The virus detection and removal feature of Security Center uses the machine learning-based antivirus engine that is provided by Alibaba Cloud and a virus library that is updated in real time. You can use the feature to scan the items in your system that are vulnerable to attacks. The items include persistent startup items, active processes, kernel modules, sensitive directories, and public keys that are used in SSH backdoors. You can also use the feature to clean up malicious threats on servers in an efficient manner. This topic describes how to use the virus detection and removal feature.
Background information
Before you use the virus detection and removal feature, we recommend that you turn on Malicious Host Behavior Prevention. After you turn on Malicious Host Behavior Prevention, Security Center automatically blocks malicious behavior to intercept threats such as common trojans, ransomware, mining viruses, and DDoS trojans. For more information about how to turn on Malicious Host Behavior Prevention, see Use proactive defense.
The following list describes the types of viruses that can be detected and removed by the virus detection and removal feature and the scan items that are supported:
Virus types: ransomware, mining programs, DDoS trojans, trojans, backdoor programs, malicious programs, high-risk programs, worms, suspicious programs, and self-mutating trojans.
Scan items: active processes, hidden processes, Docker processes, kernel modules, installed programs, dynamic-link library hijacks, services, scheduled tasks, startup items, and sensitive directories.
A full scan is not supported. This keeps the consumption of server resources low.
Limits
Only the Anti-virus, Advanced, Enterprise, and Ultimate editions of Security Center support this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.
Step 1: Scan for viruses
The virus detection and removal feature scans all servers that are protected by Security Center to detect persistent viruses, such as ransomware and mining programs. You can perform immediate scan tasks or configure periodic scan tasks.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
If the AliyunServiceRoleForSas service-linked role is not created, click Authorize Now and complete authorization as prompted.
After the authorization is complete, Security Center automatically creates the AliyunServiceRoleForSas service-linked role. For more information about the AliyunServiceRoleForSas service-linked role, see Service-linked roles for Security Center.
On the Virus Detection and Removal page, perform an immediate scan task or configure a periodic scan task.
Perform an immediate scan task
On the Virus Detection and Removal page, click Immediate Scan or Scan Again.
In the Scan Settings panel, configure the Scan Mode and Scan Scope parameters.
Parameter
Description
Scan Mode
Select a scan mode. Valid values:
Quick Scan: In this mode, Security Center automatically scans items such as active processes, startup items, and sensitive directories and files for risks.
Custom Directory Scan: In this mode, you can specify the file directories that you want to scan.
Enter the file directories that you want to scan, one directory per line. A single scan operation supports up to 30,000 files. If the specified directories contain more than 30,000 files, the excess files are not scanned.
Scan Scope
Select the assets that you want to scan. You can select assets based on the following types:
All Assets: If you select this option, all assets are scanned.
By Asset: If you select this option, you can select the servers that you want to scan.
By Group: If you select this option, you can select asset groups. Then, Security Center scans all assets in the asset groups. If new assets are added to the asset groups, the assets are automatically scanned by Security Center.
By VPC: If you select this option, you can select virtual private clouds (VPCs). Then, Security Center scans all assets that reside in the VPCs. If new assets are added to the VPCs, the assets are automatically scanned by Security Center.
Click OK.
Security Center performs an immediate scan task based on the specified scan mode and scope. The scan task requires 2 to 5 minutes to complete. Wait until the scan task is complete.
Configure a periodic scan task
On the Virus Detection and Removal page, click Scan Settings in the upper-right corner.
In the Scan Settings panel, configure the Scan Cycle, Scan Mode, and Scan Scope parameters.
Parameter
Description
Scan Cycle
Specify the interval and period for automatic scan.
Scan Mode
Select a scan mode. Valid values:
Quick Scan: In this mode, Security Center automatically scans items such as active processes, startup items, and sensitive directories and files for risks.
Custom Directory Scan: In this mode, you can specify the file directories that you want to scan.
Enter the file directories that you want to scan, one directory per line. A single scan operation supports up to 30,000 files. If the specified directories contain more than 30,000 files, the excess files are not scanned.
Scan Scope
Select the assets that you want to scan. You can select assets based on the following types:
All Assets: If you select this option, all assets are scanned.
By Asset: If you select this option, you can select the servers that you want to scan.
By Group: If you select this option, you can select asset groups. Then, Security Center scans all assets in the asset groups. If new assets are added to the asset groups, the assets are automatically scanned by Security Center.
By VPC: If you select this option, you can select virtual private clouds (VPCs). Then, Security Center scans all assets that reside in the VPCs. If new assets are added to the VPCs, the assets are automatically scanned by Security Center.
Click Next.
Security Center automatically scans the specified assets based on the configurations.
Optional. On the Virus Detection and Removal page, click Task Management in the upper-right corner to view the status and progress of the scan task.
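Both the immediate and the periodic scan procedures above cap a Custom Directory Scan at 30,000 files and silently skip the rest. The following added helper (not part of Security Center or its documentation) takes the same line-separated directory list the console expects, counts the files each directory would contribute, reports how many would fall outside the cap, and groups the directories into separate scan tasks that each stay within it. Directory paths and the smaller limit in the comments are constructed for illustration.

```python
import os
from typing import Dict, List, Tuple

# Per-scan file limit stated in the Security Center documentation.
MAX_FILES_PER_SCAN = 30_000


def parse_directory_list(text: str) -> List[str]:
    """Parse the Custom Directory Scan input: one directory per line, blanks and duplicates dropped."""
    dirs: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if line and line not in dirs:
            dirs.append(line)
    return dirs


def count_files(directory: str) -> int:
    """Count non-directory entries under a directory without following symlinked directories."""
    return sum(len(files) for _root, _subdirs, files in os.walk(directory, followlinks=False))


def check_scan_scope(text: str, limit: int = MAX_FILES_PER_SCAN) -> Dict[str, object]:
    """Estimate coverage of a custom scan: per-directory counts, missing paths, and files beyond the cap."""
    per_dir: Dict[str, int] = {}
    missing: List[str] = []
    for d in parse_directory_list(text):
        if os.path.isdir(d):
            per_dir[d] = count_files(d)
        else:
            missing.append(d)  # a path that does not exist on this host contributes nothing
    total = sum(per_dir.values())
    return {
        "per_directory": per_dir,
        "missing": missing,
        "total_files": total,
        "unscanned_files": max(0, total - limit),  # files the scan would skip
        "within_limit": total <= limit,
    }


def split_into_batches(per_dir: Dict[str, int], limit: int = MAX_FILES_PER_SCAN) -> List[List[str]]:
    """Group directories into scan tasks that each stay within the limit (first-fit decreasing).
    A directory that alone exceeds the limit gets its own batch and still needs to be narrowed."""
    batches: List[Tuple[int, List[str]]] = []
    for d, n in sorted(per_dir.items(), key=lambda kv: kv[1], reverse=True):
        for i, (size, names) in enumerate(batches):
            if size + n <= limit:
                batches[i] = (size + n, names + [d])
                break
        else:
            batches.append((n, [d]))
    return [names for _size, names in batches]
```

Run `check_scan_scope` on the planned directory list first; if `within_limit` is false, feed `per_directory` to `split_into_batches` and submit one scan task per returned group.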
Step 2: Handle alerts
Security Center provides complete capabilities to handle the threats that are detected and allows you to perform in-depth virus detection and removal with a few clicks. In-depth detection and removal of persistent viruses uses the following methods: detecting and terminating malicious virus processes, quarantining malicious files, and removing the persistence mechanisms of viruses and trojans. After a scan task is complete, we recommend that you view the scan results and handle the detected viruses at the earliest opportunity so that your servers are not affected.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
Go to the Alerts page. You can use one of the following methods:
To handle alerts for a single server, open the list of check results, find the server for which you want to handle alerts, and then click Handle in the Actions column.
To handle alerts for multiple servers in a batch, select the servers and click Batch Handle.
In the Handle Alert panel, select a handling method.
Handling Method
Description
In-depth Cleanup
Performs in-depth virus detection on a server and removes the detected viruses. Security Center tested and analyzed persistent viruses and developed the Deep cleanup method to remove them. You can view the details of this method in the console.
If you use the Deep cleanup method, you can enable auto-snapshot to back up your system disks before the viruses are removed. This helps prevent data loss during removal.
Add to Whitelist
Adds an alert to the whitelist. If the alert event reoccurs after the alert is added to the whitelist, Security Center no longer generates an alert for it.
Ignore
Ignores an alert. After the alert is ignored, the status of the alert changes to Ignored. If the alert event reoccurs, Security Center generates alerts.
Manually Handled
If you manually handled an alert, select Manually Handled. The status of the alert changes to Handled.
Click Next.
The system starts to handle alerts. After the process is complete, you can view the handling results and the status of the alerts.
Step 3: Configure alert notifications
You can configure the severities and methods for alert notifications. For more information, see Configure notification settings.