Date post: | 02-Jun-2018 |
Category: |
Documents |
Upload: | raghavendrarao-gaddipati |
View: | 251 times |
Download: | 1 times |
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 1/51
Virus Scan Interface
As of SAP NetWeaver 7 .0
H
E
L P
. B
C
S
E
C
_ V
S
C
A
N
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 2/51
SAP Online Help 18.08.2008
Virus Scan Interface 2
Copyright
© Copyright 2008 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose
without the express permission of SAP AG. The information contained herein may bechanged without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietarysoftware components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of MicrosoftCorporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x,System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM,z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM,Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower,
PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner,WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBMCorporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin aretrademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, WorldWide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license fortechnology invented and implemented by Netscape.
SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessByDesign, and other SAP products and services mentioned herein as well as their respective
logos are trademarks or registered trademarks of SAP AG in Germany and in several othercountries all over the world. All other product and service names mentioned are thetrademarks of their respective companies. Data contained in this document servesinformational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, withoutrepresentation or warranty of any kind, and SAP Group shall not be liable for errors oromissions with respect to the materials. The only warranties for SAP Group products andservices are those that are set forth in the express warranty statements accompanying suchproducts and services, if any. Nothing herein should be construed as constituting anadditional warranty.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 3/51
SAP Online Help 18.08.2008
Virus Scan Interface 3
Icons in Body Text
Icon Meaning
Caution
Example
Note
Recommendation
Syntax
Additional icons are used in SAP Library documentation to help you identify different types of
information at a glance. For more information, see Help on Help → General InformationClasses and Information Classes for Business Information Warehouse on the first page of anyversion of SAP Library .
Typographic Conventions
Type Style Description
Example text Words or characters quoted from the screen. These include fieldnames, screen titles, pushbuttons labels, menu names, menu paths,and menu options.
Cross-references to other documentation.
Example text Emphasized words or phrases in body text, graphic titles, and tabletitles.
EXAMPLE TEXT Technical names of system objects. These include report names,program names, transaction codes, table names, and key concepts of aprogramming language when they are surrounded by body text, forexample, SELECT and INCLUDE.
Example text Output on the screen. This includes file and directory names and theirpaths, messages, names of variables and parameters, source text, andnames of installation, upgrade and database tools.
Example text Exact user entry. These are words or characters that you enter in thesystem exactly as they appear in the documentation.
<Example text> Variable user entry. Angle brackets indicate that you replace thesewords and characters with appropriate entries to make entries in thesystem.
EXAMPLE TEXT Keys on the keyboard, for example, F2 or ENTER.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 4/51
SAP Online Help 18.08.2008
Virus Scan Interface 4
Virus Scan Interface .................................................................................................................. 5
Architecture of the Virus Scan Interface ................................................................................ 6
Configuration of the Virus Scan Interface.............................................................................. 7
ABAP-Specific Configuration.............................................................................................. 8
ABAP Transaction Overview for Virus Scan Interface ................................................... 8
Setting Up Virus Scan Providers (ABAP) ....................................................................... 8
Defining Scanner Groups............................................................................................ 8
Defining Virus Scan Providers .................................................................................... 9
Defining Virus Scan Profiles ..................................................................................... 15
Delivered Virus Scan Profiles................................................................................ 19
Delivered Parameters............................................................................................ 20
Problem Analysis for the Virus Scan Server................................................................. 21
Testing the Installation of the Virus Scan Provider....................................................... 22
Integrating the Virus Scan Interface into Customer Developments.............................. 23
Commented Example Program .................................................................................... 27
Java-Specific Configuration.............................................................................................. 31
Setting Up Virus Scan Providers (Java) ....................................................................... 31
Defining Scanner Groups.......................................................................................... 32
Defining Virus Scan Providers .................................................................................. 33
Defining Virus Scan Profiles ..................................................................................... 35
Delivered Virus Scan Profiles................................................................................ 37
Delivered Parameters............................................................................................ 37
Problem Analysis for the Virus Scan Provider.............................................................. 38
Testing the Installation of the Virus Scan Provider....................................................... 39
Using the Virus Scan Provider API............................................................................... 39
Example Program for the Virus Scan Provider............................................................. 42
Virus Scan Server ............................................................................................................ 43
Application-Server-Starter or Self-Starter..................................................................... 44
Virus Scan Provider as an Application-Server-Starter.............................................. 45
Installing a Virus Scan Server as a Self-Starter........................................................ 46
Operating the Self-Starter...................................................................................... 50
Configuring the Self-Starter................................................................................... 50
Using Signals to Control the Virus Scan Server........................................................... 51
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 5/51
SAP Online Help 18.08.2008
Virus Scan Interface 5
Virus Scan Interface
You can use the Virus Scan Interface to include external virus scanners in the SAP system toincrease the security of your system. This means that you can use a high-performance
integration solution to scan files or documents that are processed by applications for viruses.This applies both for applications delivered by SAP and for customer developments, forexample, during data transfers across networks or when documents are exchanged throughinterfaces.
The interface consists of two parts: an external part for the certified anti-virus products of thevarious vendors and an internal part, with which you can integrate the virus scan functionsinto your own applications.
A list of the certified products for the interface (VSI) is available in the SAPService Marketplace at http://service.sap.com/securitypartners (see
also SAP Note 786179).
The graphic below shows an integrated ABAP-Java installation. You can, however, also usethe Virus Scan Interface for purely-ABAP or purely-Java installations.
In the graphic, application A uses virus scan profile A to access group X in the first step,group Y in the second step, and group Z in the third step. Each group in the figure representsthe anti-virus software of a particular vendor. In the case of group Z, one of the Virus ScanProviders in the group delivered by SAP is selected by load balancing using the Virus ScanServer and uses the external vendor’s certified Virus Scan Adapter to access the vendor’santi-virus software. This software then scans the data transferred by application A for viruses.In the case of group Y, there are Virus Scan Providers with and without Virus Scan Servers,which all access the anti-virus software of the external vendor using the vendor’s certifiedVirus Scan Adapter. In the case of group Z, the Virus Scan Providers simply combine thecertified Virus Scan Adapters of the external vendor with which the anti-virus software is
accessed.
Virus Scan Interface
Virus Scan Server 2
Virus Scan Provider 3Virus Scan Provider 2
Virus Scan Profile n Application B
Application A
Config.
Config.
Config.
Virus Scan Profile BVirus Scan Profile A
1
2
3
Group ZConfig.
Virus Scan Server 1
Virus Scan Adapter
Scan Engine C
Driver Driver Driver
n
Virus Scan Provider 1
Virus Scan Provider 3Virus Scan Provider 2
Group XConfig.
Virus Scan Adapter
Scan Engine A
Driver Driver Driver
Virus Scan Provider 1
Virus Scan Provider 3Virus Scan Provider 2
Group YConfig.
Virus Scan Adapter
Scan Engine B
Driver Driver Driver
Virus Scan Provider 1
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 6/51
SAP Online Help 18.08.2008
Virus Scan Interface 6
Architecture of the Virus Scan Interface
The structure of the Virus Scan Interface allows you to combine different products, systems,and platforms to scan your applications for viruses. This is possible, since SAP provides acertified interface for the virus scan products of other vendors.
The partners’ virus scan engines can, for example, have completely different architectures.However, by integrating an adapter using a proprietary connection, any partner can, however,connect any existing virus scan product to the Virus Scan Interface.
On the SAP side, different VSI layers are used to include the ABAP and Java worlds, and todeal with platform dependencies (of operating systems and processors, that is, 32 or 64 bit) inthe integration of the Virus Scan Interface.
The graphic below shows, on the left, the possible integration of external products using theadapter. Depending on whether the interface of the external product is public or proprietary,
the adapter can either be integrated into the external product itself, or use the public interfaceof the external product and provide the Virus Scan Interface for the SAP side.
Elements of the Virus Scan Interface
Remote Function Call
(RFC) with TCP/IP V i r u s S c a n I n t e r f a c e ( N W
- V S I )
DB and OS Abstraction Layer
AS ABAP AS Java
SAP NetWeaver
Virus Scan
Engine + VSA
1st
DEF 2nd
DEF nth
DEF
Virus Scan Daemon
VSA
1st
DEF2nd
DEF nth
DEF
Virus Scan
Engine(Multiple OS system
libraries)
VSAVirus Scan Server
vscan_rfcDEF = Definition, pattern, or signature files (DATs),
and so on
S h a r e d l i b r a r y
t h a t s u p p o r t s
N W - V S I
The graphic below clarifies the layer structure of the Virus Scan Interface (SAP VSI API) andshows which parts are delivered by SAP, and which by the relevant partner.
The partner products either access the SAP VSI API directly with the scan engine or indirectlyusing a separate Virus Scan Adapter.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 7/51
SAP Online Help 18.08.2008
Virus Scan Interface 7
The SAP VSI API contains the functions required to configure and to initialize the partner’sscan engine. It also provides the parameters and data for every virus scan and processes thecheck result.
The SAP VSI library loads the certified partner products as a shared library.
ABAP or Java application programs start virus scans with dedicated classes and methods of
the SAP Virus Scan Interface, which either make direct calls in the AS ABAP or AS Java, oruse a Virus Scan Server using RFC. If you are using the Virus Scan Server using your ownRFC client programs, refer to SAP Note 964305, which contains a Software Development Kit.
Software Layers of the Virus Scan Interface
ABAP Code
Remote Function Call
(RFC)
Internal API of the Scan Engine (optional)
Virus Scan Adapter
SAP-NW-VSI
Scan API (ABAP)
Scan Engine
Internal VSI-API from SAP
Partner Part C Interface
Virus Scan Server JAVA
ABAPInterface
JavaInterface
Virus ScanProvider
ABAP
Virus ScanProvider
JAVA CodeRFC ClientCode
o p t i o n a l
SAP-VSI Library
SAP Part
o p t i o n a l
Scan API (Java)
Configuration of the Virus Scan Interface
In principle the configuration of the Virus Scan Interface is the same in AS ABAP and AS
Java. Both configurations primarily use the Virus Scan Adapter. However, specific proceduresare required in each case. You should only fall back on the Virus Scan Server in exceptionalcases.
