Integrate with SAP NetWeaver

Architecture

1. SAP customer environments are secured through the SAP Virus Scan Interface (VSI), the security component of the SAP NetWeaver platform. The VSI is used to secure all forms of customer content including documents, embedded images, and active content including JavaScript and scripts in PDF and Office documents. The Scanner feature works seamlessly with SAP NetWeaver technology and the SAP HANA® platform.
2. The Server & Workload Protection Scanner scans the content uploaded to the SAP NetWeaver technology platform to determine its true type and reports this to SAP systems via the NetWeaver VSI interface. Content scanning protects against possible malicious script content that might be embedded or disguised inside documents.
3. SAP administrators can then set policy according to which actual document types should be allowed.

Server & Workload Protection and SAP components

• Server & Workload Protection: The centralized web-based management console that administrators use to configure security policy and deploy protection to the agent.
• Agent: A security agent deployed directly on a computer. The nature of that protection depends on the rules and security settings that each agent receives from Server & Workload Protection.
• SAP NetWeaver: SAP integrated technology computing platform. The SAP NetWeaver Virus Scan Interface (NW-VSI) provides virus scanning capabilities for third-party products that perform the actual scan. The NW-VSI interface must be activated.
• SAP NetWeaver ABAP WinGUI: A Windows management console used for SAP NetWeaver. In this document, it is used for the configuration of the agent and the SAP NetWeaver Virus Scan Interface.

Configure integration of Server & Workload Protection Scanner and SAP NetWeaver

1. See Supported features by platform to obtain information about the operating systems that support Scanner.
2. Install the agent on an SAP application server running one of the supported operating systems. See Install the agent‌.
3. Add the SAP server to Server & Workload Protection and activate the agent on the SAP server. See Add the SAP server to Server & Workload Protection and activate the agent.
4. Open the computer or policy editor and go to Settings → Scanner.
5. Enable the SAP integration. See Assign a security profile‌.
6. Configure the SAP Virus Scan Interface (VSI) by calling the following transactions:
   • VSCANGROUP
   • VSCAN
   • VSCANPROFILE
   • VSCANTEST
   See Configure SAP to use the agent

Install the agent

1. Go to the Deep Security software download page and download the agent package for your OS.
2. Install the agent on the target system. You can use rpm or zypper, depending on the OS. In this example, rpm is used by typing: rpm -ihv Agent-Core-SuSE_<version>.x86_64.rpm
3. Expect the output similar to the following:
   
   This indicates that the agent installation is complete

Add the SAP server to Server & Workload Protection and activate the agent

• -a is the command to activate the agent, and
• dsm://managerurl:443/ is the parameter that points the agent to Server & Workload Protection. ("managerurl" is the URL of Server & Workload Protection, and "443" is the default agent-to-manager communication port.)

1. In the Server & Workload Protection console, select the Computers tab.
2. Click the computer name, then click Details and check that the computer's status is Managed.

Assign a security profile‌

1. In the Computer or Policy editor, go to Anti-Malware → General.
2. In the Anti-Malware section, set Configuration to On (or Inherited On), and then click Save.
   
3. In the Real-Time Scan, Manual Scan, or Scheduled Scan sections, set the Malware Scan Configuration and Schedule, or allow those settings to be inherited from the parent policy.
4. Click Save. The status of the anti-malware module changes to Off, installation pending. This means that the agent is retrieving the required module from Server & Workload Protection. For this to work, the client needs to access the Relay on the relay's listening port number. A few moments later, the agent should start downloading component updates such as anti-malware patterns and scan engines.
5. In the Computer editor, go to Settings → Scanner.
6. In the SAP section, set Configuration to On (or Inherited On), and then click Save.

Configure SAP to use the agent

1. Configure the scanner group
2. Configure the virus scan provider
3. Configure the virus scan profile
4. Test the virus scan interface

Configure the scanner group

1. In the SAP WinGUI, run the VSCANGROUP transaction. In Edit mode, click New Entries.
   
2. Create a new scanner group, specifying a group name in the Scanner Group area and a description of the scanner group in the Group Text area.
   
3. Click Save or leave the edit mode.
   A dialog named Prompt for Workbench request appears. In the following example, a new workbench request is created to keep track of all the VSI-related changes:
   

Configure the virus scan provider

1. In the SAP WinGUI, run the VSCAN transaction. In Edit mode, click New Entries.
   
2. Enter a configuration for a VSI-certified solution.
   In the following example, a number of configuration parameters are set:
   

   Setting	Value	Description
   Provider Type	ADAPTER (Virus Scan Adapter)	Automatically set (default)
   Provider Name	VSA_<host name>	Automatically set, serves as alias
   Scanner Group	Select the group that you configured earlier	All previously created scanner groups, which you can display using the input help
   Status	Active (Application Server)	Automatically set (default)
   Server	nplhost_NPL_42	Automatically set, hostname
   Reinit. Interv.	8 Hours	Specifies the number of hours after which the Virus Scan Adapter is reinitialized and load new virus definitions.
   Adapter Path (Linux)	/lib64/libsapvsa.so	Default path
   Adapter Path (Windows)	C:\Program Files\TrendAI™\Deep Security Agent\lib\dsvsa.dll	Default path

3. Click Save or leave the edit mode.
   A prompt to pack this into a workbench request appears.
4. Confirm the request, then click Start.
   The Status light turns green, which means the adapter is loaded and active.
   

