This topic describes how to configure the following features on the Settings page in the Security Center console: proactive defense, webshell detection, threat detection for Kubernetes containers, security control, access control, protection mode, and client protection.

Proactive defense

The proactive defense feature automatically intercepts common viruses, malicious network connections, and webshell connections. It also allows you to use bait to capture ransomware.
  • Anti-Virus: This feature automatically quarantines common network viruses, such as ransomware, DDoS trojans, mining programs, trojans, malicious programs, webshells, and computer worms. Alibaba Cloud security experts test and verify all of the viruses that are automatically quarantined to keep the false positive rate to a minimum.
  • Anti-ransomware (Bait Capture): This feature uses bait files to capture new types of ransomware, analyzes them, and initiates defense against them. The bait files that Security Center configures on your server are used only to capture new types of ransomware and do not interrupt your services. On the Alerts page, you can set the alert type to Precision defense to view quarantined ransomware.
  • Webshell Protection: This feature automatically intercepts suspicious connections initiated by known webshells and quarantines related files. You can view the alerts and quarantined files on the Alerts page. For more information, see View and handle alert events and Quarantine files.
  • Behavior prevention: This feature intercepts the abnormal network behavior between your server and disclosed malicious access sources, which provides enhanced protection for your server.

If you enable Anti-Virus, Anti-ransomware (Bait Capture), Webshell Protection, or Behavior prevention, Security Center automatically enables cloud antivirus. Cloud antivirus automatically quarantines common network viruses. For more information, see Cloud threat detection.

If all the features in the Proactive Defense section are disabled, Security Center only sends alerts to you when viruses are detected. You must log on to the Security Center console and manually handle the alerts. We recommend that you enable all the features in the Proactive Defense section to reinforce the security of servers.

Note
  • If you enable any feature in the Proactive Defense section, Security Center enables this feature and cloud antivirus for newly added servers by default.
  • If you purchase the Security Center Basic Anti-Virus or Advanced edition, Security Center enables the Anti-Virus feature by default and protects your servers. If you purchase the Security Center Enterprise edition, Security Center enables the Anti-Virus, Webshell Protection, and Behavior prevention features by default. This ensures that your servers are protected by these features.
  • Before you turn on Anti-ransomware (Bait Capture), you must purchase and enable the anti-ransomware feature. For more information, see Enable the anti-ransomware feature.
Procedure
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. In the Proactive Defense section of the General tab, turn on Anti-Virus, Anti-ransomware (Bait Capture), Webshell Protection, and Behavior prevention.

    After you turn on the switches, Security Center protects your servers against viruses, ransomware, webshell connections, and access from malicious sources. We recommend that you turn on these switches.

  4. Click Manage for Anti-Virus, Anti-ransomware (Bait Capture), Webshell Protection, or Behavior prevention to manage the detection scope.
  5. In the Proactive Defense-Anti-Virus, Proactive Defense-Anti-ransomware (Bait Capture), Proactive Defense-Webshell Protection, or Proactive Defense-Behavior prevention dialog box, configure the servers for which you want to enable the feature.

    Select servers from the Detection Disabled section and click the Rightwards arrow icon to move them to the Detection Enabled section. Required features are enabled for the servers in the Detection Enabled section. To disable a feature for a server, move the server from the Detection Enabled section to the Detection Disabled section.

    Notice The Anti-ransomware (Bait Capture) feature is available only for servers that run Windows operating systems. To use the anti-ransomware (bait capture) feature, ensure that your operating system is Windows Server 2003 or later.
  6. Click OK.
  7. After the antivirus, anti-ransomware (bait capture), and webshell protection features are enabled, Security Center automatically quarantines any detected mainstream viruses or suspicious connections. To view the viruses quarantined by proactive defense, go to the Alerts page and set the alert type to Precision defense.
    Note False positives or false negatives may occur after you enable the antivirus, anti-ransomware (bait capture), and webshell protection features.
    • If some files are quarantined due to false positives, you can restore the quarantined files in the Quarantine pane. For more information, see Quarantine.
    • You can manually quarantine files that Security Center fails to quarantine on the Alerts page. For more information, see View and handle alert events.

Webshell detection

Webshell detection periodically scans servers and web directories for webshells and trojans.

Security Center runs webshell detection tasks and generates alerts only when webshell detection is enabled. For more information, see Security events.

Procedure
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. In the Webshell Detection section of the General tab, click Manage.
  4. Configure the servers for which you want to enable webshell detection.

    Select servers from the Detection Disabled section and click the rightwards arrow to move them to the Detection Enabled section. The webshell detection feature is enabled for the servers in the Detection Enabled section. To disable the webshell detection feature for a server, move the server from the Detection Enabled section to the Detection Disabled section.

  5. Click OK.

Threat detection for Kubernetes containers

The Security Center Enterprise edition supports threat detection for Kubernetes containers. This feature checks the security status of running container clusters, and detects security threats and attacks in protected container clusters. For more information, see Detectable container threats.
Note If you use the Security Center Enterprise edition, you can use threat detection for Kubernetes containers without any configurations. If you use the Security Center Basic, Basic Anti-Virus, or Advanced edition, you must upgrade Security Center to the Enterprise edition before you use this feature.

Security Center provides threat detection for Kubernetes container clusters. We recommend that you turn on Threat Detection in the K8s Threat Detection section. After you turn on the switch, Security Center detects security threats in your Kubernetes container clusters. You can handle relevant alerts on the Alerts page. For more information, see View and handle alert events.

Container threat detection
The Security Center Enterprise edition detects threats in Kubernetes containers and checks the security status of running containers. The following list groups the check items that can be detected by threat type.
Type: Container cluster errors
  • Suspicious command execution on a Kubernetes API server
  • Mounting of suspicious directories to a pod
  • Transfer of Kubernetes service accounts from one application to another
  • Startup of a pod based on a malicious image
Type: Suspicious network connections
  • External reverse shell connections
  • Suspicious external network connections
  • Suspicious lateral movements in internal networks
Type: Malicious processes (cloud antivirus)
  • DDoS trojans
  • Suspicious connections from mining machines
  • Suspicious programs
  • Suspicious tools initiating brute-force attacks on ports
  • Suspicious attack programs
  • Backdoor programs
  • Malicious vulnerability detection tools
  • Malicious programs
  • Mining programs
  • Trojans
  • Self-mutating trojans
  • Computer worms
Type: Webshells
  • Webshell
Type: Suspicious processes
  • Suspicious command execution in Apache CouchDB
  • Suspicious command execution in FTP applications
  • Suspicious command execution in Hadoop
  • Suspicious command execution in Java applications
  • Suspicious command execution in Jenkins
  • Suspicious account creation in Linux
  • Suspicious command execution in Linux cron jobs
  • Suspicious command execution in MySQL
  • Suspicious command execution in Oracle
  • Suspicious command execution in PostgreSQL applications
  • Suspicious command execution in Python applications
  • Suspicious execution of one-line, non-interactive SSH commands against remote machines
  • Webshells running suspicious probe commands
  • Modification of remote desktop protocol settings of port 3389 in Windows
  • Suspicious execution of download commands in Windows
  • Suspicious account creation in Windows
  • Malicious code injection in crontab jobs
  • Suspicious command queuing in Linux
  • Suspicious command execution in Linux
  • Dynamic script injection
  • Reverse shells
  • Reverse shell commands
  • Potential information leakage in HTTP tunnels
  • Suspicious SSH port forwarding by using SSH tunneling
  • Suspicious webshell injection
  • Containers started in privileged mode
  • Suspicious processes listening on ports
  • Malicious container startup
  • Remote API debugging in Docker that may pose security risks
  • Suspicious commands
  • Privilege escalation in containers or container escapes
  • Malicious container startup
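As an added example (not Security Center's own detection logic), the following Python checks a pod spec for a few of the check items listed above: containers started in privileged mode, mounting of suspicious host directories, images from outside a trusted registry, and exposure of the default service account token. The sensitive path list, the trusted registry prefix, and the two sample pods are constructed assumptions, not values from the page.

```python
from typing import Dict, List

# Host paths whose mounting into a pod is treated as suspicious in this example (assumption).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/root", "/var/run/docker.sock")
# Image registry prefixes trusted for this example (constructed value).
TRUSTED_REGISTRIES = ("registry.example.internal/",)

def _is_sensitive_path(path: str) -> bool:
    """True if path is one of the sensitive host paths or lies beneath one."""
    for p in SENSITIVE_HOST_PATHS:
        if path == p or (p != "/" and path.startswith(p + "/")):
            return True
    return False

def check_pod(pod: Dict) -> List[str]:
    """Return 'CODE: detail' findings for the check items this example covers."""
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for c in spec.get("containers", []):
        cname = f"{name}/{c.get('name', '?')}"
        # Containers started in privileged mode
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"PRIVILEGED: {cname} runs with securityContext.privileged=true")
        # Startup of a pod based on an image outside the trusted registries
        image = c.get("image", "")
        if not image.startswith(TRUSTED_REGISTRIES):
            findings.append(f"UNTRUSTED_IMAGE: {cname} uses image {image!r}")
    # Mounting of suspicious directories to a pod (hostPath volumes)
    for v in spec.get("volumes", []):
        path = v.get("hostPath", {}).get("path")
        if path and _is_sensitive_path(path):
            findings.append(f"HOSTPATH: {name} mounts host path {path!r}")
    # Default service account token auto-mounted into the pod (Kubernetes default is True)
    if spec.get("automountServiceAccountToken", True) and \
            spec.get("serviceAccountName", "default") == "default":
        findings.append(f"SA_TOKEN: {name} auto-mounts the default service account token")
    return findings

# Constructed sample pod specs (not real cluster data).
RISKY_POD = {"metadata": {"name": "debug-tools"}, "spec": {
    "serviceAccountName": "default",
    "containers": [{"name": "shell", "image": "docker.io/library/alpine:3.19",
                    "securityContext": {"privileged": True}}],
    "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}]}}
CLEAN_POD = {"metadata": {"name": "web"}, "spec": {
    "serviceAccountName": "web-sa", "automountServiceAccountToken": False,
    "containers": [{"name": "app", "image": "registry.example.internal/web:1.4"}],
    "volumes": [{"name": "tmp", "emptyDir": {}}]}}

if __name__ == "__main__":
    for pod in (RISKY_POD, CLEAN_POD):
        print(pod["metadata"]["name"], check_pod(pod) or ["no findings"])
```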

Security control

Security control allows you to configure IP address whitelists. Requests initiated from IP addresses in a whitelist are directly forwarded to the destination servers. This prevents normal network traffic from being blocked.

If Security Center identifies a normal IP address as malicious and blocks its requests, your services may be affected. To avoid false positives, add trusted IP addresses to a whitelist. Security Center no longer generates alerts on IP addresses that are in a whitelist or blocks their requests.

Note After an IP address is added to a whitelist, requests from the IP address are directly forwarded to the destination servers. We recommend that you add only trusted IP addresses to a whitelist.
Procedure
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. In the Security Control section of the General tab, click Configuration to go to the Security Control console.
  4. In the left-side navigation pane, choose Whitelist > Access Whitelist to add IP addresses to a whitelist. For more information, see Configure the access whitelist.

Access control

Resource Access Management (RAM) allows you to create and manage RAM users, such as individuals, systems, and applications. You can manage RAM user permissions to control access to Alibaba Cloud resources. RAM is suitable for scenarios in which multiple users in an enterprise need to collaboratively manage cloud resources. RAM allows you to grant permissions to RAM users based on the principle of least privilege. This way, you do not need to share your Alibaba Cloud AccessKey pair. This minimizes security risks.

If Security Center detects events that may compromise account security, you can use RAM to check and manage the RAM user permissions and policies under your Alibaba Cloud account. This enhances the security of your account.

Procedure
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. In the Access control section of the General tab, perform the following operations as needed:
    • Click Manage for Permission policy management to go to the RAM console. On the page that appears, manage all the permission policies under your Alibaba Cloud account. For more information, see Policy overview.
    • Click Manage for User Management to go to the RAM console. On the page that appears, manage RAM users under your Alibaba Cloud account. For more information, see Overview of a RAM user.
    • Click Manage for Role Management to go to the RAM console. On the page that appears, manage RAM roles under your Alibaba Cloud account. For more information, see RAM role overview.

Protection mode

To use Security Center, you must install the Security Center agent on your servers. For more information about the Security Center agent, see Security Center agent overview. For more information about how to install the Security Center agent, see Install the Security Center agent.

The Security Center agent may consume a small amount of resources on your servers while it is running. You can modify the protection mode of the Security Center agent to adjust the resources that the agent is allowed to consume. The following list describes the protection modes supported by the Security Center agent, with the maximum memory and CPU consumption, the supported editions, and the scenario for each mode.
Basic Protection Mode
  • Maximum memory usage: 200 MB
  • Maximum CPU utilization: 10% per core
  • Supported editions: Basic, Basic Anti-Virus, Advanced, and Enterprise
  • Scenario: This mode is suitable for all service scenarios. It consumes a small amount of resources and does not affect your services.
Note By default, the basic protection mode is enabled to protect newly purchased Elastic Compute Service (ECS) instances.
High-security Prevention Mode
  • Maximum memory usage: 300 MB
  • Maximum CPU utilization: 30% per core
  • Supported editions: Basic Anti-Virus, Advanced, and Enterprise
  • Scenario: This mode is suitable for scenarios in which important services need to be protected. It identifies more types of potential attacks and threats by using the big data analytics engine, machine learning engine, and deep learning engine.
Safeguard Mode For Major Activities
  • Maximum memory usage: 500 MB
  • Maximum CPU utilization: 60%
  • Supported edition: Enterprise
  • Scenario: This mode is suitable for major events. It enables all the protection rules and security engines, and enhances the ability to detect potential threats based on intelligent rules. Potential attacks and threats trigger alerts.
Note If the consumed resources reach the upper limit in the mode you select, the Security Center agent stops running. After the consumed resources drop below the upper limit, the agent automatically restarts. The maximum resources that the Security Center agent can consume in each mode are the maximum memory usage and maximum CPU utilization values listed above.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. In the Protection Mode section of the General tab, click Manage for High-security Prevention Mode or Safeguard Mode For Major Activities.
  4. In the High-security Prevention Mode or Safeguard Mode For Major Activities pane, select the servers for which you want to enable the High-security Prevention Mode or Safeguard Mode For Major Activities mode.
    Note You can select High-security Prevention Mode or Safeguard Mode For Major Activities for a server. For example, the Security Center agent on a server uses the High-security Prevention Mode. If you change the mode to Safeguard Mode For Major Activities, the Security Center agent then uses the Safeguard Mode For Major Activities mode.
  5. Click OK.
  6. Optional. In the Safeguard Mode For Major Activities section, select a percentage from the CPU Threshold drop-down list to specify the threshold of CPU utilization.

    The Safeguard Mode For Major Activities mode allows you to specify the threshold of CPU utilization. A high threshold supports more precise protection. You can set CPU Threshold to a value that ranges from 5% to 60%. The default value is 5%.

    Note In Safeguard Mode For Major Activities mode, more types of threats can be detected, and more alerts are triggered. Therefore, the false positive rate may increase. We recommend that you pay attention to alerts and handle them in a timely manner.

Client protection

After client protection is enabled, Security Center provides default security protection for the process files under the directory of the Security Center agent. Security Center also blocks any malicious attempt to uninstall the Security Center agent that is not performed in the Security Center console. This prevents attackers who gain access to a server from uninstalling the Security Center agent, and also prevents other processes from accidentally terminating the agent. If the Security Center agent is uninstalled or terminated, Security Center can no longer protect your servers. We recommend that you enable client protection for all servers.
Note
  • If client protection is enabled for a server, you cannot uninstall the Security Center agent from the server by any means, such as uninstalling the application by using administrative rights. This comprehensively protects your server. You must disable client protection before you uninstall the Security Center agent from your server.
  • You can uninstall the Security Center agent in the Security Center console regardless of whether you enable client protection. For more information about how to uninstall the Security Center agent, see Uninstall the Security Center agent.

The Security Center Basic, Basic Anti-Virus, Advanced, and Enterprise editions support client protection.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. In the Client Protection section of the General tab, turn on Defense Mode.

    After you turn on the switch for Client Protection, client protection is enabled for the servers that are in the protection scope and have the Security Center agent installed.

  4. Click Manage for Protection Scope.
  5. Select the servers for which you want to enable or disable client protection and click OK.

    Client protection is enabled for the servers in the Protected section, and is disabled for the servers in the Unprotected section.

    Note If you enable Client Protection for your servers, the operation takes effect immediately. If you disable Client Protection for your server, the operation takes effect five minutes later.