Why Even the Best Anti-Virus Program Can’t Protect SAP Systems
Jul 7, '21 by Joerg Schneider-Simon
Is your enterprise-grade anti-virus software protecting your SAP systems?
Is it leaving your business exposed and vulnerable to the latest viruses, whether GoBrut, Jokeroo, Trojan Glupteba, ILOVEYOU or something else?
Why? Because, when it comes to SAP, your anti-virus program has blind spots. Just as your car’s side mirrors have blind spots, so does your anti-virus program.
The ability to upload content into SAP systems creates one of those blind spots. And it’s a particularly dangerous one: a breach of an SAP system that manages personally identifiable information, payment information or corporate resources could prove ruinous—both to your organization’s bottom line and to its reputation.
The Anti-Virus Assumption You Might Be Making
Many SAP-based applications allow users to attach documents or files to a business operation. For example: a job applicant uploading their CV, photos snapped by a service technician out in the field, or the scan of a lunch receipt that a sales rep uploads to your travel expense application.
When it comes to uploaded content, many (but not all) businesses are aware that malware can come along for the ride. So, they deploy top-of-the-line anti-virus software on every desktop and server, scanning files, inbound emails and web-traffic.
Then, they rest easy, thinking that their company is protected. And they are – at the OS level. But their SAP system is still glaringly vulnerable.
To understand how that happens, we need to look closely at how OS-level anti-virus solutions work.
What Your Anti-Virus Program Does—and Doesn’t Do
Corporate anti-virus programs have a clear task: to protect the machine they are running on from malware being either stored or executed. They do this by implementing a series of controls:
- On-access scanning: Anti-virus programs scan every file read from or written to the server’s file system. Depending on the operating system, that file system may be FAT32, NTFS, ext3, ext4, JFS or any other type the OS supports. Basically, as soon as the OS or an application accesses a file on disk, the AV solution scans it. Depending on your vendor’s preferred lingo, this functionality is referred to as “on-access scan,” “real-time scan” or variations thereof.
- Scheduled scans: Most anti-malware programs provide the option of scheduling full scans on a regular basis. The goal is to identify and remove (or quarantine) malware that may have been stored on the server before a detection signature was available. Typically, during off-hours, the anti-malware solution will become active and scan all drives attached to the system end-to-end. However, with today’s storage capacities growing exponentially, these full scans become less practical to perform.
- Vulnerability shielding and memory/process protection: As malware becomes more sophisticated, it is no longer a “plain” executable. In most cases, the initial infection leverages an unpatched vulnerability and then tries to create a persistent copy of itself by injecting its code into an operating-system-level process or by modifying system files so that the malware runs continuously on the infected system. The anti-virus software shields the vulnerability as well as your OS processes and system files.
More advanced anti-malware programs may also use a few other techniques, such as heuristics, sandboxing and the perceived new “silver bullet,” machine learning. However, these techniques only refine the products’ detection capabilities; they do not change what the product is able to see.
Why SAP Systems Are Different
Essentially, anti-virus systems handle basic attacks, like malware in an email, and also advanced attacks, such as attempts to exploit an unpatched vulnerability or to modify system configurations.
But in a typical SAP application, such as SRM, ERP, CRM, Enterprise Portal, or modern FIORI apps, these controls will not prevent attackers from uploading malware into the application. Why not? Because anti-virus programs only protect against the threats they see.
Let’s look at why even advanced anti-virus setups don’t protect you against SAP cyberattacks.
- Upon upload, the user establishes an encrypted connection. This is done via HTTPS or, with the SAP GUI, via the SAP-proprietary DIAG protocol, which may additionally be protected by SAP’s SNC encryption and authentication. Because the connection is encrypted, there is no way for the anti-virus program to “see” the file while it is being transferred.
- The SAP application processing the upload stores the file as a record in the database or in an SAP-proprietary content repository, not as a regular file on disk. Anti-virus software cannot look inside those database volumes. So, there is no way for the anti-virus program to “see” the file when it is being stored.
- Vulnerability shielding and process protection on the server won’t help either, because the malware is not being run at this point in time. It is tucked away in the SAP database, waiting for a user or customer to retrieve it as part of a business process. So, the vulnerability shielding software never “sees” the malware in action, because it is never executed on that protected server.
This is alarming enough on its own. But wait…it gets worse.
Cyberattacks on SAP Systems Are Growing
According to Onapsis, since mid-2020 there have been more than 300 observed attacks exploiting one or more of six unpatched vulnerabilities. Onapsis further reports that critical SAP vulnerabilities (and since most SAP systems are mission-critical, most of their vulnerabilities are critical) are typically weaponized within 72 hours of patches being released.
Hackers typically discover and then exploit unprotected SAP applications in cloud environments within three hours of SAP publishing patches for these vulnerabilities.
Companies assume that the corporate anti-virus deployed to every server will automatically catch any malware uploaded into an SAP application. And as we now know, that assumption is wrong.
The Good News: You’re Not Doomed
Back in 2004, SAP added a virus scan interface (NW-VSI) to every SAP application server. This interface has since evolved into a more comprehensive content security interface, aimed at detecting and blocking various threats in inbound and outbound file transfers. Applications automatically route all file operations through a security solution attached to the NW-VSI.
The catch? Your standard (and even your advanced) anti-virus program does not connect to, or even understand, the NW-VSI.
That’s why it’s so important to complement your OS-level anti-virus program with an anti-virus solution designed specifically and solely for SAP. Fighting back-to-back, the two solutions can each play to their strengths—and guard each other’s weak spots.
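The upload blind spot from the list above and the scan-before-persist pattern that NW-VSI provides, modelled as an added Python example (not bowbridge’s or SAP’s code, and not the real NW-VSI API): attachments live as database blobs that an OS-level file scanner never walks, so the only place to check them is an application-level hook on inbound upload and outbound download. The scanner, the sqlite store, the signature list and the EICAR test string used as the sample “infected” upload are all constructed stand-ins.

```python
import sqlite3

# Constructed sample inputs: EICAR is the industry-standard, harmless anti-virus test string and
# stands in for an upload carrying malware; CLEAN_PDF stands in for a scanned lunch receipt.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
CLEAN_PDF = b"%PDF-1.4\n%constructed receipt scan, no payload\n"


class ContentScanner:
    """Stand-in for the engine behind a scan interface: substring match against a signature list."""
    def __init__(self, signatures):
        self.signatures = list(signatures)

    def is_infected(self, data: bytes) -> bool:
        return any(sig in data for sig in self.signatures)


class AttachmentStore:
    """Uploads live as database blobs, never as files on a disk that OS-level scans would walk."""
    def __init__(self, scanner: ContentScanner):
        self.scanner = scanner
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE attachments (id INTEGER PRIMARY KEY, name TEXT, content BLOB)")

    def upload(self, name: str, data: bytes) -> bool:
        """Inbound hook: scan the decrypted bytes and reject before anything is persisted."""
        if self.scanner.is_infected(data):
            return False
        self.db.execute("INSERT INTO attachments (name, content) VALUES (?, ?)", (name, data))
        return True

    def download(self, name: str):
        """Outbound hook: re-scan on retrieval, so content stored before its signature existed
        is still blocked when a user later pulls it out of a business process."""
        row = self.db.execute("SELECT content FROM attachments WHERE name = ?", (name,)).fetchone()
        if row is None or self.scanner.is_infected(bytes(row[0])):
            return None
        return bytes(row[0])


def run_timeline():
    """Day 0: no signature, so the test file gets in. Later the signature arrives: new uploads
    are rejected and the already-stored copy is blocked on download. Returns the five outcomes."""
    scanner = ContentScanner([])
    store = AttachmentStore(scanner)
    stored_clean = store.upload("receipt.pdf", CLEAN_PDF)              # True
    stored_test = store.upload("cv.pdf", EICAR)                        # True: nothing could see it yet
    scanner.signatures.append(b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE")   # signature update lands
    rejected_now = store.upload("cv2.pdf", EICAR)                      # False: blocked before persist
    clean_out = store.download("receipt.pdf") is not None              # True
    test_blocked = store.download("cv.pdf") is None                    # True: caught on the way out
    return stored_clean, stored_test, rejected_now, clean_out, test_blocked
```

The outbound re-scan is what closes the window the article describes: a file that slipped in before its signature existed never touches a disk a scheduled scan would cover, so retrieval is the next and last point at which it can be stopped.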
To protect your OS-level anti-virus solution’s flank, choose the right provider. We’re proud to say that bowbridge’s Anti-Virus for SAP Solutions has been rigorously tested by SAP and is officially SAP-certified. This means our customers can rest easy, knowing their most critical assets will be guarded not just securely, but seamlessly.