VSCAN_EN

8/10/2019 VSCAN_EN

http://slidepdf.com/reader/full/vscanen 1/51

Virus Scan Interface

As of SAP NetWeaver 7 .0

H

E

L P

. B

C

S

E

C

_ V

S

C

A

N

8/10/2019 VSCAN_EN


SAP Online Help 18.08.2008

Virus Scan Interface 2

Copyright

© Copyright 2008 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose

without the express permission of SAP AG. The information contained herein may bechanged without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietarysoftware components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of MicrosoftCorporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x,System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM,z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM,Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower,

PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner,WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBMCorporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin aretrademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, WorldWide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license fortechnology invented and implemented by Netscape.

SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessByDesign, and other SAP products and services mentioned herein as well as their respective

logos are trademarks or registered trademarks of SAP AG in Germany and in several othercountries all over the world. All other product and service names mentioned are thetrademarks of their respective companies. Data contained in this document servesinformational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, withoutrepresentation or warranty of any kind, and SAP Group shall not be liable for errors oromissions with respect to the materials. The only warranties for SAP Group products andservices are those that are set forth in the express warranty statements accompanying suchproducts and services, if any. Nothing herein should be construed as constituting anadditional warranty.

8/10/2019 VSCAN_EN




Icons in Body Text

Icon Meaning

Caution

Example

Note

Recommendation

Syntax

Additional icons are used in SAP Library documentation to help you identify different types of

information at a glance. For more information, see Help on Help → General InformationClasses and Information Classes for Business Information Warehouse on the first page of anyversion of SAP Library .

Typographic Conventions

Type Style Description

Example text Words or characters quoted from the screen. These include fieldnames, screen titles, pushbuttons labels, menu names, menu paths,and menu options.

Cross-references to other documentation.

Example text Emphasized words or phrases in body text, graphic titles, and tabletitles.

EXAMPLE TEXT Technical names of system objects. These include report names,program names, transaction codes, table names, and key concepts of aprogramming language when they are surrounded by body text, forexample, SELECT and INCLUDE.

Example text Output on the screen. This includes file and directory names and theirpaths, messages, names of variables and parameters, source text, andnames of installation, upgrade and database tools.

Example text Exact user entry. These are words or characters that you enter in thesystem exactly as they appear in the documentation.

<Example text> Variable user entry. Angle brackets indicate that you replace thesewords and characters with appropriate entries to make entries in thesystem.

EXAMPLE TEXT Keys on the keyboard, for example, F2 or ENTER.

8/10/2019 VSCAN_EN




Virus Scan Interface .................................................................................................................. 5

Architecture of the Virus Scan Interface ................................................................................ 6

Configuration of the Virus Scan Interface.............................................................................. 7

ABAP-Specific Configuration.............................................................................................. 8

ABAP Transaction Overview for Virus Scan Interface ................................................... 8

Setting Up Virus Scan Providers (ABAP) ....................................................................... 8

Defining Scanner Groups............................................................................................ 8

Defining Virus Scan Providers .................................................................................... 9

Defining Virus Scan Profiles ..................................................................................... 15

Delivered Virus Scan Profiles................................................................................ 19

Delivered Parameters............................................................................................ 20

Problem Analysis for the Virus Scan Server................................................................. 21

Testing the Installation of the Virus Scan Provider....................................................... 22

Integrating the Virus Scan Interface into Customer Developments.............................. 23

Commented Example Program .................................................................................... 27

Java-Specific Configuration.............................................................................................. 31

Setting Up Virus Scan Providers (Java) ....................................................................... 31

Defining Scanner Groups.......................................................................................... 32

Defining Virus Scan Providers .................................................................................. 33

Defining Virus Scan Profiles ..................................................................................... 35

Delivered Virus Scan Profiles................................................................................ 37

Delivered Parameters............................................................................................ 37

Problem Analysis for the Virus Scan Provider.............................................................. 38

Testing the Installation of the Virus Scan Provider....................................................... 39

Using the Virus Scan Provider API............................................................................... 39

Example Program for the Virus Scan Provider............................................................. 42

Virus Scan Server ............................................................................................................ 43

Application-Server-Starter or Self-Starter..................................................................... 44

Virus Scan Provider as an Application-Server-Starter.............................................. 45

Installing a Virus Scan Server as a Self-Starter........................................................ 46

Operating the Self-Starter...................................................................................... 50

Configuring the Self-Starter................................................................................... 50

Using Signals to Control the Virus Scan Server........................................................... 51

8/10/2019 VSCAN_EN





You can use the Virus Scan Interface to include external virus scanners in the SAP system toincrease the security of your system. This means that you can use a high-performance

integration solution to scan files or documents that are processed by applications for viruses.This applies both for applications delivered by SAP and for customer developments, forexample, during data transfers across networks or when documents are exchanged throughinterfaces.

The interface consists of two parts: an external part for the certified anti-virus products of thevarious vendors and an internal part, with which you can integrate the virus scan functionsinto your own applications.

A list of the certified products for the interface (VSI) is available in the SAPService Marketplace at http://service.sap.com/securitypartners (see

also SAP Note 786179).

The graphic below shows an integrated ABAP-Java installation. You can, however, also usethe Virus Scan Interface for purely-ABAP or purely-Java installations.

In the graphic, application A uses virus scan profile A to access group X in the first step,group Y in the second step, and group Z in the third step. Each group in the figure representsthe anti-virus software of a particular vendor. In the case of group Z, one of the Virus ScanProviders in the group delivered by SAP is selected by load balancing using the Virus ScanServer and uses the external vendor’s certified Virus Scan Adapter to access the vendor’santi-virus software. This software then scans the data transferred by application A for viruses.In the case of group Y, there are Virus Scan Providers with and without Virus Scan Servers,which all access the anti-virus software of the external vendor using the vendor’s certifiedVirus Scan Adapter. In the case of group Z, the Virus Scan Providers simply combine thecertified Virus Scan Adapters of the external vendor with which the anti-virus software is

accessed.


Virus Scan Server 2

Virus Scan Provider 3Virus Scan Provider 2

Virus Scan Profile n Application B

Application A

Config.

Config.

Config.

Virus Scan Profile BVirus Scan Profile A

1

2

3

Group ZConfig.

Virus Scan Server 1

Virus Scan Adapter

Scan Engine C

Driver Driver Driver

n

Virus Scan Provider 1


Group XConfig.

Virus Scan Adapter

Scan Engine A




Group YConfig.

Virus Scan Adapter

Scan Engine B



8/10/2019 VSCAN_EN




Architecture of the Virus Scan Interface

The structure of the Virus Scan Interface allows you to combine different products, systems,and platforms to scan your applications for viruses. This is possible, since SAP provides acertified interface for the virus scan products of other vendors.

The partners’ virus scan engines can, for example, have completely different architectures.However, by integrating an adapter using a proprietary connection, any partner can, however,connect any existing virus scan product to the Virus Scan Interface.

On the SAP side, different VSI layers are used to include the ABAP and Java worlds, and todeal with platform dependencies (of operating systems and processors, that is, 32 or 64 bit) inthe integration of the Virus Scan Interface.

The graphic below shows, on the left, the possible integration of external products using theadapter. Depending on whether the interface of the external product is public or proprietary,

the adapter can either be integrated into the external product itself, or use the public interfaceof the external product and provide the Virus Scan Interface for the SAP side.

Elements of the Virus Scan Interface

Remote Function Call

(RFC) with TCP/IP V i r u s S c a n I n t e r f a c e ( N W

- V S I )

DB and OS Abstraction Layer

AS ABAP AS Java

SAP NetWeaver

Virus Scan

Engine + VSA

1st

DEF 2nd

DEF nth

DEF

Virus Scan Daemon

VSA

1st

DEF2nd

DEF nth

DEF

Virus Scan

Engine(Multiple OS system

libraries)

VSAVirus Scan Server

vscan_rfcDEF = Definition, pattern, or signature files (DATs),

and so on

S h a r e d l i b r a r y

t h a t s u p p o r t s

N W - V S I

The graphic below clarifies the layer structure of the Virus Scan Interface (SAP VSI API) andshows which parts are delivered by SAP, and which by the relevant partner.

The partner products either access the SAP VSI API directly with the scan engine or indirectlyusing a separate Virus Scan Adapter.

8/10/2019 VSCAN_EN




The SAP VSI API contains the functions required to configure and to initialize the partner’sscan engine. It also provides the parameters and data for every virus scan and processes thecheck result.

The SAP VSI library loads the certified partner products as a shared library.

ABAP or Java application programs start virus scans with dedicated classes and methods of

the SAP Virus Scan Interface, which either make direct calls in the AS ABAP or AS Java, oruse a Virus Scan Server using RFC. If you are using the Virus Scan Server using your ownRFC client programs, refer to SAP Note 964305, which contains a Software Development Kit.

Software Layers of the Virus Scan Interface

ABAP Code

Remote Function Call

(RFC)

Internal API of the Scan Engine (optional)

Virus Scan Adapter

SAP-NW-VSI

Scan API (ABAP)

Scan Engine

Internal VSI-API from SAP

Partner Part C Interface

Virus Scan Server JAVA

ABAPInterface

JavaInterface

Virus ScanProvider

ABAP

Virus ScanProvider

JAVA CodeRFC ClientCode

o p t i o n a l

SAP-VSI Library

SAP Part

o p t i o n a l

Scan API (Java)

Configuration of the Virus Scan Interface

In principle the configuration of the Virus Scan Interface is the same in AS ABAP and AS

Java. Both configurations primarily use the Virus Scan Adapter. However, specific proceduresare required in each case. You should only fall back on the Virus Scan Server in exceptionalcases.

