Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
documentation.suse.com / Guide / Protecting against malware with ClamSAP
Applies to SUSE Linux Enterprise Server for SAP Applications 15 SP4

11 Protecting against malware with ClamSAP

  

ClamSAP integrates the ClamAV anti-malware toolkit into SAP NetWeaver and SAP Mobile Platform applications. ClamSAP is a shared library that links between ClamAV and the SAP NetWeaver Virus Scan Interface (NW-VSI). The version of ClamSAP shipped with SUSE Linux Enterprise Server for SAP Applications 15 SP4 supports NW-VSI version 2.0.

Important
Important: Avoid false positive reports for large files exceeding maximum file size

By default, ClamAV does not scan files exceeding various limits like file sizes, nesting level, or scan time. Such files are reported as "OK". The current default settings for the ClamAV virus scan engine in the clamscan commandline tool and the clamd scan daemon are set in a way that:

  • Files and archives are scanned, but only up to the configured or default limits for size, nesting level, scan time, etc.

  • The scan engine reports these files as being "OK".

  • This could potentially allow attackers to bypass the virus scanning.

Alerts can be enabled to set the --alert-exceeds-max=yes option on the clamscan commandline or via AlertExceedsMax TRUE in clamd.conf for daemon based scans. Settings these options will cause a "FOUND" report of status type Heuristics.Limits.Exceeded. You need to handle such files differently in front-ends or processing of reports.

Before enabling the alert, ensure that front-ends will not suddenly quarantine or remove those files.

11.1 Installing ClamSAP

  

  1. On the application host, install the packages for ClamAV and ClamSAP. To do so, use the command: 

    > sudo zypper install clamav clamsap

  2. Before you can enable the daemon clamd, initialize the malware database: 

    > sudo freshclam

  3. Start the service clamd: 

    > sudo systemctl start clamd

  4. Check the status of the service clamd with: 

    > systemctl status clamd
● clamd.service - ClamAV Antivirus Daemon
Loaded: loaded (/usr/lib/systemd/system/clamd.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2017-04-11 10:33:03 UTC; 24h ago
[...]

11.2 Creating a virus scanner group in SAP NetWeaver

  

  1. Log in to the SAP NetWeaver installation through the GUI. Do not log in as a DDIC or SAP* user, because the virus scanner needs to be configured cross-client.

  2. Create a Virus Scanner Group using the transaction VSCANGROUP.

    Edit View Scanner Group with editable table

  3. To switch from view mode to change mode, click the button Change View (Change View).

    Confirm the message This table is cross-client by clicking the check mark. The table is now editable.

  4. Select the first empty row. In the text box Scanner Group, specify CLAMSAPVSI. Under Group Text, specify CLAMSAP.

    Make sure that Business Add-in is not checked.

    Edit View Scanner Group with editable table

  5. To save the form, click the button Save (Save).

11.3 Setting up the ClamSAP library in SAP NetWeaver

  

  1. In the SAP NetWeaver GUI, call the transaction VSCAN.

  2. To switch from view mode to change mode, click the button Change View (Change View).

    Confirm the message This table is cross-client by clicking the check mark. The table is now editable.

  3. Click New entries.

  4. Fill in the form accordingly:

    • Provider Type: Adapter (Virus Scan Adapter)

    • Provider Name: VSA_HOSTNAME (for example: VSA_SAPSERVER)

    • Scanner Group: The name of the scanner group that you set up in Section 11.2, “Creating a virus scanner group in SAP NetWeaver” (for example: CLAMSAPVSI)

    • Server: HOSTNAME_SID_INSTANCE_NUMBER (for example: SAPSERVER_P04_00)

    • Adapter Path: libclamdsap.so

    Form New Entries: Details of Added Entries

  5. To save the form, click the button Save.

11.4 Configuring the default location of virus definitions

  

By default, ClamAV expects the virus definitions to be located in /var/lib/clamsap. To change this default location, proceed as follows:

  1. Log in to the SAP NetWeaver installation through the GUI. Do not log in as a DDIC or SAP* user, because the virus scanner needs to be configured cross-client.

  2. Select the CLAMSAPVSI group.

  3. In the left navigation pane, click Configuration Parameters.

  4. To switch from view mode to change mode, click the button Change View (Change View).

    Confirm the message This table is cross-client by clicking the check mark. The table is now editable.

    Figure 11.1:
      

  5. Click New Entries and select INITDRIVERDIRECTORY.

    Figure 11.2:
      

  6. Enter the path to a different virus scanner location.

  7. To save the form, click the button Save (Save).

11.5 Engaging ClamSAP

  

To run ClamSAP, go to the transaction VSCAN. Then click Start.

Change view “virus scan provider definition”
Figure 11.3: Change view virus scan provider definition
  

Afterward, a summary will be displayed, including details of the ClamSAP and ClamAV (shown in Figure 11.4, “Summary of ClamSAP data”).

Summary of ClamSAP data
Figure 11.4: Summary of ClamSAP data
  

11.6 For more information

  

For more information, also see the project home page https://sourceforge.net/projects/clamsap/.