Integrating a virus scan in your own SAP applications

This note provides information about integrating a virus scan interface (VSI) into SAP applications.

A check should be made as to whether the virus scan interface must be implemented again, or if you can use the SAP standard integration to exchange the file (GUI or HTTP).


    1. Question: Where is documentation about the interface available?

              Answer: The virus scan API is the same from SAP R/3 Enterprise up to the current releases. New features will gradually be made available in old releases. Therefore, we can refer you to the following:

              Secure Programming Guide ABAP: http://help.sap.com/saphelp_nw2004s/helpdata/en/6d/e6c3076f1243d0a133d1b5fb991412/frameset.htm

              Secure Programming Guide Java:
http://help.sap.com/saphelp_nw2004s/helpdata/en/30/42c13a38b44d5e8d1b140794e8e850/frameset.htm

    2. Question: As of when can I use the virus scan in SAP applications?

              Answer: As of SAP NetWeaver, from a technology point of view, you can use the virus scan as of SAP_BASIS 640 for ABAP and J2EE with feature pack (which corresponds to Support Package 7). From an application point of view this means: The virus scan function is available for all SAP solutions that are based on SAP NetWeaver (for example, SAP Business Suite, SAP Business ByDesign).

              Before SAP NetWeaver, the virus scan is available in SAP R/3 Enterprise as of Support Package 63. From a technology point of view, it is available as of SAP_BASIS 620, SAPKB62063.

    3. Question: When is the anti-virus routine integrated into the standard upload?

              Answer:

        a) ABAP:

                       As of SAP_BASIS 620 Support Package 64 (see Note 1058031).

                       As of SAP_BASIS 640 Support Package 11 (see Note 1058032) or higher (that is, in all subsequent versions).

        b) JAVA: As of SAP J2EE Support Package 13 (see Note 848189) or higher.

    4. Question: Which functions in ABAP were enhanced with SAP_BASIS 620 Support Package 64 or SAP_BASIS 640 Support Package 11?

              Answer:  1. The function module 'GUI_UPLOAD'
          2. The class method 'CL_FRONTEND_SERVICES=>GUI_UPLOAD'
          3. The class 'CL_HTTP_ENTITY=>GET_DATA' (ICF framework, BSP, Web Dynpro ABAP, REST and so on)

    5. Question: Which functions in JAVA were extended with NW'04 Support Package 13?

              Answer:  The WebDynpro for JAVA control 'FileUpload', meaning uploading using WebDynpro for JAVA.

    6. Question: As an application developer, how I can see whether the integrated anti-virus routine works in my application?

              Answer: To check this, you must use one of the listed functions for the UPLOAD. In general, the virus scan in the Internet Communication Framework (ICF), in the Business Server Page (BSP) or in Web Dynpro for ABAP can 'always' be carried out because the scan was integrated in the ICF layer for the Internet Communication Manager (ICM).
To be certain, and to test the availability of the scan, you must activate the virus scan, that is, activate the relevant profile. Note the following: If you activate a virus scan profile without having configured a real virus scanner, an error message is displayed during the upload because this configuration is incorrect. As a result, you can test whether or not file upload is possible after you activate the profile in a system that does not have virus scanners. If the file upload results in an error, the integrated anti-virus routine is executed and this proves that the virus scan function is called.

    7. Question: Where do I obtain the interface package for Java?

              Answer: The JAR package with the Java interfaces is included in each SAP Application Server (AS) Java and also in the interface set of SAP NetWeaver Developer Studio. The JAR package contained in this note is provided in case you use a different development tool or if no SAP J2EE Engine is locally available.

              When you include the virus scan in your own Java library, which is also used in your own applications, you require a reference to the J2EE interface "Virus Scan Interface" when using the virus scan. If you cannot use this reference, you can also use the attached sample code in the package VSIService.zip to call the functions using "Reflection". In this case, you do not require a reference to SAP components, that is, you can include the virus scan in your own applications independent of SAP components.

    8. Question: Where can I find the JavaDoc documentation for the Java interface?

              Answer: The virus scan application programming interface (API) is available in the SAP Help Portal at:

                http://help.sap. com/javadocs/NW04S/current/se/index.html

             

    9. Question: How do I test the virus scan if a virus scanner is installed?

              Answer: To do this, you must activate the virus scan, then you can test using transaction 'VSCANTEST' (ABAP) or the test application 'http://hostname:port/vscantest' (J2EE). For further information, see the SAP tutor documentation.

        a) RFC destination setup:

                    http://service.sap.com/~sapidb/011000358700003298652004E.sim

        b) Configuring the interface:

                    http://service.sap.com/~sapidb/011000358700003298672004E.sim

        c) Testing the interface:

                    http://service.sap.com/~sapidb/011000358700003298692004E.sim

    10. Question: Which product for the virus scan should be used for development or testing?

              Answer: There is a Software Development Kit (SDK) for certifying the NW-VSI interface at:

                       ftp://ftp.sap.com/pub/icc/nw-vsi/VSA-SDK-1.0.zip

              or in Note 786179, there is also a sample adapter "vssap" which finds the EICAR test virus (Note 666568). You do not need to install any further anti-virus products for this. However, this adapter is only for testing during development and is not a substitute for an actual antivirus product.

    11. Question: How is the virus scan activated or deactivated?

              Answer:

        a) ABAP:

        (a) In transaction VSCANPROFILE, you can use the 'Active' indicator to activate or deactivate a profile.

        (b) You can use the viewcluster maintenance (transaction SM34) to configure the delivered virus scan profiles. The name of the viewcluster is 'VSCAN_PROFILE_VC'. You can activate or deactivate a profile here using the 'Active' indicator.

        b) Java up to 70x:

                       You can configure a virus scan profile, and activate/deactivate it in administration by choosing 'Visual Administrator Service'-> 'Virus Scan Provider' -> 'Profiles'.

        c) Java Enterprise (JEE) as of 710 and higher:

                       The configuration for the Virus Scan provider is contained in the NetWeaver Administrator (NWA).


                       You must at least create a default profile. Delivered profiles refer to a default profile. If you do not define a default profile, the virus scan does not work.

    12. Question: Which applications are supposed to use their own profile?

              Answer: Applications that use virus protection as a feature should use a customized profile. The reason for this is the independent nature of the basis settings. The virus scan is always performed when the profile used is active, that is, if the delivered base profiles have been deactivated for performance reasons, the scan can nevertheless be executed if a specific profile name is assigned to the upload module (GUI or HTTP). Another reason for specific virus scan profiles is they enable configuration option within the profile, that is, if an application has different scenarios with the anti-virus routine (uploading from the Internet or intranet, for example), it must also include several profiles that can be used to configure and manage the anti-virus routine.