If your organization uses SAP, it's essential to understand the compatibility and support between antivirus and EDR in Microsoft Defender for Endpoint and your SAP applications. This article helps you understand the support provided by SAP for endpoint protection security solutions like Defender for Endpoint and how they interact with SAP applications.
This article describes how to use Microsoft Defender for Endpoint on Windows Server alongside SAP applications, such as NetWeaver and S/4HANA, and SAP standalone engines, such as LiveCache. In this article, we focus on antivirus and EDR capabilities in Defender for Endpoint. For an overview of all of the Defender for Endpoint capabilities, see Microsoft Defender for Endpoint.
This article doesn't cover SAP client software, such as SAPGUI or Microsoft Defender Antivirus on Windows client devices.
Enterprise security and your SAP Basis team
Enterprise security is a specialist role and the activities described in this article should be planned as a joint activity between your enterprise security team and the SAP Basis team. The enterprise security team needs to coordinate with the SAP Basis team and jointly design the Defender for Endpoint configuration and analyze any exclusions.
Get an overview of Defender for Endpoint
Defender for Endpoint is a component of Microsoft Defender XDR, and can be integrated with your SIEM/SOAR solution.
Before you begin to plan or deploy Defender for Endpoint on Windows Server with SAP, take a moment to get an overview of Defender for Endpoint. The following video provides an overview:
For more detailed information about Defender for Endpoint and Microsoft security offerings, see the following resources:
Defender for Endpoint includes capabilities that are beyond the scope of this article. In this article, we focus on two main areas:
Next-generation protection (which includes antivirus protection). Next-generation protection is an antivirus product like other antivirus solutions for Windows environments.
Endpoint Detection and Response (EDR). EDR capabilities detect suspicious activity and system calls, and provide an extra layer of protection against threats that bypassed antivirus protection.
SAP support statement on Defender for Endpoint and other security solutions
SAP provides basic documentation for conventional file scan antivirus solutions. Conventional file scan antivirus solutions compare file signatures against a database of known threats. When an infected file is identified, the antivirus software typically alerts and quarantines the file. The mechanisms and behavior of file scan antivirus solutions are reasonably well known and are predictable; therefore, SAP support can provide a basic level of support for SAP applications interacting with file scan antivirus software.
File-based threats are now only one possible vector for malicious software. Fileless malware and malware that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised devices are now common. Traditional antivirus security solutions aren't sufficient to stop such attacks. Capabilities backed by artificial intelligence (AI) and machine learning (ML), such as behavioral blocking and containment, are required. Security software such as Defender for Endpoint has advanced threat protection features to mitigate modern threats.
Defender for Endpoint continuously monitors operating system calls, such as file read, file write, create socket, and other process-level operations. The Defender for Endpoint EDR sensor acquires opportunistic locks on local NTFS file systems and is, therefore, unlikely to impact applications. Opportunistic locks aren't possible on remote network file systems. In rare cases, a lock could cause general, nonspecific errors, such as Access Denied, in SAP applications.
SAP isn't able to provide any level of support for EDR/XDR software like Microsoft Defender XDR or Defender for Endpoint. The mechanisms in such solutions are adaptive; therefore, they're not predictable. Further, issues are potentially not reproducible. When problems are identified on systems running advanced security solutions, SAP recommends disabling the security software and then attempting to reproduce the problem. A support case can then be raised with the security software vendor.
SAP applications on Windows Server: Top 10 recommendations
Limit access to SAP servers, block network ports, and take all other common security protection measures. This first step is essential. The threat landscape has evolved from file-based viruses to fileless, complex, and sophisticated threats. Actions such as blocking ports and limiting logon/access to VMs are no longer considered sufficient to fully mitigate modern threats.
Deploy Defender for Endpoint to nonproductive systems first before deploying to production systems. Deploying Defender for Endpoint directly to production systems without testing is highly risky and can lead to downtime. If you can't delay deploying Defender for Endpoint to your production systems, consider temporarily disabling tamper protection and real-time protection.
Remember that real-time protection is enabled by default in Windows Server. If problems are identified that might be related to Defender for Endpoint, it's recommended to configure exclusions and/or open a support case via the Microsoft Defender portal.
Have the SAP Basis team and your security team work together on Defender for Endpoint deployment. The two teams need to jointly create a phased deployment, testing, and monitoring plan.
Use tools like PerfMon (Windows) to create a performance baseline before deploying and activating Defender for Endpoint. Compare the performance utilization before and after activating Defender for Endpoint. See perfmon.
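The following script is an added example, not part of the article, of the baseline it recommends: it captures a fixed set of PerfMon counters on an SAP application server and summarizes them, so the same run can be repeated after Defender for Endpoint is activated and the two tables compared. It assumes Windows PowerShell run elevated on the SAP server, that SAP work processes run as disp+work.exe, and that the output path is a constructed placeholder.

```powershell
# Added example (not from the article): capture a PerfMon counter baseline on an SAP
# application server so the same script can be run before and after activating
# Defender for Endpoint and the two summaries compared.
# Assumptions: Windows PowerShell run elevated on the SAP server; SAP work processes
# run as disp+work.exe; MsMpEng.exe (antivirus engine) and MsSense.exe (EDR sensor)
# may be absent before onboarding, which is tolerated.
param(
    [ValidateSet('before', 'after')] [string] $Phase = 'before',
    [string] $OutDir = 'C:\PerfBaseline',      # constructed path, adjust as needed
    [int] $SampleIntervalSec = 15,
    [int] $MaxSamples = 240                     # 240 x 15 s = one hour of samples
)

$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Process(MsMpEng)\% Processor Time',       # Microsoft Defender Antivirus engine
    '\Process(MsSense)\% Processor Time',       # Defender for Endpoint EDR sensor
    '\Process(disp+work*)\% Processor Time',    # every SAP work process instance
    '\LogicalDisk(_Total)\Avg. Disk sec/Read',
    '\LogicalDisk(_Total)\Avg. Disk sec/Write',
    '\Memory\Available MBytes'
)

# Keep only counters that can be read right now (Defender processes are absent before onboarding)
$available = $counters | Where-Object { Get-Counter -Counter $_ -MaxSamples 1 -ErrorAction SilentlyContinue }

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$sets = Get-Counter -Counter $available -SampleInterval $SampleIntervalSec -MaxSamples $MaxSamples

# Flatten to one row per counter per sample and keep the raw data for PerfMon or Excel
$rows = foreach ($set in $sets) {
    foreach ($s in $set.CounterSamples) {
        [pscustomobject]@{ Time = $set.Timestamp; Counter = $s.Path; Value = $s.CookedValue }
    }
}
$rows | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "$Phase.csv")

# Per-counter average and peak: this is the table to compare between the two phases
$rows | Group-Object Counter | ForEach-Object {
    $m = $_.Group | Measure-Object -Property Value -Average -Maximum
    [pscustomobject]@{
        Phase   = $Phase
        Counter = $_.Name
        Avg     = [math]::Round($m.Average, 2)
        Max     = [math]::Round($m.Maximum, 2)
    }
} | Sort-Object Counter | Format-Table -AutoSize
```

Run it once with -Phase before during a representative SAP workload, then again with -Phase after under the same workload; a rise in MsMpEng or disp+work CPU or in disk latency is the signal to analyze exclusions with the Basis team.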
To use Defender for Endpoint security settings management, in the Microsoft Defender portal, go to Endpoints > Configuration management > Endpoint security policies, and then select Create new Policy. For more information, see Manage endpoint security policies in Microsoft Defender for Endpoint.
Use the latest release of Defender for Endpoint. Several new features are being implemented in Defender for Endpoint on Windows, and these features were tested with SAP systems. These new features reduce blocking and lower CPU consumption. For more information about new features, see What's new in Microsoft Defender for Endpoint.
Deployment methodology
Neither SAP nor Microsoft recommends deploying Defender for Endpoint on Windows directly to all development, QAS, and production systems simultaneously, or without careful testing and monitoring. Customers who deployed Defender for Endpoint and similar software in an uncontrolled manner without adequate testing experienced system downtime as a result.
Defender for Endpoint on Windows and any other software or configuration change should be deployed into development systems first, validated in QAS, and only then deployed into production environments.
Exclude DBMS files and executables following your DBMS vendor recommendations.
Analyze SAPMNT, SAP TRANS_DIR, Spool, and Job Log directories. If there are more than 100,000 files, consider archiving to reduce the number of files.
Confirm the performance limits and quotas of the shared file system used for SAPMNT. The SMB share source could be a NetApp appliance, a Windows Server shared disk, or Azure Files SMB.
Configure exclusions so that all SAP application servers aren't scanning the SAPMNT share simultaneously, as it could overload your shared storage server.
In general, host interface files on a dedicated non-SAP file server. Interface files are recognized as an attack vector. Real-time protection should be activated on this dedicated file server. SAP Servers should never be used as file servers for interface files.
Note
Some large SAP systems have more than 20 SAP application servers each with a connection to the same SAPMNT SMB share. 20 application servers simultaneously scanning the same SMB server may overload the SMB server. It is recommended to exclude SAPMNT from regular scans.
Important configuration settings for Defender for Endpoint on Windows Server with SAP
The term Defender is sometimes used to refer to an entire suite of products and solutions. See What is Microsoft Defender XDR?. In this article, we focus on antivirus and EDR capabilities in Defender for Endpoint.
Check the status of Microsoft Defender Antivirus. Open Command Prompt, and run the following PowerShell commands:
Make sure that Microsoft Defender Antivirus is up to date. The best way to make sure your antivirus protection is up to date is by using Windows Update. If you encounter issues or get an error, contact your security team.
Make sure behavior monitoring is turned on. When tamper protection is enabled, behavior monitoring is turned on by default. Use the default configuration of tamper protection enabled, behavior monitoring enabled, and real-time monitoring enabled unless a specific problem is identified.
Make sure real-time protection is enabled. The current recommendation for Defender for Endpoint on Windows is to enable real-time scanning, with tamper protection enabled, behavior monitoring enabled, and real-time monitoring enabled, unless a specific problem is identified.
Keep in mind how scans work with network shares. By default, the Microsoft Defender Antivirus component on Windows scans SMB shared network file systems (for example, a Windows server share \\server\smb-share or a NetApp share) when these files are accessed by processes.
Defender for Endpoint EDR on Windows might scan SMB shared network file systems. The EDR sensor scans certain files that are identified as interesting for EDR analysis during file modification, delete, and move operations.
Defender for Endpoint on Linux doesn't scan NFS file systems during scheduled scans.
Troubleshoot sensor health or reliability issues. To troubleshoot such issues, use the Defender for Endpoint Client Analyzer tool. The Defender for Endpoint Client Analyzer can be useful when diagnosing sensor health or reliability issues on onboarded devices running Windows, Linux, or macOS. Get the latest version of the Defender for Endpoint Client Analyzer here: https://aka.ms/MDEAnalyzer.
If you're using production SAP VMs with Microsoft Defender for Cloud, keep in mind that Defender for Cloud deploys the Defender for Endpoint extension to all VMs. If a VM isn't onboarded to Defender for Endpoint, it could be used as an attack vector. If you need more time to test Defender for Endpoint before deploying to your production environment, contact support.
Useful Commands: Microsoft Defender for Endpoint with SAP on Windows Server
The following sections describe how to confirm or configure Defender for Endpoint settings by using PowerShell and Command Prompt:
Update Microsoft Defender Antivirus definitions manually
EDR in block mode provides added protection from malicious artifacts when Microsoft Defender Antivirus isn't the primary antivirus product and is running in passive mode. You can determine whether EDR in block mode is enabled by running the following command:
PowerShell
Get-MpComputerStatus | Select-Object AMRunningMode
There are two modes: Normal and Passive Mode. Testing with SAP systems was done only with AMRunningMode = Normal.
Before you configure exclusions, make sure that the SAP Basis team coordinates with your security team. Exclusions should be configured centrally and not at the VM level. Exclusions such as the shared SAPMNT file system should be excluded via a policy using the Intune admin portal.
It isn't recommended to exclude files, paths, or processes from EDR, because such exclusions compromise the protection against modern nonfile-based threats. If necessary, open a support case with Microsoft Support via the Microsoft Defender portal, specifying the executables and/or paths to exclude. See Contact Microsoft Defender for Endpoint support.
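The script below is an added example, not from the article, that turns the status checks listed above (running mode, real-time protection, behavior monitoring, tamper protection, signature freshness) and the exclusion guidance into one read-only audit the SAP Basis and security teams can run on each SAP server before and after deployment; it assumes an elevated session on an onboarded Windows Server and treats the SAPMNT UNC path as a placeholder.

```powershell
# Added example (not from the article): audit the Defender for Endpoint settings the
# article asks for on an SAP application server and list the antivirus exclusions in
# effect so they can be compared with the DBMS vendor list and the central policy.
# It only reads settings; exclusions themselves stay managed centrally (Intune).
# Assumptions: run elevated on an onboarded Windows Server; $SapmntPath is a placeholder.

$SapmntPath          = '\\<sapglobalhost>\sapmnt'   # placeholder UNC path of your SAPMNT share
$MaxSignatureAgeDays = 2

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# One row per check: what was observed and whether it matches the recommended default
$checks = @(
    [pscustomobject]@{ Check = 'AMRunningMode is Normal';      Value = $status.AMRunningMode;             Ok = ($status.AMRunningMode -eq 'Normal') }
    [pscustomobject]@{ Check = 'Antivirus enabled';            Value = $status.AntivirusEnabled;          Ok = $status.AntivirusEnabled }
    [pscustomobject]@{ Check = 'Real-time protection enabled'; Value = $status.RealTimeProtectionEnabled; Ok = $status.RealTimeProtectionEnabled }
    [pscustomobject]@{ Check = 'Behavior monitoring enabled';  Value = $status.BehaviorMonitorEnabled;    Ok = $status.BehaviorMonitorEnabled }
    [pscustomobject]@{ Check = 'Tamper protection enabled';    Value = $status.IsTamperProtected;         Ok = $status.IsTamperProtected }
    [pscustomobject]@{ Check = "Signatures not older than $MaxSignatureAgeDays days"
                       Value = $status.AntivirusSignatureLastUpdated
                       Ok    = ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays) }
)
$checks | Format-Table -AutoSize

# Exclusions currently in effect (values pushed by policy appear here as well)
'Path exclusions:';      $pref.ExclusionPath
'Process exclusions:';   $pref.ExclusionProcess
'Extension exclusions:'; $pref.ExclusionExtension

# The SAPMNT share should be excluded from scanning to avoid overloading the SMB server
if ($pref.ExclusionPath -notcontains $SapmntPath) {
    Write-Warning "SAPMNT share $SapmntPath is not in the path exclusions"
}

# Bring signatures up to date if that check failed, then report the overall result
if (-not ($checks | Where-Object Check -like 'Signatures*').Ok) { Update-MpSignature }
$failed = $checks | Where-Object { -not $_.Ok }
if ($failed) { Write-Warning ("{0} check(s) deviate from the recommended default" -f @($failed).Count); exit 1 }
'All Defender for Endpoint checks match the recommended default.'
```

The nonzero exit code lets the audit gate a phased rollout (development, then QAS, then production) in a deployment pipeline.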
Completely disable Defender for Endpoint on Windows for testing purposes
Caution
It is not recommended to disable security software unless there is no alternative to solve or isolate a problem.
Defender for Endpoint should be configured with tamper protection turned on. To temporarily disable Defender for Endpoint to isolate problems, use troubleshooting mode.
To shut down various subcomponents of the Microsoft Defender Antivirus solution, run the following commands: