Integrate with SAP NetWeaver
The Scanner feature enables you to protect your SAP deployments using Deep Security, helping to secure critical information from attack, including a wide variety of threats such as malware, cross-site scripting and SQL injection. Deep Security scans content uploaded to the SAP NetWeaver technology platform to determine its true type and reports this to SAP systems via the NetWeaver-VSI interface. Content scanning protects against possible malicious script content that might be embedded or disguised inside documents. SAP administrators can then set policy according to which document types should be allowed.
How it works
- The Deep Security Scanner feature scans the content uploaded to the SAP NetWeaver technology platform to determine its true type and reports this to SAP systems via the NetWeaver VSI interface. Content scanning protects against possible malicious script content that might be embedded or disguised inside documents.
- SAP administrators can then set policy according to which actual document types should be allowed.
Deep Security and SAP components
Deep Security Manager connects with the Deep Security Agent located on the SAP NetWeaver server. The agent connects with libsapvsa or dsvsa.dll, which are the virus adapters provided by Trend Micro for scanning purposes.
The components involved in this solution are:
- Deep Security Manager: The centralized web-based management console that administrators use to configure security policy and deploy protection to the Deep Security Agent.
- Deep Security Agent: A security agent deployed directly on a computer. The nature of that protection depends on the rules and security settings that each Deep Security Agent receives from the Deep Security Manager.
- SAP NetWeaver: SAP integrated technology computing platform. The SAP NetWeaver Virus Scan Interface (NW-VSI) provides virus scanning capabilities for third-party products that perform the actual scan. The NW-VSI interface must be activated.
- SAP NetWeaver ABAP WinGUI: A Windows management console used for SAP NetWeaver. In this document, it is used for the configuration of the Deep Security Agent and the SAP NetWeaver Virus Scan Interface.
Set up the integration between Deep Security Scanner and SAP NetWeaver
- Activate the Deep Security Scanner feature.
- Check the Supported features by platform page to see which operating systems support the Scanner feature.
- Install the Deep Security Agent on an SAP application server that's running one of the supported operating systems. See Install the agent .
- Add the SAP server to Deep Security and activate the agent on the SAP server. See Add the SAP Server to Deep Security Manager and activate the agent.
- Enable the SAP integration feature in a computer or policy. See Assign a security profile.
- Configure the SAP Virus Scan Interface (VSI) by calling the following transactions. See Configure SAP to use the agent:
Depending on your operating system and environment, the output that you see may differ slightly from what is shown in this article.
- In the Deep Security Manager, go to Administration > Licenses.
- Select Enter New Activation Code.
- In the Deep Security Scanner area (under Additional Features), enter your Deep Security Scanner activation code, then select Next and follow the prompts.
The Settings > Scanner tab will now be available in the Computer or Policy editorYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details)., where you can enable the SAP feature for individual computers or policies.
The Deep Security Agent is installed with core agent functionality only. After the agent is installed on SUSE Linux Enterprise Server or Red Hat Enterprise Linux, you can enable protection modules on the agent. At that point, the plug-ins required for the protection modules will be downloaded and installed.
- Go to the Trend Micro Download Center (http://downloadcenter.trendmicro.com) and download the Deep Security Agent package for your OS.
- Install the agent on the target system. You can use rpm or zypper, depending on the OS. In this example, rpm is used by typing:
rpm -ihv Agent-Core-SuSE_<version>.x86_64.rpm
- You should see output similar to what's shown in this example, which indicates that the agent installation is complete:
You can also deploy the agent using a deployment script generated from the Deep Security Manager.
- To add the SAP server, open the Deep Security Manager console and on the Computers tab, select New. There are several ways to add the server, including synchronization with Microsoft Active Directory, VMware vCenter, Amazon Web Services, or Microsoft Azure. You can also add the computer using an FQDN or IP address. For detailed instructions, see About adding computers.
- The status of your instance will be either Unmanaged (Activation Required) or Unmanged (Unknown). Next, you will need to activate the agent before the manager can assign rules and policies to protect the computer. The activation process includes the exchange of unique fingerprints between the agent and the manager. This ensure that only one Deep Security Manager can communicate with the agent. There are two ways to activate the agent: agent-initiated or manager-initiated.
- Manager-initiated activation: The manager-initiated method requires that the Deep Security Manager can connect to the FQDN or the IP of the agent via the agent's listening port number for heartbeats. This can sometimes be difficult due to NAT port forwarding, firewall, or AWS security groups. To perform manager-initiated activation, go to the Computers tab in the Deep Security Manager console, right-click the instance where the agent is installed and select Actions > Activate. If you use manager-initiated activation, we strongly recommend you also Protect Deep Security Agent from unauthorized Deep Security Managers.