● ABAP-Specific Configuration [Page 8]
● Java-Specific Configuration [Page 30]
● Virus Scan Server [Page 43]
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 8/51
SAP Online Help 18.08.2008
Virus Scan Interface 8
ABAP-Specific Configuration
The following contains the configuration description for the virus scan interface for ABAPsystems.
ABAP Transaction Overview for Virus ScanInterface
Transaction Overview
Transaction Notes
VSCAN Configuration of the Virus Scan Provider [Page9]
VSCANGROUP Configuration of the Virus Scan Groups [Page8]
VSCANPROFILE Configuration of the Virus Scan Profiles [Page15]
VSCANTEST Test for the Virus Scan Interface [Page 22]
VSCANTRACE Memory Trace for the Virus Scan Server [Page20]
Setting Up Virus Scan Providers (ABAP)
To be able to use a virus scan provider, you need to maintain data in the implementationguide (IMG) or the relevant transactions.
To do this, perform the following steps:...
1. Define scanner groups [Page 8]
2. Define a virus scan provider [Page 9]
3. Define virus scan profiles [Page 15]
Defining Scanner Groups
Use
A scanner group combines multiple virus scanners of the same type to allow load balancing.Since you select the virus scanner using the scanner group when maintaining the virus scanprofile, you must assign each virus scan provider to a scanner group.
Create a scanner group for each product class of virus scanners that are connected to thesystem using the virus scan provider. If you include your own virus scanners with the BAdI
VSCAN_INSTANCE, create a scanner group for each implementation of your own scannerand identify these as BAdI implementations.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 9/51
SAP Online Help 18.08.2008
Virus Scan Interface 9
We recommend that you no longer use BAdIs. Use the Virus Scan Adapterinstead.
You can store configuration parameters for each scanner group. These are divided intoinitialization parameters and scan parameters:
● Initialization parameters are transferred to the virus scan server when it is started, andare required to be able to start the virus scan provider. If you use the Business Add-In,these parameters for the method of creating the scan instance are transferred. Theparameters contain, for example, the path to the virus signatures.
● Scan parameters are transferred for each scan process and control the behavior of theindividual request, such as yes/no for activating the scanning of macros.
For information about which configuration parameters are required or supported by theproduct that you use, see the documentation for the product.
SAP does not deliver any scanner groups.
Procedure...
1. In the Implementation Guide, choose SAP NetWeaver → Application Server → System
Administration → Virus Scan Interface (transaction VSCANGROUP), and, if necessary,switch to change mode.
The screen View: Change "Scanner Groups": Overview appears.
2. Choose New Entries.
The screen New Entries: Overview of Added Entries appears.
3. Specify the data for the scanner group.
Data for the Definition of a Scanner Group
Field Notes
Scanner Group Freely definable name of thescanner group.
Business Add-In Do not use BAdIs any more.
Group Text Explanation for the scannergroup.
4. Save your entries.
Defining Virus Scan Providers
Use
The Virus Scan Provider defines either a Virus Scan Adapter or a Virus Scan Server.
The Virus Scan Adapter is a library that integrates virus scanners from certified vendors usingan interface. The Virus Scan Adapter is loaded in AS ABAP, AS Java, or the Virus ScanServer.
The Virus Scan Server is an executable program that includes virus scanners from certifiedvendors using an interface and provides scan services to the application servers of thesystem as a registered RFC server.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 10/51
SAP Online Help 18.08.2008
Virus Scan Interface 10
The application server controls tasks such as starting, stopping, and monitoring the VirusScan Server. You configure the data required to do this in this step.
Use this procedure to create an entry for each Virus Scan Provider that youwant to set up. For performance reasons, we recommend that, if possible, youload a Virus Scan Adapter directly in the application server. If this is notpossible, you should set up at least one Virus Scan Server on every applicationserver.
SAP does not provide any configuration data for Virus Scan Providers.
As soon as you can use a Virus Scan Adapter, you should stop using the Virus Scan Server.You can use the Virus Scan Providers to integrate a Virus Scan Adapter into the applicationserver, that is, into the kernel. This means that the document does not have to be copied tothe RFC server, meaning that this is the fastest scan variant. The AS ABAP scans thedocument directly for viruses. You can also administer the adapter more easily. You do notrequire, for example, the following administration tools:
● CCMS monitoring: the adapter runs in the work process and returns a CORE dump inthe ABAP kernel if problems occur. The system then automatically restarts the workprocess and loads a new adapter.
● Load balancing: with an adapter, you do not need to explicitly attend to load balancing,since this is determined using the work processes.
● RFC destination: you do not need to create an RFC destination for adapters.
Prerequisites
● You have created at least one scanner group.
● You have decided whether you are creating the virus scan provider as an application-
server-starter or as a self-starter (see Application-Server-Starter or Self-Starter [Page43]).
Defining Virus Scan Servers...
1. In transaction SM59, create an RFC connection with the connection type T .
Since the configuration of the Virus Scan Server requires the following namingconvention, you must use it for the RFC destination of a Virus Scan Server:
● VSCAN_<host name>, if you only want to start one Virus ScanServer on the host.
● VSCAN_<host name>-<number>, if you want to start multipleVirus Scan Servers on the host. The number is a sequencenumber, which is separated from the host name with a hyphen.
Examples of possible names would therefore be VSCAN_HOST123,VSCAN_HOST345-1, VSCAN_HOST345-2.
a. Select Registered server program as activation type.
b. Use the name of the RFC destination as the program ID.
c. Enter the address of the gateway of the system as the gateway host andgateway service. If you are starting the Virus Scan Server on an applicationserver using the Computing Center Management System, choose the gateway
of that application server.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 11/51
SAP Online Help 18.08.2008
Virus Scan Interface 11
2. In the Implementation Guide, choose SAP NetWeaver → Application Server → System
Administration → Virus Scan Interface (transaction VSCAN), and, if necessary, switchto change mode.
The screen View: Change "Virus Scan Provider Definition": Overview appears.
3. Choose New Entries.
The system displays the New Entries: Details of Added Entries screen.
4. Enter the data for the Virus Scan Server.
Data for the Virus Scan Server Definition
Field Possible Values Notes
Provider Type Server (Virus Scan Server)
<empty>(Virus Scan Server)
If you want to set up a VirusScan Server, choose server(Virus Scan Server). Youcannot select the value<empty> Virus Scan Server. Itis used only to display older
Virus Scan Servers.
Provider Name VSCAN_<RFC Destination>
The input help displays allVSCAN_RFC destinations thatexist.
The name of a Virus ScanServer must be the same asthe name of the RFCdestination that contains thetechnical connection to theVirus Scan Server.
Scanner Group All previously created scannergroups, which you can displayusing the input help.
The scanner group combinesmultiple Virus Scan Servers orallows the use of a BAdIimplementation.
If you create multiple VirusScan Servers in a scannergroup, you achieve loadbalancing.
All of the Virus Scan Serversof a scanner group have thesame set of configurationparameters and will thereforeuse the same scan engine.
Status● ACTS (Active as a self-
starter): Although theCCMS monitors the
Virus Scan Server (if itis not available, anerror status istriggered), it does notstart or stop the VirusScan Server. Thisstatus is suitable forVirus Scan Servers thatare, for example,started as a service atoperating system level.
● ACTV: Active
(Application Server)The CCMS monitors
Monitoring status of the VirusScan Server in the CCMS.
In the cases of the statusesNONE and INAC, the system’sautomatic server selection canno longer find this Virus ScanServer.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 12/51
SAP Online Help 18.08.2008
Virus Scan Interface 12
the Virus Scan Serverand, if necessary, startsit on the specifiedapplication server.
● INAC (Inactive on an
Application Server) TheCCMS monitors theVirus Scan Server ismonitored and, ifnecessary, stops it onthe specifiedapplication server.
● NONE: No monitoring:The CCMS does notmonitor the Virus ScanServer.
Server The input help provides a list
of the existing servers. Do notspecify a different servername.
Application server on which
the Virus Scan Server is to bestarted and/or monitored.
Trace Level● Errors only
● Errors and warnings
● Errors, warnings, andinformation
● Maximum output
Specifies the trace level for theVirus Scan Server, which is tobe transferred to the CCMS atoperating system level whenthe Virus Scan Server isstarted.
We recommend that you onlyuse one of the first two levelsErrors Only or Errors andWarnings in productionsystems. The two other tracelevels are available for findingerrors during test operation inthe test system.
ReinitInterv. 0 or <empty> : no automatic
reinitialization
If the vendor of your virusscanner uses the interface
provided by SAP with whichan initialization from outsidethe system can be performed,you can leave the field empty.This interface is available tocertified vendors of virusscanners.
<n> : Interval in hours
Specifies the number of hoursafter which the Virus ScanServer is to be regularlyreinitialized.
For the Virus Scan Server toload new virus definitions fromthe Virus Scan Server, youmust reinitialize it.
The automatic reinitialization isperformed during the periodicmonitoring of the Virus ScanServers by the CCMS.
Adapter Path Full path of the library thatcontains the Virus Scan Adapter
Specifies the full path of theVirus Scan Adapter.
If you do not fill the field, the
Virus Scan Server uses thecontent of the environmentvariable VSA_LIB.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 13/51
SAP Online Help 18.08.2008
Virus Scan Interface 13
Configuration Full path to the configurationfile of the Virus Scan Server
Specifies the full path to theconfiguration file of the VirusScan Server
The configuration file cancontain optional parameters of
the Virus Scan Server.For externally-started VirusScan Servers, theconfiguration file has alreadybeen defined at the Virus ScanServer command line and youcannot therefore change ithere.
Instance Name V<system number> Use this field if the externalvirus scan product fulfills theplatform criteria (it is, forexample, available for Linux),
but not the processor criteria(there is, for example, only a32 bit variant, and theapplication server is runningunder Linuxx86_64).
