n0<\/td>\nDetect and block files containing active-content elements. Check the “Hierarchical Configurations” section for details on how to fine-tune what type of content is detected and blocked as active content.<\/td>\n<\/tr>\n\nCUST_ALL_SCANERR_AS_WARNING<\/td>\n0<\/td>\nOverride any scan error returned by the VSA and treat it as a warning, therefore accepting the file. Effectively, this equals switching the Virus Scan Profile to a “fail-open” configuration. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_CHECK_MIME_TYPE<\/td>\n0<\/td>\nActivate the filtering of files based on MIME types (if provided) and activate the enforcement MIME-type to extension matching.\nOverride with the SCAN-parameter ENFORCE_MIME_EXTENSION_MATCH. Check the “Hierarchical Configurations” section for details on how to fine-tune and layered scan configurations.<\/td>\n<\/tr>\n\nCUST_CLEAN<\/td>\n0<\/td>\nAttempt to clean infected files. This may MODIFY the file and the original content may be lost. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_MIME_TYPES_ARE_BLACKLIST<\/td>\n0<\/td>\nToggles the list of MIME-types in the “MIME-types” folder from “Allowlist” to “Blocklist”<\/td>\n<\/tr>\n\nCUST_NO_SCANINFO<\/td>\n0<\/td>\nInstruct the VSA only to return the blocking verdict, but no details on the scan.<\/td>\n<\/tr>\n\nCUST_NOT_SCANNED_AS_WARNING<\/td>\n0<\/td>\nIn situations where a file cannot be scanned, i.e., due to encryption or password protection, accept the file with a warning instead of blocking it.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.4.<\/span>ODATA Virus Scan<\/span> <\/div><\/h3>
To set up and maintain Scanner Groups, access transaction VSCANGROUP. A list of key-value pairs may be specified as Configuration Parameters<\/em> for every group.\nUpon completing the OS-level installation, the bowbridge-installation-summary.txt<\/em> file contains the required parameters and their values.<\/p>\n<\/a><\/p>\n\nNOTE:<\/p>\nNot all parameters displayed in the parameter selection are valid in Virus Scanner Groups. Only the INIT*-parameters are relevant. And of those, only the ones below are required\/supported by bowbridge Anti-Virus 4.<\/p>\n\nThe options supported by bowbridge Anti-Virus 4 are:<\/p>\n\n\n\nParameter Name<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nINITDIRECTORY<\/td>\nYes<\/td>\nbowbridge program base-path<\/td>\n<\/tr>\n\nINITDRIVERS<\/td>\nYes<\/td>\nURL of the message broker<\/td>\n<\/tr>\n\nINITDEXTRADRIVERS<\/td>\nNo<\/td>\nEncryption key for events (optional)<\/td>\n<\/tr>\n\nINITENGINES<\/td>\nYes<\/td>\nList and order of scan workers to use<\/td>\n<\/tr>\n\nINITLICENSE_PATH<\/td>\nYes<\/td>\nAPI key and authentication to the broker<\/td>\n<\/tr>\n\nINITSERVERS<\/td>\nOnly for ICAP and ClamAV<\/td>\nICAP-URLs or ClamAV connection URL<\/td>\n<\/tr>\n\nINITTIMEOUT<\/td>\nNo<\/td>\nInitialization timeout for the Virus Scan Provider<\/td>\n<\/tr>\n\nINITTEMP_PATH<\/td>\nNo<\/td>\nTemporary directory to use. If not specified, the OS-level default is used<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nBecause the initialization parameters defined in the Virus Scanner Group will apply to all hosts and are usually transported to all systems of a system line, one should use paths that exist on all affected instances. If\u00a0 SID-specific paths have to be used,\u00a0 using environment variables, such as $SAPSYSTEMNAME or $HOSTNAME is supported for path and file names. The values will be expanded\/resolved to respective values on each system.<\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.2.<\/span>Maintaining Virus Scan Providers<\/span> <\/div><\/h3>To set up and maintain Scanner Groups, access transaction VSCANGROUP.<\/p>\n <\/p>\n\n<\/p>\nNOTE:<\/p>\nSAP VSI supports two types of Virus Scan Providers: <\/span><\/p>\n\nVirus Scan Adapter<\/strong><\/i><\/span><\/li>\nVirus Scan Server<\/strong><\/i><\/span><\/li>\n<\/ul>\nWhile both options are fully supported with Anti-Virus bowbridge and SAP recommend using the Virus Scan Adapter<\/strong> configuration whenever possible because it is more stable, delivers much better performance, and overcomes other limitations of the Virus Scan Server deployment mode. See <\/span>SAP Note 782963 for details.<\/span><\/p>\nIf you have to deploy bowbridge Anti-Virus in the Virus Scan Server model, please contact bowbridge technical support for additional documentation on implementing that configuration. We also encourage looking at the “Scan-Server” deployment model of bowbridge Anti-Virus 4. It combines the advantages of a central scanning server with those of not using RFC to transfer files to be scanned.<\/span><\/p>\n\n <\/p>\n<\/p>\n <\/p>\nUpon creating\/maintaining a Virus Scan Provider, the following parameters must be provided:<\/p>\n\n\n\nParameter Name<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nProvider Type<\/td>\nUse “Adapter” whenever possible<\/td>\n<\/tr>\n\nProvider Name<\/td>\nMust begin with “VSA_”. Using the default works fine.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nThe scanner group this provider is part of<\/td>\n<\/tr>\n\nStatus<\/td>\nControls how the Provider is started. CCMS will periodically check the Provider’s status and attempt to bring\/restore it to the defined status. In most cases, this should be “Active Application-Server”<\/td>\n<\/tr>\n\nServer<\/td>\nThe application server this particular VSA runs on. In SAP systems with multiple instances, one Virus Scan Provider must be maintained for each instance.<\/td>\n<\/tr>\n\nInterval Reinit<\/td>\nSpecifies the interval in which CCMS will attempt to re-initialize the Virus Scan Provider. While not technically needed, a Re-Init refreshes the data displayed in VSCAN. A re-initialization can also be triggered manually by clicking the “Load” button<\/td>\n<\/tr>\n\nAdapter Path<\/td>\nFully qualified path to the libbbAV.so.4 file. Environment variables, such as $SAPSYSTEMNAME or $HOSTNAME are supported in the path parameter and will expand\/resolve to the local value on each instance.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.3.<\/span>Maintaining Virus Scan Profiles<\/span> <\/div><\/h3>Virus Scan Profiles are a set of parameters specifying how a scan will be performed. Their names reference ABAP function modules in which the Virus Scan Profile name is hard-coded. During the execution of such function modules, scans are automatically performed with the profile settings if the respective virus scan profile is marked as “active”. Each profile defines one or more “Steps,” invoking a virus scan provider from a Virus Scanner Group or referencing another Virus Scan Profile.<\/p>\nSince SAP BASIS 757 inactive virus scan profile will result in warning messages (event type “FU0)\u00a0 in the SAP Security Audit Log.<\/p>\nFor example, if the SCET\/GUI_UPLOAD profile is active, then any file upload via SAP GUI will be scanned with the settings of the SCET\/GUI_UPLOAD profile. This is fully transparent to the application using the function module and works without any application changes.<\/p>\nSAP delivers several virus scan profiles, which are mostly empty. In their default configuration, they reference the so-called “Default Profile.”<\/p>\n<\/a><\/p>\nThere are, therefore, two ways to manage Virus Scan Profiles effectively:<\/p>\n\nMaintain the Scan Settings in each relevant profile individually. This approach makes sense for maintaining specific scan settings that vary by function module; for example, if GUI uploads need to be scanned with settings other than HTTP uploads.