● ABAP-Specific Configuration [Page 8]

● Java-Specific Configuration [Page 30]

● Virus Scan Server [Page 43]

8/10/2019 VSCAN_EN




ABAP-Specific Configuration

The following contains the configuration description for the virus scan interface for ABAPsystems.

ABAP Transaction Overview for Virus ScanInterface

Transaction Overview

Transaction Notes

VSCAN Configuration of the Virus Scan Provider [Page9]

VSCANGROUP Configuration of the Virus Scan Groups [Page8]

VSCANPROFILE Configuration of the Virus Scan Profiles [Page15]

VSCANTEST Test for the Virus Scan Interface [Page 22]

VSCANTRACE Memory Trace for the Virus Scan Server [Page20]

Setting Up Virus Scan Providers (ABAP)

To be able to use a virus scan provider, you need to maintain data in the implementationguide (IMG) or the relevant transactions.

To do this, perform the following steps:...

1. Define scanner groups [Page 8]

2. Define a virus scan provider [Page 9]

3. Define virus scan profiles [Page 15]

Defining Scanner Groups

Use

A scanner group combines multiple virus scanners of the same type to allow load balancing.Since you select the virus scanner using the scanner group when maintaining the virus scanprofile, you must assign each virus scan provider to a scanner group.

Create a scanner group for each product class of virus scanners that are connected to thesystem using the virus scan provider. If you include your own virus scanners with the BAdI

VSCAN_INSTANCE, create a scanner group for each implementation of your own scannerand identify these as BAdI implementations.

8/10/2019 VSCAN_EN




We recommend that you no longer use BAdIs. Use the Virus Scan Adapterinstead.

You can store configuration parameters for each scanner group. These are divided intoinitialization parameters and scan parameters:

● Initialization parameters are transferred to the virus scan server when it is started, andare required to be able to start the virus scan provider. If you use the Business Add-In,these parameters for the method of creating the scan instance are transferred. Theparameters contain, for example, the path to the virus signatures.

● Scan parameters are transferred for each scan process and control the behavior of theindividual request, such as yes/no for activating the scanning of macros.

For information about which configuration parameters are required or supported by theproduct that you use, see the documentation for the product.

SAP does not deliver any scanner groups.

Procedure...

1. In the Implementation Guide, choose SAP NetWeaver → Application Server → System

Administration → Virus Scan Interface (transaction VSCANGROUP), and, if necessary,switch to change mode.

The screen View: Change "Scanner Groups": Overview appears.

2. Choose New Entries.

The screen New Entries: Overview of Added Entries appears.

3. Specify the data for the scanner group.

Data for the Definition of a Scanner Group

Field Notes

Scanner Group Freely definable name of thescanner group.

Business Add-In Do not use BAdIs any more.

Group Text Explanation for the scannergroup.

4. Save your entries.

Defining Virus Scan Providers

Use

The Virus Scan Provider defines either a Virus Scan Adapter or a Virus Scan Server.

The Virus Scan Adapter is a library that integrates virus scanners from certified vendors usingan interface. The Virus Scan Adapter is loaded in AS ABAP, AS Java, or the Virus ScanServer.

The Virus Scan Server is an executable program that includes virus scanners from certifiedvendors using an interface and provides scan services to the application servers of thesystem as a registered RFC server.

8/10/2019 VSCAN_EN




The application server controls tasks such as starting, stopping, and monitoring the VirusScan Server. You configure the data required to do this in this step.

Use this procedure to create an entry for each Virus Scan Provider that youwant to set up. For performance reasons, we recommend that, if possible, youload a Virus Scan Adapter directly in the application server. If this is notpossible, you should set up at least one Virus Scan Server on every applicationserver.

SAP does not provide any configuration data for Virus Scan Providers.

As soon as you can use a Virus Scan Adapter, you should stop using the Virus Scan Server.You can use the Virus Scan Providers to integrate a Virus Scan Adapter into the applicationserver, that is, into the kernel. This means that the document does not have to be copied tothe RFC server, meaning that this is the fastest scan variant. The AS ABAP scans thedocument directly for viruses. You can also administer the adapter more easily. You do notrequire, for example, the following administration tools:

● CCMS monitoring: the adapter runs in the work process and returns a CORE dump inthe ABAP kernel if problems occur. The system then automatically restarts the workprocess and loads a new adapter.

● Load balancing: with an adapter, you do not need to explicitly attend to load balancing,since this is determined using the work processes.

● RFC destination: you do not need to create an RFC destination for adapters.

Prerequisites

● You have created at least one scanner group.

● You have decided whether you are creating the virus scan provider as an application-

server-starter or as a self-starter (see Application-Server-Starter or Self-Starter [Page43]).

Defining Virus Scan Servers...

1. In transaction SM59, create an RFC connection with the connection type T .

Since the configuration of the Virus Scan Server requires the following namingconvention, you must use it for the RFC destination of a Virus Scan Server:

● VSCAN_<host name>, if you only want to start one Virus ScanServer on the host.

● VSCAN_<host name>-<number>, if you want to start multipleVirus Scan Servers on the host. The number is a sequencenumber, which is separated from the host name with a hyphen.

Examples of possible names would therefore be VSCAN_HOST123,VSCAN_HOST345-1, VSCAN_HOST345-2.

a. Select Registered server program as activation type.

b. Use the name of the RFC destination as the program ID.

c. Enter the address of the gateway of the system as the gateway host andgateway service. If you are starting the Virus Scan Server on an applicationserver using the Computing Center Management System, choose the gateway

of that application server.

8/10/2019 VSCAN_EN





Administration → Virus Scan Interface (transaction VSCAN), and, if necessary, switchto change mode.

The screen View: Change "Virus Scan Provider Definition": Overview appears.


The system displays the New Entries: Details of Added Entries screen.

4. Enter the data for the Virus Scan Server.

Data for the Virus Scan Server Definition

Field Possible Values Notes

Provider Type Server (Virus Scan Server)

<empty>(Virus Scan Server)

If you want to set up a VirusScan Server, choose server(Virus Scan Server). Youcannot select the value<empty> Virus Scan Server. Itis used only to display older

Virus Scan Servers.

Provider Name VSCAN_<RFC Destination>

The input help displays allVSCAN_RFC destinations thatexist.

The name of a Virus ScanServer must be the same asthe name of the RFCdestination that contains thetechnical connection to theVirus Scan Server.

Scanner Group All previously created scannergroups, which you can displayusing the input help.

The scanner group combinesmultiple Virus Scan Servers orallows the use of a BAdIimplementation.

If you create multiple VirusScan Servers in a scannergroup, you achieve loadbalancing.

All of the Virus Scan Serversof a scanner group have thesame set of configurationparameters and will thereforeuse the same scan engine.

Status● ACTS (Active as a self-

starter): Although theCCMS monitors the

Virus Scan Server (if itis not available, anerror status istriggered), it does notstart or stop the VirusScan Server. Thisstatus is suitable forVirus Scan Servers thatare, for example,started as a service atoperating system level.

● ACTV: Active

(Application Server)The CCMS monitors

Monitoring status of the VirusScan Server in the CCMS.

In the cases of the statusesNONE and INAC, the system’sautomatic server selection canno longer find this Virus ScanServer.

8/10/2019 VSCAN_EN




the Virus Scan Serverand, if necessary, startsit on the specifiedapplication server.

● INAC (Inactive on an

Application Server) TheCCMS monitors theVirus Scan Server ismonitored and, ifnecessary, stops it onthe specifiedapplication server.

● NONE: No monitoring:The CCMS does notmonitor the Virus ScanServer.

Server The input help provides a list

of the existing servers. Do notspecify a different servername.

Application server on which

the Virus Scan Server is to bestarted and/or monitored.

Trace Level● Errors only

● Errors and warnings

● Errors, warnings, andinformation

● Maximum output

Specifies the trace level for theVirus Scan Server, which is tobe transferred to the CCMS atoperating system level whenthe Virus Scan Server isstarted.

We recommend that you onlyuse one of the first two levelsErrors Only or Errors andWarnings in productionsystems. The two other tracelevels are available for findingerrors during test operation inthe test system.

ReinitInterv. 0 or <empty> : no automatic

reinitialization

If the vendor of your virusscanner uses the interface

provided by SAP with whichan initialization from outsidethe system can be performed,you can leave the field empty.This interface is available tocertified vendors of virusscanners.

<n> : Interval in hours

Specifies the number of hoursafter which the Virus ScanServer is to be regularlyreinitialized.

For the Virus Scan Server toload new virus definitions fromthe Virus Scan Server, youmust reinitialize it.

The automatic reinitialization isperformed during the periodicmonitoring of the Virus ScanServers by the CCMS.

Adapter Path Full path of the library thatcontains the Virus Scan Adapter

Specifies the full path of theVirus Scan Adapter.

If you do not fill the field, the

Virus Scan Server uses thecontent of the environmentvariable VSA_LIB.

8/10/2019 VSCAN_EN




Configuration Full path to the configurationfile of the Virus Scan Server

Specifies the full path to theconfiguration file of the VirusScan Server

The configuration file cancontain optional parameters of

the Virus Scan Server.For externally-started VirusScan Servers, theconfiguration file has alreadybeen defined at the Virus ScanServer command line and youcannot therefore change ithere.

Instance Name V<system number> Use this field if the externalvirus scan product fulfills theplatform criteria (it is, forexample, available for Linux),

but not the processor criteria(there is, for example, only a32 bit variant, and theapplication server is runningunder Linuxx86_64).

