Malware Detection for SAP Applications
Sep 9, '21 by Joerg Schneider-Simon
If your organization runs any SAP applications, you likely have a problem with malware...and malware detection.
Why? Because most enterprise anti-virus software doesn’t protect SAP applications against malware.
If you need malware detection for SAP applications, you must first understand SAP’s shortcomings in malware detection, and then find anti-virus software that protects your SAP systems from malware attacks.
Why Standard Malware Detection Software Doesn’t Protect SAP
When we talk about malware, we are talking about malicious software that deliberately disrupts or manipulates the normal operation of an electronic device, whether that device is a server, desktop or laptop computer, tablet or smartphone. Malware includes ransomware, viruses, trojan horses, worms, spyware and logic bombs.
You need to understand that even the best anti-virus program can’t protect SAP systems.
This is because standard malware detection software is designed to detect basic attacks (such as malware in an email) and advanced attacks (such as attempts to exploit unpatched vulnerabilities or modify system configurations).
But standard malware-detection software isn’t designed to work with SAP’s unique ways of handling files. In particular, it doesn’t work seamlessly with SAP’s encryption and storage facilities.
Problem 1: Encryption and proprietary protocols
The problem you face with malware detection is that SAP applications, even the SAP-GUI used to connect to SAP servers, use proprietary network protocols (“DIAG”, “RFC”) and proprietary encryption (SNC) to communicate – and to transfer files. There is no way for standard anti-virus programs to “see” files when they are being transferred over these encrypted connections.
Problem 2: Storage
Adding to your headaches is that SAP applications store uploaded files in a unique way. Instead of writing them to the file system, they store the files in SAP-proprietary data repositories in the database or in a document management system, such as the SAP Content Server.
The result is that files infected with malware remain hidden inside these silos. Anti-virus software cannot “see” the infected files when they are being stored.
The result of these two shortcomings is that malware uploaded directly to SAP applications typically goes undetected. That means an increased risk of spreading malware to internal users or, worse, to external users like customers or suppliers. Without malware detection software protecting your SAP applications, third-party users could unknowingly download malware when accessing your SAP system. This would not only be damaging to your company’s reputation, but you might also be liable for any damages caused by the malware infecting their system.
What to Look for in Malware Detection Software for SAP Applications
Standard anti-virus solutions can’t protect SAP applications against malware. What you need to protect your enterprise is anti-virus software that’s designed specifically for SAP. This type of software should work seamlessly in the background, securing ABAP and Java-based SAP applications as well as SAP Business Objects, Mobile Platform and new solutions built on SAP HANA and UI5/FIORI.
When you start your search for malware detection software for SAP applications, look for a solution that protects you against the following five threat vectors.
1. Malware-infected uploads
The software has an embedded virus scanning engine (by industry-leading vendors such as McAfee Security, SOPHOS or Kaspersky) that performs scans 100% in-memory. If it offers centralized virus scanning services via the ICAP protocol, that’s a bonus.
2. Active-content attacks
The software protects against malicious active content, that is, code hidden in documents or seemingly benign files. The software detects malware in macros, scripts, add-ins, OLE files, etc.
3. Content-based MIME attacks
The software protects against file-based attacks using MIME-type checks that analyze files beyond the extension to determine the file’s true content.
4. SAPCAR archive attacks
The software checks files that are archived in SAP’s SAPCAR archive format to ensure that no malware or malicious content can be transferred from archives to the SAP system.
5. Cross-site scripting (XSS) attacks
And of course, it’s vital that the software detects and blocks XSS attacks in files, even if the attacks are hidden or obfuscated (after all, ~20% of SAP Security Notes patch XSS vulnerabilities).
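The checks described in items 2 and 3 can be illustrated with a short added example (not the vendor's code and not an SAP API): content is classified from its leading bytes rather than its extension, then inspected for embedded code. The signature table, the `ALLOWED` policy, the function names and the sample builder are assumptions made for this example.

```python
import io
import zipfile

# Leading magic bytes -> true content type (small illustrative subset).
MAGIC = [(b"%PDF-", "application/pdf"), (b"PK\x03\x04", "application/zip"),
         (b"MZ", "application/x-dosexec"),
         (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "application/x-ole-storage")]
# Hypothetical upload policy: content types each extension may carry.
ALLOWED = {".pdf": {"application/pdf"}, ".docx": {"application/zip"},
           ".doc": {"application/x-ole-storage"}, ".txt": {"text/plain"}}

def sniff(data: bytes) -> str:  # classify by content, never by file name
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    try:
        data.decode("utf-8")
        return "text/plain"
    except UnicodeDecodeError:
        return "application/octet-stream"

def active_content(data: bytes, mime: str) -> list:  # flag embedded code
    found = []
    if mime == "application/zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    found.append("vba-macro")
        except zipfile.BadZipFile:  # zip signature but unreadable archive
            found.append("corrupt-archive")
    elif mime == "application/pdf" and b"/JavaScript" in data:
        found.append("pdf-javascript")
    elif mime == "text/plain" and b"<script" in data.lower():
        found.append("script-tag")
    return found

def check_upload(filename: str, data: bytes) -> dict:
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    mime = sniff(data)
    return {"mime": mime, "mismatch": mime not in ALLOWED.get(ext, set()),
            "active": active_content(data, mime)}

def make_docx(with_macro: bool) -> bytes:  # constructed sample: minimal OOXML-style zip
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()
```

A file named `invoice.pdf` whose bytes begin with `MZ` is reported as a mismatch, and a `.docx` that contains a `vbaProject.bin` part passes the type check but is flagged for macros.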
Check the Credentials of SAP Anti-Malware Software Vendors
Besides checking that the anti-malware software will protect your SAP applications, check the credentials of the company behind the software.
The first thing to look for is that the company makes a product that is built specifically for SAP, one that integrates seamlessly into SAP NetWeaver environments.
The second item on your vendor checklist is SAP certification. Only go with a company that has passed SAP’s stringent software certification process. You want to find a software company that meets the highest standards of compatibility and stability.
Finally, look for a software firm that has a reputation for delivering outstanding service. Anti-malware software for SAP applications is only as good as the people behind the software.
Choose the Right Malware Detection for SAP Applications
Ransomware attacks were up 150% in 2020 and growing even faster in 2021, according to Harvard Business Review. If you need to protect your mission-critical SAP applications against malware attacks, you must understand the limitations of traditional anti-virus software, and then deploy an SAP-certified product that protects your SAP software and your users against viruses, malware, active content and other cyber threats.
Our Anti-Virus for SAP Solutions is designed specifically for the SAP Virus Scan Interface that’s found in every SAP application server. With full-spectrum security, integration with security monitoring, and leading-edge features, you’ll stop the malware attacks that slip past standard operating system anti-virus programs.