The Scanner feature enables you to protect your SAP deployments using Server & Workload Protection, helping to secure critical information
from attack, including a wide variety of threats such as malware, cross-site
scripting and SQL injection. Server & Workload Protection scans
content uploaded to the SAP NetWeaver technology platform to determine its true
type
and reports this to SAP systems via the NetWeaver-VSI interface. Content scanning
protects against possible malicious script content that might be embedded or
disguised inside documents. SAP administrators can then set policy according to
which document types should be allowed.
NoteScanner is not supported on computers with a relay-enabled agent.
|
How it works
- SAP customer environments are secured through the SAP Virus Scan Interface (VSI), the security component of the SAP NetWeaver platform. The VSI is used to secure all forms of customer content including documents, embedded images, and active content including JavaScript and scripts in PDF and Office documents. The Scanner feature works seamlessly with SAP NetWeaver technology and the SAP HANA® platform.
- The Server & Workload Protection Scanner feature scans the content uploaded to the SAP NetWeaver technology platform to determine its true type and reports this to SAP systems via the NetWeaver VSI interface. Content scanning protects against possible malicious script content that might be embedded or disguised inside documents.
- SAP administrators can then set policy according to which actual document types should be allowed.
Server & Workload Protection and SAP components
Server & Workload Protection connects with the agent located on the
SAP NetWeaver server. The agent connects with libsapvsa or dsvsa.dll, which are
the
virus adapters provided by Trend Micro for scanning purposes.
The components involved in this solution are:
- Server & Workload Protection: The centralized web-based management console that administrators use to configure security policy and deploy protection to the agent.
- Agent: A security agent deployed directly on a computer. The nature of that protection depends on the rules and security settings that each agent receives from Server & Workload Protection.
- SAP NetWeaver: SAP integrated technology computing platform. The SAP NetWeaver Virus Scan Interface (NW-VSI) provides virus scanning capabilities for third-party products that perform the actual scan. The NW-VSI interface must be activated.
- SAP NetWeaver ABAP WinGUI: A Windows management console used for SAP NetWeaver. In this document, it is used for the configuration of the agent and the SAP NetWeaver Virus Scan Interface.
Set up the integration between Server & Workload Protection Scanner and SAP NetWeaver
-
Check the Supported features by platform page to see which operating systems support the Scanner feature.
-
Install the agent on an SAP application server that's running one of the supported operating systems. See Install the agent.
-
Add the SAP server to Server & Workload Protection and activate the agent on the SAP server. See Add the SAP server to Server & Workload Protection and activate the agent.
-
Open the computer or policy editor and go to.
-
Enable the SAP integration. See Assign a security profile.
-
Configure the SAP Virus Scan Interface (VSI) by calling the following transactions. See Configure SAP to use the agent:
-
VSCANGROUP
-
VSCAN
-
VSCANPROFILE
-
VSCANTEST
-
NoteDepending on your operating system and environment, the output that you see may
differ slightly from what is shown in this article.
|
Install the agent
The agent is installed with core agent functionality only. After the agent is
installed on SUSE Linux Enterprise Server or Red Hat Enterprise Linux, you can
enable protection modules on the agent. At that point, the plug-ins required for
the
protection modules will be downloaded and installed.
-
Go to the Deep Security software download page and download the agent package for your OS.
-
Install the agent on the target system. You can use rpm or zypper, depending on the OS. In this example, rpm is used by typing:
rpm -ihv Agent-Core-SuSE_<version>.x86_64.rpm
-
You should see output similar to what's shown in this example, which indicates that the agent installation is complete:
TipYou can also deploy the agent using a deployment script generated
from Server & Workload Protection.
|
The agent is now installed on the SAP server but no protection modules are active.
To
enable protection, you need to add the SAP server to Server & Workload Protection.
Add the SAP server to Server & Workload Protection and activate the agent
To add the SAP server, open the Server & Workload Protection console
and on the Computers tab, click New. There are several
ways to add the server, including synchronization with Microsoft Active Directory,
VMware vCenter, Amazon Web Services, or Microsoft Azure. You can also add the
computer using an FQDN or IP address. For detailed instructions, see About adding
computers.