- Agent-initiated activation: The agent-initiated method requires that the Deep Security Agent can connect to the configured Deep Security Manager address via the manager's listening port number for heartbeats.
You can find the Deep Security Manager address (FQDN or IP) in the Deep Security Manager console, under Administration > Manager Nodes.
You will also need to enable agent-initiated activation from the Deep Security Manager console, by selecting Administration > System Settings > Agents and then selecting Allow Agent-Initiated Activation.
Next, use a locally-run command-line tool on the Deep Security Agent to initiate the activation process. The minimum activation instruction contains the activation command and the manager's URL (including the port number):
dsa_control -a dsm://[managerurl]:[port]/
- -a is the command to activate the agent , and
- dsm://managerurl:4120/ is the parameter that points the agent to the Deep Security Manager. ("managerurl" is the URL of the Deep Security Manager, and "4120" is the default agent-to-manager communication port.)
The manager URL is the only required parameter for the activation command. Additional parameters are also available. (For a list of available parameters, see Command-line basics.)
In the following example, we use the agent-initiated activation by typing:
/opt/ds_agent/dsa_control -a dsm://cetl-dsm.ceur-testlab.trendmicro.de:4120/
This output indicates that the agent activation is complete.
- To confirm the activation, in the Deep Security Manager console, go to the Computers tab. Select the computer name and then select Details and check that the computer's status is "Managed".
At this point, the status of the agent is Managed (Online) but there is no protection module installed. This means that the agent and the manager are communicating but the agent is not using any configuration.
There are several ways to apply protection. In this example, the configuration is done directly on the SAP instance by activating SAP, activating Anti-Malware to provide the agent with the latest pattern and scan engine, and assigning the default Scan Configurations.
- In the Computer editorTo open the Computer editor, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details)., go to Anti-Malware > General.
- In the Anti-Malware section, set Configuration to On (or Inherited On) and then select Save.
- In the Real-Time Scan, Manual Scan, or Scheduled Scan sections, set the Malware Scan Configuration and Schedule, or allow those settings to be inherited from the parent policy.
- Select Save. The status of the Anti-Malware module changes to Off, installation pending. This means that the agent is retrieving the required module from the Deep Security Manager. For this to work, the client needs to access the Deep Security Relay on the relay's listening port number. A few moments later, the agent should start downloading security updates such as Anti-Malware patterns and scan engines.
- In the Computer editor, go to Settings > Scanner.
- In the SAP section, set Configuration to On (or Inherited On) and then select Save.
After status of the agent changes to Managed (Online) again and the Anti-Malware and Scanner (SAP) modules are On, you can proceed with the SAP configuration.
The Deep Security Agent is now up and running and is able to scan the file system of its operating system. Next, we need to make the agent aware of the SAP application server. To use this, we must create a virus scan adapter inside the application server. The virus scan adapter must be part of a group. After the virus scan adapter and virus scan group are created, we can use virus scan profiles to configure what to scan and how to behave.
These are the required steps:
- Configure the Trend Micro scanner group
- Configure the Trend Micro virus scan provider
- Configure the Trend Micro virus scan profile
- Test the virus scan interface
The virus scan group and the virus scan adapter are both global configurations (client 00). The virus scan profile must be configured in each tenant (client 01, 02, etc.).
- In the SAP WinGUI, run the VSCANGROUP transaction.
- In Edit mode, select New Entries. Create a new scanner group, specifying a group name in the Scanner Group area and a description of the scanner group in the Group Text area.
- Selecting Save or leaving the edit mode will prompt you to commit a "workbench request". In this example, a new workbench request is created to keep track of all the VSI-related changes:
The next step is the actual configuration of the VSI integration. It is called a Virus Scan Adapter.
- In the SAP WinGUI, run the VSCAN transaction.
