All Products
Search
Document Center

Security Center:Use the agentless detection feature

Last Updated:Oct 31, 2024

The agentless detection feature uses agentless technology to detect security risks on Elastic Compute Service (ECS) instances. You do not need to install the Security Center agent. The feature supports non-intrusive security checks to detect vulnerabilities, baseline risks, and alerts on ECS instances that are in the shutdown, idle, or heavily loaded state. The feature does not affect the performance of ECS instances. This topic describes how to use the agentless detection feature.

Scenarios

You can perform comprehensive security checks on the system disk and data disks of an ECS instance on which the Security Center agent is not installed.

Billing

  • The agentless detection feature uses the pay-as-you-go billing method, and you are charged based on the amount of data that is scanned. The system generates a bill on the next day after you use the feature to scan data. For more information, see Billing overview.

  • If you create a detection task for an ECS instance, the system creates an image of the ECS instance. You are charged for the image based on the size and storage period of the image, and the fees are included in ECS bills. For more information, see Images.

Limits

Item

Description

Asset type

The agentless detection feature supports Alibaba Cloud ECS instances, disk snapshots, and images.

Region

The agentless detection feature is supported in the following regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Shenzhen), China (Zhangjiakou), China (Chengdu), China (Hong Kong), Singapore, and US (Virginia).

Operating system

The agentless detection feature supports various check items for different operating systems.

Encrypted disk

The agentless detection feature cannot check encrypted system disks or data disks.

Disk

  • The agentless detection feature can check a system disk or data disk that is up to 1 TiB in size. If the size of a disk exceeds 1 TiB, the feature does not check the disk.

    • The agentless detection feature can check up to 20,000,000 files in a system disk or data disk. The feature does not check excess files.

File system

  • The agentless detection feature can check compressed files, specifically JAR files. The feature decompresses only the top-level directory of a JAR file for checking.

  • The agentless detection feature supports the following file systems: ext2, ext3, ext4, XFS, and NTFS. The feature cannot check the items that are related to file permissions in the NTFS file system.

  • The agentless detection feature cannot check data disks that are managed by using Logical Volume Manager (LVM), Redundant Array of Independent Disks (RAID), or Resilient File System (ReFS).

Detection task

  • The agentless detection can check up to 15 disks on an ECS instance. The disks are system disks and data disks. The feature does not check excess disks.

  • You can run only one detection task at a time.

Risk handling

The agentless detection feature can detect but cannot fix vulnerabilities, baseline risks, malicious files, and sensitive files. If risks are detected, you must manually handle the risks based on the information provided on the risk details page.

Retention period of check results

  • If an ECS instance undergoes multiple checks, only the results of the most recent check are displayed.

  • The check results of ECS instances are stored for up to 30 days. Data of risks that are detected 30 days earlier than the date of the most recent check is automatically deleted.

Operating systems that support vulnerability scans

Operating system

Version

Windows Server

  • Windows Server 2008 (Only vulnerabilities that are disclosed before the system EOL date are supported.)

  • Windows Server 2012 (Only vulnerabilities that are disclosed before the system EOL date are supported.)

  • Windows Server 2016

  • Windows Server 2019

  • Windows Server 2022

Red Hat

  • Red Hat 5 (Only vulnerabilities that are disclosed before the system EOL date are supported.)

  • Red Hat 6 (Only vulnerabilities that are disclosed before the system EOL date are supported.)

  • Red Hat 7

CentOS

  • CentOS 5 (Only vulnerabilities that are disclosed before the system EOL date are supported.)

  • CentOS 6 (Only vulnerabilities that are disclosed before the system EOL date are supported.)

  • CentOS 7

Ubuntu

  • Ubuntu 12.04 (Only vulnerabilities that are disclosed before the system EOL date are supported.)

  • Ubuntu 14.04 (Only vulnerabilities that are disclosed before the system EOL date are supported.)

  • Ubuntu 16.04 (Only vulnerabilities that are disclosed before the system EOL date are supported.)

  • Ubuntu 18.04 (Only vulnerabilities that are disclosed before the system EOL date are supported.)

  • Ubuntu 18.10 (Only vulnerabilities that are disclosed before the system EOL date are supported.)

