7 Ways to Improve SAP S4/HANA Security With Virus Scanning

7 Ways to Improve SAP S4/HANA Security With Virus Scanning

Feb 28, '23 by Joerg Schneider-Simon

Talk to your average hacker, and they’ll tell you they prefer to target networks and applications that host mission-critical data.

The more valuable the data, the more attractive the target.

This is why plenty of cybercriminals have their sights set on SAP S4/HANA, the ERP software designed to run mission-critical operations in real time from anywhere.

To protect your mission-critical data, you must protect SAP S4/HANA. And to improve your SAP S4/HANA security, you must deploy robust virus scanning at the SAP layer. SAP dedicates an entire chapter to Virus Scanning for SAP applications in the S/4 HANA security guide. Here are the steps you must take.

Step 1: Install a VSI 2.x-Compliant Virus Scanner

The first step in protecting SAP S4/HANA is installing and running a VSI 2.x-compliant virus scanner (such as bowbridge Anti-Virus for SAP Solutions) in your landscape.

The SAP Virus Scan Interface (SAP VSI API) contains the functions required to configure and to initialize the scan engine, and it provides the parameters and data for every virus scan. The SAP S/4HANA code calls this scanner using a dedicated interface during multiple stages of processing, including during uploads, downloads, and passage through the Gateway.

Step 2: Customize the SAP VSI API With Scan Profiles

If you have business scenarios that require uploading attachments to SAP S4/HANA modules (Finance, Sales, Supply Chain, and so on), SAP recommends that you activate the Virus Scan Interface in your system to prevent files with viruses from being uploaded to the application server. Then you must create Scan Profiles that define sufficiently restrictive policies to prevent the uploading of malicious content.

Your virus scanner will reject all documents that aren’t compliant with the rules defined in the settings of the scan profile. These rules typically need to disallow unneeded MIME types and documents with active content like HTML or JavaScript. SAP S4/HANA checks all uploads against a scan profile before being stored.

You can customize the pre-delivered scan profiles according to your needs. At runtime, the virus scanner rejects all uploads that aren’t compliant with the rules you’ve specified in the scan profile.

Step 3: Scan for Viruses at Upload Time

One central feature of SAP S4/HANA is that it allows users to upload files, typically as attachments to business documents. But if a document contains malicious content, unintended actions could be triggered when the item is downloaded or displayed. This creates vulnerabilities and can lead to attacks, such as file-based cross-site scripting.

This is why proper virus scanning at upload time is essential. Scanning as soon as files are uploaded provides a first line of defense against stored cross-site scripting attacks and other attacks.

Step 4: Use Best Practices for Virus Scan Profiles

SAP S4/HANA ships with what the company calls “predelivered scan profiles.” You should enable all of these scan profiles. Then, look for performance issues to decide which scan profiles you may want to disable.

Remember that some scan profiles take effect at download time. This has major benefits, because if a virus signature was updated since upload, malware that was not detected at upload time gets caught at download time. Also, files that have been stored in the system before the virus scanner was implemented are scanned as they leave the system. Administrators are in full control of what file transfer vector they would like to scan at download by maintaining settings in download-specific virus scan profiles, such as:


Step 5: Use the Allowlisting/Whitelisting Wherever Possible

Allowlists, aka whitelists, are an effective way to control files that flow into (and out of) your SAP applications. The list of allowed MIME-types (or file extensions) should be as restrictive as possible and should contain only MIME types from the IANA List. VSI-compliant virus scanners will determine the MIME-type based on the actual content of the file.

Step 6: Protect Against Active Content

Active content is content that’s typically embedded in files that trigger some action whenever the file is displayed. Active content includes macros, which have regained popularity in the malware-writing scene, especially as a popular way to propagate ransomware. Defend your organization against active content by performing virus scanning to prevent the uploading of malicious content in the first place.

Step 7: Use SAP WebDispatcher or the Internet Communication Manager

SAP WebDispatcher or the Internet Communication Manager protects you against malicious active content being executed at the front end. They use HTTP-response headers to instruct browsers to behave in a specific way. SAP WebDispatcher and ICM both allow you to modify HTTP-response headers.

SAP recommends adding the following headers:

  • SetResponseHeader X-Content-Type-Options “nosniff.”
    This tells the browser not to try reading the attached file with the assumed MIME type.
  • SetResponseHeader X-XSS-Protection "1; mode=block."
    This provides some protection against cross-site scripting.


Remember that enterprise-level anti-virus solutions on the market today fail to protect SAP S4/HANA for two basic reasons:

  1. Files uploaded to SAP are encrypted in transit and then stored in an SAP-proprietary repository. Neither anti-virus products at the network-level nor the Operating System anti-virus programs can scan those files for threats. Uploads into SAP applications effectively bypass any non-SAP-specific anti-malware solution.
  2. While SAP has an anti-virus interface, (NW-VSI), regular anti-virus software isn’t compatible with it.

If you need to improve your SAP S4/HANA security with virus scanning, your scanner should be built solely for SAP. Our Anti-Virus for SAP Solutions is built on expertise in SAP and information technology. It delivers robust protection against cyberattacks while working seamlessly with SAP’s unique internal architecture.

Learn more about Protecting SAP Applications from Content-Based Attacks.

New call-to-action