A separate directory isnecessary since the kerneldirectory cannot contain amixture of 32 and 64 bitsoftware due to the fact thatsome programs have thesame names.
Max. Instances Specifies the maximumnumber of scan instancesprovided by the Virus ScanServer.
A Virus Scan Server mayprovide multiple scaninstances.
You can use the maximumnumber specified here todetermine how many of theseinstances are provided. If thisnumber is exceeded, the virus
scanner is no longer availablefor scan requests. The numberof instances shouldcorrespond to the number ofwork processes.
Code Page Enter the codepage valid forthe Virus Scan Server. It mustcorrespond to the codepage ofthe application server that iscommunicating with the VirusScan Server:
●
If you are only usingone codepage in yourapplication servers,
Codepage that the CCMS setswhen the Virus Scan Server isstarted
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 14/51
SAP Online Help 18.08.2008
Virus Scan Interface 14
enter this codepage.
● If you have applicationservers in differentcodepages, set up aVirus Scan Server on
each application serverand specify the validcodepage in each case.
● If your system usesUNICODE, do not enteranything.
5. Save your entries.
Defining Virus Scan Adapters...
1. In the Implementation Guide, choose SAP NetWeaver → Application Server → System
Administration → Virus Scan Interface (transaction VSCAN), and, if necessary, switch
to change mode.
The screen View: Change "Virus Scan Provider Definition": Overview appears.
2. Choose New Entries.
The system displays the New Entries: Details of Added Entries screen.
3. Enter the data for the Virus Scan Adapter.
Data for the Virus Scan Adapter Definition
Field Possible Values Notes
Provider Type ADAPTER (Virus Scan Adapter)
The vendor’s Virus Scan Adapter runs in the work
process of the applicationserver, that is, the externalproduct must match thearchitecture of the SAPsystem (64 bit).
Provider Name VSA_<Name>
Default value: VSA_<hostname>
You can overwrite the hostname with any name.However, you must retain theVSA_ prefix.
Scanner Group All previously created scannergroups, which you can displayusing the input help.
The scanner group combinesmultiple Virus Scan Providersor allows the use of a BAdI
implementation.
If you create multiple VirusScan Providers in a scannergroup, you achieve loadbalancing.
All of the Virus Scan Providersin a scanner group have thesame set of configurationparameters and will thereforeuse the same scan engine.
Status● Active
(Application server)
The values active and inactive
indicate whether the adapter isto be activated when the
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 15/51
SAP Online Help 18.08.2008
Virus Scan Interface 15
● Inactive(Application server)
application server or a workprocess is restarted.
Active: An adapter is loadedfor the work process.
Inactive: No adapter is loaded
for the work process.
Server The input help provides a listof the existing servers. Do notspecify a different servername.
Application server on whichthe Virus Scan Adapter is tobe started and/or monitored.
ReinitInterval 0 or <empty> : no automatic
reinitialization
If the vendor of your virusscanner uses the interfaceprovided by SAP with whichan initialization from outside
the system can be performed,you can leave the field empty.This interface is available tocertified vendors of virusscanners.
<n> : Interval in hours
Specifies the number of hoursafter which the Virus Scan Adapter is to be regularlyreinitialized.
You need to reinitialize theVirus Scan Adapter so that it
loads new virus definitions.The automatic reinitialization isperformed during the periodicmonitoring of the Virus ScanProviders by the CCMS.
Adapter Path Full path of the library thatcontains the Virus Scan Adapter
Specifies the full path of theVirus Scan Adapter.
If you do not fill the field, theVirus Scan Server uses thecontent of the environment
variable VSA_LIB.
Defining Virus Scan Profiles
Use
Application programs use virus scan profiles to check data for viruses. A virus scan profilecontains a list of scanner groups that check a document. You can also use a virus scan profileto assign configuration parameters for the virus scanner. If you scan for viruses with this virus
scan profile, the virus scanner receives the parameters.
A virus scan profile specifies steps that are to be run during a virus scan. A step is either avirus scanner, which is found using the scanner group, or a step specifies, in turn, a virusscan profile, which is then performed as part of the enclosing virus scan profile.
A virus scan is performed under the name of a virus scan profile. The system administratorcan use the profile to activate or deactivate the virus scan for each component.
By default, each SAP application that integrates a virus scan provides a virus scan profile.
The names of these virus scan profiles is constructed as follows /<Name of the package
of the application>/<Name of the function>. Check the virus scan profiles
delivered by SAP (for example, using Delivered Virus Scan Profiles [Page 19]), and determinefor which components you are activating or deactivating the virus scan.
If you want to create your own virus scan profiles, you can use the namespaces Y* and Z*.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 16/51
SAP Online Help 18.08.2008
Virus Scan Interface 16
Prerequisites
● You have created scanner groups.
Procedure...
1. In the Implementation Guide, choose SAP NetWeaver → Application Server → System Administration → Virus Scan Interface (transaction VSCANPROFILE), and, ifnecessary, switch to change mode.
The screen View: Change "Virus Scan Profile": Overview appears.
2. Choose New Entries.
The screen New Entries: Overview of Added Entries appears.
3. Specify the data for the scanner profile.
Data for the Virus Scan Profile Definition
Field Possible Values Notes
Scan Profile Specifies the name of a virusscan profile.
Profile Text Explanatory text for a virusscan profile.
Active Specifies that this virus scanprofile is active.
The virus scan profile can onlybe used if this indicator is set.
SAP applications can usedfixed profile names that aredelivered. By default, these
profiles are not active,meaning that the applicationprogram works without a virusscan.
You can activate the virusscan for each application bysetting this indicator.
Default Profile Indicator that this virus scanprofile is the default profile.
You can set this indicator for amaximum of one virus scan
profile. This virus scan profileis used in the following cases:
● If an applicationrequests a virusscanner withoutspecifying a virus scanprofile
● If a virus scan profile isrequested for which theUse Reference Profile indicator is set, and the
Reference Profile isempty
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 17/51
SAP Online Help 18.08.2008
Virus Scan Interface 17
Use Reference To operate multipleapplications using the samevirus scan profile, set the UseReference indicator andspecify the reference profile.
Reference Profile The input help provides a listof all of the profiles that havealready been defined.
If you leave the field empty,the system uses the defaultprofile.
Specifies the name of thereference profile.
Since a virus scan profile canuse another virus scan profileas a reference profile, you canoperate multiple applicationsusing the same virus scanprofile.
If the Use Reference Profileindicator is set in the virusscan profile, this field specifiesthe name of the reference
profile to be used. Instead ofthe settings of the current virusscan profile, the settings of thereference profile are thenused. This means that severalvirus scan profiles can use thesettings of a shared referenceprofile, such as the scannergroups to be used.
Linkage All steps successful:
The virus scan must haveperformed all steps without
errors.At least one step
successful: It is sufficient if
one step of the virus scan wassuccessfully performed.
Specifies the type of logicallinkage for the steps in thevirus scan profile.
If multiple steps that are to beperformed during the virusscan with a virus scan profileare defined for a profile, youcan use this field to controlhow the overall result of thevirus scan is to be evaluated.
Using multiple steps allowsyou to scan documents withscan engines from differentvendors at the same time.
The program interprets a virus
scan as error-free only if thescan engine returns the return
value Check performed
successfully or (in the
case of cleanups) Cleanup
performed successfully.
All other return values areregarded as unsuccessfulvirus scans. This also includessituations such as:
● The program did not
check the documentbecause the file name
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 18/51
SAP Online Help 18.08.2008
Virus Scan Interface 18
extension iscategorized as non-critical.
● The program could notcheck the document,
because the documentis a password-protectedarchive.
● The scan engine isobsolete.
4. Save your entries.
5. To define steps for the profile, select the Steps node in the Dialog Structure by double-clicking it.
6. Choose New Entries.
7. Enter the following data for the definition of the step:
Data for the Definition of a Step of the Virus Scan Profile
Field Possible Values Notes
Position <integer value> Specifies the position of thescanner group in the virusscan profile.
If a virus scan profile usesmultiple scanner groups, placethese in the desired sequenceby assigning a positionnumber.
Type Group or Profile Specifies whether a step in thevirus scan profile refers to ascanner group or another virusscan profile.
If you choose Group, thesystem uses a virus scanprovider from this group (or aBAdI implementation) for thevirus scan. If you chooseProfile, the program processesthe specified virus scan profileinstead of this step.
You can define any conditionsby combining the steps of thevirus scan profile with thelinkage type of the steps(AND/OR).
Scanner Group The input help provides a listof all existing scanner groups.
Combines multiple virus scanproviders or allows the use ofa BAdI implementation.
All of the Virus Scan Providersin a scanner group have thesame set of configurationparameters and will therefore
use the same scan engine.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 19/51
SAP Online Help 18.08.2008
Virus Scan Interface 19
Virus Scan Profile The input help provides a listof all existing profiles.
Specifies the name of a virusscan profile that you caninclude as a step in the profilethat you are currentlyprocessing.
8. Save your entries.9. To create configuration parameters for a step, double-click the Configuration
Parameters node.
10. Choose New Entries.
11. Enter the following data for the definition of the configuration parameters:
Data for the Definition of Configuration Parameters
Field Possible Values Notes
Parameter The input help provides a listof all existing constants.
Specifies the key of aconfiguration parameter.
A virus scanner requiresconfiguration data. The set ofpossible configurationparameters is defined by SAPas a predetermined set ofsymbolic constants.
Value <Value> Specifies the value specifiedby the vendor for aconfiguration parameter.
12. Save your entries.
Result
You have defined a virus scan profile and therefore performed the last configuration step forthe virus scan provider. You can, finally, check the configuration [Page 20].
Delivered Virus Scan Profiles
As of SAP NetWeaver ’04, SAP delivers the following virus scan profiles for ABAP withSupport Package 11 (see SAP Note 797108):
● /SCET/GUI_UPLOAD
This profile is used by the front end upload module GUI_UPLOAD, which is also usedby the class method CL_GUI_FRONTEND_SERVICES=>GUI_UPLOAD.