Configure the virus scan profile

1. In the SAP WinGUI, run the VSCANPROFILE transaction, then select the SAP operation that requires virus scan.
   For example, select Active for /SCET/GUI_UPLOAD or /SCET/GUI_DOWNLOAD, and then click Save.
   
2. In edit mode, click New Entries.
   The virus scan profiles define how specific transactions (file uploads, file downloads, and so on) are handled corresponding to the virus scan interface. To use the previously configured virus scan adapter in the application server, you need to create a new virus scan profile.
3. In Scan Profile, enter Z_TMProfile and select Active, Default Profile, and Evaluate Profile Configuration Param.
   
4. While still in edit mode, double-click Steps to configure the steps:
   
5. Click New Entries.
   The steps define what to do when the profile is called by a transaction.
6. Set Position to 0, Type to Group, and Scanner Group to the name of the group that you configured earlier.
7. Click Save or leave the edit mode.
   A notification eventually appears about an existing virus scan profile, /SCET/DP_VS_ENABLED.
8. Ignore the notification about an existing profile because the profile is not active and is not used.
   After confirming this notification, you are asked to pack this configuration in a customization request. Creating a new request helps keep track of the changes that have been made:
   
9. To create configuration parameters for a step, double-click Profile Configuration Parameters, then click New Entries and set the parameters:

   Parameter	Type	Description
   CUST_ACTIVE_CONTENT	BOOL	Check if a file contains script (JavaScript, PHP, ASP script) and block.
   CUST_CHECK_MIME_TYPE	BOOL	Check if the file extension name matches its MIME type. If they do not match, the file is blocked. All MIME types and extension names can be exactly matched. For example: Word files must be .doc or .dot JPEG files must be .jpg Text and binary files could be any extension (do not block) See Supported MIME types for the built-in mapping table. To configure the scanner to recognize MIME types or file extensions that the built-in table does not include, see Add custom MIME type mappings.

10. Double-click Step Configuration Parameters. Click New Entries and set the parameters:

    Parameter	Type	Description	Default on Linux	Default on Windows
    SCANBESTEFFORT	BOOL	The scan should be performed on the best effort basis; that is, all security critical flags that allow a VSA to scan an object should be activated, such as SCANALLFILES and SCANEXTRACT, but also internal flags. Details about exactly which flags these are can be stored in the certification.	not set	not set
    SCANALLFILES	BOOL	Scans for all files regardless of their file extension.	disabled	disabled
    SCANEXTENSIONS	CHAR	List of the file extensions for which the VSA should scan. Only files with the configured extensions are checked. Other extensions are blocked. Wildcards can also be used here to search for patterns. \* stands for this location and following and ? stands for only this character. For example, exe;com;do?;ht* => \`\*\` means to scan all files.	null	""
    SCANLIMIT	INT	This setting applies to compressed files. It specifies the maximum number of files to unpack and scan.	INT_MAX	65535
    SCANEXTRACT	BOOL	Archives or compressed objects are to be unpacked	enabled	enabled
    SCANEXTRACT_SIZE	SIZE_T	Maximum unpack size	0x7FFFFFFF	62914560 (60 MB)
    SCANEXTRACT_DEPTH	INT	Maximum depth to which an object is to be unpacked.	20	20
    SCANLOGPATH	CHAR	Custom log path for VSA Must be an absolute path to either a regular file or to a location where a regular file can be created. Cannot be an executable file path. Only limited log messages are written. For example, the detected malware. Supported by agent versions released May 2, 2024, and later.	(not set)	(not set)
    SCANMIMETYPES	CHAR	List of the MIME types for which to scan. Only files with configured MIME types are checked. Other MIME types are blocked. This parameter works only if CUST_CHECK_MIME_TYPE is enabled.	not set	not set
    BLOCKMIMETYPES	CHAR	List of MIME types to block. This parameter works only if CUST_CHECK_MIME_TYPE is enabled.	not set	not set
    BLOCKEXTENSIONS	CHAR	List of file extensions to block.	not set	not set

Add custom MIME type mappings

• Policy (recommended): Entries are defined in the Server & Workload Protection console and applied to every SAP server protected by the policy.
• Local INI file: Entries are defined directly on a single SAP server. Use this method to override the policy on a specific host, or to apply an entry before the agent receives the updated policy.