The status of your instance will be either Unmanaged (Activation
Required) or Unmanaged (Unknown). Next, you will need to
activate the agent before Server & Workload Protection can assign
rules and policies to protect the computer. The activation process includes the
exchange of unique fingerprints between the agent and Server & Workload Protection. There are two ways to activate the
agent: agent-initiated or manager-initiated.
Manager-initiated activation: This method requires that Server & Workload Protection (the manager) can connect to the FQDN
or the IP of the agent via the agent's listening port number for heartbeats. This can sometimes be
difficult due to NAT port forwarding, firewall, or AWS security groups. To perform
manager-initiated activation, go to the Computers tab in the Server & Workload Protection console, right-click the instance where
the agent is installed and click . If you use manager-initiated activation, we strongly recommend you
also Protect the agent from unauthorized managers.
Agent-initiated activation: The agent-initiated method requires that the
agent can connect to Server & Workload Protection.
You will also need to enable agent-initiated activation from the Server & Workload Protection console, by clicking and selecting Allow Agent-Initiated Activation.
Next, use a locally-run command-line tool on the agent to initiate the activation
process. The minimum activation instruction contains the activation command and
the
Server & Workload Protection URL (including the port
number):
dsa_control -a dsm://[managerurl]:[port]/
where:
-a
is the command to activate the agent, anddsm://managerurl:443/
is the parameter that points the agent to Server & Workload Protection. ("managerurl" is the URL of Server & Workload Protection, and "443" is the default agent-to-manager communication port.)
The manager URL is the only required parameter for the activation command. Additional
parameters are also available. (For a list of available parameters, see Command-line basics.)
To confirm the activation:
- In the Server & Workload Protection console, go to the Computers tab.
- Click the computer name and then click Details and check that the computer's status is "Managed".
Assign a security profile
At this point, the status of the agent is Managed (Online) but there is
no protection module installed. This means that the agent and Server & Workload Protection are communicating but the agent is not
using any configuration.
There are several ways to apply protection. In this example, the configuration is
done directly on the SAP instance by activating anti-malware and SAP and assigning
the default Scan Configurations.
-
In the Computer or Policy editor, go to.
-
In the Anti-Malware section, set Configuration to On (or Inherited On) and then click Save.
-
In the Real-Time Scan, Manual Scan, or Scheduled Scan sections, set the Malware Scan Configuration and Schedule, or allow those settings to be inherited from the parent policy.
-
Click Save. The status of the anti-malware module changes to Off, installation pending. This means that the agent is retrieving the required module from Server & Workload Protection. For this to work, the client needs to access the Relay on the relay's listening port number. A few moments later, the agent should start downloading security updates such as anti-malware patterns and scan engines.
-
In the Computer editor, go to.
-
In the SAP section, set Configuration to On (or Inherited On) and then click Save.
After status of the agent changes to Managed (Online) again and the
anti-malware and Scanner (SAP) modules are On, you can proceed with the
SAP configuration.
Configure SAP to use the agent
The agent is now up and running and is able to scan the file system of its operating
system. Next, we need to make the agent aware of the SAP application server. To
use
this, we must create a virus scan adapter inside the application server. The virus
scan adapter must be part of a group. After the virus scan adapter and virus scan
group are created, we can use virus scan profiles to configure what to scan and
how
to behave.
These are the required steps:
- Configure the Trend Micro scanner group
- Configure the Trend Micro virus scan provider
- Configure the Trend Micro virus scan profile
- Test the virus scan interface
NoteThe virus scan group and the virus scan adapter are both global configurations
(client 00). The virus scan profile must be configured in each tenant (client
01, 02, etc.).
|
Configure the Trend Micro scanner group
-
In the SAP WinGUI, run the VSCANGROUP transaction. In Edit mode, click New Entries.
-
Create a new scanner group, specifying a group name in the Scanner Group area and a description of the scanner group in the Group Text area.
