You can configure the following features in Security Center: virus detection, web shell detection, container threat detection, access control, security control, and protection mode. This topic describes how to configure and manage the settings of these features.

Virus detection

Virus detection can automatically quarantine common Internet viruses, such as ransomware, DDoS Trojans, mining programs, Trojans, malicious programs, backdoor programs, and computer worms. Alibaba Cloud security specialists test and verify all automatically quarantined viruses to guarantee a minimum false positive rate. For more information, see Cloud threat detection.

If automatic quarantine is disabled, Security Center only sends alerts when viruses are detected. You need to manually manage the detected viruses. We recommend that you enable automatic quarantine to better safeguard your servers.
Note After automatic quarantine is enabled, it applies to all servers, including existing and newly added servers.
Procedure
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Operation > Settings. You are redirected to the Settings page.
  3. In the Virus Detection section, click Manage.
  4. In the Configure Servers for Virus Detection dialog box that appears, select the servers for which you want to enable virus detection.

    Select servers from the Detection Disabled list on the left side and click the right arrow to add them to the Detection Enabled list on the right side. Virus detection is enabled for the servers that are added to the Detection Enabled list. To disable virus detection for a server, move the server from the Detection Enabled list to the Detection Disabled list.

  5. Click OK.
  6. In the Virus Detection section, turn on Automatic Quarantine. After automatic quarantine is enabled, Security Center automatically quarantines viruses that it detects. Quarantined viruses are listed on the Alerts page. You can select the Precise Defense type to filter quarantined viruses.
    Note After automatic quarantine is enabled, false positives or false negatives may occur.
    • You can restore false positive files on the Quarantine page. For more information, see Quarantine.
    • You can manually quarantine viruses that Security Center fails to quarantine. For more information, see View and handle security events.

Web shell detection

Web shell detection periodically scans servers and web page directories for web shells and Trojans.

Security Center runs web shell detection and generates alerts only after you enable this feature. For more information, see Security events.

Procedure
  1. In the left-side navigation pane, choose Operation > Settings. You are redirected to the Settings page.
  2. In the Webshell Detection section, click Manage.
  3. Select the servers for which you want to enable web shell detection.

    Select servers from the Detection Disabled list on the left side and click the right arrow to add them to the Detection Enabled list on the right side. Web shell detection is enabled for the servers that are added to the Detection Enabled list. To disable web shell detection for a server, move the server from the Detection Enabled list to the Detection Disabled list.

  4. Click OK.

Container threat detection

The Enterprise edition of Security Center supports container threat detection. This feature checks the security status of running containers, and detects security threats and attacks targeting protected containers in real time. For more information, see Detectable container threats.
Note No configuration is required to use the container threat detection feature in the Enterprise edition. If you are using the Basic or Advanced edition, you must upgrade Security Center to the Enterprise edition before you can use the container threat detection feature.
The Enterprise edition of Security Center can detect threats in containers and check the security status of running containers. The following table lists the types of threats that can be detected.
Type: Suspicious network connections
  • External reverse shell connections
  • Suspicious external network connections
  • Suspected lateral movement within internal networks

Type: Malicious processes
  • DDoS Trojans
  • Suspicious connections from mining machines
  • Suspicious programs
  • Suspicious tools that initiate brute-force attacks on ports
  • Suspicious attack programs
  • Backdoor programs
  • Malicious vulnerability detection tools
  • Malicious programs
  • Mining programs
  • Trojans
  • Self-mutating Trojans
  • Computer worms