A separate directory isnecessary since the kerneldirectory cannot contain amixture of 32 and 64 bitsoftware due to the fact thatsome programs have thesame names.

Max. Instances Specifies the maximumnumber of scan instancesprovided by the Virus ScanServer.

A Virus Scan Server mayprovide multiple scaninstances.

You can use the maximumnumber specified here todetermine how many of theseinstances are provided. If thisnumber is exceeded, the virus

scanner is no longer availablefor scan requests. The numberof instances shouldcorrespond to the number ofwork processes.

Code Page Enter the codepage valid forthe Virus Scan Server. It mustcorrespond to the codepage ofthe application server that iscommunicating with the VirusScan Server:

●

If you are only usingone codepage in yourapplication servers,

Codepage that the CCMS setswhen the Virus Scan Server isstarted

8/10/2019 VSCAN_EN




enter this codepage.

● If you have applicationservers in differentcodepages, set up aVirus Scan Server on

each application serverand specify the validcodepage in each case.

● If your system usesUNICODE, do not enteranything.


Defining Virus Scan Adapters...


Administration → Virus Scan Interface (transaction VSCAN), and, if necessary, switch

to change mode.

The screen View: Change "Virus Scan Provider Definition": Overview appears.


The system displays the New Entries: Details of Added Entries screen.

3. Enter the data for the Virus Scan Adapter.

Data for the Virus Scan Adapter Definition


Provider Type ADAPTER (Virus Scan Adapter)

The vendor’s Virus Scan Adapter runs in the work

process of the applicationserver, that is, the externalproduct must match thearchitecture of the SAPsystem (64 bit).

Provider Name VSA_<Name>

Default value: VSA_<hostname>

You can overwrite the hostname with any name.However, you must retain theVSA_ prefix.

Scanner Group All previously created scannergroups, which you can displayusing the input help.

The scanner group combinesmultiple Virus Scan Providersor allows the use of a BAdI

implementation.

If you create multiple VirusScan Providers in a scannergroup, you achieve loadbalancing.

All of the Virus Scan Providersin a scanner group have thesame set of configurationparameters and will thereforeuse the same scan engine.

Status● Active

(Application server)

The values active and inactive

indicate whether the adapter isto be activated when the

8/10/2019 VSCAN_EN




● Inactive(Application server)

application server or a workprocess is restarted.

Active: An adapter is loadedfor the work process.

Inactive: No adapter is loaded

for the work process.

Server The input help provides a listof the existing servers. Do notspecify a different servername.

Application server on whichthe Virus Scan Adapter is tobe started and/or monitored.

ReinitInterval 0 or <empty> : no automatic

reinitialization

If the vendor of your virusscanner uses the interfaceprovided by SAP with whichan initialization from outside

the system can be performed,you can leave the field empty.This interface is available tocertified vendors of virusscanners.

<n> : Interval in hours

Specifies the number of hoursafter which the Virus Scan Adapter is to be regularlyreinitialized.

You need to reinitialize theVirus Scan Adapter so that it

loads new virus definitions.The automatic reinitialization isperformed during the periodicmonitoring of the Virus ScanProviders by the CCMS.

Adapter Path Full path of the library thatcontains the Virus Scan Adapter

Specifies the full path of theVirus Scan Adapter.

If you do not fill the field, theVirus Scan Server uses thecontent of the environment

variable VSA_LIB.

Defining Virus Scan Profiles

Use

Application programs use virus scan profiles to check data for viruses. A virus scan profilecontains a list of scanner groups that check a document. You can also use a virus scan profileto assign configuration parameters for the virus scanner. If you scan for viruses with this virus

scan profile, the virus scanner receives the parameters.

A virus scan profile specifies steps that are to be run during a virus scan. A step is either avirus scanner, which is found using the scanner group, or a step specifies, in turn, a virusscan profile, which is then performed as part of the enclosing virus scan profile.

A virus scan is performed under the name of a virus scan profile. The system administratorcan use the profile to activate or deactivate the virus scan for each component.

By default, each SAP application that integrates a virus scan provides a virus scan profile.

The names of these virus scan profiles is constructed as follows /<Name of the package

of the application>/<Name of the function>. Check the virus scan profiles

delivered by SAP (for example, using Delivered Virus Scan Profiles [Page 19]), and determinefor which components you are activating or deactivating the virus scan.

If you want to create your own virus scan profiles, you can use the namespaces Y* and Z*.

8/10/2019 VSCAN_EN




Prerequisites

● You have created scanner groups.

Procedure...

1. In the Implementation Guide, choose SAP NetWeaver → Application Server → System Administration → Virus Scan Interface (transaction VSCANPROFILE), and, ifnecessary, switch to change mode.

The screen View: Change "Virus Scan Profile": Overview appears.


The screen New Entries: Overview of Added Entries appears.

3. Specify the data for the scanner profile.

Data for the Virus Scan Profile Definition


Scan Profile Specifies the name of a virusscan profile.

Profile Text Explanatory text for a virusscan profile.

Active Specifies that this virus scanprofile is active.

The virus scan profile can onlybe used if this indicator is set.

SAP applications can usedfixed profile names that aredelivered. By default, these

profiles are not active,meaning that the applicationprogram works without a virusscan.

You can activate the virusscan for each application bysetting this indicator.

Default Profile Indicator that this virus scanprofile is the default profile.

You can set this indicator for amaximum of one virus scan

profile. This virus scan profileis used in the following cases:

● If an applicationrequests a virusscanner withoutspecifying a virus scanprofile

● If a virus scan profile isrequested for which theUse Reference Profile indicator is set, and the

Reference Profile isempty

8/10/2019 VSCAN_EN




Use Reference To operate multipleapplications using the samevirus scan profile, set the UseReference indicator andspecify the reference profile.

Reference Profile The input help provides a listof all of the profiles that havealready been defined.

If you leave the field empty,the system uses the defaultprofile.

Specifies the name of thereference profile.

Since a virus scan profile canuse another virus scan profileas a reference profile, you canoperate multiple applicationsusing the same virus scanprofile.

If the Use Reference Profileindicator is set in the virusscan profile, this field specifiesthe name of the reference

profile to be used. Instead ofthe settings of the current virusscan profile, the settings of thereference profile are thenused. This means that severalvirus scan profiles can use thesettings of a shared referenceprofile, such as the scannergroups to be used.

Linkage All steps successful:

The virus scan must haveperformed all steps without

errors.At least one step

successful: It is sufficient if

one step of the virus scan wassuccessfully performed.

Specifies the type of logicallinkage for the steps in thevirus scan profile.

If multiple steps that are to beperformed during the virusscan with a virus scan profileare defined for a profile, youcan use this field to controlhow the overall result of thevirus scan is to be evaluated.

Using multiple steps allowsyou to scan documents withscan engines from differentvendors at the same time.

The program interprets a virus

scan as error-free only if thescan engine returns the return

value Check performed

successfully or (in the

case of cleanups) Cleanup

performed successfully.

All other return values areregarded as unsuccessfulvirus scans. This also includessituations such as:

● The program did not

check the documentbecause the file name

8/10/2019 VSCAN_EN




extension iscategorized as non-critical.

● The program could notcheck the document,

because the documentis a password-protectedarchive.

● The scan engine isobsolete.


5. To define steps for the profile, select the Steps node in the Dialog Structure by double-clicking it.


7. Enter the following data for the definition of the step:

Data for the Definition of a Step of the Virus Scan Profile


Position <integer value> Specifies the position of thescanner group in the virusscan profile.

If a virus scan profile usesmultiple scanner groups, placethese in the desired sequenceby assigning a positionnumber.

Type Group or Profile Specifies whether a step in thevirus scan profile refers to ascanner group or another virusscan profile.

If you choose Group, thesystem uses a virus scanprovider from this group (or aBAdI implementation) for thevirus scan. If you chooseProfile, the program processesthe specified virus scan profileinstead of this step.

You can define any conditionsby combining the steps of thevirus scan profile with thelinkage type of the steps(AND/OR).

Scanner Group The input help provides a listof all existing scanner groups.

Combines multiple virus scanproviders or allows the use ofa BAdI implementation.

All of the Virus Scan Providersin a scanner group have thesame set of configurationparameters and will therefore

use the same scan engine.

8/10/2019 VSCAN_EN




Virus Scan Profile The input help provides a listof all existing profiles.

Specifies the name of a virusscan profile that you caninclude as a step in the profilethat you are currentlyprocessing.

8. Save your entries.9. To create configuration parameters for a step, double-click the Configuration

Parameters node.


11. Enter the following data for the definition of the configuration parameters:

Data for the Definition of Configuration Parameters


Parameter The input help provides a listof all existing constants.

Specifies the key of aconfiguration parameter.

A virus scanner requiresconfiguration data. The set ofpossible configurationparameters is defined by SAPas a predetermined set ofsymbolic constants.

Value <Value> Specifies the value specifiedby the vendor for aconfiguration parameter.


Result

You have defined a virus scan profile and therefore performed the last configuration step forthe virus scan provider. You can, finally, check the configuration [Page 20].

Delivered Virus Scan Profiles

As of SAP NetWeaver ’04, SAP delivers the following virus scan profiles for ABAP withSupport Package 11 (see SAP Note 797108):

● /SCET/GUI_UPLOAD

This profile is used by the front end upload module GUI_UPLOAD, which is also usedby the class method CL_GUI_FRONTEND_SERVICES=>GUI_UPLOAD.

For example: upload of a local file using SAP GUI in an SAP application.

● /SIHTTP/HTTP_UPLOAD

This profile is used by the BSP framework [External], that is, by all SAP applicationsthat are based on the BSP framework.