-
Click the Save icon or leave the edit mode.A dialog box named "Prompt for Workbench request" will appear. In the example shown below, a new workbench request is created to keep track of all the VSI-related changes:
The next step is the actual configuration of the VSI integration. It is called a
Virus Scan Adapter.
Configure the Trend Micro virus scan provider
-
In the SAP WinGUI, run the VSCAN transaction. In Edit mode, click New Entries.
-
Enter a configuration for a VSI-certified solution.In the example below, the following configuration parameters are set:SettingValueDescriptionProvider TypeADAPTER (Virus Scan Adapter)Automatically set (default)Provider NameVSA_<host name>Automatically set, serves as aliasScanner GroupSelect the group that you configured earlierAll previously created scanner groups, which you can display using the input helpStatusActive (Application Server)Automatically set (default)Servernplhost_NPL_42Automatically set, hostnameReinit. Interv.8 HoursSpecifies the number of hours after which the Virus Scan Adapter will be reinitialized and load new virus definitions.Adapter Path (Linux)/lib64/libsapvsa.soDefault pathAdapter Path (Windows)C:\Program Files\Trend Micro\Deep Security Agent\lib\dsvsa.dllDefault path
-
Click the Save icon or leave the edit mode.A prompt to pack this into a workbench request appears.
-
Confirm the request, then click the Start button.The Status light turns green, which means the adapter is loaded and active.
At this point, the VSI configuration is nearly finished. The application server is
now ready to process file transactions using a virus scan provided by Trend
Micro.
Configure the Trend Micro virus scan profile
-
In the SAP WinGUI, run the VSCANPROFILE transaction, then select the SAP operation that requires virus scan.For example, check the "Active" checkbox for /SCET/GUI_UPLOAD or /SCET/GUI_DOWNLOAD and then click the Save icon.
-
In Edit mode, click New Entries.The virus scan profiles will define how specific transactions (file uploads, file downloads, etc.) are handled corresponding to the virus scan interface. To use the previously configured virus scan adapter in the application server, you need to create a new virus scan profile:
-
In the Scan Profile box, enter "Z_TMProfile" and select the Active, Default Profile, and Evaluate Profile Configuration Param check boxes.
-
While still in edit mode, double-click the Steps folder to configure the steps:
-
Click New Entries.The steps define what to do when the profile is called by a transaction.
-
Set the Position to "0", Type to "Group" and the Scanner Group to the name of the group that you configured earlier.
-
Click the Save icon or leave the edit mode.A notification will (eventually) appear about an existing virus scan profile, /SCET/DP_VS_ENABLED.
-
Ignore the notification about an existing profile because the profile is not active and is not used.After confirming this notification, you will be asked to pack this configuration in a "customization request". Creating a new request will help keep track of the changes that have been made:
-
To create configuration parameters for a step, double-click the Profile Configuration Parameters folder, then click New Entries and set the parameters:ParameterTypeDescriptionCUST_ACTIVE_CONTENTBOOLCheck whether a file contains script (JavaScript, PHP, or ASP script) and blockCUST_CHECK_MIME_TYPEBOOL
Check whether the file extension name matches its MIME type. If they do not match, the file will be blocked. All MIME types and extension names can be exactly matched. For example: - Word files must be .doc or .dot
- JPEG files must be .jpg
- Text and binary files could be any extension (won’t block)
See Supported MIME types. -
Double-click the Step Configuration Parameters folder. Click New Entries and set the parameters:ParameterTypeDescriptionDefault (Linux)Default (Windows)SCANBESTEFFORTBOOLThe scan should be performed on the "best effort" basis; that is, all (security critical) flags that allow a VSA to scan an object should be activated, such as SCANALLFILES and SCANEXTRACT, but also internal flags. Details about exactly which flags these are can be stored in the certification.(not set)(not set)SCANALLFILESBOOLScans for all files regardless of their file extension.disableddisabledSCANEXTENSIONSCHARList of the file extensions for which the VSA should scan. Only files with the configured extensions will be checked. Other extensions are blocked. Wildcards can also be used here to search for patterns. \* stands for this location and following and ? stands for only this character. For example, exe;com;do?;ht* => \`\*\` means to scan all files.null""SCANLIMITINTThis setting applies to compressed files. It specifies the maximum number of files that will be unpacked and scanned.INT_MAX65535SCANEXTRACTBOOLArchives or compressed objects are to be unpackedenabledenabledSCANEXTRACT_SIZESIZE_TMaximum unpack size0x7FFFFFFF62914560 (60 MB)SCANEXTRACT_DEPTHINTMaximum depth to which an object is to be unpacked.2020SCANMIMETYPESCHARList of the MIME types to be scanned for. Only files with configured MIME types will be checked. Other MIME types are blocked. This parameter works only if CUST_CHECK_MIME_TYPE is enabled.(not set)(not set)BLOCKMIMETYPESCHARList of MIME types that will be blocked. This parameter works only if CUST_CHECK_MIME_TYPE is enabled.(not set)(not set)BLOCKEXTENSIONSCHARList of file extensions that will be blocked.(not set)(not set)
This configuration is per-client, so it must be done in each tenant of the SAP
application server.
