SAP Virus Scan Interface

Description

Any kind of external data, such as office documents, images, or binaries, is considered insecure unless it has been scanned for malicious and/or suspicious code. Virus scanning should be performed every time potentially polluted data is imported into the SAP system through an input channel. Possible input channels are:

  • File upload from front-end PCs or from the file system on the application server
  • File upload using the Internet
  • Document exchange with RFC, XML, XI

Since SAP-managed databases are central distribution points, it is very dangerous to store malformed or otherwise dangerous data in them as this data might spread very quickly across the network. Applications that are transferring files to or from SAP-managed databases must ensure that the data is not vulnerable to any known threats.

What Do I Get from the SAP NetWeaver Platform?

SAP has developed an interface especially for this purpose. It is intended to provide virus scanning services for the application developers as transparently as possible. The interface is known as the SAP NetWeaver Virus Scan Interface (NW-VSI) and is available for both AS ABAP and AS Java.

You can use the virus scan interface to include external virus scanners in the SAP system to increase the security of your system. A third-party product (external anti-virus solution) is required to perform the actual virus scan. The certifiable interface called "NW-VSI" (SAP NetWeaver Virus Scan Interface) needs to be activated.

This means that you can use a high-performance integration solution to scan files or documents that are processed by applications for viruses. This applies both for applications delivered by SAP and for customer developments, for example, during data transfers across networks or when documents are exchanged using interfaces.

The architecture of the Virus Scan Interface allows you to combine different products, systems, and platforms to scan your applications for viruses. This is possible since SAP provides a certified interface for the virus scan products of other vendors. The partners' virus scan engines can, for example, have completely different architectures. However, by integrating an adapter using a proprietary connection, any partner can connect any existing virus scan product to the virus scan interface.

On the SAP side, different VSILIB layers are used to include the ABAP and Java worlds, and to deal with platform dependencies (of operating systems and processors, that is, 32 or 64 bit) in the integration of the virus scan interface.

Elements of the Virus Scan Interface

The graphic below clarifies the layer structure of the SAP Virus Scan Interface (SAP VSI API) and shows which parts are delivered by SAP, and which by the relevant partners.

Figure: Software Layers of the Virus Scan Interface

The SAP Virus Scan Interface (SAP VSI API):

  • Is accessed by partner products directly with the scan engine or indirectly using a separate virus scan adapter.
  • Contains the functions required to configure and to initialize the scan engine.
  • Provides the parameters and data for every virus scan.
  • Processes the check result.

ABAP or Java application programs start virus scans with dedicated classes and methods of the SAP virus scan interface, which, in turn, call a virus scan server or the AS Java directly using RFC.

What Do I Need to Do?

a) Virus Scan Profiles

Different applications have different requirements for virus scanning. For example, an HR application dealing with external recruiting forms wants high security scanning whereas performance is not a critical aspect. On the other hand, a CRM application dealing with mostly internal documents wants less scanning effort and better performance. Virus scan profiles are used to allow for application-specific configuration of virus scanning.

Application programs use virus scan profiles to check data for viruses. In a profile, you can define which scanner group or groups are to be used to check a document. You can also use a virus scan profile to assign configuration parameters for the virus scanner. If you check for viruses with this virus scan profile, the virus scanner receives the parameters.

Virus scan profiles can point to other profiles (reference mechanism). SAP delivers profiles for its applications, all pointing to the "default profile". By creating one single virus scan profile and flagging it as the "default profile", customers can use this profile for all SAP applications without separate configuration.

The system administrator can use the profile to activate or deactivate the virus scan for each component. By default, a virus scan profile is provided for each SAP application that integrates a virus scan. For more information, see Defining Virus Scan Profiles.

You should define your own virus scan profile if your application uploads external documents (such as DOC, XLS, PDF, and so on) into the SAP system and stores them for further processing or delivery. Examples of applications of this type are document upload in the Knowledge Warehouse or the eRecruiting application in HR, which uploads application forms.

You should not define your own virus scan profile if your application uploads data that is parsed by your own application, for example, an application that parses an XML file itself for configuration purposes.

b) Configuring and Testing the Virus Scan Provider

The virus scan provider is the service of the AS Java that makes the virus scanning interface available to the SAP applications of the Engine. You can use either a virus scan adapter or a virus scan server as a virus scan provider. The virus scan server is an alternative if you cannot use the better-performing virus scan adapter.

The configuration of the virus scan provider service is stored in the Configuration Manager of the AS Java. You can use the Visual Administrator for graphical administration.

For detailed information, see Setting Up Virus Scan Providers.

In order to check that your configured virus scan provider is functioning correctly, use the procedure described in Testing the Installation of the Virus Scan Provider. See also section "d) Testing Your Application" below.

c) Developing VSI-Aware Applications

The AS Java service "Virus Scan Provider" (tc/sec/vsi/service) provides the interface "Virus Scan Interface". The Java interface "Virus Scan Interface" (tc/sec/vsi/interface) provides the scan API for applications within the AS Java. Virus scanning is performed using an instance object previously obtained from the virus scan provider service. An application can scan either a byte array or a file on disk. The scan result is reported through an exception handling mechanism.

For a detailed description of the API, see Interfaces and Classes of the Virus Scan Provider API. For more information, see also the JavaDocs for the relevant interfaces and classes. You can find the JavaDocs at www.sdn.sap.com/irj/sdn/javadocs.
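The scan-before-store flow described above, as an added example that is not SAP's code and not part of the original page. ScanProvider, ScanInstance, both exception classes, the profile name Z_EXAMPLE_UPLOAD and the fake engine are hypothetical stand-ins; the real types and signatures are those in the Virus Scan Provider API documentation.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class ScanBeforeStore {
    // Hypothetical stand-ins for the provider API types; not SAP's classes or signatures.
    static class InfectionFoundException extends Exception { InfectionFoundException(String m) { super(m); } }
    static class ScanFailedException extends Exception { ScanFailedException(String m) { super(m); } }
    interface ScanInstance {
        void scanBytes(String name, byte[] data) throws InfectionFoundException, ScanFailedException;
    }
    interface ScanProvider {
        ScanInstance getInstance(String profile) throws ScanFailedException;
    }

    static final List<String> STORED = new ArrayList<>();  // stands in for the document store

    // Persist the upload only if the scan ran to completion without raising anything.
    static String handleUpload(ScanProvider provider, String profile, String name, byte[] data) {
        try {
            ScanInstance instance = provider.getInstance(profile);
            instance.scanBytes(name, data);   // stand-in contract: returning normally means clean
            STORED.add(name);
            return "STORED";
        } catch (InfectionFoundException e) {
            return "REJECTED_INFECTED: " + e.getMessage();    // payload is never persisted
        } catch (ScanFailedException e) {
            return "REJECTED_SCAN_ERROR: " + e.getMessage();  // fail closed: unscanned is not clean
        }
    }

    public static void main(String[] args) {
        // Constructed fake engine: flags a made-up marker, reports an error on empty input.
        ScanInstance engine = (name, data) -> {
            if (data.length == 0) throw new ScanFailedException("no result for " + name);
            if (new String(data, StandardCharsets.ISO_8859_1).contains("CONSTRUCTED-TEST-MARKER"))
                throw new InfectionFoundException("marker in " + name);
        };
        ScanProvider provider = profile -> {
            if (!"Z_EXAMPLE_UPLOAD".equals(profile)) throw new ScanFailedException("unknown profile " + profile);
            return engine;
        };
        String p = "Z_EXAMPLE_UPLOAD";  // constructed profile name
        byte[] clean = "plain text".getBytes(StandardCharsets.ISO_8859_1);
        byte[] marked = "xxCONSTRUCTED-TEST-MARKERxx".getBytes(StandardCharsets.ISO_8859_1);
        System.out.println(handleUpload(provider, p, "cv.pdf", clean));
        System.out.println(handleUpload(provider, p, "form.doc", marked));
        System.out.println(handleUpload(provider, p, "empty.xls", new byte[0]));
        System.out.println(handleUpload(provider, "Z_TYPO", "cv2.pdf", clean));
        System.out.println("stored: " + STORED);
    }
}
```

Only cv.pdf reaches the store; an engine error or an unresolvable profile rejects the upload in the same way as a detection.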

In order to integrate virus scanning into your own application you need to set a reference in your configuration file to tc/sec/vsi/interface (see below). You must not reference the AS Java service directly.

The interfaces are delivered within the SAP NetWeaver Studio. Alternatively, you can use the JAR file "tc_sec_vsi_interface.jar" in your engine folder (see below).

d) Testing Your Application

A test application is delivered within each AS Java. Use the URL path http://<hostname>:<port>/vscantest . You can start the test application that belongs to the 'Virus Scan Provider'. This contains two servlets: one for the overview of the configured objects and a servlet for testing the scan API, which operates in the same way as the test application using the (ABAP) Transaction 'VSCANTEST'.

Example Code

Further Information

  • SAP Note 848189: Virus Scan Provider service in the J2EE engine
  • SAP Note 786179: Data security products: Application in the antivirus area
  • SAP NetWeaver Virus Scan Interface (NW-VSI) Specification
    www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/icc/NW-VSI%20Interface%20Documentation.pdf
    This document is available on the SAP Developer Network at www.sdn.sap.com/irj/sdn/services under SAP Integration and Certification Center (ICC) → Integration Scenarios (alphabetical) → NW-VSI.
  • Are you uploading documents into SAP? And what about checking them for viruses? (SDN Weblog)
    weblogs.sdn.sap.com/pub/wlg/2742