Security Center: Enable features on the Host Protection Settings tab

Last Updated: Nov 07, 2023

Security Center provides host protection features such as Malicious Behavior Defense, anti-ransomware, and webshell protection that you can enable to protect your servers. This topic describes the features that you can enable on the Host Protection Settings tab and how to enable them.

Proactive Defense

Overview

Proactive defense automatically intercepts common viruses, malicious network connections, and webshell connections, and can plant bait (decoy) files to capture ransomware. The following sections describe each feature, the editions that support it, and what it does.

Malicious Behavior Defense

Supported editions: Anti-virus, Advanced, Enterprise, and Ultimate

Malicious Behavior Defense automatically detects and removes common malware, such as ransomware, DDoS trojans, mining programs, trojans, other malicious programs, webshells, and worms.

After you purchase Security Center Anti-virus or higher, Security Center automatically enables the Malicious Behavior Defense feature for all your servers.

Feature differences among Security Center editions

  • Security Center Anti-virus automatically blocks common malware, such as trojans and mining programs.

  • Security Center Advanced, Enterprise, and Ultimate provide more comprehensive defense: they intercept common attack techniques from the ATT&CK framework, block large-scale intrusions against common services and applications, stop the encryption behavior of common ransomware, and support custom rules for host protection. For more information about custom defense rules, see Malicious behavior defense.

Note

A file-infecting computer virus is a type of malicious program that writes its code into legitimate program files so that it runs whenever those programs run. As a result, many legitimate programs become infected and are detected as virus hosts, and some of them may belong to system processes. Automatically quarantining such files could terminate system processes and destabilize the system, so Security Center does not automatically quarantine computer viruses. You must review and handle the viruses manually.

Anti-ransomware (Bait Capture)

Supported editions: Advanced, Enterprise, and Ultimate

This feature plants bait (decoy) files on your servers. Ransomware that encrypts or tampers with a bait file is captured, and its behavior pattern is analyzed so that your servers are protected against new ransomware families.

The bait files that Security Center places on your servers are used only to capture ransomware and do not interrupt your services. To view captured and quarantined ransomware, click Precision defense below Alert Type on the Alerts page.
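How bait capture works, as an added Python example that is not Security Center's code: plant decoy files that no legitimate process should ever touch, record their hashes, and treat any modification, rename, or deletion of a decoy as a ransomware signal, using byte entropy to distinguish encryption from an ordinary edit. The decoy names and contents, the entropy threshold, and the simulated attacker are all this example's own constructions.

```python
import hashlib
import math
import tempfile
from pathlib import Path

# Assumption: decoy names and contents are this example's own choices. Real
# bait files are placed where ransomware enumerates first (user and share
# directories), with names that sort early and look valuable.
BAIT_FILES = {
    "~$Q3-financials.xlsx": b"Q3 revenue by region; see attached sheet.\n" * 100,
    "passwords_backup.txt": b"service=vpn user=admin pass=REDACTED\n" * 100,
    "family_photos_index.txt": b"IMG_0001.jpg 2021-06-01 beach\n" * 120,
}
ENTROPY_ALERT = 7.0  # bits per byte; ciphertext approaches 8.0, plain text sits around 4-5


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Byte entropy in bits per byte; high values suggest encryption or compression."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def plant_baits(root: Path) -> dict:
    """Write the decoy files and return the baseline {name: sha256}."""
    baseline = {}
    for name, content in BAIT_FILES.items():
        (root / name).write_bytes(content)
        baseline[name] = sha256(content)
    return baseline


def check_baits(root: Path, baseline: dict) -> list:
    """Any deviation from the baseline is a finding: nothing legitimate should
    read-modify-write, rename, or delete a decoy."""
    findings = []
    for name, expected in baseline.items():
        path = root / name
        if not path.exists():
            # Ransomware commonly renames victims: report.xlsx -> report.xlsx.locked
            renamed = sorted(p.name for p in root.iterdir()
                             if p.name.startswith(name) and p.name != name)
            findings.append({"file": name,
                             "reason": "renamed" if renamed else "deleted",
                             "new_names": renamed})
            continue
        data = path.read_bytes()
        if sha256(data) != expected:
            entropy = shannon_entropy(data)
            findings.append({"file": name, "reason": "modified",
                             "entropy": round(entropy, 2),
                             "looks_encrypted": entropy >= ENTROPY_ALERT})
    return findings


def simulate_ransomware(root: Path, suffix: str = "") -> None:
    """Constructed attacker behaviour for the demo, not real malware: XOR every
    file with a deterministic keystream and optionally append a suffix."""
    key = b"demo-key"
    for path in list(root.iterdir()):
        data = path.read_bytes()
        stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                          for i in range(len(data) // 32 + 1))
        path.write_bytes(bytes(a ^ b for a, b in zip(data, stream)))
        if suffix:
            path.rename(path.with_name(path.name + suffix))


def run_demo() -> dict:
    """Plant decoys, confirm they are clean, then run two attack styles."""
    results = {}
    for scenario, suffix in (("encrypt_in_place", ""), ("encrypt_and_rename", ".locked")):
        with tempfile.TemporaryDirectory() as tmp:
            root = Path(tmp)
            baseline = plant_baits(root)
            assert check_baits(root, baseline) == []  # clean state: no findings
            simulate_ransomware(root, suffix)
            results[scenario] = check_baits(root, baseline)
    return results


if __name__ == "__main__":
    for scenario, findings in run_demo().items():
        print(scenario)
        for finding in findings:
            print("  ", finding)
```

In a deployment, check_baits would run from a file-change notification rather than on a timer, and the response to a finding is to suspend the writing process before it reaches real data; the entropy score is what separates "someone edited a decoy" from "something is encrypting the disk".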

Webshell Protection

Supported editions: Enterprise and Ultimate

After you enable this feature, Security Center automatically intercepts suspicious connections initiated by known webshells and quarantines the related files. You can view the related alerts and quarantined files on the Alerts page. For more information, see View and handle alert events and Quarantine.

Note

After you purchase Security Center Enterprise or Ultimate, Security Center automatically enables the Webshell Protection feature for all your servers.

Behavior prevention

Supported editions: Enterprise and Ultimate

After you enable this feature, Security Center intercepts abnormal network connections between your servers and known malicious access sources (addresses that have been publicly disclosed as malicious), in either direction. This reinforces the security of your servers.
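What "intercepting connections to known malicious sources" amounts to, shown as an added Python example that is not Security Center's implementation: connection records are parsed, and each flow's remote peer (the destination for outbound flows, the source for inbound ones) is checked against a blocklist of single addresses and CIDR ranges. The log format, the blocklist (documentation-only TEST-NET addresses), and the sample lines are constructed for this example.

```python
import ipaddress
import re

# Constructed threat list for the example: TEST-NET ranges, not real indicators.
MALICIOUS_SOURCES = ["203.0.113.0/24", "198.51.100.17", "192.0.2.200"]

# Constructed connection records in a conntrack-like format (not Security
# Center's log format). 192.0.2.10 is a benign peer that must not be flagged.
SAMPLE_CONNECTIONS = """\
2023-11-07T02:10:01Z dir=out proto=tcp src=10.0.0.5:44321 dst=203.0.113.7:4444 state=ESTABLISHED
2023-11-07T02:10:02Z dir=out proto=tcp src=10.0.0.5:44322 dst=192.0.2.10:443 state=ESTABLISHED
2023-11-07T02:10:05Z dir=in  proto=tcp src=198.51.100.17:51234 dst=10.0.0.5:22 state=SYN_RECV
2023-11-07T02:10:09Z dir=out proto=udp src=10.0.0.5:5353 dst=192.0.2.200:53 state=NEW
2023-11-07T02:10:11Z dir=in  proto=tcp src=10.0.0.9:39000 dst=10.0.0.5:8080 state=ESTABLISHED
garbage line that must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) dir=(?P<dir>in|out)\s+proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def build_blocklist(entries) -> list:
    """Normalise single IPs and CIDRs into networks; a bare IP becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def match_source(ip_str: str, networks: list):
    """Return the blocklist entry that contains ip_str, or None."""
    ip = ipaddress.ip_address(ip_str)
    for net in networks:
        if ip in net:
            return str(net)
    return None


def parse(line: str):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text: str, blocklist) -> list:
    """Flag every flow whose remote peer is on the blocklist. Outbound hits are
    typical of C2 callbacks or mining pools; inbound hits of scanners and brute
    force. Malformed lines are skipped rather than crashing the detector."""
    networks = build_blocklist(blocklist)
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        outbound = rec["dir"] == "out"
        peer = rec["dst"] if outbound else rec["src"]
        matched = match_source(peer, networks)
        if matched:
            hits.append({
                "ts": rec["ts"],
                "direction": rec["dir"],
                "peer": peer,
                "peer_port": int(rec["dport"] if outbound else rec["sport"]),
                "local_port": int(rec["sport"] if outbound else rec["dport"]),
                "matched": matched,
                "action": "block",
            })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_CONNECTIONS, MALICIOUS_SOURCES):
        print(hit)
```

The direction check matters: an outbound flow to a listed address is a compromised host calling home, while an inbound one is an attacker reaching the host, and the response (kill the process versus drop at the firewall) differs accordingly.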

Active defense experience optimization

Supported editions: Enterprise and Ultimate

After you enable this feature, Security Center collects kdump (kernel crash dump) data from your servers when a server shuts down unexpectedly or the defense capability becomes unavailable, and uses the data to analyze and continuously improve its protection capability. A kernel crash dump contains kernel memory at the time of the crash, so confirm that sending it off the host is acceptable under your data-handling policy before you enable the feature.

Note

If all features in the Proactive Defense section are disabled, Security Center only generates alerts when it detects viruses; nothing is blocked or quarantined automatically, and you must log on to the Security Center console and handle the alerts manually. We recommend that you enable the Proactive Defense features to reinforce the security of your servers. For more information about how to handle alerts, see View and handle alert events.

Enable the features of proactive defense

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose System Configuration > Feature Settings.

  3. On the Settings > Host Protection Settings tab, turn on Malicious Behavior Defense, Anti-ransomware (Bait Capture), Webshell Protection, and Behavior prevention in the Proactive Defense section.

    After all four switches are on, Security Center enables malicious behavior defense, anti-ransomware, webshell protection, and defense against access to malicious sources for the servers in scope: it automatically blocks the programs and processes related to detected viruses and intercepts suspicious connections.

  4. Click Manage to the right of each feature to configure its detection scope. In the panel that appears, select the servers for which you want to enable the feature and click OK.

  5. Optional. Select Active defense experience optimization.

    After you select Active defense experience optimization, Security Center collects diagnostic data from servers that shut down unexpectedly or whose defense capability becomes unavailable. We recommend that you select this option to reinforce the security of your servers.

What to do next

You can view the viruses quarantined by proactive defense in the list of precision defense alerts on the Alerts page: select Handled from the status drop-down list and click Precision defense below Alert Type.

Note

False positives or quarantine failures may occur after you turn on Malicious Behavior Defense, Anti-ransomware (Bait Capture), and Webshell Protection.

  • If some files are quarantined due to false positives, you can restore the quarantined files in the Quarantine panel. For more information, see Quarantine.

  • You can manually quarantine files that Security Center fails to quarantine on the Alerts page. For more information, see View and handle alert events.

Webshell Detection

Webshell detection and removal uses detection engines developed by Alibaba Cloud to scan for common webshell files. It supports scheduled scans, provides real-time protection, and lets you quarantine detected files with a few clicks. The feature scans servers and web directories for webshells and trojans at regular intervals. Security Center runs webshell detection tasks on your servers and generates alerts only after you enable the feature for those servers.

  • Security Center scans the entire web directory once a day, in the early morning. If a file in the web directory changes, Security Center immediately scans the changed file for webshells.

  • You can specify the assets on which Security Center scans for webshells.

  • You can quarantine, restore, or ignore the detected trojan files.

Limits

Only the Enterprise and Ultimate editions of Security Center support this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

Enable webshell detection and removal for servers

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose System Configuration > Feature Settings.

  3. On the Settings > Host Protection Settings tab, click Manage in the Webshell Detection section.

  4. In the Configure Servers for Webshell Detection panel, select the servers for which you want to enable webshell detection and removal and click OK.

What to do next

After you enable webshell detection and removal for your servers, you can view the alerts whose type is WebShell on the Alerts page. A detected webshell that is left in place remains a threat to your server, so we recommend that you handle these alerts at the earliest opportunity. For more information, see View and handle alerts.

Dynamic adaptive threat detection capability

By default, dynamic adaptive threat detection is disabled; you must enable it manually. After the feature is enabled, if Security Center detects a high-risk intrusion on a server, it automatically switches that server to the strict alert mode for seven days. In strict mode, all protection rules and security engines are enabled so that intrusions are detected more comprehensively.

Note

If you manually configure a protection mode for the server during the seven-day period, your setting takes precedence: the server runs in the mode that you configured, and when the seven days elapse Security Center does not automatically switch the mode back. The server keeps running in the mode that you configured until you change it.

Limits

Only the Enterprise and Ultimate editions of Security Center support this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

Enable adaptive threat detection

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose System Configuration > Feature Settings.

  3. On the Settings > Host Protection Settings tab, turn on Dynamic and adaptive threat detection in the Dynamic adaptive threat detection capability section.

    Note

    If you have not authorized Security Center to access your cloud resources, you must complete the authorization by following the on-screen instructions. After the authorization is successful, Resource Access Management (RAM) automatically creates a service-linked role named AliyunServiceRoleForSas. Security Center can assume this role to access your cloud resources and protect the resources. For more information, see Service-linked roles for Security Center.

Alert Settings

Security Center supports different alert modes for servers to meet the security requirements of different scenarios. By default, Balanced Mode is enabled for every server that is added to Security Center. In this mode, which Alibaba Cloud experts have tuned and tested, Security Center detects as many risks as possible while keeping the false positive rate low.

Change the alert mode

If you want to detect risks on servers in a stricter manner, you can change the alert mode to Strict Mode for the servers.

Important

After Strict Mode is enabled, Security Center detects more suspicious behavior and generates more alerts, at the cost of a higher false positive rate. We recommend that you enable this mode during periods of elevated risk, such as major events, and plan for the additional alert triage it produces.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose System Configuration > Feature Settings.

  3. On the Settings > Host Protection Settings tab, click Manage to the right of Strict Mode in the Alert Settings section.

  4. Select the servers for which you want to enable Strict Mode and click OK.