For example: Upload of a local file using BSP class CL_HTMLB_MANAGER.

● /SARC/ARCHIVING_ADK

Virus protection using the Archive Development Kit (ADK) archive interface.

8/10/2019 VSCAN_EN




The profiles are deactivated when delivered. To activate them, first create at least one basisprofile that you save as the default profile. You can then activate one of the delivered profiles.By default, it links to a reference profile, which is the default profile.

Delivered Parameters

There are INIT, SCAN, CLEAN, and CUST parameters, of which INIT, SCAN, and CLEANparameters are passed to the external product. For more information about which parametersexist and their effect, see the documentation for the external product. The default values ofthe parameter configuration show all parameters. An external product usually only supports asubset of the parameters.

It is mandatory that the parameter SCANBESTEFFORT exists for every certified virus scanproduct. If you set this parameter to 1, the most stringent security settings of the externalproduct are selected. For more information about which settings these are and how theyaffect the performance of the product, see the documentation of the external product.

CUST parameters are used by the virus scan profiles delivered by SAP and are not forwardedas an external product. The following parameters exist:

● CUST_NOT_SCANNED_AS_WARNING

Parameter that defines whether processing of the file to be checked is terminated if thereturn code CON_SCANRC_NOT_SCANNED is returned (default value). If the value ofthe parameter is 1, processing is continued. This return code is output, for example, ifthe file type is unknown, or the file to be checked is an encrypted archive file.

● CUST_CLEAN

Parameter that defines whether a repair is to be attempted using profile selectionduring the virus scan.

The external program may not be able to repair all infections.

● CUST_NO_SCANINFO

This parameter specifies to the external virus scanner that no detailed information isdesired about infections. This parameter means that less memory is used andprocessing is faster, but means that no detailed information about infections issupplied.

● CUST_ACTIVE_CONTENT

This parameter only affects external virus scanners that support this feature. It means

that active content, such as JavaScript in HTML or VBA in Microsoft Word files isregarded as a virus. The program therefore rejects documents with content of this type.

Parameters relate to each profile that contains a definition.

8/10/2019 VSCAN_EN


8/10/2019 VSCAN_EN




○ Status: Displays the current status of the virus scan server used, even if thememory trace is deactivated. In addition to technical information about the virusscan server, this output also contains the configuration of the virus scan serverand information about the loaded virus scan adapter including the anti-virusengine.

○

Stop: Stops the virus scan server.

○ Configuration: Branches to the display mode of the IMG activity Define VirusScan Servers.

○ Test: Branches to the transaction VSCANTEST.

Testing the Installation of the Virus Scan Provider

Use

You can use this procedure to check that your configured virus scan provider is functioningcorrectly.

Procedure...

1. Start transaction VSCANTEST.

2. Specify the object to be checked, using either the test data provided or your own localfile.

3. Select the virus scan profile, scanner group, or the virus scan provider to be tested.

4. Select an action.○ If you choose Check Only , the anti-virus product that you specified scans the

data for viruses and displays a result.

○ If you choose Check and Clean, the product also attempts to clean the data if avirus infection is diagnosed.

8/10/2019 VSCAN_EN




Integrating the Virus Scan Interface into CustomerDevelopments

UseSo that you can also integrate the virus scan interface into applications that you developyourself, its class CL_VSI is described below.

The naming convention /<Name of the package>/<Name of the function> applies for

the virus scan profiles delivered by SAP. The Active indicator is not set for these virus scanprofiles; on the other hand, the Use Reference Profile indicator is set, although the fieldReference Profile remains empty.

Description of the Class CL_VSI of the Virus Scan Interface

The class CL_VSI provides methods that are required for the implementation of a virus scan.

All triggered exceptions are assigned an ABAP message, that is, the SY fields have beenfilled with a message appropriate for the error situation.

● Generate Scanner Instance (GET_INSTANCE)

This static method generates an instance of the virus scan interface, which is based ona given virus scan profile.

You can generate the scanner instance once for each program and then use theobtained scanner repeatedly. The load balancing between different virus scan serversin the same scanner group is performed only during the execution of a virus scan.

○ Parameters

IF_PROFILE

The name of the virus scan profile that is to be used.

If you leave the field empty, the default profile is used. You should only do this inapplication programs for test purposes and in justified exceptional cases.

EO_INSTANCE

The generated instance that can be used for scanning.

○ Exceptions

PROFILE_NOT_ACTIVE

This exception is triggered if the Active indicator is not set in Customizing for thespecified virus scan profile. This means that the system administrator does not

want a virus scan for this virus scan profile.The application must react as follows to this exception:

■ If the virus scan is an optional function of the application, this exceptionmust be ignored and the application function can be performed.

■ If the virus scan is a mandatory function of the application, this exceptionmust be reported to the user and the application function must not beperformed.

CONFIGURATION_ERROR

There is a configuration error in the Customizing of the virus scan interface. Thiserror must always be corrected, and this exception must therefore always be

reported.

INTERNAL_ERROR

8/10/2019 VSCAN_EN




An unexpected error occurred.

● Set Scan Parameters (SET_PARAMETER)

You can use this method to set scan parameters for the scan instance. These aretransferred to the scanner for all subsequent scan requests. You can also set localscan parameters for each scan request.

If a profile consists of multiple steps, the parameters set here are transferred to everystep and may overwrite data entered in the scanner group there.

○ Parameters

IF_KEY: The name of the configuration parameter. You can only setconfiguration parameters delivered by SAP (table VSCAN_PARAM).

IF_VALUE: The value to be set.

○ Exceptions

WRONG_KEY

Wrong name of the configuration parameter or the parameter is not permitted inthis context.

WRONG_VALUE_SYNTAX

The value is not permitted for this type of parameter.

● Perform Virus Scan (SCAN_FILE)

The virus scan is performed with this method.

○ Parameters

IF_JOB_ID

This parameter can be freely specified by the calling application. It can, for

example, be used to specify the object to be checked (file name) or to allowunique identification.

If you leave this field empty, the scan engine transfers the name of the virusscan profile used.

IF_FILENAME

File name of the local file to be scanned. The file must exist locally on theapplication server.

IF_DO_CLEAN

If this parameter has the value ABAP_TRUE, a cleanup is to be performed. If noinfection is found or the cleanup was successful (return value of EF_SCANRC iseither CL_VSI=>CON_SCANRC_OK orCL_VSI=>CON_SCANRC_CLEAN_OK), the result is made available using theparameter EF_DATA.

If the parameter has the value ABAP_FALSE, only a check is to be performed.

IT_SCAN_PARAMETER

A table of scan parameters. The evaluation of the scan parameters is left to thescan engine. If you are using a profile with multiple steps, these parameters aretransferred to each step.

EF_SCANRC

The result of the check or cleanup. You can use the constantsCON_SCANRC_... from the interface IF_VSCAN_INSTANCE for error situations

that occur frequently.

8/10/2019 VSCAN_EN




The return values CON_SCANRC_OK and CON_SCANRC_CLEAN_OK areregarded as success, all other values as failure. There is also the return valueCON_SCANRC_NOT_SCANNED, which outputs a warning.

ET_BAPIRET

ABAP messages are transferred using this table parameter.

The content of this table has no influence on the evaluation of the method call.

ET_SCANERROR

Information about scan errors is transferred using this table parameter. There isa scan error, for example, if the transferred file is a password-protected archive,which the scan engine therefore cannot check.


ET_INFECTION

Information about infections found is transferred using this table parameter.


○

Exceptions

NOT_AVAILABLE

The instance is temporarily unavailable. This exception is triggered if events thatmean that the scanner is not available (such as an update of the virussignatures) occur between the generation of the instance and the performanceof a scan request.

CONFIGURATION_ERROR

There is a configuration error. This exception is triggered if the scan cannot beperformed not due to the inbound data, but rather due to the configurationsettings.

INTERNAL_ERROR

This exception is triggered in other exception situations.

DIFFERENT_HOSTS

Virus scan server and application server are different.

● Perform Virus Scan (SCAN_BYTES)


○ Parameters

IF_JOB_ID

This parameter can be freely specified by the calling application. It can, forexample, be used to specify the object to be checked (file name) or to allowunique identification.

If you leave this field empty, the scan engine transfers the name of the virusscan profile used.

IF_DATA

The byte sequence to be checked.

IF_DO_CLEAN

If this parameter has the value ABAP_TRUE, a cleanup is to be performed. If noinfection is found or the cleanup was successful (return value of EF_SCANRC is

either CL_VSI=>CON_SCANRC_OK orCL_VSI=>CON_SCANRC_CLEAN_OK), the result is made available using theparameter EF_DATA.

8/10/2019 VSCAN_EN




If the parameter has the value ABAP_FALSE, only a check is to be performed.

IT_SCAN_PARAMETER

A table of scan parameters. The evaluation of the scan parameters is left to thescan engine. If you are using a profile with multiple steps, these parameters aretransferred to each step.

EF_SCANRC

The result of the check or cleanup. You can use the constantsCON_SCANRC_... from the interface IF_VSCAN_INSTANCE for error situationsthat occur frequently.

The return values CON_SCANRC_OK and CON_SCANRC_CLEAN_OK areregarded as success, all other values as failure. There is also the return valueCON_SCANRC_NOT_SCANNED, which outputs a warning.

EF_DATA

If IF_DO_CLEAN has the value ABAP_TRUE and the cleanup was successful(EF_SCANRC = CON_SCANRC_CLEAN_OK), the cleaned byte sequence is

returned using this parameter.ET_BAPIRET

ABAP messages are transferred using this table parameter.