- In Edit mode, select New Entries. Creating a new entry displays a prompt in which the configuration of the VSI- certified solution takes place. In this example, the following configuration parameters are set:
Setting Value Description Provider Type ADAPTER (Virus Scan Adapter) Automatically set (default) Provider Name VSA_<host name> Automatically set, serves as alias Scanner Group Select the group that you configured earlier All previously created scanner groups, which you can display using the input help Status Active (Application Server) Automatically set (default) Server nplhost_NPL_42 Automatically set, hostname Reinit. Interv. 8 Hours Specifies the number of hours after which the Virus Scan Adapter will be reinitialized and load new virus definitions. Adapter Path (Linux) /lib64/libsapvsa.so Default path Adapter Path (Windows) C:\Program Files\Trend Micro\Deep Security Agent\lib\dsvsa.dll Default path
- When you select Save or leave the edit mode, there is another prompt to pack this into a workbench request. After confirming, select the Start button. The Status light will turn green, which means the adapter is loaded and active:
At this point, the VSI configuration is nearly finished. The application server is now ready to process file transactions using a virus scan provided by Trend Micro Deep Security.
- In the SAP WinGUI, run the VSCANPROFILE transaction, then select the SAP operation that requires virus scan. For example, check the "Active" checkbox for /SCET/GUI_UPLOAD or /SCET/GUI_DOWNLOAD and then select Save.
- In Edit mode, select New Entries. The virus scan profiles will define how specific transactions (file uploads, file downloads, etc.) are handled corresponding to the virus scan interface. To have the previously configured virus scan adapter used in the application server, a new virus scan profile needs to be created:
- In the Scan Profile box, enter "Z_TMProfile" and select the Active, Default Profile, and Evaluate Profile Configuration Param check boxes.
- While still in edit mode, double-click Steps to configure the steps:
- Select New Entries.
- The steps define what to do when the profile is called by a transaction. Set the Position to "0", Type to "Group" and the Scanner Group to the name of the group that you configured earlier.
- After selecting Save or leaving the edit mode, you will eventually receive a notification about an existing virus scan profile, /SCET/DP_VS_ENABLED. you can ignore this notification because the profile is not active and is not used. After confirming this notification, you will be asked to pack this configuration in a "customization request". Creating a new request will help keep track of the changes that have been made:
- To create configuration parameters for a step, double-click the Profile Configuration Parameters node. Select New Entries and set the parameters:
- Word files must be .doc or .dot
- JPEG files must be .jpg
- Text and binary files could be any extension (won’t block)
See Supported MIME types.
- Double-click the Step Configuration Parameters node. Select New Entries and set the parameters:
Parameter Type Description Default (Linux) Default (Windows) SCANBESTEFFORT BOOL The scan should be performed on the "best effort" basis; that is, all (security critical) flags that allow a VSA to scan an object should be activated, such as SCANALLFILES and SCANEXTRACT, but also internal flags. Details about exactly which flags these are can be stored in the certification. (not set) (not set) SCANALLFILES BOOL Scans for all files regardless of their file extension. disabled disabled SCANEXTENSIONS CHAR List of the file extensions for which the VSA should scan. Only files with the configured extensions will be checked. Other extensions are blocked. Wildcards can also be used here to search for patterns. * stands for this location and following and ? stands for only this character. For example, exe;com;do?;ht* => \`\*\` means to scan all files. null "" SCANLIMIT INT This setting applies to compressed files. It specifies the maximum number of files that will be unpacked and scanned. INT_MAX 65535 SCANEXTRACT BOOL Archives or compressed objects are to be unpacked enabled enabled SCANEXTRACT_SIZE SIZE_T Maximum unpack size 0x7FFFFFFF 62914560 (60 MB) SCANEXTRACT_DEPTH INT Maximum depth to which an object is to be unpacked. 20 20 SCANMIMETYPES CHAR List of the MIME types to be scanned for. Only files with configured MIME types will be checked. Other MIME types are blocked. This parameter works only if CUST_CHECK_MIME_TYPE is enabled. (not set) (not set) BLOCKMIMETYPES CHAR List of MIME types that will be blocked. This parameter works only if CUST_CHECK_MIME_TYPE is enabled. (not set) (not set) BLOCKEXTENSIONS CHAR List of file extensions that will be blocked. (not set) (not set)
This configuration is per-client, so it must be done in each tenant of the SAP application server.
- In the SAP WinGUI, run the VSCANTEST transaction.
- Every VSI-aware SAP application server also has a built-in test to check whether the configuration steps were done correctly. For this, an EICAR test virus (www.eicar.org) is packed in a transaction that can call a specific scanner. Not filling in anything will call the default profile, which was configured in the last step.
- Clicking Execute prompts a notification that explains what an EICAR test virus is. After confirming this, you will see how the transaction is intercepted:
Infections shows information about the detected malware.
Content Information shows the correct MIME-type of the file.
The file name is always a randomly generated 7-letter alphabetic string followed by the virus scan profile name.
After this, there is an output about each step of the transaction:
- The transaction called the default virus scan profile, which is the virus scan profile Z_TMPROFILE.