For example: upload of a local file using SAP GUI in an SAP application.
● /SIHTTP/HTTP_UPLOAD
This profile is used by the BSP framework [External], that is, by all SAP applicationsthat are based on the BSP framework.
For example: Upload of a local file using BSP class CL_HTMLB_MANAGER.
● /SARC/ARCHIVING_ADK
Virus protection using the Archive Development Kit (ADK) archive interface.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 20/51
SAP Online Help 18.08.2008
Virus Scan Interface 20
The profiles are deactivated when delivered. To activate them, first create at least one basisprofile that you save as the default profile. You can then activate one of the delivered profiles.By default, it links to a reference profile, which is the default profile.
Delivered Parameters
There are INIT, SCAN, CLEAN, and CUST parameters, of which INIT, SCAN, and CLEANparameters are passed to the external product. For more information about which parametersexist and their effect, see the documentation for the external product. The default values ofthe parameter configuration show all parameters. An external product usually only supports asubset of the parameters.
It is mandatory that the parameter SCANBESTEFFORT exists for every certified virus scanproduct. If you set this parameter to 1, the most stringent security settings of the externalproduct are selected. For more information about which settings these are and how theyaffect the performance of the product, see the documentation of the external product.
CUST parameters are used by the virus scan profiles delivered by SAP and are not forwardedas an external product. The following parameters exist:
● CUST_NOT_SCANNED_AS_WARNING
Parameter that defines whether processing of the file to be checked is terminated if thereturn code CON_SCANRC_NOT_SCANNED is returned (default value). If the value ofthe parameter is 1, processing is continued. This return code is output, for example, ifthe file type is unknown, or the file to be checked is an encrypted archive file.
● CUST_CLEAN
Parameter that defines whether a repair is to be attempted using profile selectionduring the virus scan.
The external program may not be able to repair all infections.
● CUST_NO_SCANINFO
This parameter specifies to the external virus scanner that no detailed information isdesired about infections. This parameter means that less memory is used andprocessing is faster, but means that no detailed information about infections issupplied.
● CUST_ACTIVE_CONTENT
This parameter only affects external virus scanners that support this feature. It means
that active content, such as JavaScript in HTML or VBA in Microsoft Word files isregarded as a virus. The program therefore rejects documents with content of this type.
Parameters relate to each profile that contains a definition.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 21/51
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 22/51
SAP Online Help 18.08.2008
Virus Scan Interface 22
○ Status: Displays the current status of the virus scan server used, even if thememory trace is deactivated. In addition to technical information about the virusscan server, this output also contains the configuration of the virus scan serverand information about the loaded virus scan adapter including the anti-virusengine.
○
Stop: Stops the virus scan server.
○ Configuration: Branches to the display mode of the IMG activity Define VirusScan Servers.
○ Test: Branches to the transaction VSCANTEST.
Testing the Installation of the Virus Scan Provider
Use
You can use this procedure to check that your configured virus scan provider is functioningcorrectly.
Procedure...
1. Start transaction VSCANTEST.
2. Specify the object to be checked, using either the test data provided or your own localfile.
3. Select the virus scan profile, scanner group, or the virus scan provider to be tested.
4. Select an action.○ If you choose Check Only , the anti-virus product that you specified scans the
data for viruses and displays a result.
○ If you choose Check and Clean, the product also attempts to clean the data if avirus infection is diagnosed.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 23/51
SAP Online Help 18.08.2008
Virus Scan Interface 23
Integrating the Virus Scan Interface into CustomerDevelopments
UseSo that you can also integrate the virus scan interface into applications that you developyourself, its class CL_VSI is described below.
The naming convention /<Name of the package>/<Name of the function> applies for
the virus scan profiles delivered by SAP. The Active indicator is not set for these virus scanprofiles; on the other hand, the Use Reference Profile indicator is set, although the fieldReference Profile remains empty.
Description of the Class CL_VSI of the Virus Scan Interface
The class CL_VSI provides methods that are required for the implementation of a virus scan.
All triggered exceptions are assigned an ABAP message, that is, the SY fields have beenfilled with a message appropriate for the error situation.
● Generate Scanner Instance (GET_INSTANCE)
This static method generates an instance of the virus scan interface, which is based ona given virus scan profile.
You can generate the scanner instance once for each program and then use theobtained scanner repeatedly. The load balancing between different virus scan serversin the same scanner group is performed only during the execution of a virus scan.
○ Parameters
IF_PROFILE
The name of the virus scan profile that is to be used.
If you leave the field empty, the default profile is used. You should only do this inapplication programs for test purposes and in justified exceptional cases.
EO_INSTANCE
The generated instance that can be used for scanning.
○ Exceptions
PROFILE_NOT_ACTIVE
This exception is triggered if the Active indicator is not set in Customizing for thespecified virus scan profile. This means that the system administrator does not
want a virus scan for this virus scan profile.The application must react as follows to this exception:
■ If the virus scan is an optional function of the application, this exceptionmust be ignored and the application function can be performed.
■ If the virus scan is a mandatory function of the application, this exceptionmust be reported to the user and the application function must not beperformed.
CONFIGURATION_ERROR
There is a configuration error in the Customizing of the virus scan interface. Thiserror must always be corrected, and this exception must therefore always be
reported.
INTERNAL_ERROR
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 24/51
SAP Online Help 18.08.2008
Virus Scan Interface 24
An unexpected error occurred.
● Set Scan Parameters (SET_PARAMETER)
You can use this method to set scan parameters for the scan instance. These aretransferred to the scanner for all subsequent scan requests. You can also set localscan parameters for each scan request.
If a profile consists of multiple steps, the parameters set here are transferred to everystep and may overwrite data entered in the scanner group there.
○ Parameters
IF_KEY: The name of the configuration parameter. You can only setconfiguration parameters delivered by SAP (table VSCAN_PARAM).
IF_VALUE: The value to be set.
○ Exceptions
WRONG_KEY
Wrong name of the configuration parameter or the parameter is not permitted inthis context.
WRONG_VALUE_SYNTAX
The value is not permitted for this type of parameter.
● Perform Virus Scan (SCAN_FILE)
The virus scan is performed with this method.
○ Parameters
IF_JOB_ID
This parameter can be freely specified by the calling application. It can, for
example, be used to specify the object to be checked (file name) or to allowunique identification.
If you leave this field empty, the scan engine transfers the name of the virusscan profile used.
IF_FILENAME
File name of the local file to be scanned. The file must exist locally on theapplication server.
IF_DO_CLEAN
If this parameter has the value ABAP_TRUE, a cleanup is to be performed. If noinfection is found or the cleanup was successful (return value of EF_SCANRC iseither CL_VSI=>CON_SCANRC_OK orCL_VSI=>CON_SCANRC_CLEAN_OK), the result is made available using theparameter EF_DATA.
If the parameter has the value ABAP_FALSE, only a check is to be performed.
IT_SCAN_PARAMETER
A table of scan parameters. The evaluation of the scan parameters is left to thescan engine. If you are using a profile with multiple steps, these parameters aretransferred to each step.
EF_SCANRC
The result of the check or cleanup. You can use the constantsCON_SCANRC_... from the interface IF_VSCAN_INSTANCE for error situations
that occur frequently.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 25/51
SAP Online Help 18.08.2008
Virus Scan Interface 25
The return values CON_SCANRC_OK and CON_SCANRC_CLEAN_OK areregarded as success, all other values as failure. There is also the return valueCON_SCANRC_NOT_SCANNED, which outputs a warning.
ET_BAPIRET
ABAP messages are transferred using this table parameter.
The content of this table has no influence on the evaluation of the method call.
ET_SCANERROR
Information about scan errors is transferred using this table parameter. There isa scan error, for example, if the transferred file is a password-protected archive,which the scan engine therefore cannot check.
The content of this table has no influence on the evaluation of the method call.
ET_INFECTION
Information about infections found is transferred using this table parameter.
The content of this table has no influence on the evaluation of the method call.
○
Exceptions
NOT_AVAILABLE
The instance is temporarily unavailable. This exception is triggered if events thatmean that the scanner is not available (such as an update of the virussignatures) occur between the generation of the instance and the performanceof a scan request.
CONFIGURATION_ERROR
There is a configuration error. This exception is triggered if the scan cannot beperformed not due to the inbound data, but rather due to the configurationsettings.
INTERNAL_ERROR
This exception is triggered in other exception situations.
DIFFERENT_HOSTS
Virus scan server and application server are different.
● Perform Virus Scan (SCAN_BYTES)
The virus scan is performed with this method.
○ Parameters
IF_JOB_ID
This parameter can be freely specified by the calling application. It can, forexample, be used to specify the object to be checked (file name) or to allowunique identification.
If you leave this field empty, the scan engine transfers the name of the virusscan profile used.
IF_DATA
The byte sequence to be checked.
IF_DO_CLEAN
If this parameter has the value ABAP_TRUE, a cleanup is to be performed. If noinfection is found or the cleanup was successful (return value of EF_SCANRC is
either CL_VSI=>CON_SCANRC_OK orCL_VSI=>CON_SCANRC_CLEAN_OK), the result is made available using theparameter EF_DATA.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 26/51
SAP Online Help 18.08.2008
Virus Scan Interface 26
If the parameter has the value ABAP_FALSE, only a check is to be performed.
IT_SCAN_PARAMETER
A table of scan parameters. The evaluation of the scan parameters is left to thescan engine. If you are using a profile with multiple steps, these parameters aretransferred to each step.
EF_SCANRC
The result of the check or cleanup. You can use the constantsCON_SCANRC_... from the interface IF_VSCAN_INSTANCE for error situationsthat occur frequently.
The return values CON_SCANRC_OK and CON_SCANRC_CLEAN_OK areregarded as success, all other values as failure. There is also the return valueCON_SCANRC_NOT_SCANNED, which outputs a warning.
