11 Protecting against malware with ClamSAP #
ClamSAP integrates the ClamAV anti-malware toolkit into SAP NetWeaver and SAP Mobile Platform applications. ClamSAP is a shared library that links between ClamAV and the SAP NetWeaver Virus Scan Interface (NW-VSI). The version of ClamSAP shipped with SUSE Linux Enterprise Server for SAP Applications 15 SP5 supports NW-VSI version 2.0.
By default, ClamAV does not scan files exceeding various limits like
file sizes, nesting level, or scan time. Such files are reported as "OK". The
current default settings for the ClamAV virus scan engine in the
clamscan
commandline tool and the clamd
scan daemon are set in a way that:
Files and archives are scanned, but only up to the configured or default limits for size, nesting level, scan time, etc.
The scan engine reports these files as being "OK".
This could potentially allow attackers to bypass the virus scanning.
Alerts can be enabled to set the
--alert-exceeds-max=yes
option on the
clamscan
commandline or via AlertExceedsMax
TRUE
in clamd.conf
for daemon based scans.
Settings these options will cause a "FOUND" report of status type
Heuristics.Limits.Exceeded
. You need to handle such
files differently in front-ends or processing of reports.
Before enabling the alert, ensure that front-ends will not suddenly quarantine or remove those files.
11.1 Installing ClamSAP #
On the application host, install the packages for ClamAV and ClamSAP. To do so, use the command:
>
sudo zypper install clamav clamsap
Before you can enable the daemon
clamd
, initialize the malware database:>
sudo freshclam
Start the service
clamd
:>
sudo systemctl start clamd
Check the status of the service
clamd
with:>
systemctl status clamd
● clamd.service - ClamAV Antivirus Daemon Loaded: loaded (/usr/lib/systemd/system/clamd.service; enabled; vendor preset: disabled) Active: active (running) since Tue 2017-04-11 10:33:03 UTC; 24h ago [...]
11.2 Creating a virus scanner group in SAP NetWeaver #
Log in to the SAP NetWeaver installation through the GUI. Do not log in as a
DDIC
orSAP*
user, because the virus scanner needs to be configured cross-client.Create a Virus Scanner Group using the transaction
.To switch from view mode to change mode, click the button ).
(Confirm the message
by clicking the check mark. The table is now editable.Select the first empty row. In the text box
, specifyCLAMSAPVSI
. Under , specifyCLAMSAP
.Make sure that
is not checked.- (
11.3 Setting up the ClamSAP library in SAP NetWeaver #
In the SAP NetWeaver GUI, call the transaction
.To switch from view mode to change mode, click the button ).
(Confirm the message
by clicking the check mark. The table is now editable.Click
.Fill in the form accordingly:
Adapter (Virus Scan Adapter)
VSA_HOSTNAME
(for example:VSA_SAPSERVER
)Scanner Group
: The name of the scanner group that you set up in Section 11.2, “Creating a virus scanner group in SAP NetWeaver” (for example:CLAMSAPVSI
)HOSTNAME_SID_INSTANCE_NUMBER
(for example:SAPSERVER_P04_00
)libclamdsap.so
11.4 Configuring the default location of virus definitions #
By default, ClamAV expects the virus definitions to be located in /var/lib/clamsap
.
To change this default location, proceed as follows:
Log in to the SAP NetWeaver installation through the GUI. Do not log in as a
DDIC
orSAP*
user, because the virus scanner needs to be configured cross-client.Select the
CLAMSAPVSI
group.In the left navigation pane, click
.To switch from view mode to change mode, click the button ).
(Confirm the message
by clicking the check mark. The table is now editable.Figure 11.1: #Click
and select INITDRIVERDIRECTORY.Figure 11.2: #Enter the path to a different virus scanner location.
- (
11.5 Engaging ClamSAP #
To run ClamSAP, go to the transaction Start.
. Then clickAfterward, a summary will be displayed, including details of the ClamSAP and ClamAV (shown in Figure 11.4, “Summary of ClamSAP data”).
11.6 For more information #
For more information, also see the project home page https://sourceforge.net/projects/clamsap/.