Debian

  • Debian 6

  • Debian 7

  • Debian 8

  • Debian 9

  • Debian 10

Alpine

  • Alpine 2.3

  • Alpine 2.4

  • Alpine 2.5

  • Alpine 2.6

  • Alpine 2.7

  • Alpine 3.1

  • Alpine 3.2

  • Alpine 3.3

  • Alpine 3.4

  • Alpine 3.5

  • Alpine 3.6

  • Alpine 3.7

  • Alpine 3.8

  • Alpine 3.9

  • Alpine 3.10

  • Alpine 3.11

  • Alpine 3.12

Amazon Linux

  • Amazon Linux 2

  • Amazon Linux AMI

Oracle Linux

  • Oracle Linux 5

  • Oracle Linux 6

  • Oracle Linux 7

  • Oracle Linux 8

SUSE Linux Enterprise Server

  • SUSE Linux Enterprise Server 5

  • SUSE Linux Enterprise Server 6

  • SUSE Linux Enterprise Server 7

  • SUSE Linux Enterprise Server 8

  • SUSE Linux Enterprise Server 9

  • SUSE Linux Enterprise Server 10

  • SUSE Linux Enterprise Server 10 SP4

  • SUSE Linux Enterprise Server 11 SP3

  • SUSE Linux Enterprise Server 12 SP2

  • SUSE Linux Enterprise Server 12 SP5

Fedora Linux

  • Fedora Linux 2X

  • Fedora Linux 3X

openSUSE

  • openSUSE 10.0 (Only vulnerabilities that are disclosed before the system EOL date are supported.)

  • openSUSE Leap 15.2 (Only vulnerabilities that are disclosed before the system EOL date are supported.)

  • openSUSE Leap 42.3 (Only vulnerabilities that are disclosed before the system EOL date are supported.)

Step 1: Purchase the agentless detection feature by using the pay-as-you-go billing method and complete authorization

  1. Log on to the Security Center console. In the top navigation bar, select the region of the assets that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Agentless Detection.

  3. On the Agentless Detection page, click Activate Now.

  4. In the dialog box that appears, read and select I have read and agree to Security Center (Pay-as-you-go) Terms of Service. Then, click Activate Now.

  5. If the AliyunServiceRoleForSas service-linked role is not created, click Authorize Now and complete authorization as prompted.

    After the authorization is complete, Security Center automatically creates the AliyunServiceRoleForSas service-linked role. For more information about the AliyunServiceRoleForSas service-linked role, see Service-linked roles for Security Center.

Step 2: Create a detection task

After you create a detection task for your ECS instance, the system creates an image of the ECS instance. Then, the system scans data in the image to check whether risks such as vulnerabilities, alerts, baseline risks, and sensitive files exist on the ECS instance.

Create an immediate detection task

Note

After you create a detection task for your ECS instance, Security Center automatically creates an image of the ECS instance and then scans the image. The time required to complete the task increases with the volume of data that needs to be scanned.

Server Check

  1. On the Agentless Detection page, click the Server Check tab and then click Create Detection Task.

  2. In the Create Detection Task panel, select the servers that you want to scan and click Next.

    image

  3. Configure the Scan Scope and Image Storage Time parameters. Valid values of the Image Storage Time parameter: 1 to 365. Unit: days. Click Next.

    image

    Note
    1. We recommend that you set the Scan Scope parameter to Data Disk. A complete data source improves the performance of detection, such as the detection of vulnerabilities and alerts.

    2. You are charged for images that are created. A longer retention period of the images leads to higher fees. You can select Retain Only At-risk Snapshots or Images based on your business requirements. If you select Retain Only At-risk Snapshots or Images, an image that is created by the task is immediately released if no risks are detected, and only at-risk images are retained. This reduces storage costs.

  4. Click Go to Task List to view the progress of the task.

Custom Image Check

  1. On the Agentless Detection page, click the Custom Image Check tab and then click Create Detection Task.

  2. In the Custom Image Check-Create Detection Task panel, select the images that you want to scan and click OK.

    image

Create a periodic detection task

  1. In the upper-right corner of the Agentless Detection page, click Scan Configuration.

  2. In the Scan Configuration panel, configure the Baseline Check Scope, Vulnerability Detection Scope, Scan Object, Scan Cycle, Scan Assets, Scan Scope, and Snapshot/Image Storage Time parameters. You can select or clear Retain Only At-risk Snapshots or Images based on your business requirements.

  3. Click Save.

Automatically created image

Each time you create a detection task for an ECS instance, the system automatically creates an image of the ECS instance. The image name starts with SAS_Agentless_. After the image is created, the image is automatically shared with the Security Center service account whose ID is 182*********0517 or 160*********0463. In this way, Security Center can perform security scans on data from your ECS instance.

The sharing process does not generate fees. Security Center uses only the shared image for security scanning. When the image is deleted or automatically released, the sharing is also canceled.

image

Step 3: View the progress of the detection task

Before you can view the results of the detection task that you create, make sure that the task is complete. You can view the progress of a detection task to check whether the task is complete.