EF_DATA
If IF_DO_CLEAN has the value ABAP_TRUE and the cleanup was successful(EF_SCANRC = CON_SCANRC_CLEAN_OK), the cleaned byte sequence is
returned using this parameter.ET_BAPIRET
ABAP messages are transferred using this table parameter.
The content of this table has no influence on the evaluation of the method call.
ET_SCANERROR
Information about scan errors is transferred using this table parameter. There isa scan error, for example, if the transferred file is a password-protected archive,which the scan engine therefore cannot check.
The content of this table has no influence on the evaluation of the method call.
ET_INFECTION
Information about infections found is transferred using this table parameter.
The content of this table has no influence on the evaluation of the method call.
○ Exceptions
NOT_AVAILABLE
The instance is temporarily unavailable. This exception is triggered if events thatmean that the scanner is not available (such as an update of the virussignatures) occur between the generation of the instance and the performanceof a scan request.
CONFIGURATION_ERROR
There is a configuration error. This exception is triggered if the scan cannot beperformed not due to the inbound data, but rather due to the configurationsettings.
INTERNAL_ERROR
This exception is triggered in other exception situations.
● Perform Virus Scan (SCAN_ITAB)
The virus scan is performed with this method.
The meanings of the parameters are documented for the method SCAN_BYTES. Thedata to be checked is transferred using the parameter IT_ITAB.
The internal table must fulfill the following conditions:
○ It is a STANDARD or SORTED table.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 27/51
SAP Online Help 18.08.2008
Virus Scan Interface 27
○ The row type of the table is either flat of type X or C, or a structure with exactlyone field of type X or C.
You can optionally specify the total length of the data (for X tables in bytes, for C tablesin characters) using the parameter IF_DATALENGTH (this is only meaningful for Xtables for the reasons explained below). If the parameter is not filled, the entire data
object is checked.The content of C tables is first concatenated by rows into a character string, whereconcluding spaces in the individual table rows are removed, in accordance with ABAPsemantics. The length restriction (see above) is applied to this character string, and theresult is converted to UTF-8 format. This value is transferred to the scanner.
● Get Error Text (GET_SCANRC_TEXT)
Returns a short explanatory text for a return code of the scanner (constantsCON_SCANRC_...).
○ Parameters
IF_SCANRC
The error code of the scanner.
EF_TEXT
A string with the explanatory text.
○ Exceptions
Unknown error codes do not return an exception, but rather a correspondingtext.
If the function that you have developed is a standard function that can be usedby other developer groups, you should allow in your interface the possibility forcallers to assign a profile name. Only if this was not transferred should you usethe name of your own virus scan profile.
This ensures that not all users of your function are processed using the samevirus scan profile, meaning that the separate activation and deactivation of thevirus scan remains possible.
Commented Example Program
The commented source code below demonstrates the application of the virus scan interface
for scanning files that are uploaded from a workstation.The output of the result is performed in the simplest way. The report RSVSCANTESTcontained in the system performs this task in an appropriate form and can also be used as ademonstration object.
************************************************************************* Minimal demo report for Virus Scan Interface.* For a functionally more complete example see report RSVSCANTEST.************************************************************************REPORT zvscandemo.
************************************************************************* Selection screen
************************************************************************PARAMETERS:
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 28/51
SAP Online Help 18.08.2008
Virus Scan Interface 28
profile TYPE vscan_prof-profile,file TYPE localfile.
************************************************************************* Events************************************************************************AT SELECTION-SCREEN ON VALUE-REQUEST FOR file.
PERFORM file_f4.
START-OF-SELECTION.PERFORM main.
************************************************************************* Main program************************************************************************FORM main.
IF file IS INITIAL.MESSAGE s058(vscan) DISPLAY LIKE 'E'.EXIT. " =================== EXIT =====================
ENDIF.
* Access file and create XSTRINGTYPES:ty_xline(1024) TYPE x.
DATA:lf_file TYPE string,lf_filelength TYPE i,lt_datatab TYPE STANDARD TABLE OF ty_xline.
lf_file = file.
CALL METHOD cl_gui_frontend_services=>gui_uploadEXPORTING
filename = lf_file
filetype = 'BIN'IMPORTING
filelength = lf_filelengthCHANGING
data_tab = lt_datatabEXCEPTIONS
OTHERS = 1.
IF sy-subrc <> 0.MESSAGE ID sy-msgid TYPE 'S' NUMBER sy-msgno
DISPLAY LIKE 'E'WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
EXIT. " =================== EXIT =====================ENDIF.
* Recombine binary dataDATA:lf_tabline TYPE ty_xline,lf_data TYPE xstring.
LOOP AT lt_datatab INTO lf_tabline.CONCATENATE
lf_datalf_tabline
INTOlf_data
IN BYTE MODE.ENDLOOP.
lf_data = lf_data(lf_filelength).
* Get scanner instance
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 29/51
SAP Online Help 18.08.2008
Virus Scan Interface 29
DATA:lo_vsi TYPE REF TO cl_vsi.
CALL METHOD cl_vsi=>get_instanceEXPORTING
if_profile = profileIMPORTING
eo_instance = lo_vsiEXCEPTIONS
configuration_error = 1profile_not_active = 2internal_error = 3OTHERS = 4.
CASE sy-subrc.
* No error.WHEN 0.
" Nothing to do
* Profile not active. For this report, this is an information message.WHEN 2.
MESSAGE ID sy-msgid TYPE 'I' NUMBER sy-msgnoDISPLAY LIKE 'I'WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
EXIT. " =================== EXIT =====================
* All other exceptions are issued as errors.WHEN OTHERS.
MESSAGE ID sy-msgid TYPE 'S' NUMBER sy-msgnoDISPLAY LIKE 'E'WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
EXIT. " =================== EXIT =====================
ENDCASE.
* Perform virus scanDATA:lf_scanrc TYPE vscan_scanrc.
CALL METHOD lo_vsi->scan_bytesEXPORTING
if_data = lf_dataIMPORTING
ef_scanrc = lf_scanrcEXCEPTIONS
not_available = 1configuration_error = 2internal_error = 3OTHERS = 4.
* All exceptions here are errorsIF sy-subrc <> 0.MESSAGE ID sy-msgid TYPE 'S' NUMBER sy-msgno
DISPLAY LIKE 'E'WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
EXIT. " =================== EXIT =====================ENDIF.
* Print return code and textDATA:lf_text TYPE string.
lf_text = cl_vsi=>get_scanrc_text( lf_scanrc ).
WRITE: / 'Result of virus scan: ', lf_scanrc, '(', lf_text, ')'.
IF lf_scanrc = cl_vsi=>con_scanrc_ok.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 30/51
SAP Online Help 18.08.2008
Virus Scan Interface 30
WRITE: / 'File is clean'.ELSE.WRITE: / 'File was either infected',
'or could not be scanned','or was ignored'.'Or another problem occurred'.
ENDIF.
ENDFORM.
************************************************************************* F4-help for filename************************************************************************FORM file_f4.
DATA:lt_filetable TYPE filetable,lf_rc TYPE i.
CALL METHOD cl_gui_frontend_services=>file_open_dialogEXPORTING
multiselection = abap_falseCHANGING
file_table = lt_filetablerc = lf_rc
EXCEPTIONSfile_open_dialog_failed = 1cntl_error = 2error_no_gui = 3not_supported_by_gui = 4OTHERS = 5.
IF sy-subrc <> 0.MESSAGE ID sy-msgid TYPE 'S' NUMBER sy-msgno
DISPLAY LIKE 'E'WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
EXIT.ENDIF.
* Number of selected filed must be equal to one.CHECK lf_rc = 1.
* Access selected fileDATA:ls_file TYPE file_table.
READ TABLE lt_filetable INTO ls_file INDEX 1.CHECK sy-subrc = 0.
file = ls_file-filename.
ENDFORM.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 31/51
SAP Online Help 18.08.2008
Virus Scan Interface 31
Java-Specific Configuration
The following contains the configuration description for the virus scan interface for Javasystems.
Setting Up Virus Scan Providers (Java)
Use
The virus scan provider is the service of the AS Java that makes the
tc/sec/vsi/interface interface available to the SAP applications of the AS Java.
Select an installation type for the Virus Scan Provider, depending on your systemprerequisites:
●
Virus Scan Adapter for a Purely-Java Installation
This procedure describes the normal case in which you are using a local Virus Scan Adapter. The virus scan adapter is a native dynamic library from a third-party vendor,which can be loaded directly into the process environment of the AS Java. This meansthat you can check memory contents directly for viruses, which achieves a higherperformance.
● Virus Scan Server for a Purely-Java Installation
This procedure describes the special case, in which the platform or processarchitecture does not allow the direct inclusion of a Virus Scan Adapter. This is thecase, for example, if the required operating system for SAP NetWeaver is notcompatible with the external anti-virus product. In this case, use a Virus Scan Server.
The virus scan server communicates with the AS Java using TCP/IP (SAP RFCprotocol) and accesses the external anti-virus product using a virus scan adapter.
Both purely-Java installations provide the same interface to instancejava from the packagecom.sap.security.core.server.vsi.api .
The configuration of the virus scan provider service is stored in the Configuration Manager ofthe AS Java. A Web Dynpro application is available to you as a configuration tool.
Prerequisites
You are an administrator of the AS Java.
Virus Scan Server for a Purely-Java Installation...
1. Start the standalone gateway [Extern].
2. Start the virus Scan server with the options -a, -x, and -g, as described in Installing
a Virus Scan Server as a Self-Starter [Page 46]. For option -a, specify the program ID
using the naming convention (case-sensitive; prefix VSCAN_ ).