\nIn this case, uncheck the “Use Reference” checkbox in the Virus Scan Profile and maintain steps, MIME-types, and profile configuration parameters in the Virus Scan Profile<\/li>\nCreate one or a few “reference profiles” with common scan settings and use those as references in the other profiles that need to be activated.\nFor this approach, create new profiles in the Z or Y namespace and maintain the required parameters. For example, administrators could create a Z_BASIC profile for pure virus scanning and a Z_ADVANCED profile containing more advanced filtering, like MIME-type filters and active content detection.\nIf, additionally, one of the reference profiles is marked as “Default,” it would be sufficient to activate any other SAP-delivered profile for it to reference the Default Profile and perform scans with the settings of the Default Profile<\/li>\n<\/ul>\nIn either case, the profiles contain the following parameters:<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Virus Scan Profile”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nScan Profile Name<\/td>\nText<\/td>\nYes<\/td>\nCustom profiles must be in Y or Z namespaces<\/td>\n<\/tr>\n\nProfile Text<\/td>\nText<\/td>\nNo<\/td>\nA free-form descriptive text<\/td>\n<\/tr>\n\nActive<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks the profile as active<\/td>\n<\/tr>\n\nDefault Profile<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks this profile as Default. Note only ONE profile can be marked as Default<\/td>\n<\/tr>\n\nEvaluate Profile Configuration Parameters<\/td>\nCheckbox<\/td>\nNo<\/td>\nActivates the parameters defined in the “Profile Configuration Parameters folder. If parameters are maintained in the Profile Configuration Parameters, and this checkbox is inactive, a warning will be displayed upon saving virus scan profile changes. For example, the SCET\/DP_VS_ENABLED causes this warning in its default, SAP-delivered configuration.<\/p>\n<\/a><\/td>\n<\/tr>\n\nNot relevant for Security Audit Log<\/td>\nCheckbox<\/td>\nNo<\/td>\nSincef SAP BASIS 757, warning messages are written to the security audit log when a file transfer would have been scanned if this profile was active. This checkbox disables the Security Audit Log Messages for this profile.<\/td>\n<\/tr>\n\nUse reference<\/td>\nCheckbox<\/td>\nNo<\/td>\nIf checked, the settings maintained in the profile are ignored, and those maintained in the referenced profile specified are used. If, in turn, no reference profile is specified, the Default Profile is used.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n\n\n\nDialog Structure Folder “Steps”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nPosition<\/td>\nText<\/td>\nYes<\/td>\nNumerical value. Only used to order the steps<\/td>\n<\/tr>\n\nType<\/td>\nSelector<\/td>\nYes<\/td>\nThe type of the reference, Group, or Profile.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nSelector<\/td>\nYes<\/td>\nScanner Group to use in this step (if “Group” is selected for Type)<\/td>\n<\/tr>\n\nVirus Scan Profile<\/td>\nSelector<\/td>\nYes<\/td>\nVirus Scan Profile to use in this step (if “Profile” is selected for Type)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nStep Configuration Parameters apply only to the selected step of the Virus Scan Profile.<\/p>\n\n\n\nDialog Structure Folder “Step Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nBLOCKEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to block (aka “Blocklist”)<\/td>\n<\/tr>\n\nBLOCKMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to block (aka “Blocklist”). Technically identical to specifying a list of MIME-types and setting the Profile Configuration parameter CUST_MIMETYPES_ARE_BLACKLIST<\/td>\n<\/tr>\n\nCLEANQUARANTINE<\/td>\n<\/td>\nKey of the quarantine worker to receive infected objects in a cryptographically protected quarantine ZIP archive<\/td>\n<\/tr>\n\nSCANALLEMBEDDED<\/td>\n1<\/td>\nRecursively scan embedded items, like base64, uuencoded, data-URLs<\/td>\n<\/tr>\n\nSCANALLFILES<\/td>\n1<\/td>\nScan all files, regardless of their type<\/td>\n<\/tr>\n\nSCANBESTEFFORT<\/td>\n1<\/td>\nApply all available scan techniques<\/td>\n<\/tr>\n\nSCANEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to continue processing. Files with extensions NOT on this list will be blocked (“Allowlist”)<\/td>\n<\/tr>\n\nSCANEXTRACT<\/td>\n1<\/td>\nExtract Archives and compressed data files and scan the content (recursively)<\/td>\n<\/tr>\n\nSCANEXTRACT_DEPTH<\/td>\n20<\/td>\nMaximum nesting depth for archives<\/td>\n<\/tr>\n\nSCANLOGPATH<\/td>\n<\/td>\nName of the file to log all scan operations to. Note a SCANLOG_BASEPATH must be configured in \/config\/bb-av-control.cfg<\/em><\/td>\n<\/tr>\n\nSCANMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to continue processing. Files with MIME-types NOT on this list will be blocked (aka “Allowlist”). Technically identical to specifying a list of MIME-types. Because of the length limit of the field, it is better to provide the list line-by-line in the MIME-types folder of the Dialog Structure.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nProfile Configuration Parameters apply to any step of the profile.<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Profile Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nCUST_ACTIVE_CONTENT<\/td>\n0<\/td>\nDetect and block files containing active-content elements. Check the “Hierarchical Configurations” section for details on how to fine-tune what type of content is detected and blocked as active content.<\/td>\n<\/tr>\n\nCUST_ALL_SCANERR_AS_WARNING<\/td>\n0<\/td>\nOverride any scan error returned by the VSA and treat it as a warning, therefore accepting the file. Effectively, this equals switching the Virus Scan Profile to a “fail-open” configuration. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_CHECK_MIME_TYPE<\/td>\n0<\/td>\nActivate the filtering of files based on MIME types (if provided) and activate the enforcement MIME-type to extension matching.\nOverride with the SCAN-parameter ENFORCE_MIME_EXTENSION_MATCH. Check the “Hierarchical Configurations” section for details on how to fine-tune and layered scan configurations.<\/td>\n<\/tr>\n\nCUST_CLEAN<\/td>\n0<\/td>\nAttempt to clean infected files. This may MODIFY the file and the original content may be lost. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_MIME_TYPES_ARE_BLACKLIST<\/td>\n0<\/td>\nToggles the list of MIME-types in the “MIME-types” folder from “Allowlist” to “Blocklist”<\/td>\n<\/tr>\n\nCUST_NO_SCANINFO<\/td>\n0<\/td>\nInstruct the VSA only to return the blocking verdict, but no details on the scan.<\/td>\n<\/tr>\n\nCUST_NOT_SCANNED_AS_WARNING<\/td>\n0<\/td>\nIn situations where a file cannot be scanned, i.e., due to encryption or password protection, accept the file with a warning instead of blocking it.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.4.<\/span>ODATA Virus Scan<\/span> <\/div><\/h3>
<\/a><\/p>\n\nNOTE:<\/p>\nNot all parameters displayed in the parameter selection are valid in Virus Scanner Groups. Only the INIT*-parameters are relevant. And of those, only the ones below are required\/supported by bowbridge Anti-Virus 4.<\/p>\n\nThe options supported by bowbridge Anti-Virus 4 are:<\/p>\n
NOTE:<\/p>\n
Not all parameters displayed in the parameter selection are valid in Virus Scanner Groups. Only the INIT*-parameters are relevant. And of those, only the ones below are required\/supported by bowbridge Anti-Virus 4.<\/p>\n
The options supported by bowbridge Anti-Virus 4 are:<\/p>\n