Test the virus scan interface
-
In the SAP WinGUI, run the VSCANTEST transaction.Every VSI-aware SAP application server also has a built-in test to check whether the configuration steps were done correctly. For this, an EICAR test virus (www.eicar.org) is packed in a transaction that can call a specific scanner.
-
Not filling in anything will call the default profile, which was configured in the last step, so do not fill in anything.
-
Click Execute.A notification appears that explains what an EICAR test virus is.
-
Confirm the notification.The transaction is intercepted:
Infections shows information about the detected malware.
Content Information shows the correct MIME-type of the file.
The file name is always a randomly generated 7-letter alphabetic string followed by
the virus scan profile name.
After this, there is an output about each step of the transaction:
- The transaction called the default virus scan profile, which is the virus scan profile Z_TMPROFILE.
- The virus scan profile Z_TMPROFILE is configured to call an adapter from the virus scan group Z_TMGROUP.
- The virus scan group Z_TMGROUP has multiple adapters configured and calls one of them (in this case, VSA_NPLHOST).
- The virus scan adapter returns value 2-, which means a virus was found.
- Information about the detected malware is displayed by showing Eicar_test_1 and the file object /tmp/ zUeEbZZ_TMPROFILE.
- The called default virus scan profile Z_TMPROFILE fails because step 00 (the virus scan group) was not successful and therefore the file transaction is stopped from further processing.
For a cross-check, there is also information about this "malware" event in
the Server & Workload Protection console. To see the event, open the
Computer editor and click .
Supported MIME types
The MIME types supported by the Scanner vary depending on which version of the agent
you are using.
- Agent version 9.6 uses VSAPI 9.85
- Agent version 10.0 uses ATSE 9.861
- Agent version 10.1 uses ATSE 9.862
- Agent version 10.2, 10.3, 11.0, 11.1, and 11.2 uses ATSE 10.000
- Agent version 11.3 and higher uses ATSE 11.0.000
MIME Type
|
Description
|
Extension
|
Supported in 9.6 Agent
|
Supported in 10.0 Agent
|
Supported in 10.1 Agent or higher
|
application/octet-stream
|
|
*
|
Yes
|
Yes
|
Yes
|
application/com
|
COM File
|
com
|
Yes
|
Yes
|
Yes
|
application/ecmascript
|
EMCScript File
|
es
|
Yes
|
Yes
|
Yes
|
application/hta
|
HTA File
|
hta
|
Yes
|
Yes
|
Yes
|
application/java-archive