ET_SCANERROR

Information about scan errors is transferred using this table parameter. There isa scan error, for example, if the transferred file is a password-protected archive,which the scan engine therefore cannot check.


ET_INFECTION

Information about infections found is transferred using this table parameter.


○ Exceptions

NOT_AVAILABLE

The instance is temporarily unavailable. This exception is triggered if events thatmean that the scanner is not available (such as an update of the virussignatures) occur between the generation of the instance and the performanceof a scan request.

CONFIGURATION_ERROR

There is a configuration error. This exception is triggered if the scan cannot beperformed not due to the inbound data, but rather due to the configurationsettings.

INTERNAL_ERROR

This exception is triggered in other exception situations.

● Perform Virus Scan (SCAN_ITAB)


The meanings of the parameters are documented for the method SCAN_BYTES. Thedata to be checked is transferred using the parameter IT_ITAB.

The internal table must fulfill the following conditions:

○ It is a STANDARD or SORTED table.

8/10/2019 VSCAN_EN




○ The row type of the table is either flat of type X or C, or a structure with exactlyone field of type X or C.

You can optionally specify the total length of the data (for X tables in bytes, for C tablesin characters) using the parameter IF_DATALENGTH (this is only meaningful for Xtables for the reasons explained below). If the parameter is not filled, the entire data

object is checked.The content of C tables is first concatenated by rows into a character string, whereconcluding spaces in the individual table rows are removed, in accordance with ABAPsemantics. The length restriction (see above) is applied to this character string, and theresult is converted to UTF-8 format. This value is transferred to the scanner.

● Get Error Text (GET_SCANRC_TEXT)

Returns a short explanatory text for a return code of the scanner (constantsCON_SCANRC_...).

○ Parameters

IF_SCANRC

The error code of the scanner.

EF_TEXT

A string with the explanatory text.

○ Exceptions

Unknown error codes do not return an exception, but rather a correspondingtext.

If the function that you have developed is a standard function that can be usedby other developer groups, you should allow in your interface the possibility forcallers to assign a profile name. Only if this was not transferred should you usethe name of your own virus scan profile.

This ensures that not all users of your function are processed using the samevirus scan profile, meaning that the separate activation and deactivation of thevirus scan remains possible.

Commented Example Program

The commented source code below demonstrates the application of the virus scan interface

for scanning files that are uploaded from a workstation.The output of the result is performed in the simplest way. The report RSVSCANTESTcontained in the system performs this task in an appropriate form and can also be used as ademonstration object.

************************************************************************* Minimal demo report for Virus Scan Interface.* For a functionally more complete example see report RSVSCANTEST.************************************************************************REPORT zvscandemo.

************************************************************************* Selection screen

************************************************************************PARAMETERS:

8/10/2019 VSCAN_EN




profile TYPE vscan_prof-profile,file TYPE localfile.

************************************************************************* Events************************************************************************AT SELECTION-SCREEN ON VALUE-REQUEST FOR file.

PERFORM file_f4.

START-OF-SELECTION.PERFORM main.

************************************************************************* Main program************************************************************************FORM main.

IF file IS INITIAL.MESSAGE s058(vscan) DISPLAY LIKE 'E'.EXIT. " =================== EXIT =====================

ENDIF.

* Access file and create XSTRINGTYPES:ty_xline(1024) TYPE x.

DATA:lf_file TYPE string,lf_filelength TYPE i,lt_datatab TYPE STANDARD TABLE OF ty_xline.

lf_file = file.

CALL METHOD cl_gui_frontend_services=>gui_uploadEXPORTING

filename = lf_file

filetype = 'BIN'IMPORTING

filelength = lf_filelengthCHANGING

data_tab = lt_datatabEXCEPTIONS

OTHERS = 1.

IF sy-subrc <> 0.MESSAGE ID sy-msgid TYPE 'S' NUMBER sy-msgno

DISPLAY LIKE 'E'WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.

EXIT. " =================== EXIT =====================ENDIF.

* Recombine binary dataDATA:lf_tabline TYPE ty_xline,lf_data TYPE xstring.

LOOP AT lt_datatab INTO lf_tabline.CONCATENATE

lf_datalf_tabline

INTOlf_data

IN BYTE MODE.ENDLOOP.

lf_data = lf_data(lf_filelength).

* Get scanner instance

8/10/2019 VSCAN_EN




DATA:lo_vsi TYPE REF TO cl_vsi.

CALL METHOD cl_vsi=>get_instanceEXPORTING

if_profile = profileIMPORTING

eo_instance = lo_vsiEXCEPTIONS

configuration_error = 1profile_not_active = 2internal_error = 3OTHERS = 4.

CASE sy-subrc.

* No error.WHEN 0.

" Nothing to do

* Profile not active. For this report, this is an information message.WHEN 2.

MESSAGE ID sy-msgid TYPE 'I' NUMBER sy-msgnoDISPLAY LIKE 'I'WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.

EXIT. " =================== EXIT =====================

* All other exceptions are issued as errors.WHEN OTHERS.

MESSAGE ID sy-msgid TYPE 'S' NUMBER sy-msgnoDISPLAY LIKE 'E'WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.

EXIT. " =================== EXIT =====================

ENDCASE.

* Perform virus scanDATA:lf_scanrc TYPE vscan_scanrc.

CALL METHOD lo_vsi->scan_bytesEXPORTING

if_data = lf_dataIMPORTING

ef_scanrc = lf_scanrcEXCEPTIONS

not_available = 1configuration_error = 2internal_error = 3OTHERS = 4.

* All exceptions here are errorsIF sy-subrc <> 0.MESSAGE ID sy-msgid TYPE 'S' NUMBER sy-msgno


EXIT. " =================== EXIT =====================ENDIF.

* Print return code and textDATA:lf_text TYPE string.

lf_text = cl_vsi=>get_scanrc_text( lf_scanrc ).

WRITE: / 'Result of virus scan: ', lf_scanrc, '(', lf_text, ')'.

IF lf_scanrc = cl_vsi=>con_scanrc_ok.

8/10/2019 VSCAN_EN




WRITE: / 'File is clean'.ELSE.WRITE: / 'File was either infected',

'or could not be scanned','or was ignored'.'Or another problem occurred'.

ENDIF.

ENDFORM.

************************************************************************* F4-help for filename************************************************************************FORM file_f4.

DATA:lt_filetable TYPE filetable,lf_rc TYPE i.

CALL METHOD cl_gui_frontend_services=>file_open_dialogEXPORTING

multiselection = abap_falseCHANGING

file_table = lt_filetablerc = lf_rc

EXCEPTIONSfile_open_dialog_failed = 1cntl_error = 2error_no_gui = 3not_supported_by_gui = 4OTHERS = 5.

IF sy-subrc <> 0.MESSAGE ID sy-msgid TYPE 'S' NUMBER sy-msgno


EXIT.ENDIF.

* Number of selected filed must be equal to one.CHECK lf_rc = 1.

* Access selected fileDATA:ls_file TYPE file_table.

READ TABLE lt_filetable INTO ls_file INDEX 1.CHECK sy-subrc = 0.

file = ls_file-filename.

ENDFORM.

8/10/2019 VSCAN_EN




Java-Specific Configuration

The following contains the configuration description for the virus scan interface for Javasystems.

Setting Up Virus Scan Providers (Java)

Use

The virus scan provider is the service of the AS Java that makes the

tc/sec/vsi/interface interface available to the SAP applications of the AS Java.

Select an installation type for the Virus Scan Provider, depending on your systemprerequisites:

●

Virus Scan Adapter for a Purely-Java Installation

This procedure describes the normal case in which you are using a local Virus Scan Adapter. The virus scan adapter is a native dynamic library from a third-party vendor,which can be loaded directly into the process environment of the AS Java. This meansthat you can check memory contents directly for viruses, which achieves a higherperformance.

● Virus Scan Server for a Purely-Java Installation

This procedure describes the special case, in which the platform or processarchitecture does not allow the direct inclusion of a Virus Scan Adapter. This is thecase, for example, if the required operating system for SAP NetWeaver is notcompatible with the external anti-virus product. In this case, use a Virus Scan Server.

The virus scan server communicates with the AS Java using TCP/IP (SAP RFCprotocol) and accesses the external anti-virus product using a virus scan adapter.

Both purely-Java installations provide the same interface to instancejava from the packagecom.sap.security.core.server.vsi.api .

The configuration of the virus scan provider service is stored in the Configuration Manager ofthe AS Java. A Web Dynpro application is available to you as a configuration tool.

Prerequisites

You are an administrator of the AS Java.

Virus Scan Server for a Purely-Java Installation...

1. Start the standalone gateway [Extern].

2. Start the virus Scan server with the options -a, -x, and -g, as described in Installing

a Virus Scan Server as a Self-Starter [Page 46]. For option -a, specify the program ID

using the naming convention (case-sensitive; prefix VSCAN_ ).

3. In the SAP NetWeaver Administrator, set up the virus scan provider as a virus scanserver, as described in Defining Virus Scan Providers [Page 33].

a. For the name, specify exactly the program ID that you defined above using

option –a. However, you must leave off the name prefix VSCAN_ , since this is

automatically added.

b. Specify server settings that match those of the provider defined above. Specify-g and -x as defined under step 2.

8/10/2019 VSCAN_EN




Virus Scan Adapter for a Purely-Java Installation

After you have installed an external anti-virus product including a certified adapter, you onlyneed to enter the path to the adapter specified in the documentation for the partner product inthe VSA_LIB field....