Type: Web shells
  • Web shells

Type: Suspicious process behaviors
  • Suspicious command execution in Apache CouchDB
  • Suspicious command execution in FTP applications
  • Suspicious command execution in Hadoop
  • Suspicious command execution in Java applications
  • Suspicious command execution in Jenkins
  • Suspicious account creation in Linux
  • Suspicious command execution in Linux cron jobs
  • Suspicious command execution in MySQL
  • Suspicious command execution in Oracle
  • Suspicious command execution in PostgreSQL applications
  • Suspicious command execution in Python applications
  • Suspicious execution of single-line, non-interactive SSH commands against remote machines
  • Web shells running suspicious probe commands
  • Modification of Remote Desktop Protocol settings for port 3389 in Windows
  • Suspicious execution of download commands in Windows
  • Suspicious account creation in Windows
  • Malicious code injection in crontab jobs
  • Suspicious command queuing in Linux
  • Suspicious command execution in Linux
  • Dynamic script injection
  • Reverse shells
  • Reverse shell commands
  • Potential information leakage through HTTP tunnels
  • Suspicious SSH port forwarding through SSH tunneling
  • Suspicious web shell injection
  • Containers started in privileged mode
  • Suspicious processes listening on ports
  • Startup of malicious containers
  • Remote API debugging in Docker that may pose security risks
  • Suspicious commands
  • Privilege escalation or container escapes

Security control

Security control supports IP whitelists. You can add trusted IP addresses to the whitelist. Security Center allows requests from trusted IP addresses to pass through.

If Security Center blocks normal requests, your workloads in the cloud may be adversely affected. To avoid false positives, add trusted IP addresses to the whitelist. Security Center does not send alerts or block requests when they are sent from trusted IP addresses.

Procedure
  1. In the left-side navigation pane, choose Operation > Settings. You are redirected to the Settings page.
  2. In the Security Control section, click Configuration to go to the Security Control console.
  3. In the left-side navigation pane, choose Whitelist > Access Whitelist. Add IP addresses to the whitelist. For more information, see Configure the access whitelist.

Access control

Resource Access Management (RAM) allows you to create and manage RAM users, which can represent individuals, systems, or applications. You can manage the permissions of RAM users to control access to Alibaba Cloud resources. RAM applies to scenarios where multiple users in an enterprise need to collaboratively manage cloud resources. RAM allows you to grant RAM users only the minimum permissions they need, so you do not have to share the credentials of your Alibaba Cloud account. This helps you minimize security risks.

When Security Center detects events that may compromise account security, you can use RAM to check and manage RAM user permissions and policies. This helps you enhance account security.

Procedure
  1. In the left-side navigation pane, choose Operation > Settings. You are redirected to the Settings page.
  2. In the Access Control section, you can perform the following operations.
    • Click Manage next to Permission policy management to go to the RAM console. You can then manage policies under your Alibaba Cloud account. For more information, see Policy overview.
    • Click Manage next to User Management to go to the RAM console. You can then manage RAM users under your Alibaba Cloud account. For more information, see Overview of a RAM user.
    • Click Manage next to Role Management to go to the RAM console. You can then manage RAM roles under your Alibaba Cloud account. For more information, see RAM role overview.

Protection modes

To use Security Center to protect your servers, you must install the Security Center agent on your servers. For more information about the Security Center agent, see Security Center agent. For more information about how to install the Security Center agent, see Install the Security Center agent.

The Security Center agent may consume a small amount of resources on your servers. You can change protection modes to better allocate server resources. The Security Center agent supports the following protection modes:
  • Business First Mode: In this mode, memory and CPU consumption is minimized. The agent consumes less than 1% of CPU resources and less than 50 MB of memory.
  • Protection First Mode: In this mode, more memory and CPU resources are consumed to reinforce protection for servers. The agent consumes less than 10% of CPU resources and less than 80 MB of memory.
Note Both modes enforce an upper limit on resource consumption. Business First Mode: 50 MB of memory and 1% of CPU resources. Protection First Mode: 80 MB of memory and 10% of CPU resources. When the upper limit is exceeded, the Security Center agent is stopped. The agent restarts only after the amount of memory and CPU resources that it consumes drops below the upper limit.
Procedure
  1. In the left-side navigation pane, choose Operation > Settings. You are redirected to the Settings page.
  2. In the Protection Mode section, click Manage.
  3. In the Protection Mode dialog box that appears, select a protection mode for your servers.

    To change the protection mode of your servers to Protection First Mode, select the target servers from the Business First Mode list on the left side and click the right arrow to add them to the Protection First Mode list on the right side. To change the protection mode of your servers to Business First Mode, select the target servers from the Protection First Mode list on the right side and click the left arrow to add them to the Business First Mode list on the left side.

  4. Click OK to change the protection mode.