|
Java Archive (JAR) file
|
jar
|
Yes
|
Yes
|
Yes
|
application/javascript
|
Javascript File
|
js, jsxinc, jsx
|
Yes
|
Yes
|
Yes
|
application/msword
|
Word for Windows
|
doc, dot
|
Yes
|
Yes
|
Yes
|
application/vnd.ms-access
|
MS Access
|
mdb
|
No
|
No
|
No
|
application/vnd.ms-project
|
MS Project
|
mpp
|
No
|
No
|
No
|
application/msword
|
MS Word
|
doc, dot
|
Yes
|
Yes
|
Yes
|
application/octet-stream
|
COM File
|
com
|
Yes
|
Yes
|
Yes
|
application/octet-stream
|
EXE File
|
exe
|
Yes
|
Yes
|
Yes
|
application/pdf
|
Adobe Portable Document Format file
|
pdf
|
Yes
|
Yes
|
Yes
|
application/postscript
|
Postscript
|
ai
|
Yes
|
Yes
|
Yes
|
application/postscript
|
Postscript
|
ps
|
Yes
|
Yes
|
Yes
|
application/postscript
|
Postscript
|
ps
|
Yes
|
Yes
|
Yes
|
application/rar
|
RAR File
|
rar
|
Yes
|
Yes
|
Yes
|
application/rtf
|
Microsoft RTF
|
rtf
|
Yes
|
Yes
|
Yes
|
application/sar
|
Sar File
|
sar
|
Yes
|
Yes
|
Yes
|
application/vnd.ms-excel
|
Excel for Windows
|
xls, xlt, xla
|
Yes
|
Yes
|
Yes
|
application/vnd.ms-outlook
|
Outlook for Windows
|
msg
|
No
|
Yes
|
Yes
|
application/vnd.ms-powerpoint
|
Windows PowerPoint
|
ppt, pot, pps, ppa
|
Yes
|
Yes
|
Yes
|
application/vnd.ms-publisher
|
MS Publisher
|
pub
|
No
|
No
|
Yes
|
application/vnd.oasis.opendocument
|
Open Document
|
odf
|
Yes
|
Yes
|
Yes
|
application/vnd.openxmlformats-officedocument.presentationml.presentation
|
MS Office File
|
pptx, potx, ppsx, ppam, pptm, potm, ppsm
|
Yes
|
Yes
|
Yes
|
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
|
MS Office File
|
xlsx, xltx, xlsm, xltm, xlam, xlsb
|
Yes
|
Yes
|
Yes
|
application/vnd.openxmlformats-officedocument.wordprocessingml.document
|
MS Office File
|
docx, dotx, docm, dotm
|
Yes
|
Yes
|
Yes
|
application/vnd.rn-realmedia
|
Real Media
|
rm
|
Yes
|
Yes
|
Yes
|
application/wordperfect
|
WOrdPerfect
|
wp, wp5, wp6, wpd, w60, w61
|
Yes
|
Yes
|
Yes
|
application/x-alf
|
|
alf
|
Yes
|
Yes
|
Yes
|
application/x-arc-compressed
|
ARC File
|
arc
|
Yes
|
Yes
|
Yes
|
application/x-bzip2
|
bZIP File
|
*
|
Yes
|
Yes
|
Yes
|
application/x-cpio
|
CPIO File
|
*
|
Yes
|
Yes
|
Yes
|
application/x-director
|
Macromedia Director Shockwave Movie
|
dcr
|
Yes
|
Yes
|
Yes
|
application/x-gzip
|
Gzip
|
*
|
Yes
|
Yes
|
Yes
|
application/xhtml+xml
|
XHTML
|
dhtm, dhtml, htm, html, htx, sht, shtm, shtml, stml, xht,
xhtm, xhtml, xml, txt
|
Yes
|
Yes
|
Yes
|
application/x-java-class
|
JAVA Applet
|
class
|
Yes
|
Yes
|
Yes
|
application/x-kep
|