3. In the SAP NetWeaver Administrator, set up the virus scan provider as a virus scanserver, as described in Defining Virus Scan Providers [Page 33].
a. For the name, specify exactly the program ID that you defined above using
option –a. However, you must leave off the name prefix VSCAN_ , since this is
automatically added.
b. Specify server settings that match those of the provider defined above. Specify-g and -x as defined under step 2.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 32/51
SAP Online Help 18.08.2008
Virus Scan Interface 32
Virus Scan Adapter for a Purely-Java Installation
After you have installed an external anti-virus product including a certified adapter, you onlyneed to enter the path to the adapter specified in the documentation for the partner product inthe VSA_LIB field....
1. Start the SAP NetWeaver Administrator (NWA) with the following URLhttp://<Host>:<Port>/nwa.
2. Log in as administrator of the AS Java.
3. Choose Configuration Management → Security Management → Virus Scan Provider .
4. Proceed as follows:...
a. Define a Scanner Group [Page 32]
b. Define a Virus Scan Provider. [Page 33]
c. Define a Virus Scan Profile [Page 35]
Defining Scanner Groups
Use
A scanner group combines multiple virus scanners of the same type. You require the groupsto specify virus scan profiles later.
For information about which configuration parameters are required or supported by theproduct that you use, see the documentation for the product.
SAP does not deliver any scanner groups.
Procedure...
1. In change mode, on the Groups tab page, create a scanner group by choosing Add .
a. To do this, enter the name of the group in the in Group Name field, and chooseContinue.
This adds a new row in the Virus Scan Groups group box.
b. On the Settings tab page, in the Virus Scan Group Details group box, enter adescription of the group in the Description field.
c. So that this group is used as the default group, set the Default scan group indicator.
2. On the Parameters tab page, set the configuration parameters required for the productthat you are using.
a. Choose Add.
b. In the Name field, you can use the input help to change the proposed name.
c. In the Type field, use the input help to specify the parameter type.
d. Enter the parameter value in the Value field.
If the Valid column does not contain an icon, you have not yet saved. If it contains agreen icon, the parameter has been recognized. If it contains a red icon, the parameterhas not been accepted by at least one adapter or server that is configured for thisgroup. You can find a more detailed error message in the message area of theapplication.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 33/51
SAP Online Help 18.08.2008
Virus Scan Interface 33
Result
You have created a scanner group with the associated parameters. As the next step, define aVirus Scan Provider [Page 33].
Defining Virus Scan Providers
Use
You can use either a Virus Scan Adapter or a Virus Scan Server as a Virus Scan Provider.The Virus Scan Server is an alternative, if you cannot use the better-performing Virus Scan Adapter, such as in the following cases:
● The SAP NetWeaver AS kernel uses 64 bits and the external anti-virus product or theexternal virus scan adapter (VSA) uses 32 bits.
● The SAP NetWeaver AS and the external anti-virus product support differentarchitectures. For example, the SAP NetWeaver AS is installed on an AIX platform, butthe anti-virus product is only available for Microsoft Windows.
In these cases, use the Virus Scan Server as a self-starter (see Installing a Virus Scan Serveras a Self-Starter [Page 46]).
Procedure...
1. In change mode, create the virus scan provider either as a virus scan adapter on the Adapters tab page or as a virus scan server on the Servers tab page.
To do this, choose the Add button in change mode.
○ To create a virus scan adapter, add the rest of the name after the predefined
prefix in the Adapter Name field, and choose Continue. This adds a new row inthe Virus Scan Adapters group box.
Enter the following data in the Virus Scan Adapter Details group box on theSettings tab page:
Settings for the Virus Scan Adapter
Field Entry
Default Scan Provider Indicator that this Virus Scan Provider is thedefault provider.
You can set this indicator for a maximum ofone Virus Scan Provider. This Virus ScanProvider is used if an application requests avirus scanner without specifying a Virus ScanProvider.
Adapter Name The name of the virus scan adapter isdisplayed. The name entered is automaticallysaved with the prefix “VSA_”.
Adapter Description Description of the current adapter
Scan Group The input help provides a list of the availablegroups to which you can assign the currentadapter.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 34/51
SAP Online Help 18.08.2008
Virus Scan Interface 34
Init. Interval (hours) Reinitialization interval of the Virus Scan Adapter in hours. This specifies the number ofhours after which the Virus Scan Adapter is tobe reinitialized.
If you receive new virus definitions at regular
intervals that the Virus Scan Adapter is to load,a reinitialization is required for this.
If you enter the value 0, the virus scan adapteris not automatically reinitialized. Default = 0
Max. Instances Specifies the maximum number of scaninstances provided by the Virus Scan Server,with which you define how many of theseinstances are provided. If this number isexceeded, the virus scanner is no longeravailable for scan requests. Default = 20
VSA Library Path Complete path to the storage location of theadapter, as specified in the documentation ofthe partner product. If you leave this fieldempty, the environment variable VSA_LIB isset.
○ To create a virus scan server, use the input help to select one of the existingRFC destinations as the name of the server. The system automatically onlyshows RFC destinations with the prefix VSCAN_. Choose Continue.
Enter the following data in the Virus Scan Server Details group box on theSettings tab page:
Settings for the Virus Scan Server
Field EntryDefault Scan Provider Indicator that this Virus Scan Provider is the
default provider.
You can set this indicator for a maximum ofone Virus Scan Provider. This Virus ScanProvider is used if an application requests avirus scanner without specifying a Virus ScanProvider.
Server Name The name of the virus scan server is displayed.The destination under which the virus scanserver has registered itself at the SAP Gatewayor the name of the RFC destination in theDestinations service is displayed.
Server Description Description of the current server
Scan Group The input help provides a list of the availablegroups to which you can assign the currentserver.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 35/51
SAP Online Help 18.08.2008
Virus Scan Interface 35
Init. Interval (hours) Reinitialization interval of the Virus ScanServer in hours. This specifies the number ofhours after which the Virus Scan Server is tobe reinitialized.
If you receive new virus definitions at regular
intervals that the Virus Scan Server is to load,a reinitialization is required for this.
If you enter the value 0, the virus scan server isnot automatically reinitialized. Default = 0
2. To activate a trace output [Page 38] for this Virus Scan Provider, set the desiredindicator on the Trace tab page.
3. On the Parameters tab page, set the parameters required for the product that you areusing.
a. Choose Add . You can use the input help to change the proposed name in theName field.
b. In the Type field, use the input help to specify the parameter type.
c. Enter the parameter value in the Value field.
4. To activate the virus scan provider, save your entries. Then, in the Virus Scan Adapters or Virus Scan Servers group box, select the appropriate entry and choose Activate.
Result
You have defined a Virus Scan Provider and can define virus scan profiles [Page 35] in thenext step.
Defining Virus Scan Profiles
Use
Application programs use virus scan profiles to check data for viruses. A virus scan profilecontains a list of scanner groups that check a document. You can also use a virus scan profileto assign configuration parameters for the virus scanner. If you scan for viruses with this virusscan profile, the virus scanner receives the parameters.
A virus scan profile specifies steps that are to be run during a scan. A step is either a virusscanner, which is found using the scanner group, or a step specifies, in turn, a virus scanprofile, which is then performed as part of the enclosing virus scan profile.
A virus scan is performed under the name of a virus scan profile. The system administratorcan use the profile to activate or deactivate the virus scan for each component.
By default, a virus scan profile is provided for each SAP application that integrates a virusscan.
Prerequisites
You have created scanner groups.
Procedure...
1. On the Profiles tab page, create a virus scan profile in change mode by choosing the Add button.
In the Profile Name field, enter the rest of the name after the predefined prefix, andchoose Continue. This adds a new row in the Virus Scan Profiles group box.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 36/51
SAP Online Help 18.08.2008
Virus Scan Interface 36
2. In the Virus Scan Profile Details group box, you have the following options on theSettings tab page:
○ Select the profile to be edited as a reference profile by setting the Default ScanProfile indicator.
○ Use the default profile.
i. In the Reference Profile field, use the input help to select the <DefaultProfile>.
○ Use a reference profile
Since a virus scan profile can use another virus scan profile as a referenceprofile, it is possible to operate multiple applications using the same virus scanprofile.
This creates a link to an existing reference profile. To do this, use the input helpfor the Reference Profile field to select a reference profile.
○ Define a new profile...
i. Choose Add and enter the following data:
Data for a Self-Configured Profile
Field Notes
Profile Name The name of the new profile is displayed.
Profile Description Description of the new profile
Reference Profile This indicator must not be set, since the otherinput fields would otherwise be hidden.
Step Linkage Linkage of the steps of this profile:
All steps successful : AND linkage, with whichevery step must be successful for the overallresult to be successful.
At least one Step successful : OR linkage, withwhich only one step needs to be successful forthe overall result to be successful.
Profile Steps Use the input help to select profile steps.
ii. Specify the profile steps in the Profile Steps group box.
● Choose Add.
● Use the input help to specify in the Type field whether a group oranother profile is to be used.
● Use input help to specify the value of the group or profile.
● Configure the list with the buttons Move up, Move down, andRemove.
When checking for viruses, the list is processed from top to bottom withthe linkage from the Linkage Strategy field.
3. To activate the profile, save your entries. Then select the profile in the Virus ScanProfiles group box and choose Activate.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 37/51
SAP Online Help 18.08.2008
Virus Scan Interface 37
Result
You have defined a virus scan profile and therefore performed the last configuration step forthe virus scan provider. You can, finally, check the configuration [Page 39].
Delivered Virus Scan Profiles
The profiles are deactivated when delivered. To activate them, first create at least one basisprofile that you save as the default profile. You can then activate one of the delivered profiles.By default, it links to a reference profile, which is the default profile. See also SAP Note848189
● webdynpro_FileUpload
Web Dynpro uses this virus scan profile for the Java component FileUpload.
Example: uploading a local file using a Web Dynpro application.
●
visualcomposer
If you develop Java interfaces with the Visual Composer Server, you can use thisprofile to scan the uploaded interface components for viruses.
● htmlb_FileUpload
This profile is used to scan the layout components of HTML Business for Java(HTMLB) of a Web site for viruses. This profile must be activated, for example, forKnowledge Management and Collaboration (KMC).
