Virus scanning in SAP - yes or no? and why?

Former Member
0 Kudos

I'm performing an investigation regarding virus scanning for SAP environments. Question is: is there significant risk of getting harmed by viruses and malware? I'm making a list of risks and mitigating controls that can be (have been) implemented, but it's difficult to support a pro- or con-statement with hard figures and statistics.

Just some thoughts about the subject:

There have been incidents where SAP/Linux environments were infected with a virus. With the strict governance model that is generally implemented on Production it is not likely to happen there. There are a lot of firewalls between our SAP systems and the intra- and internet; virus scanners are running on all front-ends, email and file servers, it is not possible to install something on our production system without very quickly being detected and very difficult to bypass the change process due to authorization setup, etc, etc. But then: how strict is the governance on sandbox, development & QA environments? It doesn't have to start on Production to affect Production.

Then maybe a crucial question: why would someone want to attack servers? What could someone gain from infecting systems and what attack is then likely to be the most successful? If you want to damage a brand or if you want to steal information, then social engineering gives a lot more chance of success. Accidental viruses that just happen to end up in our global network are quite likely to be captured by virus scanners on front-ends and email and file servers.

Looking at the costs of implementing the virus scanning: they will be high: interfaces should be installed on all SAP systems, extra processing power is required to prevent performance degradation and then people should monitor the results of the logging of the virus scanner. Does the cost of implementation weigh up to the risk that should be mitigated?

What are your thoughts? Is virus scanning on SAP required? And why?

8 REPLIES 8

Former Member
0 Kudos

Hi,

Our SAP servers run on Windows OS. The virus risk is therefore higher than on Unix servers.

The security policy in my company says that it is mandatory to have an antivirus always active on each Windows server.

In 10 years of SAP usage, we never had a virus problem (each workstation is protected by antivirus), but several times we had serious problems due to the antivirus, especially because of "on access scan".

Performance-wise, we also found out that a SAP NetWeaver J2EE system is twice as slow to start up with on access antivirus scan activated. We are talking about 20 minutes against 10 minutes...

My personal opinion (which I cannot apply) is that we should keep the antivirus on the SAP servers but deactivate on access scan and just program a periodic scan each weekend just to be safe.

At least we were able to negotiate a list of exceptions for on access scans where we put the database files: this is very important for I/O performance.

Regards,

Olivier

0 Kudos

Hi Olivier,

I liked your answer but did not get a clear idea on

"startup with on access antivirus scan activated"

Does it mean whenever a user (Dialogue) logs in scanning has to be done?

0 Kudos

Hi Franklin,

"On access scan" means that the antivirus scans every file which is read or written by the operating system.

For a SAP J2EE system, it means that every sca, sda or jar file is uncompressed and scanned at SAP J2EE startup and therefore the SAP system takes ages to start up.

This is called a filter driver and it is recommended by SAP to NOT use it but in some companies the security team does not care about SAP performance problems....

Regards,

Olivier

0 Kudos

Hi Olivier,

Thank you very much for a very good answer, I got some new information.

Of course, after reading it sounds easy.

Former Member
0 Kudos

Hi Olivier

Thanks for your reply. We had two Windows environments too and we had similar problems: we had more issues with the virus scanner than with viruses themselves. However, we haven't had good enough reasons and other controls in place to safely switch off virus scanning.

Do you also do virus scanning in SAP itself? SAP has delivered an interface which allows you to for instance connect McAfee to SAP itself. We're not sure about the added value and are wondering if there are other companies who have consciously made the decision to (not) implement it.

Kind regards

Maaike

0 Kudos

Hi Maaike,

We don't virus scan the content of SAP database because we don't see the point of it. Even if a virus file is stored in SAP database, so what? It cannot be executed.

Regards,

Olivier

Former Member
0 Kudos

Hi Olivier,

Just to be devil's advocate:

Apparently the virus scan interface allows scanning of ABAP and Java code, which could be a good quality check in your change management process. However, there are other (maybe even more suitable) tools to do this.

Another purpose could be to protect the front-end systems from viruses that are contained in and can be downloaded from the SAP database. However, then you should be receiving documents from insecure sources to make it legitimate.

It all depends on the reason you are virus scanning of course.

Thanks for your feedback. It's nice to hear how other companies handle this.

Kind regards

Maaike

0 Kudos

> Apparently the virus scan interface allows scanning of ABAP and Java code, which could be a good quality check in your change management process. However, there are other (maybe even more suitable) tools to do this.

The bugger with this is always that a scan is static and cannot know the call-stack and evaluate parameters sent to function modules, forms, implementation of methods, selection screens, etc.

There are some tools which however get close to this and automate the initial analysis of lots of code to find the "entry points" to look deeper.

To my knowledge the ABAP related "virus" interface is a BADI in the transport release events. It is not checked in the import events and is anyway optional.

Code reviews and controls on the quality of the coding are much easier - but still a task which goes beyond tick-marks on paper forms...

Cheers,

Julius