Because the initialization parameters defined in the Virus Scanner Group will apply to all hosts and are usually transported to all systems of a system line, one should use paths that exist on all affected instances. If\u00a0 SID-specific paths have to be used,\u00a0 using environment variables, such as $SAPSYSTEMNAME or $HOSTNAME is supported for path and file names. The values will be expanded\/resolved to respective values on each system.<\/p>\n<\/div>
To set up and maintain Scanner Groups, access transaction VSCANGROUP.<\/p>\n
<\/p>\n
SAP VSI supports two types of Virus Scan Providers: <\/span><\/p>\n\nVirus Scan Adapter<\/strong><\/i><\/span><\/li>\nVirus Scan Server<\/strong><\/i><\/span><\/li>\n<\/ul>\nWhile both options are fully supported with Anti-Virus bowbridge and SAP recommend using the Virus Scan Adapter<\/strong> configuration whenever possible because it is more stable, delivers much better performance, and overcomes other limitations of the Virus Scan Server deployment mode. See <\/span>SAP Note 782963 for details.<\/span><\/p>\nIf you have to deploy bowbridge Anti-Virus in the Virus Scan Server model, please contact bowbridge technical support for additional documentation on implementing that configuration. We also encourage looking at the “Scan-Server” deployment model of bowbridge Anti-Virus 4. It combines the advantages of a central scanning server with those of not using RFC to transfer files to be scanned.<\/span><\/p>\n\n <\/p>\n<\/p>\n <\/p>\nUpon creating\/maintaining a Virus Scan Provider, the following parameters must be provided:<\/p>\n\n\n\nParameter Name<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nProvider Type<\/td>\nUse “Adapter” whenever possible<\/td>\n<\/tr>\n\nProvider Name<\/td>\nMust begin with “VSA_”. Using the default works fine.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nThe scanner group this provider is part of<\/td>\n<\/tr>\n\nStatus<\/td>\nControls how the Provider is started. CCMS will periodically check the Provider’s status and attempt to bring\/restore it to the defined status. In most cases, this should be “Active Application-Server”<\/td>\n<\/tr>\n\nServer<\/td>\nThe application server this particular VSA runs on. In SAP systems with multiple instances, one Virus Scan Provider must be maintained for each instance.<\/td>\n<\/tr>\n\nInterval Reinit<\/td>\nSpecifies the interval in which CCMS will attempt to re-initialize the Virus Scan Provider. While not technically needed, a Re-Init refreshes the data displayed in VSCAN. A re-initialization can also be triggered manually by clicking the “Load” button<\/td>\n<\/tr>\n\nAdapter Path<\/td>\nFully qualified path to the libbbAV.so.4 file. Environment variables, such as $SAPSYSTEMNAME or $HOSTNAME are supported in the path parameter and will expand\/resolve to the local value on each instance.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.3.<\/span>Maintaining Virus Scan Profiles<\/span> <\/div><\/h3>Virus Scan Profiles are a set of parameters specifying how a scan will be performed. Their names reference ABAP function modules in which the Virus Scan Profile name is hard-coded. During the execution of such function modules, scans are automatically performed with the profile settings if the respective virus scan profile is marked as “active”. Each profile defines one or more “Steps,” invoking a virus scan provider from a Virus Scanner Group or referencing another Virus Scan Profile.<\/p>\nSince SAP BASIS 757 inactive virus scan profile will result in warning messages (event type “FU0)\u00a0 in the SAP Security Audit Log.<\/p>\nFor example, if the SCET\/GUI_UPLOAD profile is active, then any file upload via SAP GUI will be scanned with the settings of the SCET\/GUI_UPLOAD profile. This is fully transparent to the application using the function module and works without any application changes.<\/p>\nSAP delivers several virus scan profiles, which are mostly empty. In their default configuration, they reference the so-called “Default Profile.”<\/p>\n<\/a><\/p>\nThere are, therefore, two ways to manage Virus Scan Profiles effectively:<\/p>\n\nMaintain the Scan Settings in each relevant profile individually. This approach makes sense for maintaining specific scan settings that vary by function module; for example, if GUI uploads need to be scanned with settings other than HTTP uploads.\nIn this case, uncheck the “Use Reference” checkbox in the Virus Scan Profile and maintain steps, MIME-types, and profile configuration parameters in the Virus Scan Profile<\/li>\nCreate one or a few “reference profiles” with common scan settings and use those as references in the other profiles that need to be activated.\nFor this approach, create new profiles in the Z or Y namespace and maintain the required parameters. For example, administrators could create a Z_BASIC profile for pure virus scanning and a Z_ADVANCED profile containing more advanced filtering, like MIME-type filters and active content detection.\nIf, additionally, one of the reference profiles is marked as “Default,” it would be sufficient to activate any other SAP-delivered profile for it to reference the Default Profile and perform scans with the settings of the Default Profile<\/li>\n<\/ul>\nIn either case, the profiles contain the following parameters:<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Virus Scan Profile”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nScan Profile Name<\/td>\nText<\/td>\nYes<\/td>\nCustom profiles must be in Y or Z namespaces<\/td>\n<\/tr>\n\nProfile Text<\/td>\nText<\/td>\nNo<\/td>\nA free-form descriptive text<\/td>\n<\/tr>\n\nActive<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks the profile as active<\/td>\n<\/tr>\n\nDefault Profile<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks this profile as Default. Note only ONE profile can be marked as Default<\/td>\n<\/tr>\n\nEvaluate Profile Configuration Parameters<\/td>\nCheckbox<\/td>\nNo<\/td>\nActivates the parameters defined in the “Profile Configuration Parameters folder. If parameters are maintained in the Profile Configuration Parameters, and this checkbox is inactive, a warning will be displayed upon saving virus scan profile changes. For example, the SCET\/DP_VS_ENABLED causes this warning in its default, SAP-delivered configuration.<\/p>\n<\/a><\/td>\n<\/tr>\n\nNot relevant for Security Audit Log<\/td>\nCheckbox<\/td>\nNo<\/td>\nSincef SAP BASIS 757, warning messages are written to the security audit log when a file transfer would have been scanned if this profile was active. This checkbox disables the Security Audit Log Messages for this profile.<\/td>\n<\/tr>\n\nUse reference<\/td>\nCheckbox<\/td>\nNo<\/td>\nIf checked, the settings maintained in the profile are ignored, and those maintained in the referenced profile specified are used. If, in turn, no reference profile is specified, the Default Profile is used.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n\n\n\nDialog Structure Folder “Steps”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nPosition<\/td>\nText<\/td>\nYes<\/td>\nNumerical value. Only used to order the steps<\/td>\n<\/tr>\n\nType<\/td>\nSelector<\/td>\nYes<\/td>\nThe type of the reference, Group, or Profile.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nSelector<\/td>\nYes<\/td>\nScanner Group to use in this step (if “Group” is selected for Type)<\/td>\n<\/tr>\n\nVirus Scan Profile<\/td>\nSelector<\/td>\nYes<\/td>\nVirus Scan Profile to use in this step (if “Profile” is selected for Type)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nStep Configuration Parameters apply only to the selected step of the Virus Scan Profile.