Server Check

  1. In the upper-right corner of the Agentless Detection page, click Task Management.

  2. In the Task Management panel, click the Server Check tab to view the progress and status of the task.

  3. Find the task whose details you want to view and click Details in the Actions column. In the Task Details panel, check whether the name of the ECS instance that you specify in Step 2 is displayed, and view the status of the task on the ECS instance.

    image

Custom Image Check

  1. In the upper-right corner of the Agentless Detection page, click Task Management.

  2. In the Task Management panel, click the Custom Image Check tab to view the progress and status of the task.

  3. Find the task whose details you want to view and click Details in the Actions column. In the Task Details panel, check whether the name of the ECS instance that you specify in Step 2 is displayed, and view the status of the task on the ECS instance.

    image

If the task fails, you can view the cause of the failure in the Task Details panel and resolve the issue based on the following table. A detection task created on the Server Check tab is used as an example.

image

Cause

Solution

Current region unsupported

None. View the regions in which the agentless detection feature is supported. For more information, see Limits. The error is returned only if you call an API operation to create the detection task.

Disk connection failed

Click Retry in the Actions column to reconnect to the disk.

Image creation failed

Check whether the number of existing images exceeds the upper limit. If the upper limit is exceeded, you can delete some historical images or increase the upper limit. For more information, see View and increase resource quotas.

Task processing timed out

None. Re-create a detection task.

Step 4: View the detection results

The Agentless Detection page displays all risks that are detected on ECS instances. If an ECS instance undergoes multiple checks, only the results of the most recent check are displayed.

View the details of a risk

Server Check

On the Agentless Detection page, click the Server Check tab and then click the Vulnerability, Baseline Check, Security Alerts, or Sensitive File tab. Find the risk whose details you want to view and click View or Details in the Actions column.

Custom Image Check

On the Agentless Detection page, click the Custom Image Check tab and then the Vulnerability, Malicious Sample, Baseline Check, or Sensitive File tab. Find the risk whose details you want to view and click View or Details in the Actions column.

Note

Handle the risk based on the risk description provided by Security Center.

Download the detection results

You can download a report of detection results by task or ECS instance.

  1. In the upper-right corner of the Agentless Detection page, click Task Management.

  2. Download a report of detection results for a task: In the Task Management panel, click the Server Check or Custom Image Check tab and find the required task.

  3. Click Download Report in the Actions column.

  4. Download a report of detection results for an ECS instance: In the Task Management panel, click the Server Check or Custom Image Check tab, find the required task, and then click Details in the Actions column.

  5. In the Task Details panel, click Download Report in the Actions column.

Step 5: (Optional) Configure a whitelist

Configure a vulnerability whitelist

If you confirm that a vulnerability is allowed or can cause low risks, you can configure a vulnerability whitelist to ignore the vulnerability. If Security Center detects the vulnerability on assets in the effective scope of the whitelist rule that is created for the vulnerability in the next detection task, Security Center does not display the vulnerability on the Vulnerability tab. After you configure whitelist settings, the vulnerability remains on the Vulnerability tab until the next detection task is run.

  • Directly add a vulnerability to the whitelist

    On the Agentless Detection page, click the Server Check tab and then the Vulnerability tab. Find the vulnerability that you want to add to the whitelist and click Add to Whitelist in the Actions column. In the Add to Whitelist dialog box, enter a description and click OK.

    Security Center automatically creates a whitelist rule on the Scan Configuration > Manage Whitelist > Vulnerability Whitelist tab.

  • Create a whitelist rule

    In the upper-right corner of the Agentless Detection page, click Scan Configuration. On the Vulnerability Whitelist tab of the Scan Configuration panel, click Create Rule. In the Create Vulnerability Whitelist Rule panel, configure the Vulnerability Type, Vulnerability Name, and Remarks parameters, and click Save.

Note

The vulnerability whitelist takes effect on all assets.

Configure a baseline whitelist

If you confirm that risks detected by using specific baseline check items are at a low level, you can configure a baseline whitelist to ignore the baseline check items. If Security Center detects baseline risks by using the baseline check items on the assets in the effective scope of the whitelist rule that is created for the baseline check items in the next detection task, Security Center does not display the baseline check items on the Baseline Check tab. After you configure whitelist settings, the baseline check items remain on the Baseline Check tab until the next detection task is run.

  • Directly add a baseline check item to the whitelist

    On the Agentless Detection page, click the Server Check tab and then the Baseline Check tab. Find the baseline check item that you want to add to the whitelist and click Add to Whitelist in the Actions column. In the Add to Whitelist dialog box, enter a description and click OK.

    Security Center automatically creates a whitelist rule on the Scan Configuration > Manage Whitelist > Baseline Whitelist tab.

  • Create a whitelist rule

    In the upper-right corner of the Agentless Detection page, click Scan Configuration. On the Baseline Whitelist tab of the Scan Configuration panel, click Create Rule. In the Create Baseline Whitelist Rule panel, configure the Check Item Type, Check Item, and Remarks parameters, and click Save.

Note

The baseline whitelist takes effect on all assets.

Configure an alert whitelist

If you confirm that a false positive is generated for a file and you want to prevent unnecessary alerts, you can configure an alert whitelist and add the file to the whitelist. If Security Center detects the file on the assets on which the whitelist takes effect in the next detection task, no alerts are generated.

  • Directly add an alert to the whitelist

    On the Agentless Detection page, click the Server Check tab and then the Alert tab. Find the alert that you want to add to the whitelist and click Add to Whitelist in the Actions column. In the Add to Whitelist dialog box, enter a description and click OK.

  • Create a whitelist rule

    In the upper-right corner of the Agentless Detection page, click Scan Configuration. In the Scan Configuration panel, click the Manage Whitelist tab and then the Alert Whitelist tab, and click Create Rule. In the panel that appears, configure the parameters and click Save.

    Parameter

    Description

    Alert Name

    The default value is All Alerts, which indicates that the whitelist rule takes effect on all types of alerts. You cannot change the value.

    Whitelist Field

    The default value is fileMd5, which indicates that the MD5 hash value of a file is added to the whitelist. You cannot change the value.

    Wildcard Character

    You can select only Equal To.

    Rule Content

    The MD5 hash value of a file.

Note

The alert whitelist takes effect on all assets.

Risks that can be detected

Vulnerabilities

The agentless detection feature can detect Linux software vulnerabilities, Windows system vulnerabilities, and application vulnerabilities.

