1. SAP customer environments are secured through the SAP Virus Scan Interface (VSI), the security component of the SAP NetWeaver platform. The VSI is used to secure all forms of content including documents, embedded images, and active content such as JavaScript and scripts in PDF and Microsoft Office documents. Scanner works seamlessly with SAP NetWeaver technology and the SAP HANA platform.
2. Scanner performs scans of the content uploaded to the SAP NetWeaver technology platform to determine its true type and reports this to SAP systems via the NetWeaver VSI interface. Content scanning protects against possible malicious script content that might be embedded or disguised inside documents.
3. SAP administrators can then set policy according to which actual document types should be allowed.

Workload Security and SAP components

• Workload Security: The centralized web-based management console that administrators use to configure security policy and deploy protection to the agent.
• Agent: A security agent deployed directly on a computer. The nature of that protection depends on the rules and security settings that each agent receives from Workload Security.
• SAP NetWeaver: SAP integrated technology computing platform. The SAP NetWeaver Virus Scan Interface (NW-VSI) provides virus scanning capabilities for third-party products that perform the actual scan. The NW-VSI interface must be activated.
• SAP NetWeaver ABAP WinGUI: A Windows management console used for SAP NetWeaver. In this document, it is used for the configuration of the agent and the SAP NetWeaver Virus Scan Interface.

Enable integration between Workload Security Scanner and SAP NetWeaver

1. Purchase Scanner for your Workload Security account. When the order is complete, you are able to see Scanner in your Workload Security console. To check whether or not Scanner is enabled, open the Computer or Policy editor and go to Settings. You should see a Scanner tab.
2. Check Supported features by platform to see which operating systems support Scanner.
3. Install the agent on an SAP application server running one of the supported operating systems. See Install the agent‌.
4. Add the SAP server to Workload Security and activate the agent on the SAP server. See Add the SAP server to Workload Security and activate the agent.
5. Enable the SAP integration feature in a computer or policy. See Assign a security profile‌.
6. Configure the SAP Virus Scan Interface (VSI) by calling the following transactions. See Configure SAP to use the agent.
   • VSCANGROUP
   • VSCAN
   • VSCANPROFILE
   • VSCANTEST

Install Deep Security Agent

1. Go to the Deep Security software download page and download the agent package for your OS.
2. Install the agent on the target system. You can use rpm or zypper, depending on the OS. In this example, rpm is used by typing: rpm -ihv Agent-Core-SuSE_<version>.x86_64.rpm
3. You should see output similar to what's shown in this example, which indicates that the agent installation is complete:
   

Add SAP server to Workload Security and activate Deep Security Agent

• -a is the command to activate the agent, and
• dsm://managerurl:443/ is the parameter that points the agent to Workload Security. managerurl is the URL of Workload Security, and 443 is the default agent-to-manager communication port.

1. In the Workload Security console, go to the Computers tab.
2. Click the computer name and then click Details and check that the computer's status is Managed.

Assign a security profile

1. In the Computer or Policy editor, go to Anti-Malware → General.
2. In the Anti-Malware section, set Configuration to On (or Inherited On), and then click Save.
   
3. In the Real-Time Scan, Manual Scan, or Scheduled Scan section, set the Malware Scan Configuration and Schedule, or allow those settings to be inherited from the parent policy.
4. Click Save. The status of the anti-malware module changes to Off, installation pending. This means that the agent is retrieving the required module from Workload Security. For this to work, the client needs to access the relay on the relay's listening port number. A few moments later, the agent should start downloading security updates such as anti-malware patterns and scan engines.
5. In the Computer editor, go to Settings → Scanner.
6. In the SAP section, set Configuration to On (or Inherited On), and then click Save.

Configure SAP to use Deep Security Agent

1. Configure the Trend Micro scanner group or Configure the Trend Micro scanner group in a Java Environment
2. Configure the Trend Micro virus scan provider or Configure the Trend Micro virus scan provider in a Java Environment
3. Configure the Trend Micro virus scan profile or Configure the Trend Micro virus scan profile in a Java Environment
4. Test the virus scan interface or Test the virus scan interface in a Java Environment

Configure the Trend Micro scanner group

1. In the SAP WinGUI, run the VSCANGROUP transaction. In edit mode, click New Entries.
   
2. Create a new scanner group, specifying a group name in the Scanner Group field and a description of the scanner group in the Group Text field.
   