<\/p>\n\n\n\nDialog Structure Folder “Step Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nBLOCKEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to block (aka “Blocklist”)<\/td>\n<\/tr>\n\nBLOCKMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to block (aka “Blocklist”). Technically identical to specifying a list of MIME-types and setting the Profile Configuration parameter CUST_MIMETYPES_ARE_BLACKLIST<\/td>\n<\/tr>\n\nCLEANQUARANTINE<\/td>\n<\/td>\nKey of the quarantine worker to receive infected objects in a cryptographically protected quarantine ZIP archive<\/td>\n<\/tr>\n\nSCANALLEMBEDDED<\/td>\n1<\/td>\nRecursively scan embedded items, like base64, uuencoded, data-URLs<\/td>\n<\/tr>\n\nSCANALLFILES<\/td>\n1<\/td>\nScan all files, regardless of their type<\/td>\n<\/tr>\n\nSCANBESTEFFORT<\/td>\n1<\/td>\nApply all available scan techniques<\/td>\n<\/tr>\n\nSCANEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to continue processing. Files with extensions NOT on this list will be blocked (“Allowlist”)<\/td>\n<\/tr>\n\nSCANEXTRACT<\/td>\n1<\/td>\nExtract Archives and compressed data files and scan the content (recursively)<\/td>\n<\/tr>\n\nSCANEXTRACT_DEPTH<\/td>\n20<\/td>\nMaximum nesting depth for archives<\/td>\n<\/tr>\n\nSCANLOGPATH<\/td>\n<\/td>\nName of the file to log all scan operations to. Note a SCANLOG_BASEPATH must be configured in \/config\/bb-av-control.cfg<\/em><\/td>\n<\/tr>\n\nSCANMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to continue processing. Files with MIME-types NOT on this list will be blocked (aka “Allowlist”). Technically identical to specifying a list of MIME-types. Because of the length limit of the field, it is better to provide the list line-by-line in the MIME-types folder of the Dialog Structure.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nProfile Configuration Parameters apply to any step of the profile.<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Profile Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nCUST_ACTIVE_CONTENT<\/td>\n0<\/td>\nDetect and block files containing active-content elements. Check the “Hierarchical Configurations” section for details on how to fine-tune what type of content is detected and blocked as active content.<\/td>\n<\/tr>\n\nCUST_ALL_SCANERR_AS_WARNING<\/td>\n0<\/td>\nOverride any scan error returned by the VSA and treat it as a warning, therefore accepting the file. Effectively, this equals switching the Virus Scan Profile to a “fail-open” configuration. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_CHECK_MIME_TYPE<\/td>\n0<\/td>\nActivate the filtering of files based on MIME types (if provided) and activate the enforcement MIME-type to extension matching.\nOverride with the SCAN-parameter ENFORCE_MIME_EXTENSION_MATCH. Check the “Hierarchical Configurations” section for details on how to fine-tune and layered scan configurations.<\/td>\n<\/tr>\n\nCUST_CLEAN<\/td>\n0<\/td>\nAttempt to clean infected files. This may MODIFY the file and the original content may be lost. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_MIME_TYPES_ARE_BLACKLIST<\/td>\n0<\/td>\nToggles the list of MIME-types in the “MIME-types” folder from “Allowlist” to “Blocklist”<\/td>\n<\/tr>\n\nCUST_NO_SCANINFO<\/td>\n0<\/td>\nInstruct the VSA only to return the blocking verdict, but no details on the scan.<\/td>\n<\/tr>\n\nCUST_NOT_SCANNED_AS_WARNING<\/td>\n0<\/td>\nIn situations where a file cannot be scanned, i.e., due to encryption or password protection, accept the file with a warning instead of blocking it.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.4.<\/span>ODATA Virus Scan<\/span> <\/div><\/h3>
While both options are fully supported with Anti-Virus bowbridge and SAP recommend using the Virus Scan Adapter<\/strong> configuration whenever possible because it is more stable, delivers much better performance, and overcomes other limitations of the Virus Scan Server deployment mode. See <\/span>SAP Note 782963 for details.<\/span><\/p>\nIf you have to deploy bowbridge Anti-Virus in the Virus Scan Server model, please contact bowbridge technical support for additional documentation on implementing that configuration. We also encourage looking at the “Scan-Server” deployment model of bowbridge Anti-Virus 4. It combines the advantages of a central scanning server with those of not using RFC to transfer files to be scanned.<\/span><\/p>\n\n <\/p>\n<\/p>\n <\/p>\nUpon creating\/maintaining a Virus Scan Provider, the following parameters must be provided:<\/p>\n\n\n\nParameter Name<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nProvider Type<\/td>\nUse “Adapter” whenever possible<\/td>\n<\/tr>\n\nProvider Name<\/td>\nMust begin with “VSA_”. Using the default works fine.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nThe scanner group this provider is part of<\/td>\n<\/tr>\n\nStatus<\/td>\nControls how the Provider is started. CCMS will periodically check the Provider’s status and attempt to bring\/restore it to the defined status. In most cases, this should be “Active Application-Server”<\/td>\n<\/tr>\n\nServer<\/td>\nThe application server this particular VSA runs on. In SAP systems with multiple instances, one Virus Scan Provider must be maintained for each instance.<\/td>\n<\/tr>\n\nInterval Reinit<\/td>\nSpecifies the interval in which CCMS will attempt to re-initialize the Virus Scan Provider. While not technically needed, a Re-Init refreshes the data displayed in VSCAN. A re-initialization can also be triggered manually by clicking the “Load” button<\/td>\n<\/tr>\n\nAdapter Path<\/td>\nFully qualified path to the libbbAV.so.4 file. Environment variables, such as $SAPSYSTEMNAME or $HOSTNAME are supported in the path parameter and will expand\/resolve to the local value on each instance.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.3.<\/span>Maintaining Virus Scan Profiles<\/span> <\/div><\/h3>Virus Scan Profiles are a set of parameters specifying how a scan will be performed. Their names reference ABAP function modules in which the Virus Scan Profile name is hard-coded. During the execution of such function modules, scans are automatically performed with the profile settings if the respective virus scan profile is marked as “active”. Each profile defines one or more “Steps,” invoking a virus scan provider from a Virus Scanner Group or referencing another Virus Scan Profile.<\/p>\nSince SAP BASIS 757 inactive virus scan profile will result in warning messages (event type “FU0)\u00a0 in the SAP Security Audit Log.<\/p>\nFor example, if the SCET\/GUI_UPLOAD profile is active, then any file upload via SAP GUI will be scanned with the settings of the SCET\/GUI_UPLOAD profile. This is fully transparent to the application using the function module and works without any application changes.<\/p>\nSAP delivers several virus scan profiles, which are mostly empty. In their default configuration, they reference the so-called “Default Profile.”<\/p>\n<\/a><\/p>\nThere are, therefore, two ways to manage Virus Scan Profiles effectively:<\/p>\n\nMaintain the Scan Settings in each relevant profile individually. This approach makes sense for maintaining specific scan settings that vary by function module; for example, if GUI uploads need to be scanned with settings other than HTTP uploads.\nIn this case, uncheck the “Use Reference” checkbox in the Virus Scan Profile and maintain steps, MIME-types, and profile configuration parameters in the Virus Scan Profile<\/li>\nCreate one or a few “reference profiles” with common scan settings and use those as references in the other profiles that need to be activated.\nFor this approach, create new profiles in the Z or Y namespace and maintain the required parameters. For example, administrators could create a Z_BASIC profile for pure virus scanning and a Z_ADVANCED profile containing more advanced filtering, like MIME-type filters and active content detection.