1. Start the SAP NetWeaver Administrator (NWA) with the following URLhttp://<Host>:<Port>/nwa.

2. Log in as administrator of the AS Java.

3. Choose Configuration Management → Security Management → Virus Scan Provider .

4. Proceed as follows:...

a. Define a Scanner Group [Page 32]

b. Define a Virus Scan Provider. [Page 33]

c. Define a Virus Scan Profile [Page 35]

Defining Scanner Groups

Use

A scanner group combines multiple virus scanners of the same type. You require the groupsto specify virus scan profiles later.

For information about which configuration parameters are required or supported by theproduct that you use, see the documentation for the product.

SAP does not deliver any scanner groups.

Procedure...

1. In change mode, on the Groups tab page, create a scanner group by choosing Add .

a. To do this, enter the name of the group in the in Group Name field, and chooseContinue.

This adds a new row in the Virus Scan Groups group box.

b. On the Settings tab page, in the Virus Scan Group Details group box, enter adescription of the group in the Description field.

c. So that this group is used as the default group, set the Default scan group indicator.

2. On the Parameters tab page, set the configuration parameters required for the productthat you are using.

a. Choose Add.

b. In the Name field, you can use the input help to change the proposed name.

c. In the Type field, use the input help to specify the parameter type.

d. Enter the parameter value in the Value field.

If the Valid column does not contain an icon, you have not yet saved. If it contains agreen icon, the parameter has been recognized. If it contains a red icon, the parameterhas not been accepted by at least one adapter or server that is configured for thisgroup. You can find a more detailed error message in the message area of theapplication.

8/10/2019 VSCAN_EN




Result

You have created a scanner group with the associated parameters. As the next step, define aVirus Scan Provider [Page 33].

Defining Virus Scan Providers

Use

You can use either a Virus Scan Adapter or a Virus Scan Server as a Virus Scan Provider.The Virus Scan Server is an alternative, if you cannot use the better-performing Virus Scan Adapter, such as in the following cases:

● The SAP NetWeaver AS kernel uses 64 bits and the external anti-virus product or theexternal virus scan adapter (VSA) uses 32 bits.

● The SAP NetWeaver AS and the external anti-virus product support differentarchitectures. For example, the SAP NetWeaver AS is installed on an AIX platform, butthe anti-virus product is only available for Microsoft Windows.

In these cases, use the Virus Scan Server as a self-starter (see Installing a Virus Scan Serveras a Self-Starter [Page 46]).

Procedure...

1. In change mode, create the virus scan provider either as a virus scan adapter on the Adapters tab page or as a virus scan server on the Servers tab page.

To do this, choose the Add button in change mode.

○ To create a virus scan adapter, add the rest of the name after the predefined

prefix in the Adapter Name field, and choose Continue. This adds a new row inthe Virus Scan Adapters group box.

Enter the following data in the Virus Scan Adapter Details group box on theSettings tab page:

Settings for the Virus Scan Adapter

Field Entry

Default Scan Provider Indicator that this Virus Scan Provider is thedefault provider.

You can set this indicator for a maximum ofone Virus Scan Provider. This Virus ScanProvider is used if an application requests avirus scanner without specifying a Virus ScanProvider.

Adapter Name The name of the virus scan adapter isdisplayed. The name entered is automaticallysaved with the prefix “VSA_”.

Adapter Description Description of the current adapter

Scan Group The input help provides a list of the availablegroups to which you can assign the currentadapter.

8/10/2019 VSCAN_EN




Init. Interval (hours) Reinitialization interval of the Virus Scan Adapter in hours. This specifies the number ofhours after which the Virus Scan Adapter is tobe reinitialized.

If you receive new virus definitions at regular

intervals that the Virus Scan Adapter is to load,a reinitialization is required for this.

If you enter the value 0, the virus scan adapteris not automatically reinitialized. Default = 0

Max. Instances Specifies the maximum number of scaninstances provided by the Virus Scan Server,with which you define how many of theseinstances are provided. If this number isexceeded, the virus scanner is no longeravailable for scan requests. Default = 20

VSA Library Path Complete path to the storage location of theadapter, as specified in the documentation ofthe partner product. If you leave this fieldempty, the environment variable VSA_LIB isset.

○ To create a virus scan server, use the input help to select one of the existingRFC destinations as the name of the server. The system automatically onlyshows RFC destinations with the prefix VSCAN_. Choose Continue.

Enter the following data in the Virus Scan Server Details group box on theSettings tab page:

Settings for the Virus Scan Server

Field EntryDefault Scan Provider Indicator that this Virus Scan Provider is the

default provider.

You can set this indicator for a maximum ofone Virus Scan Provider. This Virus ScanProvider is used if an application requests avirus scanner without specifying a Virus ScanProvider.

Server Name The name of the virus scan server is displayed.The destination under which the virus scanserver has registered itself at the SAP Gatewayor the name of the RFC destination in theDestinations service is displayed.

Server Description Description of the current server

Scan Group The input help provides a list of the availablegroups to which you can assign the currentserver.

8/10/2019 VSCAN_EN




Init. Interval (hours) Reinitialization interval of the Virus ScanServer in hours. This specifies the number ofhours after which the Virus Scan Server is tobe reinitialized.

If you receive new virus definitions at regular

intervals that the Virus Scan Server is to load,a reinitialization is required for this.

If you enter the value 0, the virus scan server isnot automatically reinitialized. Default = 0

2. To activate a trace output [Page 38] for this Virus Scan Provider, set the desiredindicator on the Trace tab page.

3. On the Parameters tab page, set the parameters required for the product that you areusing.

a. Choose Add . You can use the input help to change the proposed name in theName field.

b. In the Type field, use the input help to specify the parameter type.

c. Enter the parameter value in the Value field.

4. To activate the virus scan provider, save your entries. Then, in the Virus Scan Adapters or Virus Scan Servers group box, select the appropriate entry and choose Activate.

Result

You have defined a Virus Scan Provider and can define virus scan profiles [Page 35] in thenext step.

Defining Virus Scan Profiles

Use

Application programs use virus scan profiles to check data for viruses. A virus scan profilecontains a list of scanner groups that check a document. You can also use a virus scan profileto assign configuration parameters for the virus scanner. If you scan for viruses with this virusscan profile, the virus scanner receives the parameters.

A virus scan profile specifies steps that are to be run during a scan. A step is either a virusscanner, which is found using the scanner group, or a step specifies, in turn, a virus scanprofile, which is then performed as part of the enclosing virus scan profile.

A virus scan is performed under the name of a virus scan profile. The system administratorcan use the profile to activate or deactivate the virus scan for each component.

By default, a virus scan profile is provided for each SAP application that integrates a virusscan.

Prerequisites

You have created scanner groups.

Procedure...

1. On the Profiles tab page, create a virus scan profile in change mode by choosing the Add button.

In the Profile Name field, enter the rest of the name after the predefined prefix, andchoose Continue. This adds a new row in the Virus Scan Profiles group box.

8/10/2019 VSCAN_EN




2. In the Virus Scan Profile Details group box, you have the following options on theSettings tab page:

○ Select the profile to be edited as a reference profile by setting the Default ScanProfile indicator.

○ Use the default profile.

i. In the Reference Profile field, use the input help to select the <DefaultProfile>.

○ Use a reference profile

Since a virus scan profile can use another virus scan profile as a referenceprofile, it is possible to operate multiple applications using the same virus scanprofile.

This creates a link to an existing reference profile. To do this, use the input helpfor the Reference Profile field to select a reference profile.

○ Define a new profile...

i. Choose Add and enter the following data:

Data for a Self-Configured Profile

Field Notes

Profile Name The name of the new profile is displayed.

Profile Description Description of the new profile

Reference Profile This indicator must not be set, since the otherinput fields would otherwise be hidden.

Step Linkage Linkage of the steps of this profile:

All steps successful : AND linkage, with whichevery step must be successful for the overallresult to be successful.

At least one Step successful : OR linkage, withwhich only one step needs to be successful forthe overall result to be successful.

Profile Steps Use the input help to select profile steps.

ii. Specify the profile steps in the Profile Steps group box.

● Choose Add.

● Use the input help to specify in the Type field whether a group oranother profile is to be used.

● Use input help to specify the value of the group or profile.

● Configure the list with the buttons Move up, Move down, andRemove.

When checking for viruses, the list is processed from top to bottom withthe linkage from the Linkage Strategy field.

3. To activate the profile, save your entries. Then select the profile in the Virus ScanProfiles group box and choose Activate.

8/10/2019 VSCAN_EN




Result

You have defined a virus scan profile and therefore performed the last configuration step forthe virus scan provider. You can, finally, check the configuration [Page 39].

Delivered Virus Scan Profiles

The profiles are deactivated when delivered. To activate them, first create at least one basisprofile that you save as the default profile. You can then activate one of the delivered profiles.By default, it links to a reference profile, which is the default profile. See also SAP Note848189

● webdynpro_FileUpload

Web Dynpro uses this virus scan profile for the Java component FileUpload.

Example: uploading a local file using a Web Dynpro application.

●

visualcomposer

If you develop Java interfaces with the Visual Composer Server, you can use thisprofile to scan the uploaded interface components for viruses.

● htmlb_FileUpload

This profile is used to scan the layout components of HTML Business for Java(HTMLB) of a Web site for viruses. This profile must be activated, for example, forKnowledge Management and Collaboration (KMC).

● kmc_Default

Default profile for Knowledge Management and Collaboration (KMC) for uploading ordownloading files (see Virus Scanner Service [External]).

