AntiVirus Bridge for SAP solutions




AntiVirus Bridge for SAP solutions
Version 3.0
Installation and Configuration Guide

Table of contents

AntiVirus Bridge for SAP solutions
    Product Description
    AntiVirus Bridge Content filter overview
Installation on UNIX/Linux
Installation on Microsoft Windows Server
SAP-side configuration
    Understanding the SAP NetWeaver Virus Scan Service
Configuring Content Scanning in an ABAP environment
    Defining Scanner Groups
    Defining Virus Scan Providers
    Defining Virus Scan Profiles
Advanced Content Scanning - ABAP
    File extension blacklist
    File extension whitelist
    MIME-type blacklist
    MIME-type whitelist
    Content validation
    Blocking active content
    Logging content scan activity
ABAP Transaction Overview for Virus Scan Functions
Implementing Virus Protection in the Java Environment
    Defining a Scanner Group
    Defining a Virus Scan Provider (Adapter)
    Defining Virus Scan Profiles
Advanced Content Scanning - J2EE
    File extension blacklist
    File extension whitelist
    MIME-type blacklist
    MIME-type whitelist
    Content validation
    Blocking active content
Configuring virus scanning via ICAP
    Scanning with one ICAP server
    Scanning with two ICAP servers
    Common ICAP server URLS
Preloading configuration parameters with configuration files
    Host-global configuration file
    SID-specific configuration file
    Configuration file format
    Supported configuration file parameters

AntiVirus Bridge for SAP solutions

Product Description

AntiVirus Bridge for SAP NetWeaver is an integrated content security solution for SAP NetWeaver application servers. The product secures file transfers from or into SAP applications, leveraging advanced content filters and built-in or external virus scan products from leading vendors.

AntiVirus Bridge utilizes SAP's NetWeaver Virus Scan Interface (NW-VSI), thus seamlessly and easily enabling content scanning for any NetWeaver application. In addition to virus scanning, AntiVirus Bridge supports filtering by file extensions and true content-based MIME-type filters. It also enables detection and blocking of active content and malformed or maliciously embedded files.

AntiVirus Bridge 3.0 offers flexibility and choice when it comes to virus scanning by integrating two industry-leading virus scan engines from McAfee and SOPHOS and by providing an industry-standard ICAP interface, permitting the use of external virus scanners from virtually any security vendor offering an ICAP interface.

AntiVirus Bridge integrates into the SAP management infrastructure. On SAP release 7.00 EHP2 and higher, it does not require any operating system level configuration, but is fully customizable from within the SAP application server management and customization tools.

AntiVirus Bridge Content filter overview

Each object passed to AntiVirus Bridge is examined through a series of content filters, controlled by parameters set either at the SAP-system level or in individual application content scanning policies.

- File extension filters (black-list, white-list)
- Content based MIME-type filters (black-list, white-list)
- SAPCAR handler
- Content validation filter
- Active content filter
- Virus scan

Picture 1: Content filter flow

Installation on UNIX/Linux

The installation process is identical on all UNIX/Linux platforms; however, the screen output on your machine may differ slightly from the screenshots provided in this documentation.

AntiVirus Bridge for SAP solutions for UNIX/Linux is delivered as a gzip-compressed installation shell script that self-extracts the binaries. Please copy the file to a location where the user running the installer has write privileges and unzip the file with:

    gunzip ./install-bowbridge-[your platform].sh.gz

Executing the script with

    ./install-bowbridge-[your platform].sh

will start the installation process:

Picture 2: Start installation

The installer is a menu-driven, interactive application guiding you through the installation process, during which you will be required to provide the following information:

- Agree to the BowBridge Software End User License Agreement
- the SIDadm user ID
- the installation target directory
- a license to be installed

Installation on Microsoft Windows Server

The Windows version of AntiVirusBridge comes as a single file installer. Local Administrator privileges are required to perform the installation.

Please download and execute the file install_bowbridge30_win86_64.exe and follow the instructions of the installer.

During the installation process, you may deselect components that are already installed on your system, i.e. one or both of the embedded scan engines, should you not require them. Providing a license during the installation process is optional, as licenses may be added or replaced at any time after the installation.

After specifying the parameters, the installer copies the product to the installation path provided in the installer.

SAP-side configuration

For details on how to configure your SAP landscape to enable Virus Protection for your application, BowBridge recommends referring to the latest SAP documentation for your product and version.

Understanding the SAP NetWeaver Virus Scan Service

NetWeaver's Virus Scan Service introduces three abstraction layers:

1. Virus Scan Provider: describes the access to a virus scanner.
   a) Virus Scan Adapter: allows direct access to a virus scanner. The adapter is loaded as a dynamic library (DLL or lib) and is executed within the address space of the J2EE or ABAP engine and is therefore the variant offering the highest performance.
   b) Virus Scan Server: defines a (logical or physical) server which gets scan objects via RPC. This variant has a much lower performance and might fail when scanning large files.
2. Virus Scan Group: A Virus Scan Group may cover several Virus Scan Providers.
3. Virus Scan Profile: allows you to consolidate multiple Virus Scan Groups and combine them using logical AND/OR relationships. Thus it is possible to create high-security deployments in which scan objects need to be checked by multiple servers. Virus Scan Profiles may also be created to allow application-specific scanning configurations.

In all layers, a default entry can be chosen to be the one to use if no explicit choice is made by the application.

Picture 3: Layers of the SAP virus scanning architecture

Configuring Content Scanning in an ABAP environment

AntiVirus Bridge's basic configuration is performed entirely from the SAP customization tools. Very few additional options, such as debug traces and alternative update sources, can be configured via configuration files, either at the host level or the application server instance level.

Setting up virus protection for ABAP based SAP applications requires three major steps:

1. Definition of Virus Scan Group
2. Definition of Virus Scan Providers
3. Definition and activation of virus scan profiles.

Defining Scanner Groups

A scanner group combines multiple virus scanners of the same type. Since you select the Virus Scan Provider using the scanner group when maintaining the virus scan profile, you must assign each Virus Scan Provider to a scanner group. We recommend setting up multiple scanner groups if you want to maintain multiple scan configurations on your system.

Picture 4: Setting up a virus scan group on ABAP Stack

Configuration Steps:

1. Open transaction VSCANGROUP.
2. Select New Entries.
3. Specify name and description for the scanner group.

   Scanner Group
       Notes: Freely definable name for the Scanner Group, e.g. BOWBRIDGE
   Group Text
       Notes: Description of the Scanner Group

4. Select the group you just created and double-click Configuration Parameters in the Dialog structure pane.

Picture 5: Defining initialization parameters

Here, you may specify the following initialization parameters:

INITDIRECTORY (mandatory: YES)
    Specifies the base directory of your Bowbridge installation.

INITENGINES (mandatory: No)
    Specifies the virus scan method to use. Possible values:
    - SOPHOS
    - MCAFEE
    - ICAP (requires INITSERVERS to be set)
    Multiple scan engine instances (up to 10) can be started by adding the number of instances (e.g. 'SOPHOS;5') to the engine selection. We recommend one engine per 20 DIA work processes.

INITSERVERS (mandatory: for ICAP only)
    Specifies the ICAP service URL(s). Consult section Configuring ICAP Backends for details.

INITTEMP_PATH (mandatory: No)
    Specifies the temp directory to be used by the Virus Scan adapter, e.g. to decompress SAPCAR archives for scanning.

INITTIMEOUT (mandatory: No)
    Specifies the maximum time (in seconds) for a virus scan engine to start.

5. Save your entries.

Defining Virus Scan Providers

NetWeaver supports two types of Virus Scan Providers: Virus Scan Adapters and Virus Scan Servers. While both options are fully supported with AntiVirusBridge, BowBridge and SAP recommend using the Virus Scan Adapter configuration as it is more stable and provides significantly better performance.

Configuration Steps:

1. Open transaction VSCAN.
2. Add a new entry.

Picture 6: 7: Defining a virus scan provider (UNIX)

You need to provide at least the path to the actual BowBridge library. It is located in your installation directory and is named libavb30.so on UNIX platforms (libavb30.sl on HP-UX) and BBVSA30.DLL on Windows.

You further need to include this newly created virus scan provider in the scanner group you just created. Select the scanner group from the list.

Picture 8: Selecting a scanner group for the provider

Provider Type
    Possible values: ADAPTER (Virus Scan Adapter)
    Notes: AntiVirus Bridge runs inside the work process of the application server.

Provider Name
    Possible values: VSA_<Name>. Default value: VSA_<host name>
    Notes: You can overwrite the host name with any name. However, you must retain the VSA_ prefix.

Scanner Group
    Possible values: All previously created scanner groups, which you can display using the input help.
    Notes: The scanner group combines multiple Virus Scan Providers. All of the Virus Scan Providers in a scanner group have the same set of configuration parameters and will therefore use the same scan method.

Status
    Possible values: Active (Application server), Inactive (Application server)
    Notes: The values active and inactive indicate whether the adapter is to be activated when the application server or a work process is restarted.
    Active: An adapter is loaded for the work process.
    Inactive: No adapter is loaded for the work process.

Server
    Possible values: The input help provides a list of the existing servers.
    Notes: Application server on which the Virus Scan Adapter is to be started and/or monitored. Do not specify a different server name.

ReinitInterval
    Notes: Specifies the number of hours after which the adapter is re-initialized. Set this to an interval of your choice to see the latest scan-engine and pattern versions.

Adapter Path
    Possible values: Full path of the library that contains the Virus Scan Adapter
    Notes: Specifies the full path to the libavb30.so library in your installation directory.

3. Enter the data for the Virus Scan Adapter.
4. Save your entries.
5. Click on Start. The adapter should start and you should see details of the adapter.

Depending on the INITENGINES parameter specified in transaction VSCANGROUP, you will see the details of the scan method you specified (versions may be different in your deployment).

Expected result with SOPHOS-Engine:

Picture 9: Virus scan provider details - SOPHOS-engine

Expected result with McAfee-Engine:

Picture 10: Virus scan provider details - McAfee-engine

Expected result with ICAP-engine (with 2 ClamAV ICAP servers):

Picture 11: Virus scan provider details - ICAP-engines

Defining Virus Scan Profiles

Applications use virus scan profiles to run content checks. Virus scan profiles hold the application-specific content security parameters to be passed to AntiVirusBridge in order to perform the proper scan operation.

A virus scan profile specifies steps that are to be run during a content scan. A step is either a virus scanner, which is found using the scanner group, or a reference to another virus scan profile, which is then performed as part of the enclosing virus scan profile.

A virus scan is performed under the name of a virus scan profile. The system administrator can use the profile to activate or deactivate the virus scan for each component. By default, each SAP application that integrates a virus scan provides a virus scan profile. The names of these virus scan profiles are constructed as follows: /<Name of the package of the application>/<name of the function>.

Check the virus scan profiles delivered by SAP, and determine for which components you are activating or deactivating the virus scan. Create your own virus scan profiles in the Y* and Z* namespaces.

Picture 12: Pre-defined virus scan profiles

Configuration Steps:

1. Open transaction VSCANPROFILE, and, if necessary, switch to change mode. The screen View: Change "Virus Scan Profile": Overview appears.
2. Choose New Entries.
3. Specify the data for the virus scan profile.

Picture 13: New virus scan profile

Select the Active and Default Profile check-boxes and ensure the Use Reference checkbox is not checked. As all pre-defined virus scan profiles use the default profile as reference, all applicable applications will effectively use this new profile.

Scan Profile
    Notes: Specifies the name of a virus scan profile.

Profile Text
    Notes: Explanatory text for a virus scan profile.

Active
    Notes: Specifies that this virus scan profile is active. The virus scan profile can only be used if this indicator is set. SAP applications can use fixed profile names that are delivered. By default, these profiles are not active, meaning that the application program works without a virus scan. You can activate the virus scan for each application by setting this indicator.

Default Profile
    Notes: Indicator that this virus scan profile is the default profile. You can set this indicator for a maximum of one virus scan profile. This virus scan profile is used in the following cases:
    - If an application requests a virus scanner without specifying a virus scan profile
    - If a virus scan profile is requested for which the Use Reference Profile indicator is set, and the Reference Profile is empty

Use Reference
    Notes: To operate multiple applications using the same virus scan profile, set the Use Reference indicator and specify the reference profile.

Reference Profile
    Possible values: The input help provides a list of all of the profiles that have already been defined. If you leave the field empty, the system uses the default profile.
    Notes: Specifies the name of the reference profile. Since a virus scan profile can use another virus scan profile as a reference profile, you can operate multiple applications using the same virus scan profile. If the Use Reference Profile indicator is set in the virus scan profile, this field specifies the name of the reference profile to be used. Instead of the settings of the current virus scan profile, the settings of the reference profile are then used. This means that several virus scan profiles can use the settings of a shared reference profile, such as the scanner groups to be used.

Relationship
    Possible values:
    - All steps successful: The virus scan must have performed all steps without errors.
    - At least one step successful: It is sufficient if one step of the virus scan was successfully performed.
    Notes: Specifies the type of logical linkage for the steps in the virus scan profile. If multiple steps that are to be performed during the virus scan with a virus scan profile are defined for a profile, you can use this field to control how the overall result of the virus scan is to be evaluated. Using multiple steps allows you to scan documents with scan engines from different vendors at the same time.
    The program interprets a virus scan as error-free only if the scan engine returns the return value Check performed successfully or (in the case of cleanups) Cleanup performed successfully. All other return values are regarded as unsuccessful virus scans. This also includes situations such as:
    - The program did not check the document because the file name extension is categorized as non-critical.
    - The program could not check the document, because the document is a password-protected archive.
    - The scan engine is obsolete.

4. Double-click on Steps and specify your newly created virus scan group on position 0.

Picture 14: Virus Scan Profile - Configuration Steps

Position
    Possible values: <integer value>
    Notes: Specifies the position of the scanner group in the virus scan profile. If a virus scan profile uses multiple scanner groups, place these in the desired sequence by assigning a position number.

Type
    Possible values: Group or Profile
    Notes: Specifies whether a step in the virus scan profile refers to a scanner group or another virus scan profile. If you choose Group, the system uses a Virus Scan Server from this group (or a BAdI implementation) for the virus scan. If you choose Profile, the program processes the specified virus scan profile instead of this step. You can define any conditions by combining the steps of the virus scan profile with the linkage type of the steps (AND/OR).

Scanner Group
    Possible values: The input help provides a list of all existing scanner groups.
    Notes: Combines multiple Virus Scan Servers. All of the Virus Scan Servers of a scanner group have the same set of configuration parameters and will therefore use the same scan engine.

Virus Scan Profile
    Possible values: The input help provides a list of all existing profiles.
    Notes: Specifies the name of a virus scan profile that you can include as a step in the profile that you are currently processing.

5. Save your entries.

At this stage, you have configured basic virus scanning for your ABAP SAP applications.
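The profile rules described above (Active, Use Reference, default profile, Relationship, nested profile steps) can be checked on paper before they are maintained in VSCANPROFILE. The following Python model is an added example, not SAP or BowBridge code. The profile names, the group name ICAP_SCAN, the NO_SCAN/OK/REJECTED verdicts, the non-success return value strings and the sample documents are all constructed for illustration.

```python
# Only these two return values count as a successful step (as stated in the guide).
SUCCESS = {"Check performed successfully", "Cleanup performed successfully"}


def default_profile(profiles):
    """Name of the single profile flagged as Default Profile."""
    names = [n for n, p in profiles.items() if p.get("default")]
    if len(names) != 1:
        raise ValueError("exactly one default profile is required")
    return names[0]


def resolve(profiles, name, seen=()):
    """Follow Use Reference links; an empty Reference Profile means the default profile."""
    if name in seen:
        raise ValueError("reference loop: " + " -> ".join(seen + (name,)))
    profile = profiles[name]
    if not profile.get("use_reference"):
        return name
    target = profile.get("reference") or default_profile(profiles)
    return resolve(profiles, target, seen + (name,))


def run_steps(profiles, groups, name, document):
    """Run the steps of one profile in position order and apply its linkage."""
    profile = profiles[resolve(profiles, name)]
    results = []
    for _position, kind, target in sorted(profile["steps"]):
        if kind == "GROUP":
            results.append(groups[target](document) in SUCCESS)
        else:  # PROFILE: the nested profile is processed instead of this step
            results.append(run_steps(profiles, groups, target, document))
    if not results:
        return False  # assumption of this model: a profile without steps never passes
    return all(results) if profile["linkage"] == "ALL" else any(results)


def scan(profiles, groups, name, document):
    """'NO_SCAN' for an inactive profile, otherwise 'OK' or 'REJECTED'."""
    if not profiles[name].get("active"):
        return "NO_SCAN"  # the application works without a virus scan
    return "OK" if run_steps(profiles, groups, name, document) else "REJECTED"


# Constructed scan engines standing in for two scanner groups.
def bowbridge_group(document):
    if document["password_protected"]:
        return "Not checked: password-protected archive"  # constructed label
    return "Check performed successfully"


def icap_group(document):
    return "Scan engine obsolete"  # constructed label for an outdated engine


GROUPS = {"BOWBRIDGE": bowbridge_group, "ICAP_SCAN": icap_group}
BOTH = [(0, "GROUP", "BOWBRIDGE"), (1, "GROUP", "ICAP_SCAN")]
PROFILES = {
    "ZSTRICT": {"active": True, "default": True, "linkage": "ALL", "steps": BOTH},
    "ZLENIENT": {"active": True, "linkage": "ANY", "steps": BOTH},
    "ZNESTED": {"active": True, "linkage": "ALL",
                "steps": [(0, "PROFILE", "ZLENIENT")]},
    # Hypothetical application-delivered profiles.
    "/DEMO_PKG/UPLOAD": {"active": True, "use_reference": True, "reference": ""},
    "/DEMO_PKG/DOWNLOAD": {"active": False, "use_reference": True, "reference": ""},
}
PLAIN = {"name": "plain.pdf", "password_protected": False}
LOCKED = {"name": "locked.zip", "password_protected": True}

if __name__ == "__main__":
    for profile_name in PROFILES:
        for doc in (PLAIN, LOCKED):
            print(profile_name, doc["name"], scan(PROFILES, GROUPS, profile_name, doc))
```

With "All steps successful", one obsolete engine rejects every document. With "At least one step successful", a document passes even though only one of the two engines actually checked it.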

Advanced Content Scanning - ABAP

In addition to virus scanning, AntiVirusBridge offers several advanced content scan functionalities. These are configured through the virus scan profiles.

File extension blacklist:

You may use this function to block files with certain extensions before even scanning them for malware.

Configuration Steps:

1. Open the virus scan profile for your application (or the one it references) and open the Step Configuration Parameters of the Step linked to your virus scan group.
2. Add BLOCKEXTENSIONS as a new entry.
3. Specify the extensions you want to block as a semicolon-separated list.
   Example: .exe;.com;.dll

Picture 15: File extension blacklist

File extension whitelist

Configuring a whitelist for extensions is more restrictive than specifying a blacklist. With whitelists, only files with extensions on the list will be submitted to scanning. All other files will be blocked.

Configuration Steps:

1. Open the virus scan profile for your application (or the one it references) and open the Step Configuration Parameters of the Step linked to your virus scan group.
2. Add SCANEXTENSIONS as a new entry.
3. Specify the extensions you want to permit to be scanned as a semicolon-separated list.
   Example: .doc;.pdf;.odt

Picture 16: File extension whitelist

MIME-type blacklist

You may use this function to block files with certain MIME-types before even scanning them for malware.

Configuration Steps:

1. Open the virus scan profile for your application (or the one it references) and open the Step Configuration Parameters of the Step linked to your virus scan group.
2. Add BLOCKMIMETYPES as a new entry.
3. Specify the MIME-types you want to block as a semicolon-separated list. The * wildcard is allowed.
   Example: application/pdf; */x-jar

Picture 17: MIME-type blacklist

MIME-type whitelist

Configuring a whitelist for MIME-types is more restrictive than specifying a blacklist. With whitelists, only files with MIME-types on the list will be submitted to scanning. All other files will be blocked.

Configuration Steps:

1. Open the virus scan profile for your application (or the one it references) and open the Step Configuration Parameters of the Step linked to your virus scan group.
2. Add SCANMIMETYPES as a new entry.
3. Specify the MIME-types you want to permit to be scanned as a semicolon-separated list.
   Example: image/*; application/msword; */pdf

Picture 18: MIME-type whitelist

Content validation

Attackers may try to circumvent security by assigning files a file extension that does not match their actual content. AntiVirusBridge can analyze the content of any file and match it to legitimate extensions for that content type. Violations are blocked.

Configuration Steps:

1. Open the virus scan profile for your application (or the one it references) and open the Profile Configuration Parameters of the Step linked to your virus scan group.
2. Add CUST_CHECK_MIMETYPE as a new entry.
3. Set the value to 1.

Picture 19: Content validation
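To see how the extension lists, the MIME-type lists and content validation combine, the following Python model evaluates a policy against sample objects in the order of the content filter flow (extension filters, MIME-type filters, content validation). It is an added example, not BowBridge code. The signature table, the sample byte strings, the verdict and reason strings, the glob-style reading of the * wildcard and the rule that unrecognized content is not validated are assumptions of the model. The SAPCAR handler and the active content filter are left out.

```python
import os
from fnmatch import fnmatchcase

# Constructed signature table: (leading bytes, MIME type, extensions accepted for that content).
SIGNATURES = [
    (b"%PDF-", "application/pdf", {".pdf"}),
    (b"\x89PNG\r\n\x1a\n", "image/png", {".png"}),
    (b"\xff\xd8\xff", "image/jpeg", {".jpg", ".jpeg"}),
    (b"MZ", "application/x-msdownload", {".exe", ".dll", ".com"}),
    (b"PK\x03\x04", "application/zip", {".zip", ".jar", ".docx", ".odt"}),
]


def parse_list(value):
    """Split a semicolon-separated parameter value, tolerating spaces after ';'."""
    return [item.strip().lower() for item in value.split(";") if item.strip()]


def sniff(data):
    """Derive the MIME type from the content itself, never from the file name."""
    for magic, mime, extensions in SIGNATURES:
        if data.startswith(magic):
            return mime, extensions
    return "application/octet-stream", set()  # unrecognized content


def matches(mime, patterns):
    """'*' wildcard match such as 'image/*' or '*/pdf' (glob semantics assumed)."""
    return any(fnmatchcase(mime, pattern) for pattern in patterns)


def evaluate(filename, data, params):
    """Return (verdict, reason); 'SCAN' means the object reaches the virus scan."""
    ext = os.path.splitext(filename)[1].lower()
    block_ext = parse_list(params.get("BLOCKEXTENSIONS", ""))
    scan_ext = parse_list(params.get("SCANEXTENSIONS", ""))
    block_mime = parse_list(params.get("BLOCKMIMETYPES", ""))
    scan_mime = parse_list(params.get("SCANMIMETYPES", ""))

    # 1. File extension filters: these only ever see the name the sender chose.
    if ext in block_ext:
        return "BLOCK", "extension-blacklist"
    if scan_ext and ext not in scan_ext:
        return "BLOCK", "extension-whitelist"

    # 2. Content-based MIME-type filters.
    mime, legitimate_ext = sniff(data)
    if matches(mime, block_mime):
        return "BLOCK", "mime-blacklist"
    if scan_mime and not matches(mime, scan_mime):
        return "BLOCK", "mime-whitelist"

    # 3. Content validation: the extension must be legitimate for the sniffed content.
    if (params.get("CUST_CHECK_MIMETYPE") == "1"
            and legitimate_ext and ext not in legitimate_ext):
        return "BLOCK", "content-validation"
    return "SCAN", "passed-filters"


# Constructed sample objects.
PDF = b"%PDF-1.7\n%constructed sample\n"
EXE = b"MZ\x90\x00constructed sample"

EXT_ONLY = {"BLOCKEXTENSIONS": ".exe;.com;.dll"}
HARDENED = {"SCANEXTENSIONS": ".doc;.pdf;.odt",
            "BLOCKMIMETYPES": "*/x-jar",
            "CUST_CHECK_MIMETYPE": "1"}
MIME_WHITELIST = {"SCANMIMETYPES": "image/*; application/msword; */pdf"}

if __name__ == "__main__":
    for policy_name, policy in [("EXT_ONLY", EXT_ONLY), ("HARDENED", HARDENED),
                                ("MIME_WHITELIST", MIME_WHITELIST)]:
        for name, data in [("tool.exe", EXE), ("invoice.pdf", EXE), ("report.pdf", PDF)]:
            print(policy_name, name, evaluate(name, data, policy))
```

An executable renamed to invoice.pdf passes the extension blacklist and reaches the virus scan. With CUST_CHECK_MIMETYPE set to 1 or a MIME-type whitelist in place it is blocked before scanning.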

Blocking active content

Attackers may try to upload files with active elements into your application in order to compromise clients accessing these documents or in order to stage a Cross-Site Scripting (XSS) attack. AntiVirusBridge can detect and block files containing active content. It is equipped with filters detecting:

- JavaScript
- Scripts and Macros in Office documents
- JavaScript and ActiveAction in PDF
- Silverlight
- Flash
- Java archives embedded in image files and Office documents

Configuration Steps:

1. Open the virus scan profile for your application (or the one it references) and open the Profile Configuration Parameters of the Step linked to your virus scan group.
2. Add CUST_ACTIVE_CONTENT as a new entry.
3. Set the value to 1.

Picture 20: Blocking active content

Logging content scan activity

You may use the parameter SCAN_LOGPATH to specify the name of a file into which AntiVirusBridge logs scan activity in a simple, human-readable format.

ABAP Transaction Overview for Virus Scan Functions:

VSCAN
    Notes: Configuration of the Virus Scan Provider
VSCANGROUP
    Notes: Configuration of the Virus Scan Groups
VSCANPROFILE
    Notes: Configuration of the Virus Scan Profiles
VSCANTEST
    Notes: Test for the Virus Scan Interface

Implementing Virus Protection in the Java Environment

The Virus Scan Provider is the service of the J2EE Engine that makes the tc/sec/vsi/interface interface available to the SAP applications of the Engine.

The implementation involves three steps:

1. Defining a Scanner Group
2. Defining a Virus Scan Provider
3. Defining and activating a Virus Scan Profile.

Depending on the release of your NetWeaver Application Server, the configuration steps below need to be performed in the J2EE Visual Administrator or, on the latest systems, as equivalent steps in the NetWeaver Administrator Web interface.

Defining a Scanner Group

Picture 21: Defining a virus scanner group in J2EE Visual Administrator

Configuration Steps:

1. In the Visual Administrator, open the Server node and choose the cluster Virus Scan Provider.
2. On the Groups tab page, create a scanner group by choosing the New button and specify the name of the new group in the dialog box, and confirm your entry with OK.
3. Providing a description is optional and needs to be confirmed by clicking SET.

Defining a Virus Scan Provider (Adapter)

Picture 22: Defining a virus scan provider in J2EE Visual Administrator

Configuration Steps:

1. In the Visual Administrator, choose the cluster Virus Scan Provider.
2. On the Provider tab page, create a Virus Scan Provider either under the Virus Scan Adapter node or the Virus Scan Server node by choosing the New button.

   NOTE: Although configuration as Virus Scan Server and Virus Scan Adapter are both supported, BowBridge and SAP strongly recommend using the Adapter mode. In Adapter mode, the VSA loads directly into the SAP kernel, providing increased stability and significantly better performance.

   Specify the following data on the Settings tab page:

   Default
       Entry: Indicator that this Virus Scan Provider is the default provider. You can set this indicator for a maximum of one Virus Scan Provider. This Virus Scan Provider is used if an application requests a virus scanner without specifying a Virus Scan Provider.

   Name
       Entry: Name of the Virus Scan Adapter. The name entered is automatically saved with the prefix VSA_.

   Description
       Entry: Description of the current adapter.

   Group
       Entry: The input help provides a list of the available groups to which you can assign the current adapter.

   Init. Interval (hours)
       Entry: Specifies the number of hours after which AntiVirus Bridge is to be regularly reinitialized. You need to reinitialize AntiVirus Bridge so that it loads the latest configuration.

   Max. Instances

   Adapter Path
       Entry: Complete path to the storage location of the adapter, as specified in the documentation of the partner product. If you leave this field empty, the environment variable VSA_LIB is set.

3. To save your entries on the Settings tab page, choose Set.
4. To activate a trace output for this Virus Scan Provider, set the desired indicator on the Trace tab page.
5. On the Parameters tab page, set the parameters required for the product that you are using.
   a) Use the input help to specify the parameter in the Parameter name field.
   b) Use the input help to specify the parameter type in the Parameter type field.
   c) Enter the value of the parameter in the Parameter value field.
   d) To save your entries, choose Set.

AntiVirusBridge supports the following parameters:

INITDIRECTORY (mandatory: YES)
    Specifies the base directory of your Bowbridge installation.

INITENGINES (mandatory: No)
    Specifies the virus scan method to use. Possible values:
    - SOPHOS
    - MCAFEE
    - ICAP (requires INITSERVERS to be set)

INITSERVERS (mandatory: for ICAP only)
    Specifies the ICAP service URL(s). Consult section Configuring ICAP Backends for details.

INITTEMP_PATH (mandatory: No)
    Specifies the temp directory to be used by the Virus Scan adapter, e.g. to decompress SAPCAR archives for scanning.

INITTIMEOUT (mandatory: No)
    Specifies the maximum time (in seconds) for a virus scan engine to start.

6. To activate the Virus Scan Provider, select it and choose Activate.

Defining Virus Scan Profiles

Application programs use virus scan profiles to check data for viruses. A virus scan profile contains a list of scanner groups that check a document. You can also use a virus scan profile to assign configuration parameters for the virus scanner. If you check for viruses with this virus scan profile, the virus scanner receives the parameters.

A virus scan profile specifies steps that are to be run during a scan. A step is either a virus scanner, which is found using the scanner group, or a reference to another virus scan profile, which is then performed as part of the enclosing virus scan profile.

A virus scan is performed under the name of a virus scan profile. The system administrator can use the profile to activate or deactivate the virus scan for each component. By default, a virus scan profile is provided for each SAP application that integrates virus scan functionality.

Picture 23: Defining a virus scan profile in J2EE Visual Administrator

Configuration Steps:

1. In the Visual Administrator, choose the cluster Virus Scan Provider.
2. On the Profiles tab page, create a virus scan profile by choosing the New button.

3. You have the following options on the Settings tab page:
   a) Use a reference profile: Since a virus scan profile can use another virus scan profile as a reference profile, it is possible to operate multiple applications using the same virus scan profile.
   b) To create a link to an existing reference profile, proceed as follows:
      i. Set the Use reference indicator.
      ii. Use the input help to select a reference profile.
   c) Define a new profile
      i. To do this, specify the following data:

         Field / Comment

         - Name: Name of the new profile
         - Description: Description of the new profile
         - Use Reference: This indicator must not be set, since the other input fields would otherwise be hidden
         - Linkage: Linkage of the steps of this profile:
           All steps successful: AND linkage, with which every step must be successful for the overall result to be successful.
           At least one Step successful: OR linkage, with which only one step needs to be successful for the overall result to be successful.
         - Group: Use the input help to select a group
         - Profile: Use the input help to select a profile

      ii. To transfer the selection for the Group and Profile fields, choose Add.
      iii. Configure the list with the keys MOVE UP, MOVE DOWN, and DELETE. When checking for viruses, the list is processed from top to bottom with the linkage from the Linkage field.
4. To save the profile, choose Set: The new profile appears in the tree display.
5. To activate the profile, select it and choose Activate.

At this stage, you have configured basic virus scanning for your Java SAP applications.

Advanced Content Scanning - J2EE

In addition to virus scanning, AntiVirusBridge offers several advanced content scan functionalities. These are configured through the virus scan profiles.

File extension blacklist

You may use this function to block files with certain extensions before even scanning them for malware.

Configuration Steps:

1. Open the virus scan profile for your application (or the one it references) and open the Parameters tab.
2. Add BLOCKEXTENSIONS as a new entry of Parameter type CHAR.
3. Specify the extensions you want to block as a semicolon-separated list.
   Example: .exe;.com;.dll
4. Click SET to save your entries.

Picture 24: File extension blacklist

File extension whitelist

Configuring a whitelist for extensions is more restrictive than specifying a blacklist. With whitelists, only files with extensions on the list will be submitted to scanning. All other files will be blocked.

Configuration Steps:

1. Open the virus scan profile for your application (or the one it references) and open the Parameters tab.
2. Add SCANEXTENSIONS as a new entry.
3. Specify the extensions you want to permit to be scanned as a semicolon-separated list.
   Example: .doc;.pdf;.odt
4. Click SET to save your entries.

Picture 25: File extension whitelist

MIME-type blacklist

You may use this function to block files with certain MIME types before even scanning them for malware.

Configuration Steps:

1. Open the virus scan profile for your application (or the one it references) and open the Parameters tab.
2. Add BLOCKMIMETYPES as a new entry.
3. Specify the MIME types you want to block as a semicolon-separated list. The * wildcard is allowed.
   Example: application/pdf; */x-jar
4. Click SET to save your entries.

Picture 26: MIME-type blacklist

MIME-type whitelist

Configuring a whitelist for MIME types is more restrictive than specifying a blacklist. With whitelists, only files with MIME types on the list will be submitted to scanning. All other files will be blocked.

Configuration Steps:

1. Open the virus scan profile for your application (or the one it references) and open the Parameters tab.
2. Add SCANMIMETYPES as a new entry.
3. Specify the MIME types you want to permit to be scanned as a semicolon-separated list.
   Example: image/*; application/msword; */pdf
4. Click SET to save your entries.

Picture 27: MIME-type whitelist
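The following added example (not part of the product or its manual) models how the four list parameters described above combine, so a planned configuration can be previewed against test file names before it is set in a profile. It assumes case-insensitive matching, that only the last extension counts, that blacklists are evaluated before whitelists, and that an empty list means "not configured"; the product's actual matching rules may differ.

```python
import os
from fnmatch import fnmatchcase

def split_list(value):
    """Split a semicolon-separated parameter value, ignoring blanks and case."""
    return [item.strip().lower() for item in value.split(";") if item.strip()]

def decide(filename, mime_type, params):
    """Return 'block' or 'scan' for one upload (assumed model of the list logic)."""
    ext = os.path.splitext(filename)[1].lower()   # last extension only
    mime = mime_type.strip().lower()
    block_ext = split_list(params.get("BLOCKEXTENSIONS", ""))
    scan_ext = split_list(params.get("SCANEXTENSIONS", ""))
    block_mime = split_list(params.get("BLOCKMIMETYPES", ""))
    scan_mime = split_list(params.get("SCANMIMETYPES", ""))
    # Blacklists: anything listed is rejected before scanning.
    if ext in block_ext or any(fnmatchcase(mime, p) for p in block_mime):
        return "block"
    # Whitelists: once configured, anything NOT listed is rejected.
    if scan_ext and ext not in scan_ext:
        return "block"
    if scan_mime and not any(fnmatchcase(mime, p) for p in scan_mime):
        return "block"
    return "scan"

# The example values from the manual; the file names below are constructed.
EXT_BLACKLIST = {"BLOCKEXTENSIONS": ".exe;.com;.dll"}
EXT_WHITELIST = {"SCANEXTENSIONS": ".doc;.pdf;.odt"}

if __name__ == "__main__":
    for name in ("setup.EXE", "payload.scr", "invoice.pdf", "README"):
        print(name,
              decide(name, "application/octet-stream", EXT_BLACKLIST),
              decide(name, "application/octet-stream", EXT_WHITELIST))
```

The unlisted extension passes the blacklist and reaches the scanner, while the whitelist rejects it along with the file that has no extension at all, which is the practical meaning of "more restrictive".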

Content validation

Attackers may try to circumvent security by assigning files a file extension that does not match their actual content. AntiVirusBridge can analyze the content of any file and match it to legitimate extensions for that content type. Violations are blocked.

Configuration Steps:

1. Open the virus scan profile for your application (or the one it references) and open the Parameters tab.
2. Add CUST_CHECK_MIMETYPE as a new entry.
3. Set the value to 1.
4. Click SET to save your entries.

Picture 28: Content validation

Blocking active content

Attackers may try to upload files with active elements into your application in order to compromise clients accessing these documents or in order to stage a Cross-Site Scripting (XSS) attack. AntiVirusBridge can detect and block files containing active content. It is equipped with filters detecting:

- JavaScript
- Scripts and Macros in Office documents
- JavaScript and ActiveAction in PDF
- Silverlight
- Flash
- Java archives embedded in image files and Office documents

Configuration Steps:

1. Open the virus scan profile for your application (or the one it references) and open the Parameters tab.
2. Add CUST_ACTIVE_CONTENT as a new entry.
3. Set the value to 1.

Picture 29: Blocking active content

Configuring virus scanning via ICAP

AntiVirus Bridge can leverage existing ICAP-capable virus scan engines. Despite offering less scan throughput, the use of ICAP can be an interesting option if:

- scanning with an engine from a specific vendor, other than McAfee or SOPHOS, is desired
- separation of SAP management and security management is desired. ICAP-based virus scanning is provided as a service by your security department
- you do not wish to run a virus scan engine on your NetWeaver application server

To use ICAP for virus scanning, you need to specify ICAP as the INITENGINES parameter:

- on ABAP: in the Virus Scan Group configuration
- on J2EE: in the Virus Scan Provider parameters tab

AntiVirusBridge supports up to two ICAP servers. When two ICAP servers are provided, concurrent connections are automatically shared among the two ICAP servers. Also, if one of the ICAP servers fails, the remaining one will be used for scanning.

To set up ICAP servers, you need to configure the INITSERVERS parameter to contain the ICAP URL(s) and timeout values in the following format:

Scanning with one ICAP server:

icap://[hostname or IP]:[port optional]/icap-service-path ; connect-timeout ; operation timeout

Example: icap://192.168.10.123:1345/avscan;2000;20000

Note: the port option (i.e. :1345) is only required if your ICAP service runs on a port other than the default port TCP/1344.

Scanning with two ICAP servers:

icap://[server 1 hostname or IP]:[port optional]/icap-service-path ; connect-timeout ; operation timeout ; icap://[server 2 hostname or IP]:[port optional]/icap-service-path ; connect-timeout ; operation timeout

Example: icap://192.168.10.123:1345/avscan;2000;20000;icap://192.16.10.124/avscan;3000;25000

Common ICAP server URLs

Product / ICAP URL

- BowBridge Software AV Scanning Virtual Appliance: icap://<ip-address or host name>/avscan
- Kaspersky Labs AntiVirus for Proxy: icap://<ip-address or host name>/av/respmod
- McAfee Secure Web/Internet Gateway (legacy): icap://<ip-address or host name>/respmod
- McAfee Web Gateway 7 (WebWasher): icap://<ip-address or host name>/wwrespmod
- Symantec Scan Engine 5.x: icap://<ip-address or host name>/avscanresp
- Trend Micro InterScan Web Security: icap://<ip-address or host name>/antivirus
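A malformed INITSERVERS value is easy to produce because URLs and timeouts share the same semicolon separator. The following added example (not part of the product) validates a value against the format described above before it is entered; the function name and the check that two entries must differ are assumptions of this sketch, not documented product behaviour.

```python
from urllib.parse import urlsplit

DEFAULT_ICAP_PORT = 1344  # default port named in the manual

def parse_initservers(value):
    """Validate an INITSERVERS string; return a list of one or two server dicts."""
    fields = [f.strip() for f in value.split(";")]
    # One server is 3 fields, two servers are 6; anything else is malformed.
    if len(fields) not in (3, 6):
        raise ValueError("expected URL;connect-timeout;operation-timeout "
                         "for one or two servers")
    servers = []
    for i in range(0, len(fields), 3):
        url, connect, operation = fields[i:i + 3]
        parts = urlsplit(url)
        if parts.scheme != "icap" or not parts.hostname:
            raise ValueError(f"not an icap:// URL: {url!r}")
        if parts.path in ("", "/"):
            raise ValueError(f"missing ICAP service path: {url!r}")
        if not (connect.isdecimal() and operation.isdecimal()):
            raise ValueError(f"timeouts must be whole numbers: {url!r}")
        servers.append({
            "host": parts.hostname,
            "port": parts.port or DEFAULT_ICAP_PORT,
            "service": parts.path,
            "connect_timeout": int(connect),
            "operation_timeout": int(operation),
        })
    # Added check (assumption): two identical entries give no failover.
    if len(servers) == 2 and all(
            servers[0][k] == servers[1][k] for k in ("host", "port")):
        raise ValueError("both entries point at the same server")
    return servers

if __name__ == "__main__":
    # The two-server example value from the manual.
    example = ("icap://192.168.10.123:1345/avscan;2000;20000;"
               "icap://192.16.10.124/avscan;3000;25000")
    for server in parse_initservers(example):
        print(server)
```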

Preloading configuration parameters with configuration files

Situations exist in which certain configurations need to be provided to AntiVirusBridge without them having to be configured at the SAP customization level. For this purpose, AntiVirusBridge will check for the presence of a host-global configuration file and a SID-specific configuration file. Further, some functionality, such as trace-file output, alternate update sources and an alternate path to a SAPCAR executable, can be set via config files only.

Host-global configuration file

The host-global configuration file is to be created and stored as: /etc/bowbridge/bbvsa30.cfg

SID-specific configuration file

The SID-specific configuration file is to be created and stored as: /usr/sap/[sid]/bowbridge/bbvsa30.cfg

AntiVirusBridge evaluates parameters in the following order:

1. host-global configuration file
2. SID-specific configuration file
3. parameters passed from the SAP application server

Configuration file format

The host-global and SID-specific configuration files follow the same simple format. It is structured in sections:

- INIT
- SCAN
- TRACE
- UPDATE
- MISC

where section names need to be in brackets (i.e. [INIT]). Values for the supported parameters are provided without quotation marks after an equal sign (i.e. INITENGINES=SOPHOS;2). Name-value pairs or entire sections may be commented out with a preceding #.

Supported configuration file parameters

Section [INIT]

Parameter / Description

- INITDIRECTORY: Base directory of the BowBridge installation
- INITENGINES: Scan engine and number of engines to use.
- INITSERVERS: ICAP server(s) to use in ICAP mode
- INITTEMP_PATH: Temp Path, used to unpack SAPCAR archives
- INITTIMEOUT: Non-standard timeout value for engine initialization
- SAPCARPATH: Non-standard path to the external SAPCAR executable

Section [SCAN]

Parameter / Description

- SCANBESTEFFORT: Scan files with optimal engine settings (default setting)
- SCANALLFILES: Scan all files (default value)
- BLOCKMIMETYPES: MIME type blacklist (see Advanced content scanning)
- SCANMIMETYPES: MIME type whitelist
- BLOCKEXTENSIONS: File extension blacklist
- SCANEXTENSIONS: File extension whitelist
- BLOCKACTIVECONTENT: Block active content
- SCANEXTRACT: Extract archives for scanning and repack SAPCAR archives
- SCANEXTRACT_DEPTH: Maximum extraction depth for nested SAPCAR archives
- SCANLOGPATH: Path and filename of the scan activity log
- CHECKMIMETYPE: Verify MIME-Extension integrity

Section [TRACE]

Parameter / Description

- TRACELEVEL: Verbosity level of the trace output: Values 0-7
- TRACEFILE: Path to the trace files

When active, trace will generate up to four distinct trace files:

- provided_filename: output of the virus scan adapter
- provided_filename_ctl: output of the control process
- provided_filename_sea: output of the scan engine adapter
- provided_filename_upd: output of the update process (not for ICAP)

Section [UPDATE]

Parameter / Description

- SERVER: IP-address or hostname of the local update server or NOUPDATE
- PROXY: Proxy server configuration to use for updates. The setting overrides the http_proxy and https_proxy environment variables. The format is: <username>:<password>@<proxy-ip or hostname>:<proxy-port> where username and password are optional

Section [MISC]

Parameter / Description

- LEGACY_MODE: Causes the VSA not to advertise all functionality to older SAP kernels
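The following added example (not the product's own parser) reads a file in the bbvsa30.cfg format described above and reports entries that do not match the documented sections and parameters. The sample file, its path and host names are constructed, and the PROXY password warning is an extra hygiene check added here, since that value sits in a plain-text file.

```python
# Sections and parameters from the manual's list of supported parameters.
KNOWN = {
    "INIT": {"INITDIRECTORY", "INITENGINES", "INITSERVERS", "INITTEMP_PATH",
             "INITTIMEOUT", "SAPCARPATH"},
    "SCAN": {"SCANBESTEFFORT", "SCANALLFILES", "BLOCKMIMETYPES",
             "SCANMIMETYPES", "BLOCKEXTENSIONS", "SCANEXTENSIONS",
             "BLOCKACTIVECONTENT", "SCANEXTRACT", "SCANEXTRACT_DEPTH",
             "SCANLOGPATH", "CHECKMIMETYPE"},
    "TRACE": {"TRACELEVEL", "TRACEFILE"}, "UPDATE": {"SERVER", "PROXY"},
    "MISC": {"LEGACY_MODE"},
}

def lint_cfg(text):
    """Parse bbvsa30.cfg-style text; return ({section: {name: value}}, [problems])."""
    config, problems, section = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or commented out
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            config.setdefault(section, {})
            if section not in KNOWN:
                problems.append(f"line {lineno}: unknown section [{section}]")
            continue
        name, sep, value = (part.strip() for part in line.partition("="))
        if not sep or section is None:
            problems.append(f"line {lineno}: expected NAME=VALUE inside a section")
            continue
        if name not in KNOWN.get(section, {name}):  # unknown section: already reported
            problems.append(f"line {lineno}: {name} is not a documented [{section}] parameter")
        if value.startswith(('"', "'")):
            problems.append(f"line {lineno}: {name} value is quoted")
        if name == "PROXY" and ":" in value.rpartition("@")[0]:
            problems.append(f"line {lineno}: PROXY embeds a password; restrict read access")
        config[section][name] = value
    return config, problems

# Constructed sample file, not taken from a real installation.
SAMPLE = """\
[INIT]
INITDIRECTORY=/opt/bowbridge
INITENGINES=SOPHOS;2
# INITTIMEOUT=60
[SCAN]
BLOCKEXTENSIONS=".exe;.com;.dll"
CUST_ACTIVE_CONTENT=1
[UPDATE]
PROXY=scanupdate:example-password@proxy.example.internal:3128
"""
```

Running `lint_cfg(SAMPLE)` flags the quoted value, the profile-level name CUST_ACTIVE_CONTENT used where the file format lists BLOCKACTIVECONTENT, and the embedded proxy password.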
