This topic describes how to configure the following features on the Settings page in the Security Center console: anti-virus, webshell detection, container threat detection, security control, access control (Resource Access Management), protection modes, and client protection.

The anti-virus feature

The anti-virus feature automatically quarantines common Internet viruses, such as ransomware, DDoS Trojans, mining programs, Trojans, malicious programs, webshells, and computer worms. Alibaba Cloud security experts test and verify every sample that is quarantined automatically to keep the false positive rate low. For more information, see Cloud threat detection.

If automatic quarantine is disabled, Security Center only generates alerts when viruses are detected. Therefore, you must manually manage detected viruses in the Security Center console. We recommend that you enable automatic quarantine to better safeguard your servers.
Note After automatic quarantine is enabled, it is automatically applied to newly purchased servers.
Procedure
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. On the Settings page, click Manage in the Anti-virus section.
  4. In the Configure Servers for Virus Detection dialog box that appears, select the servers for which you want to enable the anti-virus feature.

    Select servers from the Detection Disabled list on the left side of the tab and click the right arrow to move them to the Detection Enabled list on the right side. The anti-virus feature is enabled for the servers in the Detection Enabled list. To disable the anti-virus feature for a server, move the server from the Detection Enabled list to the Detection Disabled list.

  5. Click OK.
  6. In the Anti-Virus section, turn on the Virus Blocking switch to enable virus blocking. After virus blocking is enabled, Security Center automatically quarantines detected viruses. Quarantined viruses are listed on the Alerts page, where you can filter by the Precise Defense type to show only quarantined viruses.
    Note
    • Virus blocking is enabled by default. If you are using the Advanced or Enterprise edition of Security Center and virus blocking is disabled, we recommend that you enable virus blocking. Follow the instructions in the console or steps introduced in this procedure to enable virus blocking.
    • After virus blocking is enabled, false positives or quarantine failures may occur.
      • You can restore false positive files on the Quarantine page. For more information, see Quarantine.
      • On the Alerts page, you can manually quarantine files that Security Center fails to quarantine. For more information, see View and handle alert events.

Webshell detection

Webshell detection periodically scans servers and web page directories for webshells and Trojans.

Security Center can run webshell detection tasks and generate alerts only when webshell detection is enabled. For more information, see Alert events.

Procedure
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. On the Settings page, find the Webshell Detection section, and then click Manage.
  4. Select the servers for which you want to enable webshell detection.

    Select servers from the Detection Disabled list on the left side of the tab and click the right arrow to move them to the Detection Enabled list on the right side. Webshell detection is enabled for the servers in the Detection Enabled list. To disable webshell detection for a server, move the server from the Detection Enabled list to the Detection Disabled list.

  5. Click OK.
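To make concrete what a webshell scan of a web directory looks for, the following Python script is an added example and not the Security Center agent's detector. It walks a web root and flags script files that contain typical PHP webshell patterns: a code-execution sink fed directly by request parameters, eval() over a decoded payload, the preg_replace /e modifier, or a variable function called on request input. The rule set, the file extensions, and the sample web root it builds in a temporary directory are all constructed for this example; Security Center's own signatures are not public and are far broader.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Hypothetical signature set for this example (not Security Center's rules).
WEBSHELL_RULES: dict[str, re.Pattern[str]] = {
    # A code-execution sink that receives request input directly.
    "exec_sink_from_request": re.compile(
        r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)"
        r"\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b",
        re.IGNORECASE,
    ),
    # eval() over an obfuscation layer such as base64_decode().
    "eval_of_decoded_payload": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
        re.IGNORECASE,
    ),
    # preg_replace() with the /e modifier evaluates the replacement as PHP.
    "preg_replace_e_modifier": re.compile(
        r"\bpreg_replace\s*\(\s*['\"]/[^'\"]*/[a-z]*e[a-z]*['\"]",
        re.IGNORECASE,
    ),
    # $func($_POST[...]): attacker picks the function name elsewhere in the file.
    "variable_function_from_request": re.compile(
        r"\$\w+\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b",
        re.IGNORECASE,
    ),
}

# Extensions treated as server-side scripts; assumed for the example.
SCAN_EXTENSIONS = {".php", ".phtml", ".php5", ".jsp", ".jspx", ".asp", ".aspx"}


def scan_file(path: Path) -> list[str]:
    """Return the names of the rules that match the file's contents."""
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return []
    return sorted(name for name, rule in WEBSHELL_RULES.items() if rule.search(text))


def scan_web_root(root: Path) -> dict[str, list[str]]:
    """Walk a web root and map each suspicious script (relative path) to its hits."""
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_EXTENSIONS:
            hits = scan_file(path)
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_web_root() -> Path:
    """Constructed sample tree: one benign page, two shell-like files, one image."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "uploads").mkdir()
    (root / "images").mkdir()
    # Benign: request input is only echoed after escaping.
    (root / "index.php").write_text(
        "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>\n", encoding="utf-8")
    # Classic one-liner: request body goes straight into eval().
    (root / "uploads" / "cache.php").write_text(
        "<?php @eval($_POST['cmd']); ?>\n", encoding="utf-8")
    # Obfuscated variant: payload is base64-decoded before eval().
    (root / "images" / "thumb.php").write_text(
        '<?php eval(base64_decode($_REQUEST["p"])); ?>\n', encoding="utf-8")
    (root / "images" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_web_root()
    for rel_path, hits in scan_web_root(sample_root).items():
        print(f"{rel_path}: {', '.join(hits)}")
```

On the sample tree the script reports uploads/cache.php and images/thumb.php and leaves index.php alone. Run it from cron against the real document root if you want a second, independent opinion next to the periodic scan that Security Center performs; treat a hit as a lead to review, not proof of compromise.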

Container threat detection

The Enterprise edition of Security Center supports container threat detection. This feature checks the security status of running containers and detects security threats and attacks against the protected containers. For more information, see Detectable container threats.
Note No configuration is required to use the container threat detection feature if you are using the Enterprise edition. If you are using the Basic or Advanced edition, you must upgrade Security Center to the Enterprise edition before you can use the container threat detection feature.

The following list shows the types of threats that container threat detection can detect, grouped by type.

Suspicious network connections
  • External reverse shell connections
  • Suspicious external network connections
  • Suspected lateral movement within internal networks
Malicious processes
  • DDoS Trojans
  • Suspicious connections from mining machines
  • Suspicious programs
  • Suspicious tools initiating brute-force attacks on ports
  • Suspicious attack programs
  • Backdoor programs
  • Malicious vulnerability detection tools
  • Malicious programs
  • Mining programs
  • Trojans
  • Automatically mutating Trojans
  • Computer worms
Webshells
  • Webshell
Suspicious process activities
  • Suspicious command running in Apache CouchDB
  • Suspicious command running in FTP applications
  • Suspicious command running in Hadoop
  • Suspicious command running in Java applications
  • Suspicious command running in Jenkins
  • Suspicious account creation in Linux
  • Suspicious command running in Linux cron jobs
  • Suspicious command running in MySQL
  • Suspicious command running in Oracle
  • Suspicious command running in PostgreSQL applications
  • Suspicious command running in Python applications
  • Suspicious non-interactive, single-line SSH commands run against remote machines
  • Webshells running suspicious probe commands
  • Modification of the Remote Desktop Protocol (port 3389) settings in Windows
  • Suspicious running of download commands in Windows
  • Suspicious account creation in Windows
  • Malicious code injection in crontab jobs
  • Suspicious command queuing in Linux
  • Suspicious command running in Linux
  • Dynamic script injection
  • Reverse shells
  • Reverse shell commands
  • Potential information leakage through HTTP tunnels
  • Suspicious SSH port forwarding through SSH tunneling
  • Suspicious webshell injection
  • Containers starting in privileged mode
  • Suspicious processes listening on ports
  • Malicious containers starting
  • Remote API debugging in Docker that may pose security risks
  • Suspicious commands
  • Privilege escalation in containers or container escapes
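Several rows in the list above (containers starting in privileged mode, remote API debugging in Docker, privilege escalation or container escapes) correspond to concrete host and container settings that you can audit yourself. The following Python check is an added example, not Security Center code. It reads abbreviated `docker inspect` output and a dockerd `daemon.json`, both constructed inline; the field names (HostConfig.Privileged, PidMode, CapAdd, Binds, hosts, tls, tlsverify) are Docker's real ones, but the set of capabilities and host paths treated as escape enablers is this example's own choice.

```python
import json

# Constructed sample: abbreviated `docker inspect` output for two containers.
# IDs, names and images are made up for this example.
SAMPLE_CONTAINERS = json.loads("""
[
  {"Id": "c1", "Name": "/web",
   "HostConfig": {"Privileged": false, "PidMode": "", "CapAdd": null, "Binds": null},
   "Config": {"Image": "nginx:1.25"}},
  {"Id": "c2", "Name": "/debug-shell",
   "HostConfig": {"Privileged": true, "PidMode": "host", "CapAdd": ["SYS_ADMIN"],
                  "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
   "Config": {"Image": "busybox"}}
]
""")

# Constructed sample daemon.json: the remote API is exposed on every interface
# over plain TCP, which hands root on the host to anyone who can reach port 2375.
SAMPLE_DAEMON_JSON = json.loads("""
{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"], "tls": false}
""")

# Capabilities and host paths this example treats as escape enablers (its own list).
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}
DANGEROUS_MOUNTS = {"/", "/var/run/docker.sock", "/proc", "/sys"}


def audit_container(container: dict) -> list[str]:
    """Flag settings matching the 'privileged mode' and 'escape' rows above."""
    host_cfg = container.get("HostConfig") or {}
    findings = []
    if host_cfg.get("Privileged"):
        findings.append("privileged mode")
    if host_cfg.get("PidMode") == "host":
        findings.append("shares host PID namespace")
    for cap in host_cfg.get("CapAdd") or []:
        name = cap.upper()
        name = name[4:] if name.startswith("CAP_") else name
        if name in DANGEROUS_CAPS:
            findings.append(f"dangerous capability {cap}")
    for bind in host_cfg.get("Binds") or []:
        source = bind.split(":", 1)[0]
        if source in DANGEROUS_MOUNTS:
            findings.append(f"host path mounted: {source}")
    return findings


def audit_daemon(daemon_cfg: dict) -> list[str]:
    """Flag a Docker remote API reachable over TCP without TLS."""
    tls_on = bool(daemon_cfg.get("tlsverify") or daemon_cfg.get("tls"))
    findings = []
    for host in daemon_cfg.get("hosts") or []:
        if host.startswith("tcp://") and not tls_on:
            findings.append(f"remote API on {host} without TLS")
    return findings


def audit(containers: list, daemon_cfg: dict) -> dict:
    """Return {name: findings} for dockerd and for every container with a finding."""
    report = {}
    daemon_findings = audit_daemon(daemon_cfg)
    if daemon_findings:
        report["dockerd"] = daemon_findings
    for container in containers:
        findings = audit_container(container)
        if findings:
            report[container["Name"].lstrip("/")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONTAINERS, SAMPLE_DAEMON_JSON).items():
        print(f"{name}: {'; '.join(findings)}")
```

Against real hosts, feed it the output of `docker inspect $(docker ps -q)` and `/etc/docker/daemon.json`. A container that legitimately needs one of these settings should be an explicit, documented exception; everything else the audit reports is exactly the kind of condition that the detections listed above alert on.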

Security control

Security control allows you to configure an IP whitelist. Requests from IP addresses in the whitelist are forwarded directly to the target servers, so legitimate traffic from those addresses is never blocked.

If Security Center identifies a legitimate IP address as malicious and blocks its requests, your services may be affected. To avoid such false positives, add trusted IP addresses to the whitelist. Security Center neither generates alerts for IP addresses in the whitelist nor blocks requests from them.

Note Because whitelisted addresses are exempt from both alerting and blocking, an attacker who gains control of a host at a whitelisted address is not detected or blocked by this mechanism. Add only trusted IP addresses, and keep each entry as narrow as possible.
Procedure
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. On the Settings page, find the Security Control section, and then click Configuration to go to the Security Control console.
  4. In the left-side navigation pane, choose Whitelist > Access Whitelist to add IP addresses to the whitelist. For more information, see Configure the access whitelist.
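Because a whitelist entry exempts an address from both alerting and blocking, it is worth sanity-checking a candidate list before you paste it into the Access Whitelist page. The following Python helper is an added example and not part of Security Center: it rejects malformed entries, catch-all and overly broad CIDR blocks (the /24 and /64 limits are an assumed policy), loopback, multicast and unspecified ranges, and entries already covered by an earlier block. The sample entries are constructed.

```python
import ipaddress

# Assumed policy for this example: no whitelist entry may be broader than
# /24 for IPv4 or /64 for IPv6. Tighten to taste.
MIN_PREFIXLEN = {4: 24, 6: 64}

# Constructed candidate list mixing sound entries with common mistakes.
SAMPLE_ENTRIES = [
    "203.0.113.0/24",    # office egress range: fine
    "203.0.113.10",      # redundant, already inside the /24
    "198.51.100.5",      # single trusted host: fine
    "0.0.0.0/0",         # would exempt the entire Internet
    "10.0.0.0/8",        # far too broad
    "300.1.1.1",         # not an address
    "2001:db8::/32",     # too broad for IPv6
    "2001:db8:1::/64",   # fine
    "127.0.0.1",         # meaningless as a remote source
]


def audit_whitelist(entries):
    """Split candidates into accepted networks and (entry, reason) rejections."""
    accepted = []
    rejected = []
    for raw in entries:
        text = raw.strip()
        try:
            # strict=False lets "203.0.113.10" parse as a /32 host network.
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            rejected.append((text, "not an IP address or CIDR block"))
            continue
        if net.prefixlen == 0:
            rejected.append((text, "matches every address; would disable blocking entirely"))
            continue
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            rejected.append((text, f"broader than /{MIN_PREFIXLEN[net.version]}"))
            continue
        if net.is_loopback or net.is_multicast or net.is_unspecified:
            rejected.append((text, "loopback, multicast or unspecified range"))
            continue
        # A block that is equal to, or nested inside, an accepted one adds nothing.
        parent = next(
            (a for a in accepted if a.version == net.version and net.subnet_of(a)),
            None,
        )
        if parent is not None:
            rejected.append((text, f"already covered by {parent}"))
            continue
        accepted.append(net)
    return {"accepted": [str(n) for n in accepted], "rejected": rejected}


if __name__ == "__main__":
    result = audit_whitelist(SAMPLE_ENTRIES)
    print("accepted:", ", ".join(result["accepted"]))
    for entry, reason in result["rejected"]:
        print(f"rejected {entry}: {reason}")
```

Only the accepted list should go into the console. The ordering matters: list the broad-but-acceptable block first so that later host entries inside it are reported as redundant rather than silently duplicated.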

Resource Access Management

Resource Access Management (RAM) allows you to create and manage RAM users that represent individuals, systems, or applications. You can manage RAM user permissions to control access to Alibaba Cloud resources. RAM is intended for scenarios where multiple users in an enterprise collaboratively manage cloud resources. RAM allows you to grant each RAM user only the minimum permissions it needs, so you do not have to share your Alibaba Cloud account and password. This minimizes security risks.

When Security Center detects events that may compromise account security, you can use RAM to check and manage the RAM user permissions and policies under your Alibaba Cloud account. This helps you enhance account security.

Procedure
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. On the Settings page, find the Access Control section. In this section, you can perform the following actions:
    • Click Manage next to Permission policy management to go to the RAM console, where you can manage all permission policies under your Alibaba Cloud account. For more information, see Policy overview.
    • Click Manage next to User Management to go to the RAM console, where you can manage the RAM users under your Alibaba Cloud account. For more information, see Overview of a RAM user.
    • Click Manage next to Role Management to go to the RAM console, where you can manage the RAM roles under your Alibaba Cloud account. For more information, see RAM role overview.

Manage protection modes

To use Security Center, you must install the Security Center agent on your servers. For more information about the Security Center agent, see Security Center agent. For more information about how to install the Security Center agent, see Install the Security Center agent.

The Security Center agent consumes a small amount of resources on your servers while it runs. You can change the protection mode of the Security Center agent to limit the amount of resources that the agent may consume. The following protection modes are supported. The memory and CPU values are the maximum amounts that the agent can consume in each mode.

Basic Protection Mode
  • Maximum memory utilization: 200 MB
  • Maximum CPU utilization rate: 10% of each core
  • Supported editions: Basic, Advanced, and Enterprise
  • Scenarios: This mode is suitable for all service scenarios. It consumes a small amount of resources and does not affect your workloads.
Note By default, the basic protection mode is enabled to protect newly purchased Elastic Compute Service (ECS) instances.
High-security Prevention Mode
  • Maximum memory utilization: 300 MB
  • Maximum CPU utilization rate: 30% of each core
  • Supported editions: Advanced and Enterprise
  • Scenarios: This mode is suitable for scenarios where important workloads need to be protected. It identifies more types of potential attacks and threats based on the big data analysis engine, machine learning engine, and deep learning engine.
Safeguard Mode For Major Activities
  • Maximum memory utilization: 500 MB
  • Maximum CPU utilization rate: 60% overall
  • Supported edition: Enterprise
  • Scenarios: This mode is suitable for major events. It enables all protection rules and security engines, and increases the capability to detect potential threats based on intelligent rules. Potential attacks and threats trigger alerts.
Note If the resources consumed by the Security Center agent reach the upper limit of the selected mode, the agent stops running. It restarts automatically after resource consumption drops below the upper limit. The upper limits are the maximum memory and CPU values listed for each mode above.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. On the Settings page, find the Protection Mode section, and then click Manage under High-security Prevention Mode or Safeguard Mode For Major Activities.
  4. On the High-security Prevention Mode or Safeguard Mode For Major Activities page, select the servers for which you want to enable that mode.
    Note A server runs in only one protection mode at a time. For example, if the Security Center agent on a server uses the High-security Prevention Mode and you select that server for Safeguard Mode For Major Activities, the agent switches to Safeguard Mode For Major Activities.
  5. Click OK.
  6. Optional. In the Safeguard Mode For Major Activities section, select a percentage from the CPU Threshold drop-down list to set the maximum CPU utilization rate.

    The Safeguard Mode For Major Activities allows you to set the maximum CPU utilization rate that the agent may use. A higher threshold leaves the agent more CPU time for its detection engines. Supported percentages: 5% to 60%. The default percentage is 5%.

    Note In the Safeguard Mode For Major Activities, more types of threats can be detected, and more alerts are triggered. Therefore, the false positive rate may increase. We recommend that you pay close attention to alerts and manage them at the earliest opportunity.

Client protection

After client protection is enabled, Security Center protects the process files in the installation directory of the Security Center agent by default. This prevents attackers who have compromised a server from uninstalling the Security Center agent, and prevents other processes from terminating the agent by mistake. If the Security Center agent is uninstalled or terminated, Security Center can no longer protect the server. We recommend that you enable client protection.
Note To ensure the security of your servers, you can uninstall the Security Center agent only in the Security Center console. You cannot uninstall the Security Center agent on the servers themselves. For more information about how to uninstall the Security Center agent, see Uninstall the agent in the console.

Only the Advanced and Enterprise editions of Security Center support client protection. Users of the Basic edition must upgrade Security Center to the Advanced or Enterprise edition to use client protection.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. On the Settings page, find the Client Protection section and turn on the Defense Mode switch.

    After the switch is turned on in the Client Protection section, the servers where the Security Center agent is installed automatically enable client protection.

  4. Click Manage next to Protection Scope.
  5. Select the servers for which you want to enable or disable client protection and click OK.

    Client protection is enabled for the servers in the Protected list. Client protection is disabled for the servers in the Unprotected list.