● kmc_Default
Default profile for Knowledge Management and Collaboration (KMC) for uploading ordownloading files (see Virus Scanner Service [External]).
Delivered ParametersThere are INIT, SCAN, CLEAN, and CUST parameters, of which INIT, SCAN, and CLEANparameters are passed to the external product. For more information about which parametersexist and their effect, see the documentation for the external product. The default values ofthe parameter configuration show all parameters. An external product usually only supports asubset of the parameters.
It is mandatory that the parameter SCANBESTEFFORT exists for every certified virus scan
product. If you set this parameter to 1, the most stringent security settings of the externalproduct are selected. For more information about which settings these are and how theyaffect the performance of the product, see the documentation of the external product.
CUST parameters are used by the virus scan profiles delivered by SAP and are not forwardedas an external product. The following parameters exist:
● CUST_NOT_SCANNED_AS_WARNING
Parameter that defines whether processing of the file to be checked is terminated if thereturn code VSI_E_NOT_SCANNED is returned by the exception
VirusScanException (default value). If the value of the parameter is 1, processing
is continued. This return code is output, for example, if the file type is unknown, or thefile to be checked is an encrypted archive file.
Parameters relate to each profile that contains a definition.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 38/51
SAP Online Help 18.08.2008
Virus Scan Interface 38
In the case of Java installations, unknown parameters are displayed in red, andrecognized parameters are displayed in blue.
Problem Analysis for the Virus Scan Provider
Use
You define data for the log output of the virus scan provider with trace indicators. You can usethis data to investigate any errors that occur.
Prerequisites
You have defined at least one virus scan provider.
Procedure...
1. Choose the Adapters or Servers tab page, depending on whether you defined the virusscan provider as an adapter or as a server.
2. In the Virus Scan Adapter or Virus Scan Server group box, select the provider for whichyou want to display the trace.
3. Set the desired indicators on the Trace tab page.
In the case of adapters, changes to the trace settings affect all adapters.
Trace Indicators
Indicator Meaning
Errors Serious errors in the virus scan server or withinthe Virus Scan Interface.
Virus Infections Virus infections reported by the externaladapter. These are displayed for scan and alsofor clean calls. Therefore, if a virus wassuccessfully removed, the trace also specifiesthe infection
Parameter Operations in the Adapter Additional information about the virus scanserver or the Virus Scan Interface.
Thread Operations Thread operations (generation or termination)within the virus scan server.
Warnings Possible errors or warnings in the virus scanserver or within the Virus Scan Interface.
Virus Scan Adapter Functions Function calls within the Virus Scan Interface.Contains the parameters with which theinternal API was called and, at the end of eachfunction, the return values.
RFC Functions to the Virus ScanServer
Function calls to the virus scan server
Trace Memory Memory reservation or release of the virusscan server.
Information Additional information about the virus scanserver or the Virus Scan Interface.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 39/51
SAP Online Help 18.08.2008
Virus Scan Interface 39
Virus Scan Interface API NativeFunctions
Function calls within the Virus Scan Interface.Contains the parameters with which theinternal API was called and, at the end of eachfunction, the return values.
RFC Parameters and/or Table
Contents of Virus Scan Server
RFC parameters and/or table contents of the
virus scan server4. Choose Save.
Result
You have activated the trace output for the virus scan provider.
With Microsoft Windows NT, the path is:
\usr\sap\<SAP system name>\<instance>\work\dev_server<ID>, such as
C:\usr\sap\C11\JC00\work\dev_server0.
With UNIX, the path is:
/usr/sap/<SAP system name>/<instance name>/work/dev_server<ID>.
Testing the Installation of the Virus Scan Provider
Use
You can use this procedure to check that your configured virus scan provider is functioningcorrectly.
Procedure...
1. Start the test application under the path /vscantest.
2. Specify the object to be checked, using either the test data provided or your own localfile.
a. Select the virus scan profile, scanner group, or the virus scan provider to betested.
b. Select an action.
If you choose Check Only , the anti-virus product that you specified scans thedata for viruses and displays a result.
If you choose Check and Clean, the product also attempts to clean the data if avirus infection is diagnosed.
3. Start the test by choosing Execute the action.
Using the Virus Scan Provider API
The interfaces and classes of the Virus Scan Provider API are in the packagecom.sap.security.core.server.vsi.api of the facade tc~bl~vis~api.
In the development environment (IDE), you need to set a runtime reference to the facade
tc~bl~vis~api in the development project.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 40/51
SAP Online Help 18.08.2008
Virus Scan Interface 40
To use the Virus Scan Provider, you need to set this up.
The four most frequently used objects are presented below. These are also contained in theExample Program for the Virus Scan Provider .
The most important interfaces of the Virus Scan Provider API are VSIService and
Instance. You can use the methods of VSIService to access external virus scan productsthat are certified by SAP. The available methods of the VSIService interface include:
• getGroup
• getGroups
• getInstance
• getInstanceByGroup
• getInstanceByProvider
• getProfile
• getProfiles
• getProvider
• getProviders
• releaseInstance
External users of this API can use the methods of the Instance interface to return one of the
following instances: profile, group, or provider (adapter or server). The available methods ofthe Instance interface include:
• cleanBytes
• cleanFile
• getCleanedLength
• getJobID
• getLastErrorRC
• getParameter
• getParameters
• scanBytes
• scanBytesEx
• scanFile
• scanStream
• setDefaultConfig
• setJobID
• setParameter
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 41/51
SAP Online Help 18.08.2008
Virus Scan Interface 41
• setScanInfo
The most important classes of the Virus Scan Provider API are Infection and ScanError.
The class Infection contains the characteristics of a virus infection that has occurred.
Since this information is returned by the external anti-virus software, it depends on therespective product. The available methods include:
• getFreeTextInfo
• getObjectName
• getObjectSize
• getVirusId
• getVirusName
• isRepairable
The ScanError class contains the characteristics of an error that has occurred during a viruscheck. Since this information is returned by the external anti-virus software, it depends on therespective product. The available methods include:
• getErrorRC
• getErrorText
• getObjectName
• getObjectSize
For more information, see the JavaDocs for the relevant interfaces and classes.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 42/51
SAP Online Help 18.08.2008
Virus Scan Interface 42
Example Program for the Virus Scan Provider
The source code below demonstrates the use of the virus scan provider.
You cannot execute this example program as is, since it is only a fragment. However, theindividual parts can be used.
import javax.naming.*;import com.sap.security.core.server.vsi.api.*;import com.sap.security.core.server.vsi.api.exception.*;
/* Virus Scan Interface example */
public class VsiTestScan ... {...try {
/* Lookup the VSI service. */
Context ctx = new InitialContext();VSIService vsiService =
(VSIService)ctx.lookup(VSIService.JNDI_NAME);
if (vsiService != null) {/* get scan instance */
Instance myInstance = null;try {
myInstance = vsiService.getInstance();
if (myInstance != null) {/* perform virus scan */if (myInstance.scanBytes(Virus.EICAR) == true) {
/** true means no infection and no scan error:* Scanning the EICAR test pattern virus* must either return false or throw an Exception,* otherwise the underlying scan engine has* not recognized the EICAR pattern.
*//* not expected error */
}
}
else {
/* The returned instance was null:
* This means, the virus scan profile is not active
* => do here nothing to allow the scan switch on/off
*/
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 43/51
SAP Online Help 18.08.2008
Virus Scan Interface 43
}}catch (VirusInfectionException vse) {
Infection[] myInfections = vse.getInfections();
String errorText = vse.getLocalizedMessage();
/* print out only the locale error text */
if (myInfections.length == 1) {/* the scan engine has found the infection *//* ... */
}else {
/* not expected error *//* ... */
}
}catch (Exception e) {/* catch all other Exceptions,* including VirusScanException and* VSIServiceException here as not* expected error*/
String errorText = e.getLocalizedMessage();
/* print out only the locale error text *//* ... */
}
finally {
/* release the scan instance */vsiService.releaseInstance(myInstance);
}}else {
/* Virus Scan Provider service is not started *//* ... */
}/* ... */
}
Virus Scan Server
The virus scan server is an executable program that includes virus scanners from certifiedvendors using an interface and provides scan services to the application servers of thesystem as a registered RFC server.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 44/51
SAP Online Help 18.08.2008
Virus Scan Interface 44
Application-Server-Starter or Self-Starter
When configuring a Virus Scan Server for ABAP systems, instead of an application-server-starter (started by the application server) you can install a self-starter (for example, started
externally as a service under Microsoft Windows NT or a daemon under UNIX). In the case ofapplication-server-starters, all components are on the same host. On the other hand, in thecase of self-starters, the virus scan server and the SAP NetWeaver Application Server (SAPNW AS) can be on different hosts. This means that you can use a virus scan server that isonly available for a particular platform, even if the SAP NW AS is installed on a differentplatform.
Virus Scan Server on One or Two Hosts
Work Process
Work Process
Work Process
Work Process
Work Process
Work Process
SAP System
RFC ClientVirus Scan Server
Anti-Virus Product
SAP
Gateway
Host 1
Work Process
Work Process
Work Process
Work Process
Work Process
Work Process
SAP System
RFC Client
Host 1
Virus Scan Server
Anti-Virus Product
SAP
Gateway(On host 1
or host 2)
Host 2
During operation, this division into application-server-starters and self-starters primarilyaffects the Computing Center Management System (CCMS). You can monitor the virusscanners in the CCMS (transaction RZ20), in the monitor Virus Scan Servers in the monitorset SAP CCMS Monitors for Optional Components [External]. The following differences existin this case:
● Application-Server-Starters
In this case, the CCMS data collector automatically checks whether a configured VirusScan Server is available. If this is not the case, the CCMS triggers an alert, and startsthe Virus Scan Server again as an auto-reaction.