\nIf, additionally, one of the reference profiles is marked as “Default,” it would be sufficient to activate any other SAP-delivered profile for it to reference the Default Profile and perform scans with the settings of the Default Profile<\/li>\n<\/ul>\nIn either case, the profiles contain the following parameters:<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Virus Scan Profile”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nScan Profile Name<\/td>\nText<\/td>\nYes<\/td>\nCustom profiles must be in Y or Z namespaces<\/td>\n<\/tr>\n\nProfile Text<\/td>\nText<\/td>\nNo<\/td>\nA free-form descriptive text<\/td>\n<\/tr>\n\nActive<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks the profile as active<\/td>\n<\/tr>\n\nDefault Profile<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks this profile as Default. Note only ONE profile can be marked as Default<\/td>\n<\/tr>\n\nEvaluate Profile Configuration Parameters<\/td>\nCheckbox<\/td>\nNo<\/td>\nActivates the parameters defined in the “Profile Configuration Parameters folder. If parameters are maintained in the Profile Configuration Parameters, and this checkbox is inactive, a warning will be displayed upon saving virus scan profile changes. For example, the SCET\/DP_VS_ENABLED causes this warning in its default, SAP-delivered configuration.<\/p>\n<\/a><\/td>\n<\/tr>\n\nNot relevant for Security Audit Log<\/td>\nCheckbox<\/td>\nNo<\/td>\nSincef SAP BASIS 757, warning messages are written to the security audit log when a file transfer would have been scanned if this profile was active. This checkbox disables the Security Audit Log Messages for this profile.<\/td>\n<\/tr>\n\nUse reference<\/td>\nCheckbox<\/td>\nNo<\/td>\nIf checked, the settings maintained in the profile are ignored, and those maintained in the referenced profile specified are used. If, in turn, no reference profile is specified, the Default Profile is used.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n\n\n\nDialog Structure Folder “Steps”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nPosition<\/td>\nText<\/td>\nYes<\/td>\nNumerical value. Only used to order the steps<\/td>\n<\/tr>\n\nType<\/td>\nSelector<\/td>\nYes<\/td>\nThe type of the reference, Group, or Profile.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nSelector<\/td>\nYes<\/td>\nScanner Group to use in this step (if “Group” is selected for Type)<\/td>\n<\/tr>\n\nVirus Scan Profile<\/td>\nSelector<\/td>\nYes<\/td>\nVirus Scan Profile to use in this step (if “Profile” is selected for Type)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nStep Configuration Parameters apply only to the selected step of the Virus Scan Profile.<\/p>\n\n\n\nDialog Structure Folder “Step Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nBLOCKEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to block (aka “Blocklist”)<\/td>\n<\/tr>\n\nBLOCKMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to block (aka “Blocklist”). Technically identical to specifying a list of MIME-types and setting the Profile Configuration parameter CUST_MIMETYPES_ARE_BLACKLIST<\/td>\n<\/tr>\n\nCLEANQUARANTINE<\/td>\n<\/td>\nKey of the quarantine worker to receive infected objects in a cryptographically protected quarantine ZIP archive<\/td>\n<\/tr>\n\nSCANALLEMBEDDED<\/td>\n1<\/td>\nRecursively scan embedded items, like base64, uuencoded, data-URLs<\/td>\n<\/tr>\n\nSCANALLFILES<\/td>\n1<\/td>\nScan all files, regardless of their type<\/td>\n<\/tr>\n\nSCANBESTEFFORT<\/td>\n1<\/td>\nApply all available scan techniques<\/td>\n<\/tr>\n\nSCANEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to continue processing. Files with extensions NOT on this list will be blocked (“Allowlist”)<\/td>\n<\/tr>\n\nSCANEXTRACT<\/td>\n1<\/td>\nExtract Archives and compressed data files and scan the content (recursively)<\/td>\n<\/tr>\n\nSCANEXTRACT_DEPTH<\/td>\n20<\/td>\nMaximum nesting depth for archives<\/td>\n<\/tr>\n\nSCANLOGPATH<\/td>\n<\/td>\nName of the file to log all scan operations to. Note a SCANLOG_BASEPATH must be configured in \/config\/bb-av-control.cfg<\/em><\/td>\n<\/tr>\n\nSCANMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to continue processing. Files with MIME-types NOT on this list will be blocked (aka “Allowlist”). Technically identical to specifying a list of MIME-types. Because of the length limit of the field, it is better to provide the list line-by-line in the MIME-types folder of the Dialog Structure.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nProfile Configuration Parameters apply to any step of the profile.<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Profile Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nCUST_ACTIVE_CONTENT<\/td>\n0<\/td>\nDetect and block files containing active-content elements. Check the “Hierarchical Configurations” section for details on how to fine-tune what type of content is detected and blocked as active content.<\/td>\n<\/tr>\n\nCUST_ALL_SCANERR_AS_WARNING<\/td>\n0<\/td>\nOverride any scan error returned by the VSA and treat it as a warning, therefore accepting the file. Effectively, this equals switching the Virus Scan Profile to a “fail-open” configuration. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_CHECK_MIME_TYPE<\/td>\n0<\/td>\nActivate the filtering of files based on MIME types (if provided) and activate the enforcement MIME-type to extension matching.\nOverride with the SCAN-parameter ENFORCE_MIME_EXTENSION_MATCH. Check the “Hierarchical Configurations” section for details on how to fine-tune and layered scan configurations.<\/td>\n<\/tr>\n\nCUST_CLEAN<\/td>\n0<\/td>\nAttempt to clean infected files. This may MODIFY the file and the original content may be lost. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_MIME_TYPES_ARE_BLACKLIST<\/td>\n0<\/td>\nToggles the list of MIME-types in the “MIME-types” folder from “Allowlist” to “Blocklist”<\/td>\n<\/tr>\n\nCUST_NO_SCANINFO<\/td>\n0<\/td>\nInstruct the VSA only to return the blocking verdict, but no details on the scan.<\/td>\n<\/tr>\n\nCUST_NOT_SCANNED_AS_WARNING<\/td>\n0<\/td>\nIn situations where a file cannot be scanned, i.e., due to encryption or password protection, accept the file with a warning instead of blocking it.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.4.<\/span>ODATA Virus Scan<\/span> <\/div><\/h3>
If you have to deploy bowbridge Anti-Virus in the Virus Scan Server model, please contact bowbridge technical support for additional documentation on implementing that configuration. We also encourage looking at the “Scan-Server” deployment model of bowbridge Anti-Virus 4. It combines the advantages of a central scanning server with those of not using RFC to transfer files to be scanned.<\/span><\/p>\n\n <\/p>\n<\/p>\n <\/p>\nUpon creating\/maintaining a Virus Scan Provider, the following parameters must be provided:<\/p>\n\n\n\nParameter Name<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nProvider Type<\/td>\nUse “Adapter” whenever possible<\/td>\n<\/tr>\n\nProvider Name<\/td>\nMust begin with “VSA_”. Using the default works fine.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nThe scanner group this provider is part of<\/td>\n<\/tr>\n\nStatus<\/td>\nControls how the Provider is started. CCMS will periodically check the Provider’s status and attempt to bring\/restore it to the defined status. In most cases, this should be “Active Application-Server”<\/td>\n<\/tr>\n\nServer<\/td>\nThe application server this particular VSA runs on. In SAP systems with multiple instances, one Virus Scan Provider must be maintained for each instance.