HowTo setup ClamAV/ClamSAP in the ABAP world

The ClamSAP project provides connectors from SAP VSI to ClamAV.

The architecture for a scan infrastructure can be very complex. There is a picture from http://scn.sap.com/docs/DOC-7838 which provides an overview of possible integrations scenarios.

---

The problem with this complexity is, it often confuses the system administrators. The same issue occurs with the ClamSAP possibility to connect ClamAV in 2 different ways.
Therefore I want provide a brief overview of what integration should be installed in which situation.
ClamSAP provides 2 libraries:
1.(lib)clamsap.(shared)
This library is only a middleware interface to load directly the ClamAV shared library including the siguture files. This means, ClamAV must be installed on this system. The clamsap and clamav shared libraries must have the same platform architecture, e.g. Linux x64 clamav needs a x64 version of clamsap.

2.(lib)clamdsap.(shared)
This library is a network connector the clamd (the ClamAV daemon). By default clamd only listen to localhost connections, however you can configure which hosts are allowed to connect also remote clamd processes. This option is similar to the SAP Virus Scan Server. The RFC server vscan_rfc offers remote scan capabilities.

The question from application point is now: What do you want protect with VSI? SAP application server processes data and documents, therefore you can protect an document upload. The way you activate such a protection is a configuration you need to have in your SAP ABAP system. The protection for document processing can be activated with transaction VSCANPROFILE. But before you are able to activate such a profile you need a running connection to a local or remote AV scanner. This connection can be done in transaction VSCAN. The automation of this setup is available as report which creates the most important setting, see: https://github.com/strehle/abap_vsi_setup

The main questions to deceide which library you should use are:
1. Is ClamAV available for the operating system you have your ABAP running, e.g. Linux or HP-UX, AIX, etc. You can also run ClamAV on Windows, however here you often have to issue, that in enterprise oranisations there are still other AV products installed which also block file system activities of ClamAV.
2. What is the amout of data you want scan, means, how many documents do you expect to be passed through VSI? The size of documents play here a role but also your netwerk capacity. If you scan typicall office documents with VSI then the remote scan with clam-daemon is fine.