1 2 3 Previous Next 27 Replies Latest reply on Feb 21, 2011 11:29 AM by jmaxwell

    ScriptScan & mySAP Issue

      Good Morning everyone,

      My organisation is currently in the midst of upgrading our ERP System to MySAP. One of the applications we're implementing, Time-Clocking Web Application, seemed to be having issues with ScriptScan. When ScriptScan is enabled, it takes about 8-10secs to select a row in Time-Clocking Web Application while it takes only about 2 sec if ScriptScan is disabled.

      We've tried excluding a list of scripts as given by the SAP guys but it doesnt seemed to work. Disabling ScriptScan would open up the machines to potential malwares/virus.

      Anyone able to advise any solutions?

      The product versions I'm currently using :
      1. VSE8.0i with Patch 15
      2. ePO Agent
      3. ePO Server

      Any help is very much appreciated!
        • 1. RE: ScriptScan & mySAP Issue

          i suggest you carry out some testing with VSE 8.5 - i observed a similar problem with CA Service Desk - comparitive testing with 8.5 showed it to be much faster - adding only about 1 sec to the render time, based off the internal "time taken to render page" debug setting.

          please let us know what you find out,
          • 2. RE: ScriptScan & mySAP Issue
            thanks! i'd take a look and report any findings here!!
            • 3. RE: ScriptScan & mySAP Issue
              yes, please do.

              i dug out my results just to remind myself.

              with VSE 8.0i, 5100 scanning engine installed and scriptscan enabled, the render time average was about 4 seconds for 5 different CA ServiceDesk pages.

              with no AV it was about 0.3 secs for the same pages.

              with VSE 8.5 beta IIII (newest version at time of testing), the average was 0.5 secs render time for the same pages.

              so the average was for VSE 8.5 to add .2 secs to the render time,

              hopefully the same will hold true for you.
              • 4. RE: ScriptScan & mySAP Issue
                i've done the testing with scriptscan on/off for VSE8.5i. there seemed to be only a reduction of 1-2secs when scriptscan is on, if its off, performance increases significantly.
                • 5. Possible fix via ScriptScan exclusions
                  We've just discovered the same problem when McAfee 8 was rollout out as out corporate standard. (We're using the mySAP ERP 2004 Time Clocking application in Enterprise Portal 6.0/NetWeaver 2004)

                  Our Security dept. isn't keen on turning ScriptScan off, so I've been investigating the ScriptScan exclusion facility. (But I'm part of the SAP team and not responsible for the Anti-virus solution).

                  I'd like to try copying iexplore.exe to another name, and name that new exe as an exclusion to Scriptscan. If we can launch our SAP system with the new exe, ScriptScan might not kick in. We're going to try this next week.

                  I can't see our Security people buying this as a solution because there is nothing to stop users using our instance to IE to access potentially dangerous websites without the protection of ScriptScan. I've been looking at URL Lockdown tools but what I've found so far won't discriminate between the exe we want to use for mySAP and the exe we want to use for everything else. I also can't see our PC people wanting this as a solution because they will have to add the copy of IE into their base build.

                  Can anyone develop this potential further solution further?
                  • 6. RE: Possible fix via ScriptScan exclusions
                    well, my IT Security Team suggested 2 solutions :
                    1. add IExplorer.exe to the exception list in ScriptScan. this had to be done via regedit since vse8.0i doesnt have the interface to exclude this item. vse8.5i does have the interface for this purpose.
                    2. update the WSH host to version 5.7, our current version was 5.6.

                    they've tested both methods and it worked. however, to do security concerns, we'd probably be going with method 2.

                    hope this helps.
                    • 7. RE: Possible fix via ScriptScan exclusions
                      Thanks for the update, but you need to check your solution 2 really is a solution:

                      Installing a new WSH version merely overwrites the registry changes that 8.0 makes to install ScriptScan. Thus, Scriptscan will no longer be installed correctly and Java & VBScripts will not be scanned. Installing some McAfee patches will (re-)register the ScriptScan component (scriptproxy.dll) in place of jscript.dll & vbscript.dll and you will be back to the same problem.

                      Examine the value of default value of InprocServer32 in HKEY_CLASSES_ROOT\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}, if it is C:\WINDOWS\system32\VBScript.dll, the WSH version has merely overwritten the change made by the McAfee installation (which will have put the fully path reference to scriptproxy.dll file in this key). (Info courtesy of Didier Stevens)

                      If this has happened, you might want to go with solution 1 as at least all the other processes that use the WSH will be protected.

                      • 8. RE: Possible fix via ScriptScan exclusions
                        oops, we had missed out that portion about the registry changes completely. thanks for pointing that out to me.

                        in your opinion, do you suggest any other solutions?
                        • 9. RE: Possible fix via ScriptScan exclusions
                          The best fix will come from McAfee when they add a facility to exclude scripts running from trusted sites/URLs, e.g. Intranet sites.

                          In the meantime, making a copy of IE, excluding the copy from script scanning, and launching the copy to access Intranet applications is the best I can suggest, but we still haven't tested this at work yet, so I'm not completely sure that this works.

                          If you have time to try this, I'd like to hear of any success you have.
                          1 2 3 Previous Next