Proactive defense automatically intercepts common viruses, malicious network connections, and webshell connections. It also allows you to use bait to capture ransomware. This topic describes how to configure the features of proactive defense.

Description

The following table describes the features of proactive defense.
| Feature | Supported version | Description |
| --- | --- | --- |
| Virus Blocking | Security Center Anti-virus, Advanced, Enterprise, and Ultimate | The virus blocking feature automatically quarantines common network viruses, such as ransomware, DDoS trojans, mining programs, trojans, malicious programs, webshells, and computer worms. Alibaba Cloud security experts test and verify all of the automatically quarantined viruses to minimize false positive rates. Notes: (1) After you purchase Security Center Anti-virus or higher, Security Center automatically enables the virus blocking feature for all your servers. (2) A computer virus is a type of malicious program that can write malicious code into normal program files for execution. This causes a large number of normal programs to be infected and detected as virus hosts. Computer viruses jeopardize system processes. If system processes are unexpectedly terminated, system stability is at risk. Security Center does not automatically quarantine computer viruses. You must handle them manually. |
| Anti-ransomware (Bait Capture) | Security Center Advanced, Enterprise, and Ultimate | The anti-ransomware feature uses bait to capture new types of ransomware, analyzes the ransomware, and initiates defense against it. The bait files that Security Center configures for your servers are used only to capture new types of ransomware and do not interrupt your services. On the Alerts page, you can set the alert type to Precision defense to view quarantined ransomware. Note: Before you turn on Anti-ransomware (Bait Capture), you must purchase and enable the anti-ransomware feature. For more information, see Enable the anti-ransomware feature. |
| Webshell Protection | Security Center Enterprise and Ultimate | After you enable this feature, Security Center automatically intercepts suspicious connections initiated by known webshells and quarantines the related files. On the Alerts page, you can view the related alerts and quarantined files. For more information, see View and handle alert events and Use the quarantine feature. Note: After you purchase the Enterprise or Ultimate edition of Security Center, Security Center automatically enables the webshell protection feature for all your servers. |
| Behavior prevention | Security Center Enterprise and Ultimate | After you enable this feature, Security Center intercepts abnormal network behavior between your servers and disclosed malicious access sources. This reinforces the security of your servers. |
| Active defense experience optimization | Security Center Enterprise and Ultimate | After you enable this feature, Security Center collects kdump data of servers for protection analysis when your server unexpectedly shuts down or the defense capability is unavailable. This enhances the protection capability of Security Center on an ongoing basis. |
Note
  • After you enable Virus Blocking, Anti-ransomware (Bait Capture), Webshell Protection, or Behavior prevention, Security Center automatically enables cloud threat detection. Security Center also automatically enables the feature and cloud threat detection for newly purchased servers. Cloud threat detection automatically quarantines common network viruses. For more information, see Cloud threat detection.
  • If all the features in the Proactive Defense section are disabled, Security Center only sends alerts to you when viruses are detected. You must log on to the Security Center console and manually handle the alerts. We recommend that you enable all the features in the Proactive Defense section to reinforce the security of servers. For more information, see View and handle alert events.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. In the Proactive Defense section of the General tab, turn on Virus Blocking, Anti-ransomware (Bait Capture), Webshell Protection, or Behavior prevention.
    After you turn on the switches, Security Center protects your servers against viruses, ransomware, webshell connections, and access from malicious sources. We recommend that you turn on these switches.
  4. Click Manage for Virus Blocking, Anti-ransomware (Bait Capture), Webshell Protection, or Behavior prevention to configure the scope of detection.
    After you turn on the switch for a feature, Security Center automatically quarantines viruses and intercepts malicious behavior for the servers within the scope of detection.
  5. In the Proactive Defense-Anti-Virus, Proactive Defense-Anti-ransomware (Bait Capture), Proactive Defense-Webshell Protection, or Proactive Defense-Behavior prevention dialog box, specify the servers for which you want to enable the feature.
    Select servers from the Detection Disabled section and click the rightwards arrow icon to move the servers to the Detection Enabled section. The selected feature is enabled for the servers in the Detection Enabled section. To disable a feature for a server, move the server from the Detection Enabled section to the Detection Disabled section.
    Notice The Anti-ransomware (Bait Capture) feature is available only for servers that run Windows operating systems. To use the anti-ransomware (bait capture) feature, your operating system must be Windows Server 2003 or later.
  6. Click OK.
    After you turn on Virus Blocking, Anti-ransomware (Bait Capture), Webshell Protection, and Behavior prevention in the Proactive Defense section, Security Center automatically quarantines the detected common viruses and intercepts the abnormal connections.
  7. On the Alerts page, filter alerts by Handled and set the alert type to Precise defense to view the viruses quarantined by proactive defense.
    Note False positives or false negatives may occur after you enable the virus blocking, anti-ransomware (bait capture), and webshell protection features.
    • If some files are quarantined due to false positives, you can restore the quarantined files in the Quarantine panel. For more information, see Quarantine.
    • You can manually quarantine files that Security Center fails to quarantine on the Alerts page. For more information, see View and handle alert events.
  8. Optional: Select Active defense experience optimization.
    After you select Active defense experience optimization, Security Center collects server data that reflects the security of the server in the case of exceptions. We recommend that you select Active defense experience optimization to reinforce the security of your servers.