<\/td>\n<\/tr>\n\nInterval Reinit<\/td>\nSpecifies the interval in which CCMS will attempt to re-initialize the Virus Scan Provider. While not technically needed, a Re-Init refreshes the data displayed in VSCAN. A re-initialization can also be triggered manually by clicking the “Load” button<\/td>\n<\/tr>\n\nAdapter Path<\/td>\nFully qualified path to the libbbAV.so.4 file. Environment variables, such as $SAPSYSTEMNAME or $HOSTNAME are supported in the path parameter and will expand\/resolve to the local value on each instance.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.3.<\/span>Maintaining Virus Scan Profiles<\/span> <\/div><\/h3>Virus Scan Profiles are a set of parameters specifying how a scan will be performed. Their names reference ABAP function modules in which the Virus Scan Profile name is hard-coded. During the execution of such function modules, scans are automatically performed with the profile settings if the respective virus scan profile is marked as “active”. Each profile defines one or more “Steps,” invoking a virus scan provider from a Virus Scanner Group or referencing another Virus Scan Profile.<\/p>\nSince SAP BASIS 757 inactive virus scan profile will result in warning messages (event type “FU0)\u00a0 in the SAP Security Audit Log.<\/p>\nFor example, if the SCET\/GUI_UPLOAD profile is active, then any file upload via SAP GUI will be scanned with the settings of the SCET\/GUI_UPLOAD profile. This is fully transparent to the application using the function module and works without any application changes.<\/p>\nSAP delivers several virus scan profiles, which are mostly empty. In their default configuration, they reference the so-called “Default Profile.”<\/p>\n<\/a><\/p>\nThere are, therefore, two ways to manage Virus Scan Profiles effectively:<\/p>\n\nMaintain the Scan Settings in each relevant profile individually. This approach makes sense for maintaining specific scan settings that vary by function module; for example, if GUI uploads need to be scanned with settings other than HTTP uploads.\nIn this case, uncheck the “Use Reference” checkbox in the Virus Scan Profile and maintain steps, MIME-types, and profile configuration parameters in the Virus Scan Profile<\/li>\nCreate one or a few “reference profiles” with common scan settings and use those as references in the other profiles that need to be activated.\nFor this approach, create new profiles in the Z or Y namespace and maintain the required parameters. For example, administrators could create a Z_BASIC profile for pure virus scanning and a Z_ADVANCED profile containing more advanced filtering, like MIME-type filters and active content detection.\nIf, additionally, one of the reference profiles is marked as “Default,” it would be sufficient to activate any other SAP-delivered profile for it to reference the Default Profile and perform scans with the settings of the Default Profile<\/li>\n<\/ul>\nIn either case, the profiles contain the following parameters:<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Virus Scan Profile”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nScan Profile Name<\/td>\nText<\/td>\nYes<\/td>\nCustom profiles must be in Y or Z namespaces<\/td>\n<\/tr>\n\nProfile Text<\/td>\nText<\/td>\nNo<\/td>\nA free-form descriptive text<\/td>\n<\/tr>\n\nActive<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks the profile as active<\/td>\n<\/tr>\n\nDefault Profile<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks this profile as Default. Note only ONE profile can be marked as Default<\/td>\n<\/tr>\n\nEvaluate Profile Configuration Parameters<\/td>\nCheckbox<\/td>\nNo<\/td>\nActivates the parameters defined in the “Profile Configuration Parameters folder. If parameters are maintained in the Profile Configuration Parameters, and this checkbox is inactive, a warning will be displayed upon saving virus scan profile changes. For example, the SCET\/DP_VS_ENABLED causes this warning in its default, SAP-delivered configuration.<\/p>\n<\/a><\/td>\n<\/tr>\n\nNot relevant for Security Audit Log<\/td>\nCheckbox<\/td>\nNo<\/td>\nSincef SAP BASIS 757, warning messages are written to the security audit log when a file transfer would have been scanned if this profile was active. This checkbox disables the Security Audit Log Messages for this profile.<\/td>\n<\/tr>\n\nUse reference<\/td>\nCheckbox<\/td>\nNo<\/td>\nIf checked, the settings maintained in the profile are ignored, and those maintained in the referenced profile specified are used. If, in turn, no reference profile is specified, the Default Profile is used.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n\n\n\nDialog Structure Folder “Steps”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nPosition<\/td>\nText<\/td>\nYes<\/td>\nNumerical value. Only used to order the steps<\/td>\n<\/tr>\n\nType<\/td>\nSelector<\/td>\nYes<\/td>\nThe type of the reference, Group, or Profile.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nSelector<\/td>\nYes<\/td>\nScanner Group to use in this step (if “Group” is selected for Type)<\/td>\n<\/tr>\n\nVirus Scan Profile<\/td>\nSelector<\/td>\nYes<\/td>\nVirus Scan Profile to use in this step (if “Profile” is selected for Type)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nStep Configuration Parameters apply only to the selected step of the Virus Scan Profile.<\/p>\n\n\n\nDialog Structure Folder “Step Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nBLOCKEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to block (aka “Blocklist”)<\/td>\n<\/tr>\n\nBLOCKMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to block (aka “Blocklist”). Technically identical to specifying a list of MIME-types and setting the Profile Configuration parameter CUST_MIMETYPES_ARE_BLACKLIST<\/td>\n<\/tr>\n\nCLEANQUARANTINE<\/td>\n<\/td>\nKey of the quarantine worker to receive infected objects in a cryptographically protected quarantine ZIP archive<\/td>\n<\/tr>\n\nSCANALLEMBEDDED<\/td>\n1<\/td>\nRecursively scan embedded items, like base64, uuencoded, data-URLs<\/td>\n<\/tr>\n\nSCANALLFILES<\/td>\n1<\/td>\nScan all files, regardless of their type<\/td>\n<\/tr>\n\nSCANBESTEFFORT<\/td>\n1<\/td>\nApply all available scan techniques<\/td>\n<\/tr>\n\nSCANEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to continue processing. Files with extensions NOT on this list will be blocked (“Allowlist”)<\/td>\n<\/tr>\n\nSCANEXTRACT<\/td>\n1<\/td>\nExtract Archives and compressed data files and scan the content (recursively)<\/td>\n<\/tr>\n\nSCANEXTRACT_DEPTH<\/td>\n20<\/td>\nMaximum nesting depth for archives<\/td>\n<\/tr>\n\nSCANLOGPATH<\/td>\n<\/td>\nName of the file to log all scan operations to. Note a SCANLOG_BASEPATH must be configured in \/config\/bb-av-control.cfg<\/em><\/td>\n<\/tr>\n\nSCANMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to continue processing. Files with MIME-types NOT on this list will be blocked (aka “Allowlist”). Technically identical to specifying a list of MIME-types. Because of the length limit of the field, it is better to provide the list line-by-line in the MIME-types folder of the Dialog Structure.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nProfile Configuration Parameters apply to any step of the profile.<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Profile Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nCUST_ACTIVE_CONTENT<\/td>\n0<\/td>\nDetect and block files containing active-content elements. Check the “Hierarchical Configurations” section for details on how to fine-tune what type of content is detected and blocked as active content.