Delivered ParametersThere are INIT, SCAN, CLEAN, and CUST parameters, of which INIT, SCAN, and CLEANparameters are passed to the external product. For more information about which parametersexist and their effect, see the documentation for the external product. The default values ofthe parameter configuration show all parameters. An external product usually only supports asubset of the parameters.

It is mandatory that the parameter SCANBESTEFFORT exists for every certified virus scan

product. If you set this parameter to 1, the most stringent security settings of the externalproduct are selected. For more information about which settings these are and how theyaffect the performance of the product, see the documentation of the external product.

CUST parameters are used by the virus scan profiles delivered by SAP and are not forwardedas an external product. The following parameters exist:

● CUST_NOT_SCANNED_AS_WARNING

Parameter that defines whether processing of the file to be checked is terminated if thereturn code VSI_E_NOT_SCANNED is returned by the exception

VirusScanException (default value). If the value of the parameter is 1, processing

is continued. This return code is output, for example, if the file type is unknown, or thefile to be checked is an encrypted archive file.

Parameters relate to each profile that contains a definition.

8/10/2019 VSCAN_EN




In the case of Java installations, unknown parameters are displayed in red, andrecognized parameters are displayed in blue.

Problem Analysis for the Virus Scan Provider

Use

You define data for the log output of the virus scan provider with trace indicators. You can usethis data to investigate any errors that occur.

Prerequisites

You have defined at least one virus scan provider.

Procedure...

1. Choose the Adapters or Servers tab page, depending on whether you defined the virusscan provider as an adapter or as a server.

2. In the Virus Scan Adapter or Virus Scan Server group box, select the provider for whichyou want to display the trace.

3. Set the desired indicators on the Trace tab page.

In the case of adapters, changes to the trace settings affect all adapters.

Trace Indicators

Indicator Meaning

Errors Serious errors in the virus scan server or withinthe Virus Scan Interface.

Virus Infections Virus infections reported by the externaladapter. These are displayed for scan and alsofor clean calls. Therefore, if a virus wassuccessfully removed, the trace also specifiesthe infection

Parameter Operations in the Adapter Additional information about the virus scanserver or the Virus Scan Interface.

Thread Operations Thread operations (generation or termination)within the virus scan server.

Warnings Possible errors or warnings in the virus scanserver or within the Virus Scan Interface.

Virus Scan Adapter Functions Function calls within the Virus Scan Interface.Contains the parameters with which theinternal API was called and, at the end of eachfunction, the return values.

RFC Functions to the Virus ScanServer

Function calls to the virus scan server

Trace Memory Memory reservation or release of the virusscan server.

Information Additional information about the virus scanserver or the Virus Scan Interface.

8/10/2019 VSCAN_EN




Virus Scan Interface API NativeFunctions

Function calls within the Virus Scan Interface.Contains the parameters with which theinternal API was called and, at the end of eachfunction, the return values.

RFC Parameters and/or Table

Contents of Virus Scan Server

RFC parameters and/or table contents of the

virus scan server4. Choose Save.

Result

You have activated the trace output for the virus scan provider.

With Microsoft Windows NT, the path is:

\usr\sap\<SAP system name>\<instance>\work\dev_server<ID>, such as

C:\usr\sap\C11\JC00\work\dev_server0.

With UNIX, the path is:

/usr/sap/<SAP system name>/<instance name>/work/dev_server<ID>.

Testing the Installation of the Virus Scan Provider

Use

You can use this procedure to check that your configured virus scan provider is functioningcorrectly.

Procedure...

1. Start the test application under the path /vscantest.

2. Specify the object to be checked, using either the test data provided or your own localfile.

a. Select the virus scan profile, scanner group, or the virus scan provider to betested.

b. Select an action.

If you choose Check Only , the anti-virus product that you specified scans thedata for viruses and displays a result.

If you choose Check and Clean, the product also attempts to clean the data if avirus infection is diagnosed.

3. Start the test by choosing Execute the action.

Using the Virus Scan Provider API

The interfaces and classes of the Virus Scan Provider API are in the packagecom.sap.security.core.server.vsi.api of the facade tc~bl~vis~api.

In the development environment (IDE), you need to set a runtime reference to the facade

tc~bl~vis~api in the development project.

8/10/2019 VSCAN_EN




To use the Virus Scan Provider, you need to set this up.

The four most frequently used objects are presented below. These are also contained in theExample Program for the Virus Scan Provider .

The most important interfaces of the Virus Scan Provider API are VSIService and

Instance. You can use the methods of VSIService to access external virus scan productsthat are certified by SAP. The available methods of the VSIService interface include:

• getGroup

• getGroups

• getInstance

• getInstanceByGroup

• getInstanceByProvider

• getProfile

• getProfiles

• getProvider

• getProviders

• releaseInstance

External users of this API can use the methods of the Instance interface to return one of the

following instances: profile, group, or provider (adapter or server). The available methods ofthe Instance interface include:

• cleanBytes

• cleanFile

• getCleanedLength

• getJobID

• getLastErrorRC

• getParameter

• getParameters

• scanBytes

• scanBytesEx

• scanFile

• scanStream

• setDefaultConfig

• setJobID

• setParameter

8/10/2019 VSCAN_EN




• setScanInfo

The most important classes of the Virus Scan Provider API are Infection and ScanError.

The class Infection contains the characteristics of a virus infection that has occurred.

Since this information is returned by the external anti-virus software, it depends on therespective product. The available methods include:

• getFreeTextInfo

• getObjectName

• getObjectSize

• getVirusId

• getVirusName

• isRepairable

The ScanError class contains the characteristics of an error that has occurred during a viruscheck. Since this information is returned by the external anti-virus software, it depends on therespective product. The available methods include:

• getErrorRC

• getErrorText

• getObjectName

• getObjectSize

For more information, see the JavaDocs for the relevant interfaces and classes.

8/10/2019 VSCAN_EN




Example Program for the Virus Scan Provider

The source code below demonstrates the use of the virus scan provider.

You cannot execute this example program as is, since it is only a fragment. However, theindividual parts can be used.

import javax.naming.*;import com.sap.security.core.server.vsi.api.*;import com.sap.security.core.server.vsi.api.exception.*;

/* Virus Scan Interface example */

public class VsiTestScan ... {...try {

/* Lookup the VSI service. */

Context ctx = new InitialContext();VSIService vsiService =

(VSIService)ctx.lookup(VSIService.JNDI_NAME);

if (vsiService != null) {/* get scan instance */

Instance myInstance = null;try {

myInstance = vsiService.getInstance();

if (myInstance != null) {/* perform virus scan */if (myInstance.scanBytes(Virus.EICAR) == true) {

/** true means no infection and no scan error:* Scanning the EICAR test pattern virus* must either return false or throw an Exception,* otherwise the underlying scan engine has* not recognized the EICAR pattern.

*//* not expected error */

}

}

else {

/* The returned instance was null:

* This means, the virus scan profile is not active

* => do here nothing to allow the scan switch on/off

*/

8/10/2019 VSCAN_EN




}}catch (VirusInfectionException vse) {

Infection[] myInfections = vse.getInfections();

String errorText = vse.getLocalizedMessage();

/* print out only the locale error text */

if (myInfections.length == 1) {/* the scan engine has found the infection *//* ... */

}else {

/* not expected error *//* ... */

}

}catch (Exception e) {/* catch all other Exceptions,* including VirusScanException and* VSIServiceException here as not* expected error*/

String errorText = e.getLocalizedMessage();

/* print out only the locale error text *//* ... */

}

finally {

/* release the scan instance */vsiService.releaseInstance(myInstance);

}}else {

/* Virus Scan Provider service is not started *//* ... */

}/* ... */

}

Virus Scan Server

The virus scan server is an executable program that includes virus scanners from certifiedvendors using an interface and provides scan services to the application servers of thesystem as a registered RFC server.

8/10/2019 VSCAN_EN




Application-Server-Starter or Self-Starter

When configuring a Virus Scan Server for ABAP systems, instead of an application-server-starter (started by the application server) you can install a self-starter (for example, started

externally as a service under Microsoft Windows NT or a daemon under UNIX). In the case ofapplication-server-starters, all components are on the same host. On the other hand, in thecase of self-starters, the virus scan server and the SAP NetWeaver Application Server (SAPNW AS) can be on different hosts. This means that you can use a virus scan server that isonly available for a particular platform, even if the SAP NW AS is installed on a differentplatform.

Virus Scan Server on One or Two Hosts

Work Process

Work Process

Work Process

Work Process

Work Process

Work Process

SAP System

RFC ClientVirus Scan Server

Anti-Virus Product

SAP

Gateway

Host 1

Work Process

Work Process

Work Process

Work Process

Work Process

Work Process

SAP System

RFC Client

Host 1

Virus Scan Server

Anti-Virus Product

SAP

Gateway(On host 1

or host 2)

Host 2

During operation, this division into application-server-starters and self-starters primarilyaffects the Computing Center Management System (CCMS). You can monitor the virusscanners in the CCMS (transaction RZ20), in the monitor Virus Scan Servers in the monitorset SAP CCMS Monitors for Optional Components [External]. The following differences existin this case:

● Application-Server-Starters

In this case, the CCMS data collector automatically checks whether a configured VirusScan Server is available. If this is not the case, the CCMS triggers an alert, and startsthe Virus Scan Server again as an auto-reaction.

● Self-Starters

In this case, although the processes are monitored by CCMS, they are notautomatically stopped or started. There is, however, a separate MTE class in CCMS forthese self-starters. You can assign an auto-reaction method to this MTE class yourselfto react to alerts. You can, for example, use the MTE class CCMS_OnAlert_Email tosend an e-mail or an SMS (see Defining Automatic Alert Notification [External] andForwarding Alerts to Alert Management (ALM) [External]).

