The agentless detection feature uses agentless technology to detect security risks on Elastic Compute Service (ECS) instances. You do not need to install the Security Center agent. The feature supports non-intrusive security checks to detect vulnerabilities, baseline risks, and alerts on ECS instances that are in the shutdown, idle, or heavily loaded state. The feature does not affect the performance of ECS instances. This topic describes how to use the agentless detection feature.
Scenarios
You can perform comprehensive security checks on the system disk and data disks of an ECS instance on which the Security Center agent is not installed.
Billing
The agentless detection feature uses the pay-as-you-go billing method, and you are charged based on the amount of data that is scanned. The system generates a bill on the next day after you use the feature to scan data. For more information, see Billing overview.
If you create a detection task for an ECS instance, the system creates an image of the ECS instance. You are charged for the image based on the size and storage period of the image, and the fees are included in ECS bills. For more information, see Images.
Limits
Item | Description |
Asset type | The agentless detection feature supports Alibaba Cloud ECS instances, disk snapshots, and images. |
Region | The agentless detection feature is supported in the following regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Shenzhen), China (Zhangjiakou), China (Chengdu), China (Hong Kong), Singapore, and US (Virginia). |
Operating system | The agentless detection feature supports various check items for different operating systems. |
Encrypted disk | The agentless detection feature cannot check encrypted system disks or data disks. |
Disk | |
File system | |
Detection task | |
Risk handling | The agentless detection feature can detect but cannot fix vulnerabilities, baseline risks, malicious files, and sensitive files. If risks are detected, you must manually handle the risks based on the information provided on the risk details page. |
Retention period of check results | |
Step 1: Purchase the agentless detection feature by using the pay-as-you-go billing method and complete authorization
Log on to the Security Center console. In the top navigation bar, select the region of the assets that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
On the Agentless Detection page, click Activate Now.
In the dialog box that appears, read and select I have read and agree to Security Center (Pay-as-you-go) Terms of Service. Then, click Activate Now.
If the AliyunServiceRoleForSas service-linked role is not created, click Authorize Now and complete authorization as prompted.
After the authorization is complete, Security Center automatically creates the AliyunServiceRoleForSas service-linked role. For more information about the AliyunServiceRoleForSas service-linked role, see Service-linked roles for Security Center.
Step 2: Create a detection task
After you create a detection task for your ECS instance, the system creates an image of the ECS instance. Then, the system scans data in the image to check whether risks such as vulnerabilities, alerts, baseline risks, and sensitive files exist on the ECS instance.
Create an immediate detection task
After you create a detection task for your ECS instance, Security Center automatically creates an image of the ECS instance and then scans the image. The time required to complete the task increases with the volume of data that needs to be scanned.
Server Check
On the Agentless Detection page, click the Server Check tab and then click Create Detection Task.
In the Create Detection Task panel, select the servers that you want to scan and click Next.
Configure the Scan Scope and Image Storage Time parameters. Valid values of the Image Storage Time parameter: 1 to 365. Unit: days. Click Next.
Note: We recommend that you set the Scan Scope parameter to Data Disk. A complete data source improves the performance of detection, such as the detection of vulnerabilities and alerts.
You are charged for images that are created. A longer retention period of the images leads to higher fees. You can select Retain Only At-risk Snapshots or Images based on your business requirements. If you select Retain Only At-risk Snapshots or Images, an image that is created by the task is immediately released if no risks are detected, and only at-risk images are retained. This reduces storage costs.
Click Go to Task List to view the progress of the task.
Custom Image Check
On the Agentless Detection page, click the Custom Image Check tab and then click Create Detection Task.
In the Custom Image Check-Create Detection Task panel, select the images that you want to scan and click OK.
Create a periodic detection task
In the upper-right corner of the Agentless Detection page, click Scan Configuration.
In the Scan Configuration panel, configure the Baseline Check Scope, Vulnerability Detection Scope, Scan Object, Scan Cycle, Scan Assets, Scan Scope, and Snapshot/Image Storage Time parameters. You can select or clear Retain Only At-risk Snapshots or Images based on your business requirements.
Click Save.
Automatically created image
Each time you create a detection task for an ECS instance, the system automatically creates an image of the ECS instance. The image name starts with SAS_Agentless_. After the image is created, the image is automatically shared with the Security Center service account whose ID is 182*********0517 or 160*********0463. In this way, Security Center can perform security scans on data from your ECS instance.
The sharing process does not generate fees. Security Center uses only the shared image for security scanning. When the image is deleted or automatically released, the sharing is also canceled.
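The images that detection tasks create are named with the SAS_Agentless_ prefix and are billed for as long as they are retained, so it is worth checking periodically that none have outlived the Image Storage Time you configured. The following is an added example, not code from the Alibaba Cloud documentation or the Security Center product: it assumes you have already fetched the ECS DescribeImages response for a region as a Python dict, and the Images.Image[] layout with ImageId, ImageName and CreationTime fields is an assumption about that API's response shape. The sample response and its IDs are constructed.

```python
"""Flag SAS_Agentless_ images that have outlived the configured Image Storage Time.

Added example; assumes a DescribeImages-style response dict (Images.Image[] with
ImageId, ImageName, CreationTime). The image IDs and timestamps below are constructed.
"""
from datetime import datetime, timedelta, timezone

IMAGE_PREFIX = "SAS_Agentless_"  # prefix given in the documentation for auto-created images


def parse_creation_time(value: str) -> datetime:
    # Assumed timestamp format: ISO 8601 in UTC, e.g. "2024-05-01T08:30:00Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_expired_agentless_images(describe_images_response: dict, storage_days: int, now: datetime) -> list:
    """Return IDs of SAS_Agentless_ images created more than storage_days before `now`.

    storage_days mirrors the Image Storage Time parameter (valid range 1 to 365 days).
    Images without the prefix (golden images, custom images) are ignored.
    """
    if not 1 <= storage_days <= 365:
        raise ValueError("Image Storage Time must be between 1 and 365 days")
    cutoff = now - timedelta(days=storage_days)
    expired = []
    for image in describe_images_response.get("Images", {}).get("Image", []):
        name = image.get("ImageName", "")
        if not name.startswith(IMAGE_PREFIX):
            continue
        if parse_creation_time(image["CreationTime"]) < cutoff:
            expired.append(image["ImageId"])
    return expired


# Constructed sample response (not real image IDs).
SAMPLE_RESPONSE = {
    "Images": {
        "Image": [
            {"ImageId": "m-example0001", "ImageName": "SAS_Agentless_i-example-a",
             "CreationTime": "2024-01-01T00:00:00Z"},
            {"ImageId": "m-example0002", "ImageName": "SAS_Agentless_i-example-b",
             "CreationTime": "2024-03-10T00:00:00Z"},
            {"ImageId": "m-example0003", "ImageName": "golden-base-image",
             "CreationTime": "2023-06-01T00:00:00Z"},
        ]
    }
}

if __name__ == "__main__":
    check_time = datetime(2024, 3, 15, tzinfo=timezone.utc)
    # With a 30-day storage time only the January image is past its retention window.
    print(find_expired_agentless_images(SAMPLE_RESPONSE, storage_days=30, now=check_time))
```

Any image ID this returns is one whose retention has passed; compare the list against what the console still shows before deleting anything, since deleting an image also cancels its sharing with the Security Center service account.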
Step 3: View the progress of the detection task
Before you can view the results of the detection task that you create, make sure that the task is complete. You can view the progress of a detection task to check whether the task is complete.
Server Check
In the upper-right corner of the Agentless Detection page, click Task Management.
In the Task Management panel, click the Server Check tab to view the progress and status of the task.
Find the task whose details you want to view and click Details in the Actions column. In the Task Details panel, check whether the name of the ECS instance that you specify in Step 2 is displayed, and view the status of the task on the ECS instance.
Custom Image Check
In the upper-right corner of the Agentless Detection page, click Task Management.
In the Task Management panel, click the Custom Image Check tab to view the progress and status of the task.
Find the task whose details you want to view and click Details in the Actions column. In the Task Details panel, check whether the name of the ECS instance that you specify in Step 2 is displayed, and view the status of the task on the ECS instance.
If the task fails, you can view the cause of the failure in the Task Details panel and resolve the issue based on the following table. A detection task created on the Server Check tab is used as an example.
Cause | Solution |
Current region unsupported | None. View the regions in which the agentless detection feature is supported. For more information, see Limits. The error is returned only if you call an API operation to create the detection task. |
Disk connection failed | Click Retry in the Actions column to reconnect to the disk. |
Image creation failed | Check whether the number of existing images exceeds the upper limit. If the upper limit is exceeded, you can delete some historical images or increase the upper limit. For more information, see View and increase resource quotas. |
Task processing timed out | None. Re-create a detection task. |
Step 4: View the detection results
The Agentless Detection page displays all risks that are detected on ECS instances. If an ECS instance undergoes multiple checks, only the results of the most recent check are displayed.
View the details of a risk
Server Check
On the Agentless Detection page, click the Server Check tab and then click the Vulnerability, Baseline Check, Security Alerts, or Sensitive File tab. Find the risk whose details you want to view and click View or Details in the Actions column.
Custom Image Check
On the Agentless Detection page, click the Custom Image Check tab and then the Vulnerability, Malicious Sample, Baseline Check, or Sensitive File tab. Find the risk whose details you want to view and click View or Details in the Actions column.
Handle the risk based on the risk description provided by Security Center.
Download the detection results
You can download a report of detection results by task or ECS instance.
In the upper-right corner of the Agentless Detection page, click Task Management.
Download a report of detection results for a task: In the Task Management panel, click the Server Check or Custom Image Check tab and find the required task.
Click Download Report in the Actions column.
Download a report of detection results for an ECS instance: In the Task Management panel, click the Server Check or Custom Image Check tab, find the required task, and then click Details in the Actions column.
In the Task Details panel, click Download Report in the Actions column.
Step 5: (Optional) Configure a whitelist
Configure a vulnerability whitelist
If you confirm that a vulnerability is allowed or can cause low risks, you can configure a vulnerability whitelist to ignore the vulnerability. If Security Center detects the vulnerability on assets in the effective scope of the whitelist rule that is created for the vulnerability in the next detection task, Security Center does not display the vulnerability on the Vulnerability tab. After you configure whitelist settings, the vulnerability remains on the Vulnerability tab until the next detection task is run.
Directly add a vulnerability to the whitelist
On the Agentless Detection page, click the Server Check tab and then the Vulnerability tab. Find the vulnerability that you want to add to the whitelist and click Add to Whitelist in the Actions column. In the Add to Whitelist dialog box, enter a description and click OK.
Security Center automatically creates a whitelist rule on the tab.
Create a whitelist rule
In the upper-right corner of the Agentless Detection page, click Scan Configuration. On the Vulnerability Whitelist tab of the Scan Configuration panel, click Create Rule. In the Create Vulnerability Whitelist Rule panel, configure the Vulnerability Type, Vulnerability Name, and Remarks parameters, and click Save.
The vulnerability whitelist takes effect on all assets.
Configure a baseline whitelist
If you confirm that risks detected by using specific baseline check items are at a low level, you can configure a baseline whitelist to ignore the baseline check items. If Security Center detects baseline risks by using the baseline check items on the assets in the effective scope of the whitelist rule that is created for the baseline check items in the next detection task, Security Center does not display the baseline check items on the Baseline Check tab. After you configure whitelist settings, the baseline check items remain on the Baseline Check tab until the next detection task is run.
Directly add a baseline check item to the whitelist
On the Agentless Detection page, click the Server Check tab and then the Baseline Check tab. Find the baseline check item that you want to add to the whitelist and click Add to Whitelist in the Actions column. In the Add to Whitelist dialog box, enter a description and click OK.
Security Center automatically creates a whitelist rule on the tab.
Create a whitelist rule
In the upper-right corner of the Agentless Detection page, click Scan Configuration. On the Baseline Whitelist tab of the Scan Configuration panel, click Create Rule. In the Create Baseline Whitelist Rule panel, configure the Check Item Type, Check Item, and Remarks parameters, and click Save.
The baseline whitelist takes effect on all assets.
Configure an alert whitelist
If you confirm that a false positive is generated for a file and you want to prevent unnecessary alerts, you can configure an alert whitelist and add the file to the whitelist. If Security Center detects the file on the assets on which the whitelist takes effect in the next detection task, no alerts are generated.
Directly add an alert to the whitelist
On the Agentless Detection page, click the Server Check tab and then the Alert tab. Find the alert that you want to add to the whitelist and click Add to Whitelist in the Actions column. In the Add to Whitelist dialog box, enter a description and click OK.
Create a whitelist rule
In the upper-right corner of the Agentless Detection page, click Scan Configuration. In the Scan Configuration panel, click the Manage Whitelist tab and then the Alert Whitelist tab, and click Create Rule. In the panel that appears, configure the parameters and click Save.
Parameter | Description |
| The default value is All Alerts, which indicates that the whitelist rule takes effect on all types of alerts. You cannot change the value. |
Whitelist Field | The default value is fileMd5, which indicates that the MD5 hash value of a file is added to the whitelist. You cannot change the value. |
Wildcard Character | You can select only Equal To. |
Rule Content | The MD5 hash value of a file. |
The alert whitelist takes effect on all assets.
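Because the alert whitelist matches on fileMd5 with Equal To semantics, a rule covers exactly one file content: any byte-level change to the file produces a different hash and the alert fires again. The following added example (not code from the Alibaba Cloud documentation or the Security Center product) reproduces that matching locally so an operator can confirm which files a rule would cover before adding it. The sample script contents and file names are constructed.

```python
"""Local check of which files an MD5-keyed (fileMd5, Equal To) alert whitelist would cover.

Added example; the sample script and file names are constructed.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable


def md5_hex(data: bytes) -> str:
    """Hex MD5 of an in-memory byte string."""
    return hashlib.md5(data).hexdigest()


def file_md5(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hex MD5 of a file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def match_whitelist(paths: Iterable[Path], whitelist_md5: Iterable[str]) -> Dict[str, bool]:
    """Map each file name to True when its MD5 exactly equals a whitelisted hash.

    Hashes are normalised to lower case before comparison; there is no partial or
    wildcard matching, mirroring the Equal To setting of the console rule.
    """
    allowed = {h.strip().lower() for h in whitelist_md5}
    return {p.name: file_md5(p) in allowed for p in paths}


# Constructed sample: a harmless maintenance script that was flagged and then reviewed.
SAMPLE_SCRIPT = b"#!/bin/sh\necho 'nightly backup'\ntar czf /backup/etc.tgz /etc\n"


def demo() -> Dict[str, bool]:
    """Whitelist the reviewed script, then show that a one-byte variant is not covered."""
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "backup.sh"
        original.write_bytes(SAMPLE_SCRIPT)
        # A tampered copy of the same script: a single changed byte yields a new hash.
        modified = Path(tmp) / "backup_modified.sh"
        modified.write_bytes(SAMPLE_SCRIPT.replace(b"nightly", b"Nightly", 1))
        whitelist = [file_md5(original)]  # the Rule Content you would enter in the console
        return match_whitelist([original, modified], whitelist)


if __name__ == "__main__":
    print(demo())  # backup.sh is covered, backup_modified.sh is not
```

The practical consequence is that an MD5 whitelist suppresses repeat alerts for a known-good file but offers no protection against a modified copy of it, which is the behaviour you want from a false-positive control.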
Risks that can be detected
Vulnerabilities
The agentless detection feature can detect Linux software vulnerabilities, Windows system vulnerabilities, and application vulnerabilities.
Baseline risks
Baseline category | Baseline check item |
Internationally Agreed Best Practices for Security | |
MLPS Compliance | |
Best security practice | |
Alerts
Alert type | Description | Supported check item |
Malicious script | Security Center checks whether the system services of your assets are attacked or modified by malicious scripts. The behavior of potential attacks that are based on malicious scripts is included in the detection results. Malicious scripts are classified into file-based scripts and fileless scripts. After an attacker gains control over a server, the attacker uses scripts for additional attacks. For example, the attacker may insert mining programs and webshells, and add administrator accounts to the system of the server. | Supported programming languages for detection include Shell, Python, Perl, PowerShell, VBScript, and BAT. |
WebShell | Security Center checks whether the script files in your assets are malicious and whether webshell communications and management exist. After a server is inserted with webshells, the attacker can gain control over the server and use scripts for additional attacks. | Supported programming languages for detection include PHP, JSP, ASP, and ASPX. |
Malware | Security Center checks whether the binary files in your assets are malicious and whether the binary files can cause damage to or persistent control over the assets. After a server is inserted with binary files, the attacker can gain control over the server and then launch attacks such as mining, DDoS attacks, or asset file encryption. Malicious binary files include mining programs, trojans, webshells, attacker tools, ransomware, and worms. | Tainted basic software, Suspicious program, Spyware, Trojan, Infectious virus, Worm, Exploit, Self-mutating trojan, Attacker tool, DDoS trojan, Webshell, Malicious program, Rootkit, Trojan downloader, Scanner, Riskware, Proxy, Ransomware, Webshells, Mining program |
Sensitive File
The agentless detection feature can detect common sensitive files, which include the following items:
Application configurations that contain sensitive information
General certificate keys
Application identity or logon credentials
Credentials for cloud server providers
FAQ
What are the differences between the agentless detection feature and the feature of virus detection and removal?
The following table describes the differences between the features.
Item | Agentless detection | Virus detection and removal |
Detection scope | The agentless detection feature can detect vulnerabilities, baseline risks, alerts, and sensitive files. The feature cannot handle the detected risks. | The feature of virus detection and removal can detect and remove viruses, and quarantine source files that are related to the detected viruses in an efficient manner. |
Detection method | The agentless detection feature scans data in the image that is created for a server and shared with the Security Center service account to check whether risks exist on the server. This does not affect the performance of the server. | The feature of virus detection and removal scans data in the system of a server to check whether persistent viruses exist on the server during the runtime of the server. |
Enabling method | You must purchase the agentless detection feature by using the pay-as-you-go billing method. | You must purchase Security Center Anti-Virus or higher, and install the Security Center agent on your server. |