Why Even the Best Anti-Virus Program Can’t Protect SAP Systems
Aug 7, '17 by Joerg Schneider-Simon
Petya. NotPetya. WannaCry. Locky. The names alone are enough to make any IT professional’s senses leap to high alert.
These types of large-scale malware attacks can steal sensitive data, inflict massive damage … or both. And the results? They can devastate a business, if not destroy it altogether.
Smart companies know this, so your team deploys top-of-the-line anti-virus software on every desktop and server, scanning files, inbound email and web traffic. Then you rest easy, knowing that the company is protected.
Unfortunately, your company isn’t as well protected from cyberattack as you think.
Watch Your Blind Spot
Just like your car’s side mirror has a blind spot, so does your anti-virus program.
The ability to upload content into SAP systems creates one of those blind spots. And it’s a particularly dangerous one. A breach of an SAP system that manages corporate resources or stores personally identifiable information or payment information could prove ruinous, both to your organization’s bottom line and to its reputation.
How does this blind spot exist? SAP-based applications often allow users to attach documents or files to a business operation. For example: a job applicant uploading their CV, photos snapped by a service technician out in the field, or the scan of a lunch receipt that a sales rep uploads to your travel expense application.
Companies often assume that the corporate anti-virus deployed to every server will automatically catch any malware uploaded into an SAP application.
As it turns out, that assumption is wrong.
To understand why, we need to look at how anti-virus programs work.
What Anti-Virus Programs Do and Don’t Do
Corporate anti-virus programs have a very clear task: to protect the machine they are running on from malware being either stored or executed. They do that by implementing a series of controls:
- On-access scanning: Anti-virus programs constantly scan every file read from or written to the server’s file system. Depending on the operating system, this can be FAT32, NTFS, ext3, ext4, JFS or any other file-system type the OS supports. Basically, as soon as the OS or an application accesses a file on disk, the AV solution scans it.
Depending on your vendor’s preferred lingo, this functionality is referred to as “on-access scan”, “real-time scan” or variations thereof.
- Scheduled scans: Most anti-malware programs provide the option to schedule full scans on a regular basis. The goal is to identify and remove (or quarantine) malware that may have been stored on the server before a detection signature was available.
Typically, during off-hours, the anti-malware solution will become active and scan all drives attached to the system end-to-end. However, with today’s storage capacities growing exponentially, these full scans become less practical to perform.
- Vulnerability shielding and memory/process protection: As malware becomes more sophisticated, it is no longer a “plain” executable. In most cases, the initial infection exploits an unpatched vulnerability and then attempts to create a persistent copy of itself, either by injecting its code into an operating-system-level process or by modifying system files so that the malware runs continuously on the infected system. The anti-virus software shields the vulnerability as well as your OS processes and system files.
More advanced anti-malware programs may also use a few other techniques, such as heuristics, sandboxing and the newly perceived “silver bullet”, machine learning. However, these techniques only refine the products’ detection capabilities; they do not change what the product gets to inspect.
Essentially, anti-virus systems can handle basic attacks, like malware in an email, and also advanced attacks, such as attempts to exploit an unpatched vulnerability or to modify system configurations.
But in a typical SAP application, such as E-Recruiting, SRM, ERP, CRM or Enterprise Portal, these controls will not prevent attackers from uploading malware into the application.
Why? Because anti-virus programs can only protect against threats they can see.
Why SAP Is Different
Let’s look at why even advanced anti-virus setups don’t cover SAP cyberattacks:
- Upon upload, the user establishes an encrypted connection. This is done via HTTPS, or possibly via the SAP-proprietary DIAG protocol used by the SAP GUI, which may additionally be protected by SAP’s SNC encryption and authentication. Because the connection is encrypted, there is no way for the anti-virus program to “see” the file while it is being transferred.
- The SAP application processing the upload stores the file inside the database or an SAP-proprietary data repository, not as an ordinary file on a disk volume the way a traditional disk-based application would. Anti-virus software cannot look inside those repositories, so there is no way for it to “see” the file while it is being stored.
- Vulnerability shielding and process protection on the server won’t help either, because the malware is not being run at this point. It is tucked away in the SAP database, waiting for a user or customer to retrieve it as part of a business process. The vulnerability-shielding software never “sees” the malware in action, because it never executes on that protected server.
So We’re Doomed?
Good news: No, you’re not doomed!
Back in 2004, SAP added a virus scan interface (NW-VSI) to every SAP application server. This interface has since evolved into a comprehensive content-security interface, aimed at detecting and blocking various threats in inbound and outbound file transfers. Applications automatically route all file operations through a security solution attached to the NW-VSI.
The bad news? Your standard (and even your advanced) anti-virus program does not connect to, or even understand, the NW-VSI. Instead, an SAP anti-virus solution must be designed specifically to work with the NW-VSI. The right solution should be able to detect malware at any point, whether it’s being transmitted or lying in wait among your workflows.
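The following Python script is an added example, not code from the original post or from bowbridge, and it models both halves of the argument: the “Why SAP Is Different” list (an upload that lands directly in a database BLOB and never exists as a discrete file that an on-access scanner could open) and the NW-VSI paragraph (a scan hook attached at the application’s upload boundary, so content is inspected before it is persisted). Everything in it is an assumption constructed for the demo: the `scan_content` hook is a stand-in for a scanner attached to the application’s scan interface and is not the NW-VSI API, the signature list is a constructed marker rather than a real detection database, and the three uploads are constructed byte strings.

```python
import os
import sqlite3
import tempfile
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed stand-in for a real signature database (assumption for this demo).
SIGNATURES = [b"CONSTRUCTED-TEST-MARKER-NOT-REAL-MALWARE"]

# Well-known leading bytes for the document types this upload endpoint accepts.
MAGIC = {
    "pdf": b"%PDF-",
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}


@dataclass
class ScanResult:
    clean: bool
    reason: str


def scan_content(filename: str, data: bytes) -> ScanResult:
    """Hypothetical content-inspection hook run at the application boundary.

    It stands in for a scanner attached to the application's scan interface
    (it is NOT the NW-VSI API). Checks: extension allow-list, declared type
    versus actual leading bytes, and a signature match over the raw bytes.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return ScanResult(False, f"extension '{ext}' is not on the allow-list")
    if not data.startswith(MAGIC[ext]):
        return ScanResult(False, f"content does not match declared type '{ext}'")
    for sig in SIGNATURES:
        if sig in data:
            return ScanResult(False, "content matched a detection signature")
    return ScanResult(True, "clean")


def store_attachment(conn: sqlite3.Connection, filename: str, data: bytes,
                     hook: Optional[Callable[[str, bytes], ScanResult]] = None) -> bool:
    """Upload handler: the received bytes go straight into a BLOB column.

    Returns True when stored. With hook=None nothing inspects the content
    (the blind spot); with a hook, rejected uploads are never persisted.
    """
    if hook is not None and not hook(filename, data).clean:
        return False
    conn.execute("INSERT INTO attachments(name, body) VALUES (?, ?)", (filename, data))
    conn.commit()
    return True


# Constructed uploads: a genuine JPEG header, a PDF carrying the constructed
# marker, and a "photo.jpg" whose bytes actually begin with an executable header.
UPLOADS = [
    ("receipt.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("cv.pdf", b"%PDF-1.4\n" + b"CONSTRUCTED-TEST-MARKER-NOT-REAL-MALWARE" + b"\n%%EOF"),
    ("photo.jpg", b"MZ\x90\x00" + b"\x00" * 16),
]


def run_demo(with_hook: bool) -> dict:
    """Runs the three uploads and reports which were persisted and what a
    per-file on-access scanner would actually find on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "app.db")
        conn = sqlite3.connect(db_path)
        conn.execute("CREATE TABLE attachments(name TEXT, body BLOB)")
        hook = scan_content if with_hook else None
        stored = [name for name, data in UPLOADS
                  if store_attachment(conn, name, data, hook)]
        conn.close()
        # Only the database file exists as a discrete file; the attachments
        # never appear on the file system under their own names.
        on_disk = sorted(os.listdir(tmp))
    return {"stored": stored, "on_disk": on_disk}


if __name__ == "__main__":
    print("without hook:", run_demo(False))
    print("with hook:   ", run_demo(True))
```

Without the hook, all three uploads land in the BLOB column and the directory holds nothing but `app.db`, so a scanner that works file by file has no `cv.pdf` or `photo.jpg` to open. With the hook, only `receipt.jpg` is stored and the other two are rejected before they ever reach the database. To verify that a real application-layer scanner is actually wired in, the usual check is to upload the EICAR test file rather than a constructed marker like the one used here.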
All of this leads to the question, what is the right solution? And how can you know it will integrate smoothly into your SAP system?
Choose the right provider. We’re proud to say that bowbridge’s Anti-Virus for SAP Solutions has been rigorously tested by SAP and is officially SAP-certified. This means our customers can rest easy, knowing their most critical assets will be guarded not just securely, but seamlessly.
To learn more about how bowbridge’s Anti-Virus for SAP Solutions can help protect your applications from cyberattack, contact us today.