|
kep
|
Yes
|
Yes
|
Yes
|
application/x-otf
|
|
otf
|
Yes
|
Yes
|
Yes
|
application/x-sapshortcut
|
|
sap, sapc
|
Yes
|
Yes
|
Yes
|
application/x-shockwave-flash
|
Macromedia Flash
|
swf
|
Yes
|
Yes
|
Yes
|
application/x-silverlight-app
|
PKZIP
|
xap
|
Yes
|
Yes
|
Yes
|
application/x-sim
|
|
sim
|
Yes
|
Yes
|
Yes
|
application/x-tar
|
TAR File
|
tar
|
Yes
|
Yes
|
Yes
|
application/x-vbs
|
|
*
|
Yes
|
Yes
|
Yes
|
application/zip
|
ZIP File
|
zip, zipx
|
Yes
|
Yes
|
Yes
|
audio/basic
|
Audio
|
snd, au
|
Yes
|
Yes
|
Yes
|
audio/midi
|
MIDI
|
mid, midi, rmi, mdi, kar
|
Yes
|
Yes
|
Yes
|
audio/x-aiff
|
Audio InterChange File Format from Apple/SGI
|
aiff, aif, aifc
|
Yes
|
Yes
|
Yes
|
audio/x-mpeg-3
|
MP3
|
mp3
|
Yes
|
Yes
|
Yes
|
audio/x-realaudio
|
Real Audio
|
ra
|
Yes
|
Yes
|
Yes
|
audio/x-voc
|
Creative Voice Format(VOC)
|
voc
|
Yes
|
Yes
|
Yes
|
image/bmp
|
Windows BMP
|
bmp
|
Yes
|
Yes
|
Yes
|
image/gif
|
GIF
|
gif
|
Yes
|
Yes
|
Yes
|
image/ico
|
Windows Icon
|
ico
|
Yes
|
Yes
|
Yes
|
image/jpeg
|
JPEG
|
jpg, jpeg, jpe, jif, jfif, jfi
|
Yes
|
Yes
|
Yes
|
image/msp
|
Microsoft Paint
|
msp
|
Yes
|
Yes
|
Yes
|
image/png
|
Portable Network Graphics
|
png
|
Yes
|
Yes
|
Yes
|
image/ppm
|
PPM image
|
ppm
|
Yes
|
Yes
|
Yes
|
image/svg+xml
|
|
svg
|
Yes
|
Yes
|
Yes
|
image/tiff
|
TIFF
|
tif, tiff
|
Yes
|
Yes
|
Yes
|
image/vnd.ms-modi
|
Microsoft Document Imaging
|
mdi
|
Yes
|
Yes
|
Yes
|
image/x-cpt
|
Corel PhotoPaint
|
cpt
|
Yes
|
Yes
|
Yes
|
image/x-pcx
|
PCX
|
pcx
|
Yes
|
Yes
|
Yes
|
image/x-pict
|
Macintosh Bitmap
|
pct
|
Yes
|
Yes
|
Yes
|
image/x-ras
|
Sun Raster(RAS)
|
ras
|
Yes
|
Yes
|
Yes
|
image/x-wmf
|
Windows Metafile
|
wmf
|
Yes
|
Yes
|
Yes
|
text/csv
|
CSV
|
csv, txt
|
Yes
|
Yes
|
Yes
|
text/html
|
HTML
|
dhtm, dhtml, htm, html, htx, sht, shtm, shtml, stml, xht,
xhtm, xhtml, xml, txt
|
Yes
|
Yes
|
Yes
|
text/plain
|
|
*
|
Yes
|
Yes
|
Yes
|
text/plain
|
Text File
|
txt
|
Yes
|
Yes
|
Yes
|
text/xml
|
XML
|
dhtm, dhtml, htm, html, htx, sht, shtm, shtml, stml, xht,
xhtm, xhtml, xml, txt
|
Yes
|
Yes
|
Yes
|
text/xsl
|
XSL
|
xsl
|
Yes
|
Yes
|
Yes
|
unknown/unknown
|
|
*
|
Yes
|
Yes
|
Yes
|
video/mpeg
|
|
*
|
Yes
|
Yes
|
Yes
|
video/quicktime
|
Quick Time Media
|
qt
|
Yes
|
Yes
|
Yes
|
video/x-fli
|
AutoDesk Animator
|
fli
|
Yes
|
Yes
|
Yes
|
video/x-flv
|
Macromedia Flash FLV Video
|
flv
|
Yes
|
Yes
|
Yes
|
video/x-ms-asf
|
Advanced Streaming Format
|
asf
|
Yes
|
Yes
|
Yes
|
video/x-scm
|
Lotus ScreenCam Movie
|
scm
|
Yes
|
Yes
|
Yes
|