1. In Server & Workload Protection, open the Computer or Policy editor and go to Settings → Scanner.
2. In the SAP area, locate Custom MIME type mappings and add one entry for each MIME type that you want the scanner to recognize. For each entry, provide the following values:
   • MIME type: The complete MIME type string, for example, application/x-custom.
   • File extensions: A comma-separated list of one or more extensions to associate with the MIME type, specified without leading dots. Extensions are matched case-insensitively. For example, cst, custom.
3. Click Save. Server & Workload Protection validates each entry and rejects any entry that has an empty MIME type or an empty extension list. Valid entries are distributed to the agent at the next heartbeat and are merged with the built-in mapping table that the SAP Scanner uses.

<CustomMimeMappings>
		<CustomMimeMapping mimeType="application/x-custom" extensions=";cst;custom;"/>
		<CustomMimeMapping mimeType="application/vnd.company" extensions=";comp;"/>
		<CustomMimeMapping mimeType="text/x-specialformat" extensions=";spc;special;"/>
</CustomMimeMappings>

1. On the SAP server, create or edit the file /var/opt/ds_agent/am/custom_mime.ini.
2. Add each mapping on its own line, using the following syntax:

   <mime-type>=;<extension1>;<extension2>;…

   For example:

   application/x-custom=;cst;custom;
   		application/vnd.company=;comp;
   			text/x-specialformat=;spc;special;

   The file must conform to the following format requirements:
   • One mapping per line, with no section headers. The file format differs from dt.ini.
   • A semicolon at the start of the extension list, between consecutive extensions, and at the end of the list.
   • Extensions specified without leading dots. Extensions are matched case-insensitively.
3. Save the file. The agent applies the new entries the next time it receives a scan request. Restarting the agent is not required.

Important When the same MIME type is defined in both the local INI file and the policy, the local INI entry replaces the policy entry on that server. All other policy-defined entries remain in effect.

1. The scanner first consults the built-in mapping table. If the file's MIME type is present in the built-in table and the file's extension is listed for that MIME type, the file is allowed to pass to the next scan stage.
2. If the file's MIME type is not present in the built-in table, the scanner consults the custom mappings: first the local INI file, then the policy. If the file's extension is listed for the detected MIME type in either source, the file is allowed to pass.
3. If no source recognizes the combination of MIME type and extension, the scanner blocks the file.

• To verify that the agent has received the policy-defined entries, examine /var/opt/ds_agent/guests/0000-0000-0000/amvmcfg.xml on the SAP server. The file should contain a <CustomMimeMappings> element that lists each of your entries.
• To verify that the local INI file is being read, search /var/opt/ds_agent/diag/ds_am.log for entries that reference custom_mime.ini.
• If a file continues to be blocked after you have added a custom mapping for it, run the SAP transaction VSCANTEST and review the Content Information output. The MIME type that the scanner detected must match the mimeType value in your mapping exactly. The scanner does not normalize casing or trim surrounding whitespace, so any discrepancy prevents the entry from taking effect.

Test the virus scan interface

1. In the SAP WinGUI, run the VSCANTEST transaction.
   
   Every VSI-aware SAP application server also has a built-in test to check whether the configuration steps were done correctly. For this, an EICAR test virus (www.eicar.org) is packed in a transaction that can call a specific scanner.
2. If you do not fill in anything, the default profile is called, which was configured in the last step, so do not fill in anything.
3. Click Execute.
   A notification appears that explains what an EICAR test virus is.
4. Confirm the notification.
   The transaction is intercepted:
   

1. The transaction called the default virus scan profile, which is the virus scan profile Z_TMPROFILE.
2. The virus scan profile Z_TMPROFILE is configured to call an adapter from the virus scan group Z_TMGROUP.
3. The virus scan group Z_TMGROUP has multiple adapters configured and calls one of them (in this case, VSA_NPLHOST).
4. The virus scan adapter returns value 2-, which means a virus was found.
5. Information about the detected malware is displayed by showing Eicar_test_1 and the file object /tmp/ zUeEbZZ_TMPROFILE.
6. The called default virus scan profile Z_TMPROFILE fails because step 00 (the virus scan group) was not successful and therefore the file transaction is stopped from further processing.

Supported MIME types

• Agent version 9.6 uses VSAPI 9.85
• Agent version 10.0 uses ATSE 9.861
• Agent version 10.1 uses ATSE 9.862
• Agent version 10.2, 10.3, 11.0, 11.1, and 11.2 uses ATSE 10.000
• Agent version 11.3 and higher uses ATSE 11.0.000