● Self-Starters
In this case, although the processes are monitored by CCMS, they are notautomatically stopped or started. There is, however, a separate MTE class in CCMS forthese self-starters. You can assign an auto-reaction method to this MTE class yourselfto react to alerts. You can, for example, use the MTE class CCMS_OnAlert_Email tosend an e-mail or an SMS (see Defining Automatic Alert Notification [External] andForwarding Alerts to Alert Management (ALM) [External]).
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 45/51
SAP Online Help 18.08.2008
Virus Scan Interface 45
Ensure that you secure your RFC connections with Secure NetworkCommunications (SNC) as described in the SNC manual [External].
For more information about application-server-starters and self-starters, see:
●
Virus Scan Provider as an Application-Server-Starter [Page 45]
In the following case, you can use the application-server-starter as a self-starter:
The SAP Web AS kernel uses 64 bits and the external anti-virus product or the externalVirus Scan Adapter (VSA) uses 32 bits.
To do this, use the field Instance Name, and create the 32 bit Virus Scan Serverin a separate instance directory. More information: SAP Note 964305.
● Installing a Virus Scan Server as a Self-Starter [Page 46]
The self-starter is available to you as an alternative if you cannot use the application-server-starter.
Virus Scan Provider as an Application-Server-Starter
Use
Virus Scan Adapter
The vendor’s virus scan adapter must match the architecture of the application server. If youare using it under Sun Solaris 9, the adapter must therefore be 64 bit compatible, since theSAP application server only supports 64 bit for this operating system.
There are no other dependencies on other components, meaning that you do not needvscan_rfc.exe, xmlXXd.dll, sapcppXX.dll, or librfc32.dll.
Virus Scan Server
If you use the virus scan server, all required components are in the working directory of theSAP NW AS kernel on one host. The Virus Scan Server is included in the standard system.This means that you only have to ensure that the prerequisites for the operation of theapplication-server-starter are fulfilled.
Prerequisites● You have installed the external anti-virus product and the associated Virus Scan
Adapter in accordance with the instructions provided by the vendor.
● The kernel directory contains the following components:
○ vscan_rfc.exe (Microsoft Windows NT) or vscan_rfc (UNIX)
○ The current RFC library or LIBRFC (see SAP Note 413708)
○ sapcpp<XX>.dll (Microsoft Windows NT) or sapcpp<XX>.<shared ext.> (UNIX)
where XX stands for the version and follows the release
○
xml<XX>d.dll (Microsoft Windows NT) or xml<XX>d<shared ext> (UNIX)
where XX stands for the version
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 46/51
SAP Online Help 18.08.2008
Virus Scan Interface 46
These components are available to you as a package in the Product andProduction Management System at service.sap.com/swdc .
Installing a Virus Scan Server as a Self-Starter
Use
The self-starter is available to you as an alternative if you cannot use the application-server-starter. If, for example, you are using a SAP NetWeaver AS under UNIX, but the externalvirus scan product or the external adapter is only available for Microsoft Windows.
Prerequisites
The self-starter starts the virus scan engine using a local XML configuration file. This is
usually the file vscan_rfc.xml, which contains the parameters required by the virus scanadapter (The installation package available at service.sap.com/swdc contains a
default configuration file.). The server must be started, or, if necessary, restarted usingoperating system resources.
Procedure...
1. Copy the relevant variant of the virus scan server from the CD or the SAP ServiceMarketplace to a start directory.
2. Create the configuration file using the commands listed in the table below, with whichyou can later also change the existing configuration.
In this example, the following call generates both the server and the VSAconfiguration for antivirvsa.dll (antivir):
vscan_rfc get_config –V <drive:>\vsa\antivirvsa.dll –cfg <drive:>\vsa\vscan_rfc.xml
To set new parameters to overwrite existing parameters, execute additionalcommands and options in a new call. These are then set in the XMLconfiguration.
In this example, you can change the call as follows::
vscan_rfc get_config –V <drive>:\vsa\antivirvsa.dll –cfg <drive:>\vsa\vscan_rfc.xml –a VSCAN_LOCAL –g <host name of theSAP Gateway> –x <Service name of the SAP Gateway> –c <SAPCodepage>
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 47/51
SAP Online Help 18.08.2008
Virus Scan Interface 47
Configuration Commands for the Self-Starter
Command Platform Notes
help All Calls the online help for thecommands and options.
version All Shows the internal versioninformation of the virus scanserver. You must use at leastinternal version 1.5 (see SAPNote 782963).
regonly All Registers the virus scanserver only at the gatewaywithout starting the underlyingengine. The CCMS uses thiscommand to then call the RFCfunction VSCAN_RFC_INIT.
Note that if you use thiscommand outside the CCMSthat the server is not ready foruse.
get_config All Receives the CSA andseparate server configurationand stores them in a localXML configuration. (Option-cfg <file> is mandatory forthis). The options receivedusing the command line arestored as the serverconfiguration in this case. If
you do not specify anycommand line options, thepredefined values are set.
Use this command to start thesetup of a self-starter. If thefile specified using the option -cfg does not exist, a new file iscreated.
install NT Installs a “new” VSCAN_XXservice in the MicrosoftWindows NT Service ControlManager (SCM).
The -cfg option with aspecification of a localconfiguration is mandatory forthis command. The service isinstalled if the VSA issuccessfully initialized. If youspecify additional options,these are only stored in theXML file used. The -srvcoption specifies the number ofthe service; that is, you caninstall up to 100 services on a
host. The default value for-srvc is 00.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 48/51
SAP Online Help 18.08.2008
Virus Scan Interface 48
remove NT Deletes an existingVSCAN_XX service in theMicrosoft Windows NT ServiceControl Manager (SCM).
You can specify the service
more exactly using the -srvcoption. Example: vscan_rfcremove -srvc 1 deletes theexisting service VSCAN_01.
start NT Starts an installed VSCAN_XXservice. This command startsthe service with the specifiedoptions.
The Microsoft Windows NTcommand "net startVSCAN_XX“ starts thepreviously installed service
only if the local configuration isused.
stop NT Stops a running VSCAN_XXservice. This commandcorresponds to the MicrosoftWindows NT command “netstop ...”.
In addition to the commands, you can specify the following options.
Options for Self-Starters
Option Platform Notes
-a All Program ID of the RFCdestination, such asVSCAN_LOCAL
-g All Host name of the SAPgateway
-x All Service name of the SAPgateway, such as sapgw00
-cfg All Complete path specification ofthe XML configuration file
-f All Path specification of the tracefile to be used
-l All Trace level of the trace file:
0 := Errors
1 := Errors and warnings (suchas virus infections)
2 := Errors, warnings, andvirus scan engine calls
3 := Additional information, allRFC calls, and memory
operations
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 49/51
SAP Online Help 18.08.2008
Virus Scan Interface 49
-c All SAP codepage for NON-UNICODE virus scan servers
-V All Path specification of the virusscan adapter to be used. Ifyou do not set this option, the
environment variable VSA_LIBis used.
-p All Profile name (Default:VSA_CONFIG) for the currentVSA configuration. This optionallows differentiation if you areusing multiple (different) VSAconfigurations in one XML file.
-T All Maximum number of threadsthat the server can use.Possible values: 1 to 999.
-m All Minimum number of threadsthat the server should use.
Note: The mean value of -mand -T is always used for thenumber of threads that areheld open.
-L All Path specification for an SNClibrary
-S All The SNC name of thisinstance.
Note: Setting -L, -S, or -Q
activates SNC for the server.
-Q All SNC security level. Possiblevalues:
1:=Authentication
2:=Integrity protection
3:=Encryption
7:=Minimum level
8:=DEFAULT
9:=Maximum level
-P All The SNC name of the SAPinstance.
Caution: If you set this name,only requests from SAPinstances with this SNCidentity are accepted
-I All Timeout in seconds for theinternal instances operationsRELOAD and SHUTDOWN.
-n All Maximum number of tracelines for the memory trace.
Default: 10000
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 50/51
SAP Online Help 18.08.2008
Virus Scan Interface 50
-h All Retention period in secondsfor the memory trace: Defaultvalue: 86400 seconds
-srvc NT Service number of theMicrosoft Windows NT
commands install | remove |start | stop
-daemon UNIX Starts the virus scan server asa daemon process with fork().
Operating the Self-Starter
● Operation as a Service in the SAP Microsoft Management Console (SAPMMC)
You can start and stop the virus scan server within the SAPMMC. The virus scan
server runs as a Microsoft Windows service within the operating system.
● Operation as a Daemon
You can start the virus scan server as a daemon directly at the operation system start.
Starting a daemon:
vscan_rfc -cfg /vsa/vscan_rfc.xml –daemon
You can monitor the daemon with operating system resources (CRONTAB, INITTAB).
The components required to operate the self-starter are available to you as a package in the
Product and Production Management System at service.sap.com/swdc .
Configuring the Self-Starter
You have the following options for configuring the self-starter:
● Call get_config again and use additional Commands and Options [Page 46].
● Edit the XML configuration file directly.
● Synchronize the settings using the IMG activity Define Virus Scan Servers [Page 9]
(transaction VSCAN).
With this configuration option, the parameters for trace level (option -I), codepage(option -c), max. threads or max. instances (option -T), and VSA_LIB (option -V) aresaved to the specified configuration using the Local button. If you leave theConfiguration field empty for a self-starter, the values are saved to the XMLconfiguration in use.
The values are only saved if an XML file already exists.
8/10/2019 VSCAN_EN
http://slidepdf.com/reader/full/vscanen 51/51
SAP Online Help 18.08.2008
Using Signals to Control the Virus Scan Server
Use
You can send the virus scan server operating system signals so that it performs functions.
This is useful if, for example, you want to administrate the virus scan server from a shellscript.
Procedure
The table below lists the signals and their effect on the virus scan server.
Signals and Their Actions
Signal Action
SIGINT Downloads
SIGUSR1 Reduces trace level
SIGUSR2 Increases trace level
SIGHUP Reinitializes virus scan instances within thevirus scan server.
After an update of the external product, youcan use this signal to prompt the virus scanserver to reinitialize itself, so that it has an up-to-date status.