3. Click the Save icon or leave the edit mode.
   A Prompt for Workbench request dialog appears. In the following example, a new workbench request is created to keep track of all the VSI-related changes:
   

Configure the Trend Micro virus scan provider

1. In the SAP WinGUI, run the VSCAN transaction. In edit mode, click New Entries.
   
2. Enter a configuration for a VSI-certified solution.
   In this example, the following configuration parameters are set:
   

   Setting	Value	Description
   Provider Type	ADAPTER (Virus Scan Adapter)	Automatically set (default)
   Provider Name	VSA_<host name>	Automatically set, serves as alias
   Scanner Group	Select the group that you configured earlier	All previously created scanner groups, which you can display using the input help
   Status	Active (Application Server)	Automatically set (default)
   Server	nplhost_NPL_42	Automatically set, hostname
   Reinit. Interv.	8 Hours	Specifies the number of hours after which the Virus Scan Adapter will be reinitialized and load new virus definitions.
   Adapter Path (Linux)	/lib64/libsapvsa.so	Default path
   Adapter Path (Windows)	C:\Program Files\Trend Micro\Deep Security Agent\lib\dsvsa.dll	Default path

3. Click the Save icon or leave the edit mode.
   A prompt to pack this into a workbench request appears.
4. Confirm the request, then click Start.
   The Status light turns green, which means the adapter is loaded and active.
   

Configure the Trend Micro virus scan profile

1. In the SAP WinGUI, run the VSCANPROFILE transaction, then select the SAP operation that requires virus scan.
   For example, select Active for /SCET/GUI_UPLOAD or /SCET/GUI_DOWNLOAD, and then click the Save icon.
   
2. In edit mode, click New Entries.
   The virus scan profiles define how specific transactions (file uploads, file downloads, and so on) are handled corresponding to the virus scan interface. To use the previously configured virus scan adapter in the application server, you need to create a new virus scan profile.
3. In Scan Profile, enter Z_TMProfile and select Active, Default Profile, and Evaluate Profile Configuration Param.
   
4. While still in edit mode, double-click the Steps folder to configure the steps:
   
5. Click New Entries.
   The steps define what to do when the profile is called by a transaction.
6. Set the Position to 0, Type to Group and the Scanner Group to the name of the group that you configured earlier.
7. Click the Save icon or leave the edit mode.
   A notification eventually appears about an existing virus scan profile, /SCET/DP_VS_ENABLED.
8. Ignore the notification about an existing profile because the profile is not active and is not used.
   After confirming this notification, you are asked to pack this configuration in a customization request. Creating a new request helps keep track of the changes that have been made:
   
9. To create configuration parameters for a step, double-click the Profile Configuration Parameters folder, then click New Entries and set the parameters:

   Parameter	Type	Description
   CUST_ACTIVE_CONTENT	BOOL	Check if a file contains script (JavaScript, PHP, or ASP script) and block.
   CUST_CHECK_MIME_TYPE	BOOL	Checks if the file extension name matches its MIME type. If they do not match, the file is blocked.All MIME types and extension names must be exactly matched. For example: Microsoft Word files must be `.doc` or `.dot`; JPEG image files must be `.jpg`. However, text and binary files can have any extensions, as long as these are not the extensions for other known files; that is, it can be `.txt` or `.bin`, but not `.doc` or `.jpg` See Supported MIME types.

10. Double-click the Step Configuration Parameters folder, then click New Entries and set the parameters:

    Parameter	Type	Description	Default (Linux)	Default (Windows)
    SCANBESTEFFORT	BOOL	The scan should be performed on the best effort basis; that is, all security critical flags that allow a VSA to scan an object should be activated, such as SCANALLFILES and SCANEXTRACT, but also internal flags. Details about exactly which flags these are can be stored in the certification.	(not set)	(not set)
    SCANALLFILES	BOOL	Scans for all files regardless of their file extension.	disabled	disabled
    SCANEXTENSIONS	CHAR	List of the file extensions for which the VSA should scan. Only files with the configured extensions are checked. Other extensions are blocked. Wildcards can also be used here to search for patterns. \* stands for this location and following and ? stands for only this character. For example, exe;com;do?;ht* => \`\*\` means to scan all files.	null	""
    SCANLIMIT	INT	This setting applies to compressed files. It specifies the maximum number of files to be unpacked and scanned.	INT_MAX	65535
    SCANEXTRACT	BOOL	Archives or compressed objects are to be unpacked	enabled	enabled
    SCANEXTRACT_SIZE	SIZE_T	Maximum unpack size	0x7FFFFFFF	62914560 (60 MB)
    SCANEXTRACT_DEPTH	INT	Maximum depth to which an object is to be unpacked.	20	20
    SCANLOGPATH	CHAR	Custom log path for VSA. Must be an absolute path to either a regular file or to a location where a regular file can be created. Cannot be an executable file path. Only limited log messages are written. For example, the detected malware. Supported in Deep Security Agent 20 LTS update 2024-05-02.	(not set)	(not set)
    SCANMIMETYPES	CHAR	List of the MIME types to be scanned for. Only files with configured MIME types will be checked. Other MIME types are blocked. This parameter works only if CUST_CHECK_MIME_TYPE is enabled.	(not set)	(not set)
    BLOCKMIMETYPES	CHAR	List of MIME types that will be blocked. This parameter works only if CUST_CHECK_MIME_TYPE is enabled.	(not set)	(not set)
    BLOCKEXTENSIONS	CHAR	List of file extensions that to be blocked.	(not set)	(not set)

