As the number of malicious programs (malware) grows, so does the need for adequate protection against the risk of damage or loss of data. Corporate operating systems should be protected against various kinds of viruses, worms and other threats. Normally, organizations use antivirus tools that scan at the file level.

As the scope of malware activity expands, the requirements placed on antivirus applications increase. This poses a risk to the SAP system itself.

More than 50% of the security notes published by SAP concern vulnerabilities that may allow for logging into the system. Viruses attacking SAP can, for example, steal passwords entered by users and other confidential information, block access to websites, or damage the operating system or boot sectors. SAP systems are the basic and most critical systems for ensuring business continuity in organizations, and like other applications, they require frequent patches in order to optimize processes. This in turn generates the need to grant third parties permissions to the system, and thus increases the risk of storing and spreading unwanted software in SAP systems.

Every day, the SAP application processes many documents that can be transferred between systems or uploaded directly through SAP GUI. Each of these documents may contain malicious software that may cause irreversible problems. Appropriate protection using SAP NetWeaver interoperating with an antivirus program makes it possible to avoid most of the risks in daily work with SAP. A good example is the maintenance of a knowledge base or documentation in SAP systems, where a document can be scanned for threats each time it is accessed.

An interface for antivirus

SAP does not provide a tool for scanning the system itself; however, it provides an interface that can be used to connect third-party scanning software with the SAP NetWeaver platform. In this way, companies using SAP are able to select a preferred application responsible for security in the organization.

The integration of SAP with third-party antivirus software is enabled by the SAP NetWeaver Virus Scan Interface (NW-VSI). NW-VSI provides an interface for ABAP and Java application servers.

In this approach, each party is responsible for its part. The third-party software provider delivers libraries of viruses, while the Virus Scan Interface is responsible for the processing of documents on the basis of the information gathered. NW-VSI is integrated with SAP NetWeaver, monitors the data sent by the SAP application and protects it against unwanted software.

NW-VSI

The SAP NetWeaver Virus Scan Interface is an interface between SAP NetWeaver and an antivirus program. It enables scanning of files or documents processed by the system for virus infections. These can be, for example, Word and PDF files, spreadsheets or photos. All these documents are scanned for viruses, worms or Trojans just before being uploaded to the SAP system.

This applies both to applications delivered directly by SAP and to internal implementations. The data can be scanned, for example, when document files are being imported to SAP using SAP GUI or when files are being transferred between SAP systems.

Connecting third-party security applications to the SAP system via NW-VSI results in a clear division of responsibilities and easy integration.

The SAP application decides what exactly will be scanned and when. For this reason, each scan is triggered by VSI on demand. VSI offers the possibility of using several third-party antivirus tools simultaneously. As a result, if a threat is detected, NW-VSI decides what to do with a given file. The interface transmits the file to the third-party antivirus program, where it is verified and sent back to NW-VSI or blocked if a threat is detected.

The configuration of the entire solution can be divided into three parts. The first one is the configuration of the ABAP or Java application server. The second part concerns the VSI interface configuration, and the last one refers to the anti-virus tool itself.

Virus Scan Engine

The Virus Scan Engine contains the logic of the antivirus program. It is responsible for scanning files, comparing the patterns of viruses with scanned files, using heuristic methods to identify new viruses, and removing infected code from files. The Scan Engine verifies files and takes specific actions in relation to viruses.

Virus Scan Engine (VSE) and SAP NetWeaver can be installed on a single server, which results in faster communication compared to using RFC connections. However, in this case, a decline in the performance of the SAP system can be noted due to the load generated by the antivirus program itself. It is also possible to separate VSE and SAP NetWeaver in order to avoid performance problems.

In this case, communication is slower, and the continuous transmission of documents for scanning may increase traffic in the organization's network. To spread the load across the antivirus engines (VSEs), you can use a Virus Scan Group, which applies the “round robin” method. All VSEs from a given manufacturer can be incorporated into a single group. As a result, when one of the VSEs is busy, the document is forwarded to the VSE next in line.
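The round-robin forwarding described above can be modelled in a few lines. This is an added illustration, not SAP code or a vendor adapter: the `Engine` and `ScanGroup` classes, the engine names, the marker bytes and the sample documents are all constructed, and rejecting a document when every engine is busy is an assumption the article does not state.

```python
from dataclasses import dataclass

MARKER = b"CONSTRUCTED-TEST-SIGNATURE"  # constructed stand-in for a virus pattern


@dataclass
class Engine:
    """Hypothetical stand-in for one Virus Scan Engine (VSE)."""
    name: str
    busy: bool = False

    def scan(self, data: bytes) -> bool:
        """Return True when the document is clean."""
        return MARKER not in data


class ScanGroup:
    """Model of a Virus Scan Group that rotates over its engines."""

    def __init__(self, engines):
        self.engines = list(engines)
        self.next_index = 0  # engine that is next in line

    def scan(self, data: bytes):
        """Return (engine name, verdict): 'clean', 'blocked' or 'unscanned'."""
        n = len(self.engines)
        for offset in range(n):
            i = (self.next_index + offset) % n
            engine = self.engines[i]
            if engine.busy:
                continue  # forward the document to the VSE next in line
            self.next_index = (i + 1) % n  # rotation resumes after the engine used
            return engine.name, ("clean" if engine.scan(data) else "blocked")
        # Assumption: with every engine busy, the document is rejected
        # rather than accepted without a scan.
        return None, "unscanned"


def demo():
    """Dispatch four constructed documents across a group with one busy engine."""
    group = ScanGroup([Engine("vse-a"), Engine("vse-b", busy=True), Engine("vse-c")])
    docs = [b"invoice", b"report " + MARKER, b"photo", b"memo"]
    return [group.scan(d) for d in docs]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The caller should treat `unscanned` the same as `blocked`, so that a saturated group never lets a document through unchecked.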

Virus Scan Adapter

The Virus Scan Adapter is a connector between a third-party scanning tool and the SAP interface. It may be, for example, a separate library or the Virus Scan Engine itself. The Virus Scan Adapter is an application responsible for the transmission of information from the Scan Engine directly to the VSI interface libraries. The Adapter is prepared by an antivirus software provider based on templates provided by SAP.

Virus Scan Server

Virus Scan Server is a tool provided by SAP as part of SAP NetWeaver. VSS is a separate RFC server. It allows for scanning on the basis of an RFC communication protocol. VSS is used when VSE is installed on a satellite server other than the scanned SAP NetWeaver. The main task of VSS is the integration of virus scanners available via VSAs installed in the SAP landscape.

VSS can operate in two modes:

  • an application starter – VSS runs on the same system as the SAP system;
  • a self starter – runs on the same system or a remote system. It is used, for example, when the SAP system operates in the 64-bit architecture, and antivirus software in the 32-bit one.

The Virus Scan Server also has several limitations that should be considered:

  • scanning is slower, because every object is transported via RFC;
  • increased workload in the case of maintenance of VSS on separate systems;
  • it may not be used to scan files larger than 30 MB.

Antivirus for SAP

The key benefits of running antivirus applications for SAP systems integrated with SAP NetWeaver include:

  • protection against SQL-injections;
  • protection against cross-site scripting;
  • protection against OS-command injections;
  • protection with extensive filtering options;
  • data protection when transferring files;
  • flexibility enabled by the support of a wide range of platforms.