<\/td>\n<\/tr>\n\nCUST_ALL_SCANERR_AS_WARNING<\/td>\n0<\/td>\nOverride any scan error returned by the VSA and treat it as a warning, therefore accepting the file. Effectively, this equals switching the Virus Scan Profile to a “fail-open” configuration. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_CHECK_MIME_TYPE<\/td>\n0<\/td>\nActivate the filtering of files based on MIME types (if provided) and activate the enforcement MIME-type to extension matching.\nOverride with the SCAN-parameter ENFORCE_MIME_EXTENSION_MATCH. Check the “Hierarchical Configurations” section for details on how to fine-tune and layered scan configurations.<\/td>\n<\/tr>\n\nCUST_CLEAN<\/td>\n0<\/td>\nAttempt to clean infected files. This may MODIFY the file and the original content may be lost. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_MIME_TYPES_ARE_BLACKLIST<\/td>\n0<\/td>\nToggles the list of MIME-types in the “MIME-types” folder from “Allowlist” to “Blocklist”<\/td>\n<\/tr>\n\nCUST_NO_SCANINFO<\/td>\n0<\/td>\nInstruct the VSA only to return the blocking verdict, but no details on the scan.<\/td>\n<\/tr>\n\nCUST_NOT_SCANNED_AS_WARNING<\/td>\n0<\/td>\nIn situations where a file cannot be scanned, i.e., due to encryption or password protection, accept the file with a warning instead of blocking it.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.4.<\/span>ODATA Virus Scan<\/span> <\/div><\/h3>
Upon creating\/maintaining a Virus Scan Provider, the following parameters must be provided:<\/p>\n
Virus Scan Profiles are a set of parameters specifying how a scan will be performed. Their names reference ABAP function modules in which the Virus Scan Profile name is hard-coded. During the execution of such function modules, scans are automatically performed with the profile settings if the respective virus scan profile is marked as “active”. Each profile defines one or more “Steps,” invoking a virus scan provider from a Virus Scanner Group or referencing another Virus Scan Profile.<\/p>\n
Since SAP BASIS 757 inactive virus scan profile will result in warning messages (event type “FU0)\u00a0 in the SAP Security Audit Log.<\/p>\n
For example, if the SCET\/GUI_UPLOAD profile is active, then any file upload via SAP GUI will be scanned with the settings of the SCET\/GUI_UPLOAD profile. This is fully transparent to the application using the function module and works without any application changes.<\/p>\n
SAP delivers several virus scan profiles, which are mostly empty. In their default configuration, they reference the so-called “Default Profile.”<\/p>\n
<\/a><\/p>\nThere are, therefore, two ways to manage Virus Scan Profiles effectively:<\/p>\n\nMaintain the Scan Settings in each relevant profile individually. This approach makes sense for maintaining specific scan settings that vary by function module; for example, if GUI uploads need to be scanned with settings other than HTTP uploads.\nIn this case, uncheck the “Use Reference” checkbox in the Virus Scan Profile and maintain steps, MIME-types, and profile configuration parameters in the Virus Scan Profile<\/li>\nCreate one or a few “reference profiles” with common scan settings and use those as references in the other profiles that need to be activated.\nFor this approach, create new profiles in the Z or Y namespace and maintain the required parameters. For example, administrators could create a Z_BASIC profile for pure virus scanning and a Z_ADVANCED profile containing more advanced filtering, like MIME-type filters and active content detection.\nIf, additionally, one of the reference profiles is marked as “Default,” it would be sufficient to activate any other SAP-delivered profile for it to reference the Default Profile and perform scans with the settings of the Default Profile<\/li>\n<\/ul>\nIn either case, the profiles contain the following parameters:<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Virus Scan Profile”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nScan Profile Name<\/td>\nText<\/td>\nYes<\/td>\nCustom profiles must be in Y or Z namespaces<\/td>\n<\/tr>\n\nProfile Text<\/td>\nText<\/td>\nNo<\/td>\nA free-form descriptive text<\/td>\n<\/tr>\n\nActive<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks the profile as active<\/td>\n<\/tr>\n\nDefault Profile<\/td>\nCheckbox<\/td>\nNo<\/td>\nMarks this profile as Default. Note only ONE profile can be marked as Default<\/td>\n<\/tr>\n\nEvaluate Profile Configuration Parameters<\/td>\nCheckbox<\/td>\nNo<\/td>\nActivates the parameters defined in the “Profile Configuration Parameters folder. If parameters are maintained in the Profile Configuration Parameters, and this checkbox is inactive, a warning will be displayed upon saving virus scan profile changes. For example, the SCET\/DP_VS_ENABLED causes this warning in its default, SAP-delivered configuration.<\/p>\n<\/a><\/td>\n<\/tr>\n\nNot relevant for Security Audit Log<\/td>\nCheckbox<\/td>\nNo<\/td>\nSincef SAP BASIS 757, warning messages are written to the security audit log when a file transfer would have been scanned if this profile was active. This checkbox disables the Security Audit Log Messages for this profile.<\/td>\n<\/tr>\n\nUse reference<\/td>\nCheckbox<\/td>\nNo<\/td>\nIf checked, the settings maintained in the profile are ignored, and those maintained in the referenced profile specified are used. If, in turn, no reference profile is specified, the Default Profile is used.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n\n\n\nDialog Structure Folder “Steps”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nPosition<\/td>\nText<\/td>\nYes<\/td>\nNumerical value. Only used to order the steps<\/td>\n<\/tr>\n\nType<\/td>\nSelector<\/td>\nYes<\/td>\nThe type of the reference, Group, or Profile.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nSelector<\/td>\nYes<\/td>\nScanner Group to use in this step (if “Group” is selected for Type)<\/td>\n<\/tr>\n\nVirus Scan Profile<\/td>\nSelector<\/td>\nYes<\/td>\nVirus Scan Profile to use in this step (if “Profile” is selected for Type)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nStep Configuration Parameters apply only to the selected step of the Virus Scan Profile.<\/p>\n\n\n\nDialog Structure Folder “Step Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nBLOCKEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to block (aka “Blocklist”)<\/td>\n<\/tr>\n\nBLOCKMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to block (aka “Blocklist”). Technically identical to specifying a list of MIME-types and setting the Profile Configuration parameter CUST_MIMETYPES_ARE_BLACKLIST<\/td>\n<\/tr>\n\nCLEANQUARANTINE<\/td>\n<\/td>\nKey of the quarantine worker to receive infected objects in a cryptographically protected quarantine ZIP archive<\/td>\n<\/tr>\n\nSCANALLEMBEDDED<\/td>\n1<\/td>\nRecursively scan embedded items, like base64, uuencoded, data-URLs<\/td>\n<\/tr>\n\nSCANALLFILES<\/td>\n1<\/td>\nScan all files, regardless of their type<\/td>\n<\/tr>\n\nSCANBESTEFFORT<\/td>\n1<\/td>\nApply all available scan techniques<\/td>\n<\/tr>\n\nSCANEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to continue processing. Files with extensions NOT on this list will be blocked (“Allowlist”)<\/td>\n<\/tr>\n\nSCANEXTRACT<\/td>\n1<\/td>\nExtract Archives and compressed data files and scan the content (recursively)<\/td>\n<\/tr>\n\nSCANEXTRACT_DEPTH<\/td>\n20<\/td>\nMaximum nesting depth for archives<\/td>\n<\/tr>\n\nSCANLOGPATH<\/td>\n<\/td>\nName of the file to log all scan operations to. Note a SCANLOG_BASEPATH must be configured in \/config\/bb-av-control.cfg<\/em><\/td>\n<\/tr>\n\nSCANMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to continue processing. Files with MIME-types NOT on this list will be blocked (aka “Allowlist”). Technically identical to specifying a list of MIME-types. Because of the length limit of the field, it is better to provide the list line-by-line in the MIME-types folder of the Dialog Structure.