8/10/2019 VSCAN_EN




Ensure that you secure your RFC connections with Secure NetworkCommunications (SNC) as described in the SNC manual [External].

For more information about application-server-starters and self-starters, see:

●

Virus Scan Provider as an Application-Server-Starter [Page 45]

In the following case, you can use the application-server-starter as a self-starter:

The SAP Web AS kernel uses 64 bits and the external anti-virus product or the externalVirus Scan Adapter (VSA) uses 32 bits.

To do this, use the field Instance Name, and create the 32 bit Virus Scan Serverin a separate instance directory. More information: SAP Note 964305.

● Installing a Virus Scan Server as a Self-Starter [Page 46]

The self-starter is available to you as an alternative if you cannot use the application-server-starter.

Virus Scan Provider as an Application-Server-Starter

Use

Virus Scan Adapter

The vendor’s virus scan adapter must match the architecture of the application server. If youare using it under Sun Solaris 9, the adapter must therefore be 64 bit compatible, since theSAP application server only supports 64 bit for this operating system.

There are no other dependencies on other components, meaning that you do not needvscan_rfc.exe, xmlXXd.dll, sapcppXX.dll, or librfc32.dll.

Virus Scan Server

If you use the virus scan server, all required components are in the working directory of theSAP NW AS kernel on one host. The Virus Scan Server is included in the standard system.This means that you only have to ensure that the prerequisites for the operation of theapplication-server-starter are fulfilled.

Prerequisites● You have installed the external anti-virus product and the associated Virus Scan

Adapter in accordance with the instructions provided by the vendor.

● The kernel directory contains the following components:

○ vscan_rfc.exe (Microsoft Windows NT) or vscan_rfc (UNIX)

○ The current RFC library or LIBRFC (see SAP Note 413708)

○ sapcpp<XX>.dll (Microsoft Windows NT) or sapcpp<XX>.<shared ext.> (UNIX)

where XX stands for the version and follows the release

○

xml<XX>d.dll (Microsoft Windows NT) or xml<XX>d<shared ext> (UNIX)

where XX stands for the version

8/10/2019 VSCAN_EN




These components are available to you as a package in the Product andProduction Management System at service.sap.com/swdc .

Installing a Virus Scan Server as a Self-Starter

Use

The self-starter is available to you as an alternative if you cannot use the application-server-starter. If, for example, you are using a SAP NetWeaver AS under UNIX, but the externalvirus scan product or the external adapter is only available for Microsoft Windows.

Prerequisites

The self-starter starts the virus scan engine using a local XML configuration file. This is

usually the file vscan_rfc.xml, which contains the parameters required by the virus scanadapter (The installation package available at service.sap.com/swdc contains a

default configuration file.). The server must be started, or, if necessary, restarted usingoperating system resources.

Procedure...

1. Copy the relevant variant of the virus scan server from the CD or the SAP ServiceMarketplace to a start directory.

2. Create the configuration file using the commands listed in the table below, with whichyou can later also change the existing configuration.

In this example, the following call generates both the server and the VSAconfiguration for antivirvsa.dll (antivir):

vscan_rfc get_config –V <drive:>\vsa\antivirvsa.dll –cfg <drive:>\vsa\vscan_rfc.xml

To set new parameters to overwrite existing parameters, execute additionalcommands and options in a new call. These are then set in the XMLconfiguration.

In this example, you can change the call as follows::

vscan_rfc get_config –V <drive>:\vsa\antivirvsa.dll –cfg <drive:>\vsa\vscan_rfc.xml –a VSCAN_LOCAL –g <host name of theSAP Gateway> –x <Service name of the SAP Gateway> –c <SAPCodepage>

8/10/2019 VSCAN_EN




Configuration Commands for the Self-Starter

Command Platform Notes

help All Calls the online help for thecommands and options.

version All Shows the internal versioninformation of the virus scanserver. You must use at leastinternal version 1.5 (see SAPNote 782963).

regonly All Registers the virus scanserver only at the gatewaywithout starting the underlyingengine. The CCMS uses thiscommand to then call the RFCfunction VSCAN_RFC_INIT.

Note that if you use thiscommand outside the CCMSthat the server is not ready foruse.

get_config All Receives the CSA andseparate server configurationand stores them in a localXML configuration. (Option-cfg <file> is mandatory forthis). The options receivedusing the command line arestored as the serverconfiguration in this case. If

you do not specify anycommand line options, thepredefined values are set.

Use this command to start thesetup of a self-starter. If thefile specified using the option -cfg does not exist, a new file iscreated.

install NT Installs a “new” VSCAN_XXservice in the MicrosoftWindows NT Service ControlManager (SCM).

The -cfg option with aspecification of a localconfiguration is mandatory forthis command. The service isinstalled if the VSA issuccessfully initialized. If youspecify additional options,these are only stored in theXML file used. The -srvcoption specifies the number ofthe service; that is, you caninstall up to 100 services on a

host. The default value for-srvc is 00.

8/10/2019 VSCAN_EN




remove NT Deletes an existingVSCAN_XX service in theMicrosoft Windows NT ServiceControl Manager (SCM).

You can specify the service

more exactly using the -srvcoption. Example: vscan_rfcremove -srvc 1 deletes theexisting service VSCAN_01.

start NT Starts an installed VSCAN_XXservice. This command startsthe service with the specifiedoptions.

The Microsoft Windows NTcommand "net startVSCAN_XX“ starts thepreviously installed service

only if the local configuration isused.

stop NT Stops a running VSCAN_XXservice. This commandcorresponds to the MicrosoftWindows NT command “netstop ...”.

In addition to the commands, you can specify the following options.

Options for Self-Starters

Option Platform Notes

-a All Program ID of the RFCdestination, such asVSCAN_LOCAL

-g All Host name of the SAPgateway

-x All Service name of the SAPgateway, such as sapgw00

-cfg All Complete path specification ofthe XML configuration file

-f All Path specification of the tracefile to be used

-l All Trace level of the trace file:

0 := Errors

1 := Errors and warnings (suchas virus infections)

2 := Errors, warnings, andvirus scan engine calls

3 := Additional information, allRFC calls, and memory

operations

8/10/2019 VSCAN_EN




-c All SAP codepage for NON-UNICODE virus scan servers

-V All Path specification of the virusscan adapter to be used. Ifyou do not set this option, the

environment variable VSA_LIBis used.

-p All Profile name (Default:VSA_CONFIG) for the currentVSA configuration. This optionallows differentiation if you areusing multiple (different) VSAconfigurations in one XML file.

-T All Maximum number of threadsthat the server can use.Possible values: 1 to 999.

-m All Minimum number of threadsthat the server should use.

Note: The mean value of -mand -T is always used for thenumber of threads that areheld open.

-L All Path specification for an SNClibrary

-S All The SNC name of thisinstance.

Note: Setting -L, -S, or -Q

activates SNC for the server.

-Q All SNC security level. Possiblevalues:

1:=Authentication

2:=Integrity protection

3:=Encryption

7:=Minimum level

8:=DEFAULT

9:=Maximum level

-P All The SNC name of the SAPinstance.

Caution: If you set this name,only requests from SAPinstances with this SNCidentity are accepted

-I All Timeout in seconds for theinternal instances operationsRELOAD and SHUTDOWN.

-n All Maximum number of tracelines for the memory trace.

Default: 10000

8/10/2019 VSCAN_EN




-h All Retention period in secondsfor the memory trace: Defaultvalue: 86400 seconds

-srvc NT Service number of theMicrosoft Windows NT

commands install | remove |start | stop

-daemon UNIX Starts the virus scan server asa daemon process with fork().

Operating the Self-Starter

● Operation as a Service in the SAP Microsoft Management Console (SAPMMC)

You can start and stop the virus scan server within the SAPMMC. The virus scan

server runs as a Microsoft Windows service within the operating system.

● Operation as a Daemon

You can start the virus scan server as a daemon directly at the operation system start.

Starting a daemon:

vscan_rfc -cfg /vsa/vscan_rfc.xml –daemon

You can monitor the daemon with operating system resources (CRONTAB, INITTAB).

The components required to operate the self-starter are available to you as a package in the

Product and Production Management System at service.sap.com/swdc .

Configuring the Self-Starter

You have the following options for configuring the self-starter:

● Call get_config again and use additional Commands and Options [Page 46].

● Edit the XML configuration file directly.

● Synchronize the settings using the IMG activity Define Virus Scan Servers [Page 9]

(transaction VSCAN).

With this configuration option, the parameters for trace level (option -I), codepage(option -c), max. threads or max. instances (option -T), and VSA_LIB (option -V) aresaved to the specified configuration using the Local button. If you leave theConfiguration field empty for a self-starter, the values are saved to the XMLconfiguration in use.

The values are only saved if an XML file already exists.

8/10/2019 VSCAN_EN



Using Signals to Control the Virus Scan Server

Use

You can send the virus scan server operating system signals so that it performs functions.

This is useful if, for example, you want to administrate the virus scan server from a shellscript.

Procedure

The table below lists the signals and their effect on the virus scan server.

Signals and Their Actions

Signal Action

SIGINT Downloads

SIGUSR1 Reduces trace level

SIGUSR2 Increases trace level

SIGHUP Reinitializes virus scan instances within thevirus scan server.

After an update of the external product, youcan use this signal to prompt the virus scanserver to reinitialize itself, so that it has an up-to-date status.

Date post:	02-Jun-2018
Category:	Documents
Upload:	raghavendrarao-gaddipati
View:	251 times
Download:	1 times

VSCAN_EN

Documents