Achieving Virus Protection in Your ABAP and Java Programs with SAP NetWeaver

by Dr. Jürgen Schneider, SAP AG | SAPinsider, 2004 (Volume 5), July (Issue 3)

July 1, 2004

For software manufacturers, service providers, system administrators, and everyday users, computer viruses are one of the greatest threats to the security and availability of systems and applications. Put simply, a computer virus is proof that not every program is designed for a productive purpose: a single program can destroy data or render systems unavailable. The problem is amplified further if a program such as a worm or virus finds one of the many ways to run on a victim's computer and implements a mechanism to replicate and distribute itself to other computer systems via persistent media or over network connections.1

Infection very often happens via bootable media, such as diskettes and disk drives, or more recently via email, file downloads, or open network communication ports. In today's corporate environments, the prevalence of office and Web technologies — such as HTML, JavaScript, ActiveX, Java Applets, and document macros — increases the number of touch points through which viruses can infiltrate your systems and applications. Ordinary users are finding it increasingly difficult, if not impossible, to protect themselves from such attacks.

So what can we actually do against viruses? First of all, software must be designed for security. If a specification prescribes what a program should do, the program needs to achieve exactly this and no more (and the specification needs to include the security requirements!). Any additional functionality or generalization of the program's core functions is a major security risk — it is unexpected by users and is often not included in the quality assurance process.

Secondly, a program cannot be allowed to spread viruses into its environment. In other words, a program needs to check for the presence of viruses or other unanticipated "active content" in any data it accepts and imports into an environment where code can be executed. Typical locations for such virus checks are file and document uploads, as well as mail servers, message and discussion boards, and the like.2

Therefore, the new SAP NetWeaver technology platform contains an interface, the Virus Scan Interface (VSI), allowing you to attach virus scan engines from SAP technology partners. With VSI, you can use one or several products from partner vendors that specialize in identifying and eliminating viruses before they infect your systems.

After an overview of VSI and a thorough exploration of how administrators can configure and operate it through new SAP offerings, this article discusses how to use the Virus Scan Interface from both ABAP and Java programs.

The Virus Scan Interface in SAP NetWeaver

Scanning for viruses and destroying or quarantining them are very specialized activities. Dedicated product vendors have put many years of work into developing and optimizing their scan engines. Typically, virus scan engines use virus definition files, which contain patterns of all currently known viruses, to compare the digital input provided — byte by byte — against known virus patterns. The quality and efficiency of a virus scan product can be measured by considering:

  • The flexibility and intelligence of its pattern recognition algorithm, especially considering that many viruses have already learned to slightly alter their binary representation with each replication step

  • The performance (throughput) of their scan engines

  • The speed of the update mechanism for their virus definition files
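The byte-by-byte comparison against definition patterns described above, reduced to its essentials: the following is an added illustration, not code from SAP or from any partner scan engine. It assumes a constructed two-entry "definition file" (the public EICAR test string, and a made-up pattern in which the character ? stands for any byte). Real engines use far more sophisticated algorithms, but the wildcard shows in miniature how a scanner can tolerate small changes in a virus's binary form, the first of the three quality criteria listed above.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/* Toy signature scanner: byte-pattern matching with wildcard bytes (example code). */
public class ToySignatureScanner {

    /* A signature is a named byte pattern; a null entry matches any byte. */
    static final class Signature {
        final String name;
        final Byte[] pattern;
        Signature(String name, Byte[] pattern) {
            this.name = name;
            this.pattern = pattern;
        }
    }

    /* Builds a pattern from ASCII text; '?' becomes a wildcard (null) byte. */
    static Byte[] pattern(String text) {
        byte[] raw = text.getBytes(StandardCharsets.US_ASCII);
        Byte[] p = new Byte[raw.length];
        for (int i = 0; i < raw.length; i++) {
            p[i] = (raw[i] == '?') ? null : Byte.valueOf(raw[i]);
        }
        return p;
    }

    /* The public EICAR anti-virus test string (harmless by design). */
    static final String EICAR_TEXT =
        "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";

    /* Constructed "definition file": two signatures, one with a wildcard byte. */
    static final List<Signature> DEFINITIONS = Arrays.asList(
        new Signature("EICAR-Test-File", pattern(EICAR_TEXT)),
        new Signature("Demo-Variant", pattern("DEMO-?-PAYLOAD"))
    );

    /* True if the pattern matches the data at the given offset. */
    static boolean matchesAt(byte[] data, int offset, Byte[] pattern) {
        if (offset + pattern.length > data.length) {
            return false;
        }
        for (int i = 0; i < pattern.length; i++) {
            if (pattern[i] != null && pattern[i] != data[offset + i]) {
                return false;
            }
        }
        return true;
    }

    /* Slides every definition over the whole buffer; returns the names found. */
    static List<String> scan(byte[] data) {
        List<String> found = new ArrayList<>();
        for (Signature sig : DEFINITIONS) {
            for (int off = 0; off <= data.length - sig.pattern.length; off++) {
                if (matchesAt(data, off, sig.pattern)) {
                    found.add(sig.name);
                    break;   // one hit per signature is enough
                }
            }
        }
        return found;
    }

    public static void main(String[] args) {
        /* constructed sample inputs */
        byte[] clean = "quarterly report, nothing special".getBytes(StandardCharsets.US_ASCII);
        byte[] variant = "header DEMO-7-PAYLOAD trailer".getBytes(StandardCharsets.US_ASCII);
        byte[] eicar = ("prefix " + EICAR_TEXT).getBytes(StandardCharsets.US_ASCII);
        System.out.println("clean   -> " + scan(clean));
        System.out.println("variant -> " + scan(variant));
        System.out.println("eicar   -> " + scan(eicar));
    }
}
```

The nested loop makes the cost of a naive scanner obvious (every signature is tried at every offset), which is why throughput and definition update speed, the other two criteria above, are worth comparing between products rather than assumed.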

The objective of the new Virus Scan Interface (VSI) provided with SAP NetWeaver is to integrate, via an SAP-certified partner interface, third-party virus scanners with applications running on the SAP NetWeaver platform.3 The technical approach of VSI is similar to that of other security partner interfaces, such as secure network communications (SNC) or secure store and forward (SSF), which use digital signatures and encryption at the application level to protect valuable data. Figure 1 depicts an architectural overview of the Virus Scan Interface.

Figure 1
Software Architecture of the SAP Virus Scan Interface, Which Includes Partner and SAP Offerings

The SAP Virus Scan Interface is a C programming language interface (SAP VSI API). The SAP VSI Library loads certified partner products (virus scan adapters that call into partner scan engines) at this interface as a shared library. In its first version with SAP NetWeaver '04, the SAP VSI Library is included in an SAP Remote Function Call (RFC) Server program, the Virus Scan Server, and also in the runtime environment provided with the SAP J2EE Engine. Application programs written in ABAP or Java use dedicated classes and methods provided with the SAP NetWeaver platform (SAP Virus Scan API for ABAP/Java) to invoke individual scans via an RFC call to a Virus Scan Server or directly with the SAP J2EE Engine.

Figure 1 also identifies the solution parts provided by SAP and the parts provided by third-party vendors. SAP provides the ABAP and Java APIs (classes and methods), the Virus Scan Server program (which can be instantiated several times; see the following section), the SAP VSI Library, and the SAP VSI API.

Partner products either implement the SAP VSI API directly with their scan engines or provide a virus scan adapter (implementing the SAP VSI API), which connects to their scan engine. The SAP VSI API includes the necessary functions to set up and initialize a partner's scan engine, provide scan parameters and data for each individual scan process, and properly process the scan result.

Configuring and Operating Virus Scan Servers

As shown in Figure 1, virus scan adapters connecting third-party virus scan engines are loaded by an RFC server program called Virus Scan Server. This executable program is delivered by SAP with the SAP NetWeaver platform. When setting up, configuring, and operating Virus Scan Servers, we distinguish between two operating modes: Application-Server-Starter (single host platform) and Self-Starter (multiple host platforms).

Application-Server-Starter Mode
When using the Application-Server-Starter mode, the Virus Scan Server is running together with the application server on a single host, integrated with the SAP Web Application Server via CCMS (Computer Center Management System) for starting, monitoring, and stopping the Virus Scan Server on the application server (see Figure 2). A dedicated monitor collection — "Virus Scan Server" — is provided in the "SAP CCMS Monitors for Optional Components" section of SAP dialog transaction RZ20.

Figure 2
Virus Scan Server as Application-Server-Starter

Self-Starter Mode
When using the Self-Starter mode, the Virus Scan Server runs on a separate host and registers at a selected SAP gateway (see Figure 3) using the command line interface of the Virus Scan Server executable. This operating mode is useful when platform dependencies apply: if, for example, the partner virus scan product is only available for Microsoft Windows platforms but your SAP system is running on Unix, the Self-Starter operating mode is appropriate.

Figure 3
Virus Scan Server as Self-Starter

Setting Up and Defining Virus Scan Servers

To set up and define parameters for Virus Scan Servers, you can perform the necessary steps from the SAP Implementation Guide (transaction IMG).

1. Create a Scanner Group

First, create at least one "scanner group." This combines multiple Virus Scan Servers of the same type to allow load balancing. When performing virus scans, always specify the scanner group; the actual Virus Scan Server is automatically selected from this group. Virus Scan Servers are therefore always assigned to exactly one scanner group.

To create a scanner group, choose SAP Web Application Server -> System Administration -> Virus Scan Interface from the IMG, and then choose the Execute option next to Define Scanner Groups. You only need to specify a name for the scanner group and provide a textual explanation.

2. Define Virus Scan Servers

For performance reasons, it is recommended that you set up at least one Virus Scan Server on each application server. To place RFC calls from an ABAP or Java application program, an RFC destination must first be defined in the calling SAP system. The RFC destination requires activation type "Registered Server Program" and the SAP gateway address, where the Virus Scan Server will register. Then, back in the IMG, choose SAP Web Application Server -> System Administration -> Virus Scan Interface, and choose the Execute option next to Define Virus Scan Server.

To define a Virus Scan Server instance, the following data needs to be supplied:

  • Name of the scanner group the Virus Scan Server should belong to

  • Operating mode that defines if and how this Virus Scan Server will be started, monitored, and stopped from CCMS

  • Application server on which the Virus Scan Server should be run

  • Trace level

  • Re-initialization interval

  • Path to the Virus Scan Adapter library of the partner product that the Virus Scan Server should load

3. Starting the Virus Scan Server

Then, depending on the operating mode that was chosen, the Virus Scan Server is either started by CCMS with the specified configuration parameters (Application-Server-Starter) or it needs to be configured and started on a separate host using the command line interface of the Virus Scan Server executable (Self-Starter).4

Using transaction VSCAN from either the IMG or the SAP system, you can configure Virus Scan Servers and display information about, and the status of, all available Virus Scan Servers. Figure 4 shows an example of the display. To test the function of a particular Virus Scan Server, use transaction VSCANTEST. For problem analysis with a Virus Scan Server, transaction VSCANTRACE is provided.

Figure 4
Examples of SAP Transaction VSCAN for Status Checks of a Virus Scan Server

Using the Virus Scan Interface from ABAP Programs

ABAP application developers use the Virus Scan Interface through a single ABAP OO class (CL_VSI), which offers methods for configuration and virus scanning on a per-application basis. To perform a virus scan, an application first needs to define a Virus Scan Profile. A Virus Scan Profile specifies the steps that are executed during a virus scan. It contains a list of scanner groups and assigned configuration parameters for virus scans using this profile. Defined Virus Scan Profiles can be activated and deactivated separately.

For each SAP application that performs a virus scan, SAP delivers a default Virus Scan Profile. You'll find that the names of these default Virus Scan Profiles are constructed as: //.

If you want to create your own Virus Scan Profiles, use the IMG.

To perform a virus scan from an ABAP application program, you:

  1. Create a scanner instance using method get_instance of the ABAP OO class CL_VSI.

  2. Call method scan_bytes.

Figure 5 provides a coding example.

* Get scanner instance
DATA:
  lo_vsi    TYPE REF TO cl_vsi,
  profile   TYPE vscan_profile,   " name of an active Virus Scan Profile
  lf_data   TYPE xstring,         " the bytes to be scanned (e.g. an uploaded file)
  lf_scanrc TYPE vscan_scanrc.    " return code of the scan

CALL METHOD cl_vsi=>get_instance
  EXPORTING
    if_profile          = profile
  IMPORTING
    eo_instance         = lo_vsi
  EXCEPTIONS
    configuration_error = 1
    profile_not_active  = 2
    internal_error      = 3
    OTHERS              = 4.

CASE sy-subrc.
  WHEN 0.
    " scanner instance is available, continue with the scan
  WHEN 1.
    MESSAGE 'Virus Scan Interface: configuration error' TYPE 'E'.
  WHEN 2.
    MESSAGE 'Virus Scan Profile is not active' TYPE 'E'.
  WHEN OTHERS.
    MESSAGE 'Virus Scan Interface: internal error' TYPE 'E'.
ENDCASE.


* Perform virus scan (scan_bytes is an instance method, hence ->)
CALL METHOD lo_vsi->scan_bytes
  EXPORTING
    if_data             = lf_data
  IMPORTING
    ef_scanrc           = lf_scanrc
  EXCEPTIONS
    not_available       = 1
    configuration_error = 2
    internal_error      = 3
    OTHERS              = 4.

* All exceptions here are errors
IF sy-subrc <> 0.
  MESSAGE 'Virus scan could not be performed' TYPE 'E'.
ENDIF.

Figure 5
Performing a Virus Scan from an ABAP Program

Using the Virus Scan Interface from Java Programs

For Java application developers using the SAP Web Application Server, the Virus Scan Provider is realized as a service for the Java runtime environment. It is configured using the Visual Administrator, the administration tool for the SAP J2EE Engine.

To perform virus scans from a Java application program, the required steps are:

  1. Perform a lookup in the Java Naming and Directory Interface (JNDI) service for the Virus Scan Interface service.

  2. Retrieve a scanner instance from the service using the method call getInstance.

  3. If the call in step 2 returns successfully, perform a virus scan by invoking the method scanBytes with the input data to be scanned. The results of the scan are available using the method call getInfections.

Figure 6 provides a coding example.

import javax.naming.*;
import com.sap.security.core.server.vsi.api.*;
import com.sap.security.core.server.vsi.api.exception.*;

/* Virus Scan Interface example */

public class VsiTestScan {

    /* Scans the EICAR test pattern and checks that the engine recognizes it. */
    public void testScan() {
        try {
            /* Lookup the VSI service. */
            Context ctx = new InitialContext();
            VSIService vsiService = (VSIService) ctx.lookup(VSIService.JNDI_NAME);

            if (vsiService != null) {
                /* get scan instance */
                Instance myInstance = null;
                try {
                    myInstance = vsiService.getInstance();

                    /* perform virus scan */
                    if (myInstance.scanBytes(Virus.EICAR)) {
                        /*
                         * true means no infection and no scan error:
                         * Scanning the EICAR test pattern virus
                         * must either return false or throw an Exception,
                         * otherwise the underlying scan engine has
                         * not recognized the EICAR pattern.
                         */
                        /* not expected error */
                    }
                }
                catch (VirusInfectionException vse) {
                    Infection[] myInfections = vse.getInfections();
                    if (myInfections.length == 1) {
                        /* the scan engine has found the infection */
                    }
                    else {
                        /* not expected error */
                    }
                }
                catch (Exception e) {
                    /* catch all other Exceptions,
                     * including VirusScanException and
                     * VSIServiceException here as not
                     * expected error
                     */
                }
                finally {
                    /* release the scan instance, if one was obtained */
                    if (myInstance != null) {
                        vsiService.releaseInstance(myInstance);
                    }
                }
            }
            else {
                /* Virus Scan Provider service is not started */
            }
        }
        catch (NamingException ne) {
            /* JNDI lookup of the VSI service failed */
        }
    }
}

Figure 6
Performing a Virus Scan from a Java Program
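The check that the introduction calls for (scan any data before it enters an environment where code can run, typically at a file or document upload) can be built on the Java API shown in Figure 6. What follows is an added example, not SAP's code and not part of the Figure 6 listing. It assumes the VSIService, Instance, Infection, VirusInfectionException and releaseInstance names exactly as Figure 6 uses them, and a hypothetical caller (acceptUpload) that stores the bytes only when the verdict is CLEAN. The guard fails closed: a service that is not running, a failed JNDI lookup, a scan exception of any kind, and a scanBytes result of false (which Figure 6 does not describe as clean) all reject the upload, and the number of reported infections is kept for the log.

```java
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.util.function.Consumer;
import com.sap.security.core.server.vsi.api.Infection;
import com.sap.security.core.server.vsi.api.Instance;
import com.sap.security.core.server.vsi.api.VSIService;
import com.sap.security.core.server.vsi.api.exception.VirusInfectionException;

/* Fail-closed upload guard on top of the VSI Java API (example code, not SAP's). */
public class UploadGuard {

    /* Every outcome other than CLEAN rejects the upload. */
    public enum Verdict { CLEAN, INFECTED, SCAN_UNAVAILABLE, SCAN_ERROR }

    /* Verdict plus the number of infections reported, for the audit log. */
    public static final class Result {
        public final Verdict verdict;
        public final int infectionCount;
        Result(Verdict verdict, int infectionCount) {
            this.verdict = verdict;
            this.infectionCount = infectionCount;
        }
    }

    /* Scans the content; returns CLEAN only when the engine ran and said so. */
    public Result check(byte[] content) {
        VSIService vsiService;
        try {
            Context ctx = new InitialContext();
            vsiService = (VSIService) ctx.lookup(VSIService.JNDI_NAME);
        } catch (NamingException ne) {
            return new Result(Verdict.SCAN_UNAVAILABLE, 0);
        }
        if (vsiService == null) {
            /* Virus Scan Provider service is not started: do not accept blindly */
            return new Result(Verdict.SCAN_UNAVAILABLE, 0);
        }

        Instance scanner = null;
        try {
            scanner = vsiService.getInstance();
            /* true = no infection and no scan error (Figure 6); anything else is not clean */
            return scanner.scanBytes(content)
                    ? new Result(Verdict.CLEAN, 0)
                    : new Result(Verdict.SCAN_ERROR, 0);
        } catch (VirusInfectionException vie) {
            Infection[] infections = vie.getInfections();
            return new Result(Verdict.INFECTED, infections == null ? 0 : infections.length);
        } catch (Exception e) {
            /* VirusScanException, VSIServiceException, ...: a failed scan, never "clean" */
            return new Result(Verdict.SCAN_ERROR, 0);
        } finally {
            if (scanner != null) {
                try {
                    vsiService.releaseInstance(scanner);
                } catch (Exception e) {
                    /* releasing failed; the verdict already decided stands */
                }
            }
        }
    }

    /* Hypothetical upload handler: stores only CLEAN content and logs every rejection. */
    public boolean acceptUpload(String fileName, byte[] content, Consumer<byte[]> store) {
        Result r = check(content);
        if (r.verdict == Verdict.CLEAN) {
            store.accept(content);
            return true;
        }
        System.err.println("upload rejected: " + fileName
                + " verdict=" + r.verdict + " infections=" + r.infectionCount);
        return false;
    }
}
```

Separating SCAN_UNAVAILABLE from INFECTED matters operationally: the first should page the administrator (a scanner group with no registered Virus Scan Server is a configuration fault, visible in transaction VSCAN), the second is the interface doing its job.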

Summary

At SAP, we are driving the process of integrating virus scanning at all appropriate code locations in the SAP NetWeaver runtime. This applies not only to document uploads and content management in the SAP Enterprise Portal and the SAP Web Application Server, but also to content verification of discussion forums and other collaboration tools.

With this in mind, the Virus Scan Interface is included in SAP NetWeaver for performing virus scans and for keeping your SAP systems and applications free of infections. This new partner interface can be used from both ABAP and Java programs, and we encourage you to make use of this new functionality provided with the SAP NetWeaver platform for your custom developments so that all your programs can work to stop viruses early on, preventing related data loss and downtime.

Readers can look for virus scan products certified by SAP for the Virus Scan Interface. These will be part of the upcoming partner certification program for VSI. For the most recent news about the SAP Virus Scan Interface and available partner products, please check the public information provided at www.sap.com/partners/icc or visit the SAP Service Marketplace at http://service.sap.com/security.


1 A malicious program is called a virus if it requires the "help" of a user to become active and expose its malicious behavior, whereas a worm replicates without user intervention. For more elaborate details, see http://www.trendmicro.com/en/security/general/virus/overview.htm.

2 For additional information on what viruses are and how to combat them, see www.cert.org/other_sources/viruses.html. For recent data concerning damage caused by viruses and how viruses evolved, visit www.cert.org/congressional_testimony/Pethia-Testimony-9-10-2003/#intro.

3 For more on SAP's upcoming partner certification program for virus scan products, see the URLs in the "Summary" section above.

4 For the Self-Starter operating mode of the Virus Scan Server, there are a number of command line parameter options to configure and start the RFC Server program. The Self-Starter uses an XML configuration file that can be maintained using these command line options. Please review the official SAP documentation at http://help.sap.com for details.


Dr. Jürgen Schneider has been involved in the design and implementation of SAP security functions since 1996. From 1998 on, he was the Development Manager for SAP Web Application Server Security in SAP's Technology Development. In 2003, he was appointed Vice President for Security and Identity Management in the SAP NetWeaver foundation. You can reach him at j.schneider@sap.com.

 