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nProfile Configuration Parameters apply to any step of the profile.<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Profile Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nCUST_ACTIVE_CONTENT<\/td>\n0<\/td>\nDetect and block files containing active-content elements. Check the “Hierarchical Configurations” section for details on how to fine-tune what type of content is detected and blocked as active content.<\/td>\n<\/tr>\n\nCUST_ALL_SCANERR_AS_WARNING<\/td>\n0<\/td>\nOverride any scan error returned by the VSA and treat it as a warning, therefore accepting the file. Effectively, this equals switching the Virus Scan Profile to a “fail-open” configuration. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_CHECK_MIME_TYPE<\/td>\n0<\/td>\nActivate the filtering of files based on MIME types (if provided) and activate the enforcement MIME-type to extension matching.\nOverride with the SCAN-parameter ENFORCE_MIME_EXTENSION_MATCH. Check the “Hierarchical Configurations” section for details on how to fine-tune and layered scan configurations.<\/td>\n<\/tr>\n\nCUST_CLEAN<\/td>\n0<\/td>\nAttempt to clean infected files. This may MODIFY the file and the original content may be lost. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_MIME_TYPES_ARE_BLACKLIST<\/td>\n0<\/td>\nToggles the list of MIME-types in the “MIME-types” folder from “Allowlist” to “Blocklist”<\/td>\n<\/tr>\n\nCUST_NO_SCANINFO<\/td>\n0<\/td>\nInstruct the VSA only to return the blocking verdict, but no details on the scan.<\/td>\n<\/tr>\n\nCUST_NOT_SCANNED_AS_WARNING<\/td>\n0<\/td>\nIn situations where a file cannot be scanned, i.e., due to encryption or password protection, accept the file with a warning instead of blocking it.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.4.<\/span>ODATA Virus Scan<\/span> <\/div><\/h3>
There are, therefore, two ways to manage Virus Scan Profiles effectively:<\/p>\n
In either case, the profiles contain the following parameters:<\/p>\n
<\/a><\/td>\n<\/tr>\n\nNot relevant for Security Audit Log<\/td>\nCheckbox<\/td>\nNo<\/td>\nSincef SAP BASIS 757, warning messages are written to the security audit log when a file transfer would have been scanned if this profile was active. This checkbox disables the Security Audit Log Messages for this profile.<\/td>\n<\/tr>\n\nUse reference<\/td>\nCheckbox<\/td>\nNo<\/td>\nIf checked, the settings maintained in the profile are ignored, and those maintained in the referenced profile specified are used. If, in turn, no reference profile is specified, the Default Profile is used.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n\n\n\nDialog Structure Folder “Steps”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nType<\/strong><\/td>\nRequired?<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nPosition<\/td>\nText<\/td>\nYes<\/td>\nNumerical value. Only used to order the steps<\/td>\n<\/tr>\n\nType<\/td>\nSelector<\/td>\nYes<\/td>\nThe type of the reference, Group, or Profile.<\/td>\n<\/tr>\n\nScanner Group<\/td>\nSelector<\/td>\nYes<\/td>\nScanner Group to use in this step (if “Group” is selected for Type)<\/td>\n<\/tr>\n\nVirus Scan Profile<\/td>\nSelector<\/td>\nYes<\/td>\nVirus Scan Profile to use in this step (if “Profile” is selected for Type)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nStep Configuration Parameters apply only to the selected step of the Virus Scan Profile.<\/p>\n\n\n\nDialog Structure Folder “Step Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nBLOCKEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to block (aka “Blocklist”)<\/td>\n<\/tr>\n\nBLOCKMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to block (aka “Blocklist”). Technically identical to specifying a list of MIME-types and setting the Profile Configuration parameter CUST_MIMETYPES_ARE_BLACKLIST<\/td>\n<\/tr>\n\nCLEANQUARANTINE<\/td>\n<\/td>\nKey of the quarantine worker to receive infected objects in a cryptographically protected quarantine ZIP archive<\/td>\n<\/tr>\n\nSCANALLEMBEDDED<\/td>\n1<\/td>\nRecursively scan embedded items, like base64, uuencoded, data-URLs<\/td>\n<\/tr>\n\nSCANALLFILES<\/td>\n1<\/td>\nScan all files, regardless of their type<\/td>\n<\/tr>\n\nSCANBESTEFFORT<\/td>\n1<\/td>\nApply all available scan techniques<\/td>\n<\/tr>\n\nSCANEXTENSIONS<\/td>\n<\/td>\nA semicolon-separated list of file extensions to continue processing. Files with extensions NOT on this list will be blocked (“Allowlist”)<\/td>\n<\/tr>\n\nSCANEXTRACT<\/td>\n1<\/td>\nExtract Archives and compressed data files and scan the content (recursively)<\/td>\n<\/tr>\n\nSCANEXTRACT_DEPTH<\/td>\n20<\/td>\nMaximum nesting depth for archives<\/td>\n<\/tr>\n\nSCANLOGPATH<\/td>\n<\/td>\nName of the file to log all scan operations to. Note a SCANLOG_BASEPATH must be configured in \/config\/bb-av-control.cfg<\/em><\/td>\n<\/tr>\n\nSCANMIMETYPES<\/td>\n<\/td>\nA semicolon-separated list of MIME-types to continue processing. Files with MIME-types NOT on this list will be blocked (aka “Allowlist”). Technically identical to specifying a list of MIME-types. Because of the length limit of the field, it is better to provide the list line-by-line in the MIME-types folder of the Dialog Structure.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\nProfile Configuration Parameters apply to any step of the profile.<\/p>\n <\/p>\n\n\n\nDialog Structure Folder “Profile Configuration Parameters”<\/td>\n<\/tr>\n\nParameter Name<\/strong><\/td>\nDefault value<\/strong><\/td>\nNotes<\/strong><\/td>\n<\/tr>\n\nCUST_ACTIVE_CONTENT<\/td>\n0<\/td>\nDetect and block files containing active-content elements. Check the “Hierarchical Configurations” section for details on how to fine-tune what type of content is detected and blocked as active content.<\/td>\n<\/tr>\n\nCUST_ALL_SCANERR_AS_WARNING<\/td>\n0<\/td>\nOverride any scan error returned by the VSA and treat it as a warning, therefore accepting the file. Effectively, this equals switching the Virus Scan Profile to a “fail-open” configuration. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_CHECK_MIME_TYPE<\/td>\n0<\/td>\nActivate the filtering of files based on MIME types (if provided) and activate the enforcement MIME-type to extension matching.\nOverride with the SCAN-parameter ENFORCE_MIME_EXTENSION_MATCH. Check the “Hierarchical Configurations” section for details on how to fine-tune and layered scan configurations.<\/td>\n<\/tr>\n\nCUST_CLEAN<\/td>\n0<\/td>\nAttempt to clean infected files. This may MODIFY the file and the original content may be lost. Use with caution!<\/strong><\/td>\n<\/tr>\n\nCUST_MIME_TYPES_ARE_BLACKLIST<\/td>\n0<\/td>\nToggles the list of MIME-types in the “MIME-types” folder from “Allowlist” to “Blocklist”<\/td>\n<\/tr>\n\nCUST_NO_SCANINFO<\/td>\n0<\/td>\nInstruct the VSA only to return the blocking verdict, but no details on the scan.<\/td>\n<\/tr>\n\nCUST_NOT_SCANNED_AS_WARNING<\/td>\n0<\/td>\nIn situations where a file cannot be scanned, i.e., due to encryption or password protection, accept the file with a warning instead of blocking it.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n<\/div>\n\t\t\t\t\t<\/div><\/div><\/div><\/div><\/div> 2.4.<\/span>ODATA Virus Scan<\/span> <\/div><\/h3>
Step Configuration Parameters apply only to the selected step of the Virus Scan Profile.<\/p>\n
Profile Configuration Parameters apply to any step of the profile.<\/p>\n