Baseline risks

Baseline category

Baseline check item

Internationally Agreed Best Practices for Security

  • CentOS Linux 6 LTS Internationally Agreed Best Practices for Security

  • CentOS Linux 7 LTS Internationally Agreed Best Practices for Security

  • Ubuntu 16/18/20 LTS Internationally Agreed Best Practices for Security

  • Ubuntu 14 LTS Internationally Agreed Best Practices for Security

  • Debian Linux 8 Internationally Agreed Best Practices for Security

  • Windows Server 2008 R2 Internationally Agreed Best Practices for Security

  • Windows Server 2012 R2 Internationally Agreed Best Practices for Security

  • Windows Server 2016/2019 R2 Internationally Agreed Best Practices for Security

  • Alibaba Cloud Linux 2/3 Internationally Agreed Best Practices for Security

  • CentOS Linux 8 LTS Internationally Agreed Best Practices for Security

  • Windows Server 2022 R2 Internationally Agreed Best Practices for Security

  • Ubuntu 22 LTS Internationally Agreed Best Practices for Security

  • Rocky 8 Internationally Agreed Best Practices for Security

MLPS Compliance

  • MLPS Level 3 Compliance Baseline for SUSE 15

  • MLPS Level 3 Compliance Baseline for Windows 2008 R2

  • MLPS Level 3 Compliance Baseline for CentOS Linux 7

  • MLPS Level 3 Compliance Baseline for CentOS Linux 6

  • MLPS Level 3 Compliance Baseline for Windows 2012 R2

  • MLPS Level 3 Compliance Baseline for Ubuntu 16/18/20

  • MLPS Level 3 Compliance Baseline for Debian Linux 8/9/10

  • MLPS Level 3 Compliance Baseline for Windows Server 2016/2019

  • MLPS Level 3 Compliance Baseline for Alibaba Cloud Linux 2

  • MLPS Level 3 Compliance Baseline for Red Hat Linux 7

  • MLPS Level 3 Compliance Baseline for Ubuntu 14

  • MLPS Level 3 Compliance Baseline for SUSE 12

  • MLPS Level 3 Compliance Baseline for SUSE 11

  • MLPS Level 3 Compliance Baseline for SUSE 10

  • MLPS Level 3 Compliance Baseline for Red Hat Linux 6

  • MLPS Level 3 Compliance Baseline for CentOS Linux 8

  • MLPS Level 2 Compliance Baseline for Alibaba Cloud Linux 3

  • MLPS Level 3 Compliance Baseline for Anolis 8

  • MLPS Level 3 Compliance Baseline for Ubuntu 22

  • MLPS Level 2 Compliance Baseline for Windows 2008 R2

  • MLPS Level 2 Compliance Baseline for CentOS Linux 7

  • MLPS Level 2 Compliance Baseline for CentOS Linux 6

  • MLPS Level 2 Compliance Baseline for Windows 2012 R2

  • MLPS Level 2 Compliance Baseline for Ubuntu 16/18

  • MLPS Level 2 Compliance Baseline for Debian Linux 8

  • MLPS Level 2 Compliance Baseline for Windows Server 2016/2019

  • MLPS Level 2 Compliance Baseline for Alibaba Cloud Linux 2

  • MLPS Level 2 Compliance Baseline for Red Hat Linux 7

  • MLPS Level 2 Compliance Baseline for Ubuntu 14

  • MLPS Level 3 Compliance Baseline for UOS

  • MLPS Level 3 Compliance Baseline for Kylin

Best security practice

  • Alibaba Cloud Standard - CentOS Linux 6 Security Baseline Check

  • Alibaba Cloud Standard - CentOS Linux 7/8 Security Baseline Check

  • Alibaba Cloud Standard - Windows Server 2008 R2 Security Baseline Check

  • Alibaba Cloud Standard - Windows 2012 R2 Security Baseline

  • Alibaba Cloud Standard - Ubuntu Security Baseline

  • Alibaba Cloud Standard - Debian Linux 8/9/10/11 Security Baseline

  • Alibaba Cloud Standard - Windows 2016/2019 Security Baseline

  • Alibaba Cloud Standard - Alibaba Cloud Linux 2/3 Benchmark

  • Alibaba Cloud Standard - Red Hat Enterprise Linux 7/8 Security Baseline Check

  • Alibaba Cloud Standard - Red Hat Enterprise Linux 6 Security Baseline Check

  • Alibaba Cloud Standard - Windows 2022 Security Baseline

  • Alibaba Cloud Standard - SUSE Linux 15 Security Baseline Check

  • Alibaba Cloud Standard - Uos Security Baseline Check

  • Alibaba Cloud Standard - Kylin Security Baseline Check

  • Alibaba Cloud Standard - Anolis 7/8 Security Baseline Check

  • Alibaba Cloud Standard - Alma Linux 8 Security Baseline Check

  • Alibaba Cloud Standard - Rocky Linux 8 Security Baseline Check

Alerts

Alert type

Description

Supported check item

Malicious script

Security Center checks whether the system services of your assets are attacked or modified by malicious scripts. The behavior of potential attacks that are based on malicious scripts is included in the detection results.

Malicious scripts are classified into file-based scripts and fileless scripts. After an attacker gains control over a server, the attacker uses scripts for additional attacks. For example, the attacker may insert mining programs and webshells, and add administrator accounts to the system of the server.

Supported programming languages for detection include Shell, Python, Perl, PowerShell, VBScript, and BAT.

WebShell

Security Center checks whether the script files in your assets are malicious and whether webshell communications and management exist. After a server is inserted with webshells, the attacker can gain control over the server and use scripts for additional attacks.

Supported programming languages for detection include PHP, JSP, ASP, and ASPX.

Malware

Security Center checks whether the binary files in your assets are malicious and whether the binary files can cause damage to or persistent control over the assets. After a server is inserted with binary files, the attacker can gain control over the server and then launch attacks such as mining, DDoS attacks, or asset file encryption. Malicious binary files include mining programs, trojans, webshells, attacker tools, ransomware, and worms.

Tainted basic software

Suspicious program

Spyware

Trojan

Infectious virus

Worm

Exploit

Self-mutating trojan

Attacker tool

DDoS trojan

Webshell

Malicious program

Rootkit

Trojan downloader

Scanner

Riskware

Proxy

Ransomware

Webshells

Mining program

Sensitive File

The agentless detection feature can detect common sensitive files, which include the following items:

  • Application configurations that contain sensitive information

  • General certificate keys

  • Application identity or logon credentials

  • Credentials for cloud server providers

FAQ

What are the differences between the agentless detection feature and the feature of virus detection and removal?

The following table describes the differences between the features.

Item

Agentless detection

Virus detection and removal

Detection scope

The agentless detection feature can detect vulnerabilities, baseline risks, alerts, and sensitive files. The feature cannot handle the detected risks.

The feature of virus detection and removal can detect and remove viruses, and quarantine source files that are related to the detected viruses in an efficient manner.

Detection method

The agentless detection feature scans data in the image that is created for a server and shared with the Security Center service account to check whether risks exist on the server. This does not affect the performance of the server.

The feature of virus detection and removal scans data in the system of a server to check whether persistent viruses exist on the server during the runtime of the server.

Enabling method

You must purchase the agentless detection feature by using the pay-as-you-go billing method.

You must purchase Security Center Anti-Virus or higher, and install the Security Center agent on your server.

References