- The virus scan profile Z_TMPROFILE is configured to call an adapter from the virus scan group Z_TMGROUP.
- The virus scan group Z_TMGROUP has multiple adapters configured and calls one of them (in this case, VSA_NPLHOST).
- The virus scan adapter returns value 2-, which means a virus was found.
- Information about the detected malware is displayed by showing Eicar_test_1 and the file object /tmp/ zUeEbZZ_TMPROFILE.
- The called default virus scan profile Z_TMPROFILE fails because step 00 (the virus scan group) was not successful and therefore the file transaction is stopped from further processing.
For a cross-check, there is also information about this "malware" event in the Deep Security Manager console. To see the event, open the Computer editorTo open the Computer editor, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). and select Anti-Malware > Events.
The MIME types supported by Deep Security Scanner vary depending on which version of the Deep Security Agent you are using.
- Deep Security Agent 9.6 uses VSAPI 9.85
- Deep Security Agent 10.0 uses ATSE 9.861
- Deep Security Agent 10.1 uses ATSE 9.862
- Deep Security Agent 10.2, 10.3, 11.0, 11.1, and 11.2 uses ATSE 10.000
- Deep Security Agent 11.3 and higher uses ATSE 11.0.000
|MIME Type||Description||Extension||Supported in 9.6 Agent
||Supported in 10.0 Agent
||Supported in 10.1 Agent or higher
|application/java-archive||Java Archive (JAR) file||jar||Yes||Yes||Yes|
|application/msword||Word for Windows||doc, dot||Yes||Yes||Yes|
|application/msword||MS Word||doc, dot||Yes||Yes||Yes|
|application/pdf||Adobe Portable Document Format file||Yes||Yes||Yes|
|application/vnd.ms-excel||Excel for Windows||xls, xlt, xla||Yes||Yes||Yes|
|application/vnd.ms-outlook||Outlook for Windows||msg||No||Yes||Yes|
|application/vnd.ms-powerpoint||Windows PowerPoint||ppt, pot, pps, ppa||Yes||Yes||Yes|
|application/vnd.openxmlformats-officedocument.presentationml.presentation||MS Office File||pptx, potx, ppsx, ppam, pptm, potm, ppsm||Yes||Yes||Yes|
|application/vnd.openxmlformats-officedocument.spreadsheetml.sheet||MS Office File||xlsx, xltx, xlsm, xltm, xlam, xlsb||Yes||Yes||Yes|
|application/vnd.openxmlformats-officedocument.wordprocessingml.document||MS Office File||docx, dotx, docm, dotm||Yes||Yes||Yes|
|application/wordperfect||WOrdPerfect||wp, wp5, wp6, wpd, w60, w61||Yes||Yes||Yes|
|application/x-director||Macromedia Director Shockwave Movie||dcr||Yes||Yes||Yes|
|application/xhtml+xml||XHTML||dhtm, dhtml, htm, html, htx, sht, shtm, shtml, stml, xht, xhtm, xhtml, xml, txt||Yes||Yes||Yes|
|application/zip||ZIP File||zip, zipx||Yes||Yes||Yes|
|audio/midi||MIDI||mid, midi, rmi, mdi, kar||Yes||Yes||Yes|
|audio/x-aiff||Audio InterChange File Format from Apple/SGI||aiff, aif, aifc||Yes||Yes||Yes|
|audio/x-voc||Creative Voice Format(VOC)||voc||Yes||Yes||Yes|
|image/jpeg||JPEG||jpg, jpeg, jpe, jif, jfif, jfi||Yes||Yes||Yes|
|image/png||Portable Network Graphics||png||Yes||Yes||Yes|
|image/vnd.ms-modi||Microsoft Document Imaging||mdi||Yes||Yes||Yes|
|text/html||HTML||dhtm, dhtml, htm, html, htx, sht, shtm, shtml, stml, xht, xhtm, xhtml, xml, txt||Yes||Yes||Yes|
|text/xml||XML||dhtm, dhtml, htm, html, htx, sht, shtm, shtml, stml, xht, xhtm, xhtml, xml, txt||Yes||Yes||Yes|
|video/quicktime||Quick Time Media||qt||Yes||Yes||Yes|
|video/x-flv||Macromedia Flash FLV Video||flv||Yes||Yes||Yes|
|video/x-ms-asf||Advanced Streaming Format||asf||Yes||Yes||Yes|
|video/x-scm||Lotus ScreenCam Movie||scm||Yes||Yes||Yes|