
Security Center: Enable features on the Host Protection Settings tab

Last Updated:Oct 28, 2024

Security Center provides host protection features such as Malicious Host Behavior Prevention, anti-ransomware, and webshell prevention that you can enable to protect your servers. This topic describes the features on the Host Protection Settings tab, the editions that support each feature, and how to enable them.

Proactive Defense

Overview

Proactive defense automatically intercepts common viruses, malicious network connections, and webshell connections. Proactive defense also allows you to use bait to capture ransomware. The following table describes the features of proactive defense.

Malicious Host Behavior Prevention

Supported edition: Anti-virus, Advanced, Enterprise, and Ultimate

The Malicious Host Behavior Prevention feature automatically detects and removes common malware, such as ransomware, DDoS trojans, mining programs, trojans, webshells, and worms.

After you purchase Security Center Anti-virus or higher, Security Center automatically enables the Malicious Host Behavior Prevention feature for all your servers.

Feature differences among Security Center editions

  • Security Center Anti-virus can automatically block common viruses, such as trojans and mining programs.

  • Security Center Advanced, Enterprise, and Ultimate provide more comprehensive defense. These editions intercept common attack techniques catalogued in the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, intercept large-scale intrusions against common services and applications, block the file-encryption behavior of common ransomware, and support custom rules to protect hosts. For more information about custom defense rules, see Malicious behavior defense.

Note

A computer virus is a type of malicious program that writes its code into legitimate program files so that it runs whenever those programs run. As a result, a large number of legitimate programs, including system binaries, become infected and are detected as virus hosts. Quarantining such a file terminates the process that runs it; if that process is a system process, system stability is at risk. For this reason, Security Center does not automatically quarantine infected files that it classifies as computer viruses. You must review and handle these alerts manually.

Anti-ransomware (Bait Capture)

Supported edition: Anti-virus, Advanced, Enterprise, and Ultimate

This feature plants bait files on your servers to capture new ransomware variants and analyzes their behavior patterns to protect your servers.

The bait files that are configured on your servers by Security Center are used only to capture new types of ransomware. The files do not interrupt your services. You can click Precision defense below Alert Type on the Alerts page to view the removed ransomware.

Webshell Prevention

Supported edition: Enterprise and Ultimate

After you enable this feature, Security Center automatically intercepts suspicious connections that are initiated by known webshells and quarantines related files. You can view the related alerts and quarantined files on the Alerts page. For more information, see View and handle alerts and View and restore quarantined files.

Note

After you purchase Security Center Enterprise or Ultimate, Security Center automatically enables the webshell prevention feature for all your servers.

Malicious Network Behavior Prevention

Supported edition: Advanced, Enterprise, and Ultimate

After you enable this feature, Security Center blocks abnormal network connections between your servers and publicly disclosed malicious sources, such as known command-and-control and attack infrastructure. This reinforces the security of your servers.

User Experience Optimization in Proactive Defense

Supported edition: Enterprise and Ultimate

After you enable this feature, Security Center collects the kdump (kernel crash dump) data of a server when the server unexpectedly shuts down or the defense capability becomes unavailable, and uses the data to analyze and improve the protection capability of Security Center.

Note

If all features in the Proactive Defense section are disabled, Security Center sends alerts only when viruses are detected. You must log on to the Security Center console and manually handle the alerts. We recommend that you enable all features in the Proactive Defense section to reinforce the security of servers. For more information, see View and handle alerts.
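The following Python script is added here to illustrate how bait capture works in principle; it is not Security Center code and makes no claim about how the Security Center agent places or monitors its bait files. It plants decoy files whose names sort first in a directory (an assumption of the example), records a baseline hash for each one, and later reports any decoy that was deleted, renamed, rewritten, or encrypted. Encryption is inferred from the Shannon entropy of the new content, since ciphertext is close to 8 bits per byte while documents are well below that. The "attacker" is a constructed simulation that XORs the files with a fixed keystream and renames one of them.

```python
import hashlib
import math
import random
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Decoy names chosen to sort first in a directory listing, so a ransomware file walker
# reaches them before real data. The names and placement are assumptions of this example.
DECOY_NAMES = ["!!_invoice_2023.xlsx", "00_passwords.txt", "aaa_backup.docx"]
DECOY_CONTENT = b"DECOY FILE - any change to this file indicates ransomware activity.\n" * 32


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plaintext documents sit well below 7, ciphertext is close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def plant_decoys(root: Path) -> Dict[str, str]:
    """Write the decoy files and record a baseline SHA-256 for each one."""
    baseline = {}
    for name in DECOY_NAMES:
        (root / name).write_bytes(DECOY_CONTENT)
        baseline[name] = hashlib.sha256(DECOY_CONTENT).hexdigest()
    return baseline


def check_decoys(root: Path, baseline: Dict[str, str]) -> List[dict]:
    """Return one finding per decoy that is missing, renamed, rewritten or encrypted."""
    findings = []
    for name, digest in baseline.items():
        p = root / name
        if not p.exists():
            # Many ransomware families write ciphertext to a new name (e.g. *.locked)
            # and unlink the original, so look for a renamed copy.
            renamed = sorted(q.name for q in root.iterdir() if q.name.startswith(name))
            findings.append({"decoy": name, "event": "missing", "renamed_to": renamed})
            continue
        data = p.read_bytes()
        if hashlib.sha256(data).hexdigest() == digest:
            continue
        entropy = shannon_entropy(data)
        findings.append({"decoy": name,
                         "event": "encrypted" if entropy > 7.0 else "modified",
                         "entropy": round(entropy, 2)})
    return findings


def simulate_ransomware(root: Path) -> None:
    """Constructed attacker behaviour for the demo: XOR every file with a fixed keystream
    (stands in for real encryption) and rename the first decoy with a .locked suffix."""
    rng = random.Random(1234)
    keystream = bytes(rng.getrandbits(8) for _ in range(len(DECOY_CONTENT)))
    for p in sorted(root.iterdir()):
        data = p.read_bytes()
        p.write_bytes(bytes(a ^ b for a, b in zip(data, keystream)))
    first = root / DECOY_NAMES[0]
    first.rename(first.with_name(first.name + ".locked"))


def demo() -> Tuple[List[dict], List[dict]]:
    """Plant decoys in a temporary directory, verify they are clean, then run the simulation."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline = plant_decoys(root)
        clean = check_decoys(root, baseline)
        simulate_ransomware(root)
        hit = check_decoys(root, baseline)
    return clean, hit


if __name__ == "__main__":
    clean, hit = demo()
    print("before attack:", clean)
    for finding in hit:
        print("after attack:", finding)
```

In a real deployment the check would be driven by a file-system notification (inotify on Linux) rather than a polling comparison, and the response on a hit would be to suspend the writing process, which is the point of bait: the decoys are touched before valuable data, so the process is stopped early. This is also why the page says not to treat the bait files as service data.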

Enable the features of proactive defense

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose System Configuration > Feature Settings.

  3. On the Settings > Host Protection Settings tab, turn on Malicious Host Behavior Prevention, Anti-ransomware (Bait Capture), Webshell Prevention, and Malicious Network Behavior Prevention in the Proactive Defense section.

    After a switch is turned on, Security Center automatically blocks the programs and processes that are related to detected malware and intercepts suspicious connections on the servers within the detection scope of that feature.

  4. Click Manage to the right of each feature to configure the detection scope. In the panel that appears, select the servers for which you want to enable the feature and click OK.

  5. Optional. Select User Experience Optimization in Proactive Defense.

    After you select this option, Security Center collects diagnostic data (kdump data) from a server when the server unexpectedly shuts down or protection becomes unavailable. We recommend that you select this option so that such failures can be analyzed and the protection of your servers improved.

What to do next

You can view the malware that is quarantined by proactive defense in the list of precision defense alerts on the Alerts page. To view the alerts, select Handled from the status drop-down list and click Precision defense below Alert Type.

Note

False positives or quarantine failures may occur after you turn on Malicious Host Behavior Prevention, Anti-ransomware (Bait Capture), and Webshell Prevention.

  • If some files are quarantined due to false positives, you can restore the quarantined files in the Quarantined Files panel. For more information, see View and restore quarantined files.

  • You can manually quarantine files that Security Center fails to quarantine on the Alerts page. For more information, see View and handle alerts.

Webshell Detection and Removal

The webshell detection and removal feature uses engines developed by Alibaba Cloud to scan for common webshell files. It supports scheduled scan tasks, provides real-time protection, and allows you to quarantine webshell files with one click. The feature scans servers and web directories for webshells and trojans at regular intervals. Security Center runs webshell detection tasks on your servers and generates alerts only after you enable webshell detection and removal for those servers. The following list explains how webshells are detected and removed:

  • Security Center scans the entire web directory once a day, early in the morning. If a file in the web directory changes, Security Center immediately scans the changed file for webshells.

  • You can specify the assets on which Security Center scans for webshells.

  • You can quarantine, restore, or ignore the detected trojan files.

Note

Security Center Basic detects only some types of webshells. If you want to detect all types of webshells, we recommend that you upgrade Security Center Basic to the Anti-virus, Advanced, Enterprise, or Ultimate edition. For more information, see Upgrade and downgrade Security Center.
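The following Python script is added to illustrate the scan, quarantine, and restore workflow described above. It is not the Alibaba Cloud detection engine or agent code: the signature set is a constructed handful of regular expressions for common PHP, JSP, and ASP webshell patterns (real engines use far larger rule sets plus behavioral detection), and the web root, quarantine directory, and sample files are constructed inside a temporary directory. Quarantine moves a file out of the web root and records its original path and SHA-256 hash in a manifest so that a false positive can be restored, and the restore path verifies the hash before moving the file back. The changed_since parameter models the page's "rescan immediately when a file changes" behavior by filtering on modification time.

```python
import hashlib
import json
import re
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed signature set for illustration only.
SIGNATURES = [
    ("php_eval_of_request",
     re.compile(rb"\beval\s*\(\s*(base64_decode\s*\()?\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("php_exec_of_request",
     re.compile(rb"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("php_dynamic_call", re.compile(rb"\$_(GET|POST|REQUEST)\[[^\]]+\]\s*\(", re.I)),
    ("jsp_runtime_exec",
     re.compile(rb"Runtime\.getRuntime\(\)\.exec\s*\(.*request\.getParameter", re.I | re.S)),
    ("asp_eval_request", re.compile(rb"\b(eval|execute)\s*\(?\s*request\s*\(", re.I)),
]
WEB_EXTENSIONS = {".php", ".phtml", ".php5", ".jsp", ".jspx", ".asp", ".aspx"}


def scan_file(path: Path) -> List[str]:
    """Names of the signatures that match the file content."""
    data = path.read_bytes()
    return [name for name, rx in SIGNATURES if rx.search(data)]


def scan_tree(webroot: Path, changed_since: float = 0.0) -> Dict[Path, List[str]]:
    """Full scan when changed_since is 0; otherwise only files modified at or after that time."""
    hits: Dict[Path, List[str]] = {}
    for p in webroot.rglob("*"):
        if p.is_file() and p.suffix.lower() in WEB_EXTENSIONS and p.stat().st_mtime >= changed_since:
            matched = scan_file(p)
            if matched:
                hits[p] = matched
    return hits


def quarantine(path: Path, qdir: Path) -> Path:
    """Move the file out of the web root and record where it came from so it can be restored."""
    qdir.mkdir(parents=True, exist_ok=True)
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    dest = qdir / f"{digest}.quarantined"
    shutil.move(str(path), str(dest))
    manifest = {"original": str(path), "sha256": digest, "time": time.time()}
    (qdir / f"{digest}.json").write_text(json.dumps(manifest))
    return dest


def restore(dest: Path) -> Path:
    """Undo a quarantine (for a false positive), refusing if the stored file was altered."""
    manifest_path = dest.with_suffix(".json")
    meta = json.loads(manifest_path.read_text())
    if hashlib.sha256(dest.read_bytes()).hexdigest() != meta["sha256"]:
        raise ValueError("quarantined file no longer matches the recorded hash")
    original = Path(meta["original"])
    shutil.move(str(dest), str(original))
    manifest_path.unlink()
    return original


def demo() -> Tuple[List[str], List[str], bool]:
    """Constructed web root: one benign page and two webshells. Returns
    (detected file names, files left in the web root after quarantine, restore succeeded)."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot, qdir = Path(tmp) / "www", Path(tmp) / "quarantine"
        webroot.mkdir()
        (webroot / "index.php").write_bytes(b"<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>")
        (webroot / "upload.php").write_bytes(b"<?php @eval(base64_decode($_POST['cmd'])); ?>")
        (webroot / "cmd.jsp").write_bytes(b'<% Runtime.getRuntime().exec(request.getParameter("c")); %>')
        detected = sorted(p.name for p in scan_tree(webroot))
        quarantined = [quarantine(p, qdir) for p in scan_tree(webroot)]
        remaining = sorted(p.name for p in webroot.iterdir())
        restored = restore(quarantined[0])  # operator decided one hit was a false positive
        return detected, remaining, restored.exists()


if __name__ == "__main__":
    print(demo())
```

The hash check on restore matters in practice: a quarantine directory that is writable by the web server account would let an attacker swap in a different payload and have the operator's "restore" put it back into the web root. Keep the quarantine location outside every served path and writable only by the agent.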

Enable webshell detection and removal for servers

Security Center enables the webshell detection and removal feature by default for servers on which the Security Center agent is installed. We recommend that you keep the feature enabled for servers that provide public web services. If a server is completely isolated from the Internet and serves no web content, you can follow these steps to disable the feature for that server.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose System Configuration > Feature Settings.

  3. On the Settings > Host Protection Settings tab, click Manage in the Webshell Detection and Removal section.

  4. In the Configure Servers for Webshell Detection and Removal panel, clear the check boxes of the servers for which you want to disable webshell detection and removal, and click OK.

Handle webshell alerts

After you enable webshell detection and removal for your servers, Security Center generates alerts of the Webshell type on the Alerts page when it detects webshell files on your servers. An unhandled webshell gives an attacker persistent remote command execution on the server, so we recommend that you handle these alerts at the earliest opportunity.

Note

The one-click webshell alert handling feature is not available in the Basic edition of Security Center. Users of the Anti-virus edition or higher can isolate the detected webshell files with one click in the console. For more information, see View and handle alerts.


Dynamic adaptive threat detection capability

By default, the adaptive threat detection feature is disabled. You must manually enable the feature. If Security Center detects a high-risk intrusion on your server after the adaptive threat detection feature is enabled, Security Center automatically enables the strict alert mode for your server for seven days. In this mode, all protection rules and security engines are enabled to detect intrusions in a more comprehensive manner.

Note

If you manually configure a protection mode for a server during the seven-day period, the server runs in the mode that you configured, and the automatic seven-day window no longer applies. After the seven days elapse, the server is not switched back automatically; it continues to run in the mode that you configured.
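The following Python model is added to make the precedence rules above explicit; it is an illustration, not Security Center code, and the dates are constructed. A manual choice always wins; otherwise a strict window opened by adaptive detection applies for seven days; otherwise the server runs in the default Balanced Mode. The last step of the timeline shows the edge case in the note: a manual setting made inside the window persists after the window would have expired.

```python
from datetime import datetime, timedelta
from typing import List, Optional

STRICT_WINDOW = timedelta(days=7)
MODES = ("balanced", "strict")


class ServerAlertMode:
    """Alert-mode policy for one server (illustrative model of the page's rules)."""

    def __init__(self, adaptive_enabled: bool = False) -> None:
        self.adaptive_enabled = adaptive_enabled      # off by default, as on the page
        self.manual_mode: Optional[str] = None        # set by the operator in the console
        self.strict_until: Optional[datetime] = None  # set by adaptive threat detection

    def on_high_risk_intrusion(self, now: datetime) -> bool:
        """Adaptive detection fires: open a seven-day strict window. Returns whether it did."""
        if not self.adaptive_enabled:
            return False
        self.strict_until = now + STRICT_WINDOW
        return True

    def set_manual_mode(self, mode: str) -> None:
        """Operator pins a mode; the automatic window is void from this point on."""
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.manual_mode = mode
        self.strict_until = None

    def effective_mode(self, now: datetime) -> str:
        if self.manual_mode is not None:
            return self.manual_mode
        if self.strict_until is not None and now < self.strict_until:
            return "strict"
        return "balanced"


def demo() -> List[str]:
    """Timeline for one server with adaptive detection enabled (constructed dates)."""
    t0 = datetime(2024, 10, 1, 9, 0)
    server = ServerAlertMode(adaptive_enabled=True)
    timeline = [server.effective_mode(t0)]                            # balanced by default
    server.on_high_risk_intrusion(t0)
    timeline.append(server.effective_mode(t0 + timedelta(days=3)))    # strict, inside the window
    timeline.append(server.effective_mode(t0 + timedelta(days=7)))    # balanced again, window over
    server.on_high_risk_intrusion(t0 + timedelta(days=10))
    server.set_manual_mode("strict")                                  # operator pins a mode during the window
    timeline.append(server.effective_mode(t0 + timedelta(days=60)))   # still strict: manual choice persists
    return timeline


def disabled_demo() -> List[str]:
    """With adaptive detection off (the default), a high-risk intrusion changes nothing."""
    t0 = datetime(2024, 10, 1, 9, 0)
    server = ServerAlertMode()
    fired = server.on_high_risk_intrusion(t0)
    return [str(fired), server.effective_mode(t0 + timedelta(days=1))]


if __name__ == "__main__":
    print("adaptive on :", demo())
    print("adaptive off:", disabled_demo())
```

The practical consequence for operators: if you switch a server to Strict Mode by hand while responding to an incident, remember to switch it back yourself, because the seven-day automatic revert only applies to windows that adaptive detection opened.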

Limits

Only the Enterprise and Ultimate editions of Security Center support this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

Enable adaptive threat detection

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose System Configuration > Feature Settings.

  3. On the Settings > Host Protection Settings tab, turn on Dynamic Adaptive Threat Detection in the Adaptive Threat Detection Capability section.

    Note

    If you have not authorized Security Center to access your cloud resources, complete the authorization by following the on-screen instructions. After the authorization succeeds, Resource Access Management (RAM) automatically creates a service-linked role named AliyunServiceRoleForSas, which Security Center assumes to access and protect your cloud resources. For more information, see Service-linked roles for Security Center.

Alert Settings

Security Center supports different alert modes for servers to meet the security requirements of different scenarios. By default, Security Center enables Balanced Mode for all servers that are added to Security Center. In this mode, Security Center detects as many risks as possible while keeping the false positive rate low; the mode has been tuned and tested by Alibaba Cloud security experts.

Change the alert mode

If you want to detect risks on servers in a stricter manner, you can change the alert mode to Strict Mode for the servers.

Important

After Strict Mode is enabled, Security Center detects more suspicious behavior and generates more alerts, at the cost of a higher false positive rate. We recommend that you enable this mode during high-risk periods, such as major events, when you have the capacity to triage the additional alerts.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose System Configuration > Feature Settings.

  3. On the Settings > Host Protection Settings tab, click Manage to the right of Protected Assets for Strict Mode in the Alert Settings section.

  4. Select the servers for which you want to enable Strict Mode and click OK.
