Host-based security software such as the Security Center agent monitors host security, detects and removes viruses and scripts, and identifies malicious command execution. If this software is uninstalled without authorization, the cloud security service can no longer protect the affected hosts.
Security risks of unauthorized uninstallation
When the Security Center agent is removed from a host without authorization, the following threats go undetected:
Insider threats: An employee who intends to perform unauthorized operations may first uninstall the security software to avoid triggering alerts.
Post-intrusion tampering: After gaining access to a host, an attacker can uninstall the security software so that intrusion alerts are no longer sent to security engineers.
Malware persistence: Without the agent, activities such as worm propagation, trojan installation, webshell persistence, and data exfiltration generate no alerts.
Switch IPS rules from Monitor to Block
The IPS rules that prevent uninstallation of the Security Center agent are in Monitor mode, which means they do not block uninstallation attempts. To block uninstallation of the agent in the cloud, perform the following steps:
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the tab, change the action of some or all related rules from Monitor to Block. This prevents or minimizes the impacts described above.

Verify the configuration
After you switch the rules to Block mode, confirm that the rule status displays Block on the Basic Protection tab.