Test the virus scan interface

1. In the SAP WinGUI, run the VSCANTEST transaction.
   
   Every VSI-aware SAP application server also has a built-in test to check whether the configuration steps were done correctly. For this, an EICAR test virus (www.eicar.org) is packed in a transaction that can call a specific scanner.
2. Not filling in anything calls the default profile, which was configured in the last step, so do not fill in anything.
3. Click Execute.
   A notification appears that explains what an EICAR test virus is.
4. Confirm the notification.
   The transaction is intercepted:
   

1. The transaction called the default virus scan profile, which is the virus scan profile Z_TMPROFILE.
2. The virus scan profile Z_TMPROFILE is configured to call an adapter from the virus scan group Z_TMGROUP.
3. The virus scan group Z_TMGROUP has multiple adapters configured and calls one of them (in this case, VSA_NPLHOST).
4. The virus scan adapter returns value 2-, which means a virus was found.
5. Information about the detected malware is displayed by showing Eicar_test_1 and the file object /tmp/ zUeEbZZ_TMPROFILE.
6. The called default virus scan profile Z_TMPROFILE fails because step 00 (the virus scan group) was not successful and therefore the file transaction is stopped from further processing.

Configure the Trend Micro scanner group in a Java environment

1. Log in to SAP NetWeaver Administrator.
2. Select the Configuration tab, and then select Virus Scan Provider.
   
3. In change mode, in the Groups tab, click Add.
4. In the Group Name field, enter the name of the group, and then click Continue. This adds a new row to the Virus Scan Groups list.
   
5. In the Settings tab, enter the description of the group in the Group Description field that is part of the Virus Scan Group Details.
6. Select Default Scan Group to use this group as the default group.

Configure the Trend Micro virus scan provider in a Java environment

1. In change mode, in the Adapters tab, click Add to create the Virus Scan Provider as a virus scan adapter.
2. Use the Adapter Name field to add the rest of the name after the predefined prefix, and then click Continue. The name must start with VSA and an underscore appended to it . This adds a new row in the Virus Scan Adapters group.
   
3. Provide the path to the VSA shared library, which is /lib64/libsapvsa.so on UNIX and C:\Program Files\Trend Micro\Deep Security Agent\lib\dsvsa.dll on Windows.
4. Make a selection from the Scan Group list.
5. Select Default Scan Provider.
6. Save your settings and activate the Virus Scan Provider.
   

Configure the Trend Micro virus scan profile in a Java environment

1. On the Profiles tab, click Add to create a virus scan profile in change mode.
2. In the Profile Name field, enter the rest of the name after the predefined prefix, and then click Continue. This adds a new row in a Virus Scan Profiles group.
3. Under Virus Scan Profile Details, select the Settings tab, and then select the profile to be edited as a reference profile by setting the Default Scan Profile indicator:
   • To use the default profile, select Default Profile from the the Reference Profile list.
   • To use a reference profile, from the Reference Profile list, select an existing reference profile to which to link the new profile. This is possible due to the fact that since a virus scan profile can use another virus scan profile as a reference profile, multiple applications can be operated through the same virus scan profile.
4. To define the new profile, click Add and complete the following fields:

   Field	Description
   Profile Name	The name of the new profile.
   Profile Description	Description of the new profile.
   Reference Profile	If selected, other fields would be hidden.
   Step Linkage	Linkage of the steps of this profile:- All steps successful: AND linkage, with which every step must be successful for the overall result to be successful.- At least one step successful: OR linkage, with which only one step needs to be successful for the overall result to be successful.
   Profile Steps	Steps in this profile.

5. Specify the profile steps in the Profile Steps group, as follows:
   • Click Add.
   • Make a selection from the Step Type list as either a group or another profile to use.
   • Specify the value for the group or profile.
   • Use Move Up, Move Down, and Remove to configure the Profile Steps list.
   
6. To activate the profile, save your entries, then select the profile in the Virus Scan Profiles group, and then click Activate.

1. Select the Parameters tab of the relevant profile in edit mode.
2. Click Add to create a new entry.
3. Save the entries.

Test the virus scan interface in a Java environment

1. Start the test application under the /vscantest path .
2. Specify the object to check, using either the provided test data or your own local file.
3. Select the virus scan profile, scanner group, or the virus scan provider to test.
4. Select one of the following options:
   • Check only - The specified anti-virus product scans the data for viruses and displays the result.
   • Check and clean - In addition to scanning and displaying the result, the specified anti-virus product attempts to clean the data if a virus infection is diagnosed.
5. Click Execute the action to start the test.

Supported MIME types

• Agent version 9.6 uses VSAPI 9.85
• Agent version 10.0 uses ATSE 9.861
• Agent version 10.1 uses ATSE 9.862
• Agent version 10.2, 10.3, 11.0, 11.1, and 11.2 uses ATSE 10.000
• Agent version 11.3 and later uses ATSE 11.0.000