This topic describes how to configure the following features on the Settings page in the Security Center console: virus detection, webshell detection, threat detection for Kubernetes containers, security control, access control, protection modes, and client protection.

The anti-virus feature

The anti-virus feature can automatically quarantine common Internet viruses, such as ransomware, DDoS Trojans, mining programs, Trojans, malicious programs, webshells, and computer worms. Alibaba Cloud security specialists test and verify all automatically quarantined viruses to keep the false positive rate to a minimum. For more information, see Cloud threat detection.

If automatic quarantine is disabled, Security Center only generates alerts when viruses are detected. Therefore, you must manually manage the detected viruses in the Security Center console. We recommend that you enable automatic quarantine to better protect your servers.
Note After automatic quarantine is enabled, it is automatically applied to newly purchased servers.
Procedure
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. On the Settings page, click Manage in the Anti-virus section.
  4. In the Configure Servers for Virus Detection dialog box, select the servers for which you want to enable the anti-virus feature.

    Select servers from the Detection Disabled list on the left side of the tab and click the right arrow to move them to the Detection Enabled list on the right side. The anti-virus feature is enabled for the servers in the Detection Enabled list. To disable the anti-virus feature for a server, move the server from the Detection Enabled list to the Detection Disabled list.

  5. Click OK.
  6. In the Anti-virus section, turn on the Virus Blocking switch to enable virus blocking. After virus blocking is enabled, Security Center automatically quarantines detected viruses. Quarantined viruses are listed on the Alerts page. You can select the Precise Defense type to filter quarantined viruses.
    Note
    • By default, virus blocking is enabled for users who have newly activated Security Center. If you use the Basic Anti-Virus, Advanced, or Enterprise edition of Security Center and virus blocking is disabled, we recommend that you enable it by following the instructions in the console or the steps in this procedure.
    • After virus blocking is enabled, false positives or quarantine failures may occur.
      • You can restore false positive files on the Quarantine page. For more information, see Quarantine.
      • On the Alerts page, you can manually quarantine files that Security Center fails to quarantine. For more information, see View and handle alert events.

Webshell detection

Webshell detection periodically scans servers and web page directories for webshells and Trojans.

Security Center can run webshell detection tasks and generate alerts only when webshell detection is enabled. For more information, see Security events.

Procedure
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. On the Settings page, find the Webshell Detection section, and then click Manage.
  4. Select the servers for which you want to enable webshell detection.

    Select servers from the Detection Disabled list on the left side of the tab and click the right arrow to move them to the Detection Enabled list on the right side. Webshell detection is enabled for the servers in the Detection Enabled list. To disable webshell detection for a server, move the server from the Detection Enabled list to the Detection Disabled list.

  5. Click OK.

Threat detection for Kubernetes containers

The Enterprise edition of Security Center supports container threat detection. This feature checks the security status of running containers, and detects security threats and attacks against the protected containers. For more information, see Detectable container threats.
Note No configuration is required to use the container threat detection feature if you are using the Enterprise edition. If you are using the Basic, Basic Anti-Virus, or Advanced edition, you must upgrade Security Center to the Enterprise edition before you can use the container threat detection feature.

Security Center provides threat detection for Kubernetes containers. We recommend that you turn on the K8s Threat Detection switch on the Settings page. After you turn on the switch, Security Center can detect security threats in your Kubernetes container clusters. You can handle relevant alerts on the Alerts page. For more information, see View and handle alert events.

Manage settings of container threat detection
The Enterprise edition of Security Center can detect threats in Kubernetes containers and check the security status of running containers. The following list shows the types of threats that can be detected and the check items of each type.

Type: Suspicious network connections
  • External reverse shell connections
  • Suspicious external network connections
  • Suspicious lateral movements of internal networks

Type: Malicious processes
  • DDoS Trojans
  • Suspicious connections from mining machines
  • Suspicious programs
  • Suspicious tools initiating brute-force attacks on ports
  • Suspicious attack programs
  • Backdoor programs
  • Malicious vulnerability detection tools
  • Malicious programs
  • Mining programs
  • Trojans
  • Self-mutating Trojans
  • Computer worms

Type: Webshells
  • Webshell

Type: Suspicious processes
  • Suspicious command running in Apache CouchDB
  • Suspicious command running in FTP applications
  • Suspicious command running in Hadoop
  • Suspicious command running in Java applications
  • Suspicious command running in Jenkins
  • Suspicious account creation in Linux
  • Suspicious command running in Linux cron jobs
  • Suspicious command running in MySQL
  • Suspicious command running in Oracle
  • Suspicious command running in PostgreSQL applications
  • Suspicious command running in Python applications
  • Suspicious running of non-interactive SSH commands that contain only one line that targets remote machines
  • Webshells running suspicious probe commands
  • Modification of remote desktop protocol settings of port 3389 in Windows
  • Suspicious running of download commands in Windows
  • Suspicious account creation in Windows
  • Malicious code injection in crontab jobs
  • Suspicious command queuing in Linux
  • Suspicious command running in Linux
  • Dynamic script injection
  • Reverse shells
  • Reverse shell commands
  • Potential information leakage in HTTP tunnels
  • Suspicious SSH port forwarding through SSH tunneling
  • Suspicious webshell injection
  • Containers starting in the privileged mode
  • Suspicious processes monitoring ports
  • Malicious containers starting
  • Remote API debugging in Docker that may pose security risks
  • Suspicious commands

Type: Privilege escalation in containers or container escapes
  • Malicious containers starting
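The check items above are Security Center's. The following Python script is an added example, not Security Center's own detection logic, that implements two of them locally so you can see what such a check looks at: containers started in privileged mode (together with related escape-prone host settings) and a Docker remote API exposed over TCP without TLS verification. The `docker inspect` output and daemon.json below are constructed samples, not captures from a real host.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of `docker inspect` output (not captured from
# a real host), trimmed to the HostConfig fields the checks below look at.
SAMPLE_INSPECT = json.dumps([
    {"Id": "c1", "Name": "/web",
     "HostConfig": {"Privileged": False, "CapAdd": None, "PidMode": "",
                    "Binds": ["/srv/www:/var/www:ro"]}},
    {"Id": "c2", "Name": "/debug",
     "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"], "PidMode": "host",
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
])

# Constructed daemon.json: the remote API is bound on TCP with no TLS verification.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "tlsverify": False,
})


def check_containers(inspect_json: str) -> List[Dict[str, str]]:
    """Flag containers whose HostConfig allows privileged mode or escape paths."""
    findings = []
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        name = c.get("Name", c.get("Id", "?")).lstrip("/")
        if hc.get("Privileged"):
            findings.append({"container": name, "check": "privileged_mode"})
        if "SYS_ADMIN" in (hc.get("CapAdd") or []):
            findings.append({"container": name, "check": "cap_sys_admin"})
        if hc.get("PidMode") == "host":
            findings.append({"container": name, "check": "host_pid_namespace"})
        for bind in hc.get("Binds") or []:
            # Mounting the Docker socket or the host root filesystem lets a
            # process inside the container control the host.
            if bind.split(":")[0] in ("/var/run/docker.sock", "/"):
                findings.append({"container": name, "check": "host_control_mount"})
    return findings


def check_daemon(daemon_json: str) -> List[str]:
    """Flag a Docker remote API reachable over TCP without TLS client verification."""
    cfg = json.loads(daemon_json)
    return [f"remote_api_without_tlsverify:{h}" for h in cfg.get("hosts", [])
            if h.startswith("tcp://") and not cfg.get("tlsverify")]


if __name__ == "__main__":
    for f in check_containers(SAMPLE_INSPECT) + check_daemon(SAMPLE_DAEMON_JSON):
        print(f)
```

On a real host, feed the script the output of `docker inspect $(docker ps -q)` and the contents of /etc/docker/daemon.json instead of the samples.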

Security control

Security control allows you to configure the IP whitelist. Requests initiated from IP addresses in the whitelist are directly forwarded to the destination servers. This prevents normal network traffic from being blocked.

If Security Center identifies a normal IP address as malicious and blocks its requests, your service systems may be affected. To avoid false positives, add trusted IP addresses to the whitelist. Security Center no longer generates alerts on IP addresses that are in the whitelist or blocks requests from the IP addresses.

Note After an IP address is added to the whitelist, requests from the IP address are directly forwarded to the destination servers. We recommend that you add only trusted IP addresses to the whitelist.
Procedure
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. On the Settings page, find the Security Control section, and then click Configuration to go to the Security Control console.
  4. In the left-side navigation pane, choose Whitelist > Access Whitelist to add IP addresses to the whitelist. For more information, see Configure the access whitelist.

Access control

Resource Access Management (RAM) allows you to create and manage RAM users, such as individuals, systems, and applications. You can manage RAM user permissions to control access to Alibaba Cloud resources. RAM is applied to scenarios where multiple users in an enterprise need to collaboratively manage cloud resources. RAM allows you to grant RAM users the minimum permissions. This way, you do not need to share your Alibaba Cloud AccessKey pair. This minimizes security risks.

When Security Center detects events that may compromise account security, you can use RAM to check and manage RAM user permissions and policies under your Alibaba Cloud account. This enhances the security of your account.

Procedure
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. On the Settings page, find the Access Control section. In this section, you can perform the following actions:
    • You can click Manage next to Permission policy management to go to the RAM console. You can then manage all the permission policies under your Alibaba Cloud account. For more information, see Policy overview.
    • You can click Manage next to User Management to go to the RAM console. On the page that appears, you can manage RAM users under your Alibaba Cloud account. For more information, see Overview of a RAM user.
    • You can click Manage next to Role Management to go to the RAM console. On the page that appears, you can manage RAM roles under your Alibaba Cloud account. For more information, see RAM role overview.

Manage protection modes

To use Security Center, you must install the Security Center agent on your servers. For more information about the Security Center agent, see Security Center agent. For more information about how to install the Security Center agent, see Install the Security Center agent.

The Security Center agent may consume a small amount of resources on your servers when it is running. You can modify the protection mode of the Security Center agent to limit the amount of resources that can be consumed by the Security Center agent. The following table describes protection modes supported by the Security Center agent.
Protection mode: Basic Protection Mode
  • Maximum memory utilization: 200 MB
  • Maximum CPU utilization rate: 10% of each core
  • Supported editions: Basic, Basic Anti-Virus, Advanced, and Enterprise
  • Scenario: This mode is suitable for all service scenarios. It consumes a small amount of resources and does not affect your workloads.
  Note By default, the basic protection mode is enabled to protect newly purchased Elastic Compute Service (ECS) instances.

Protection mode: High-security Prevention Mode
  • Maximum memory utilization: 300 MB
  • Maximum CPU utilization rate: 30% of each core
  • Supported editions: Basic Anti-Virus, Advanced, and Enterprise
  • Scenario: This mode is suitable for scenarios where important workloads need to be protected. It identifies more types of potential attacks and threats based on the big data analysis engine, machine learning engine, and deep learning engine.

Protection mode: Safeguard Mode For Major Activities
  • Maximum memory utilization: 500 MB
  • Maximum CPU utilization rate: 60% overall
  • Supported edition: Enterprise
  • Scenario: This mode is suitable for major events. It enables all the protection rules and security engines, and increases the capability to detect potential threats based on intelligent rules. Potential attacks and threats trigger alerts.

Note If the consumed resources reach the upper limit of the mode that you selected, the Security Center agent stops running. It automatically restarts after the consumed resources drop below the upper limit. The maximum amount of resources that the Security Center agent can consume in each mode is listed in the preceding table.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. On the Settings page, find the Protection Mode section and click Manage under High-security Prevention Mode or Safeguard Mode For Major Activities.
  4. On the High-security Prevention Mode or Safeguard Mode For Major Activities page, select the servers on which you want to enable that mode.
    Note Each server can use only one of High-security Prevention Mode and Safeguard Mode For Major Activities at a time. For example, if the Security Center agent on a server uses High-security Prevention Mode and you change the mode to Safeguard Mode For Major Activities, the agent switches to Safeguard Mode For Major Activities.
  5. Click OK.
  6. Optional. In the Safeguard Mode For Major Activities section, select a percentage from the CPU Threshold drop-down list to set the maximum CPU utilization rate.

    The Safeguard Mode For Major Activities allows you to set the maximum CPU utilization rate. A higher threshold supports more precise protection. Supported percentages: 5% to 60%. The default percentage is 5%.

    Note In Safeguard Mode For Major Activities, more types of threats can be detected, and more alerts are triggered. Therefore, the false positive rate may increase. We recommend that you pay attention to alerts and manage them at the earliest opportunity.

Client protection

After client protection is enabled, Security Center protects the process files in the installation directory of the Security Center agent and blocks malicious attempts to uninstall the agent. This prevents attackers who intrude into a server from uninstalling the Security Center agent, and prevents other processes from mistakenly terminating it. If the Security Center agent is uninstalled or terminated, Security Center can no longer protect your servers. We recommend that you enable client protection.
Note To ensure the security of your servers, you cannot uninstall the Security Center agent in the Security Center console after you enable client protection. You must disable client protection before you can uninstall the Security Center agent. For more information about how to uninstall the Security Center agent, see Uninstall the Security Center agent.

Only the Basic Anti-Virus, Advanced, and Enterprise editions of Security Center support client protection. To enable client protection, users of the Basic edition must upgrade Security Center to the Basic Anti-Virus, Advanced, or Enterprise edition.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. On the Settings page, find the Client Protection section and turn on the Defense Mode switch.

    After you turn on the switch, client protection is enabled for the servers that are in Protection Scope and have the Security Center agent installed.

  4. Click Manage next to Protection Scope.
  5. Select the servers for which you want to enable or disable client protection and click OK.

    Client protection is enabled for the servers in the Protected list. Client protection is disabled for the servers in the Unprotected list.

    Note After you enable Client Protection for your servers, the operation takes effect immediately. After you disable Client Protection for your servers, the operation takes effect in five minutes.