
Security Center:Collection scope

Last Updated:Apr 08, 2025

After the Security Center agent is installed on your servers, it collects data from them and reports it to Security Center on Alibaba Cloud, which uses the data to protect your servers. Security Center provides a wide array of features, including alerting, vulnerability management, antivirus, baseline checks, and attack analysis.

This topic describes the collection scope of Security Center.

Note

Changes to the following information will be posted on the Alibaba Cloud official website. If you do not accept the changes, you can stop using Security Center. In this case, you can uninstall the agent from your servers. For more information, see Uninstall the Security Center agent. If you continue to use Security Center, you are deemed to have accepted these changes.

Information about suspicious files

Security Center can detect suspicious files on your servers. After Security Center detects a suspicious file, information about the file is uploaded to Alibaba Cloud for further verification. The file information includes but is not limited to the file path, MD5 hash value, and creation time. If the suspicious file is determined as a malicious file, Security Center sends you an alert notification.

Information about suspicious processes

Security Center can detect suspicious processes on your servers. After Security Center detects a suspicious process, information about the process is uploaded to Alibaba Cloud for further verification. The process information includes but is not limited to the process name, parameters used to start the process, file path of the process, and start time of the process. If the suspicious process is determined as a malicious process, Security Center sends you an alert notification.

Information about accounts

Security Center provides features such as logon audit, suspicious account alerting, and brute-force attack prevention. Security Center regularly analyzes and uploads account and logon information about protected servers. The account information includes but is not limited to the usernames and user permissions. The logon information includes but is not limited to the usernames and IP addresses that are used for logons. If a logon is determined as an unusual logon, Security Center sends you an alert notification.

Information about suspicious connections

Security Center detects suspicious network connections to your servers. After Security Center detects a suspicious network connection, information about the connection is uploaded to Alibaba Cloud for further verification. The connection information includes but is not limited to the source IP address, source port, destination IP address, and destination port. If the suspicious network connection is determined as a malicious connection, Security Center sends you an alert notification.

Information about servers

Security Center supports server management. Security Center periodically collects information about servers. The server information includes software information, listening port information, and information about the websites running on your servers. You can log on to the Security Center console and view the information on the Assets page.

Images

Security Center provides a container image scan feature. Security Center periodically scans your container images to check whether they contain vulnerabilities or malicious files. You can log on to the Security Center console and view the detected vulnerabilities and malicious files on the Container Image Scan page.

Container security in runtime

To ensure container security in runtime, Security Center dynamically detects threats, including viruses, malicious programs, intrusions, container escapes, and high-risk operations in the runtime of containers. If threats are detected in the runtime of containers, Security Center sends you an alert notification.

Vulnerabilities

The following table describes the types of vulnerabilities that can be detected and fixed in each edition of Security Center.

Note

In the following table, "Yes" indicates that the feature is supported and "No" indicates that the feature is not supported.

| Vulnerability type | Feature | Basic edition | Value-added Plan edition | Anti-virus edition | Advanced edition | Enterprise edition | Ultimate edition |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Linux software vulnerability | Manual vulnerability scan | No | No | No | Yes | Yes | Yes |
| Linux software vulnerability | Periodic automatic vulnerability scan | Yes (default cycle: 2 days) | Yes (default cycle: 2 days) | Yes (default cycle: 2 days) | Yes (default cycle: 1 day) | Yes (default cycle: 1 day) | Yes (default cycle: 1 day) |
| Linux software vulnerability | Vulnerability fixing | No | Requires a purchased vulnerability fixing quota or pay-as-you-go vulnerability fixing | Requires a purchased vulnerability fixing quota or pay-as-you-go vulnerability fixing | Yes | Yes | Yes |
| Windows system vulnerability | Manual vulnerability scan | No | No | No | Yes | Yes | Yes |
| Windows system vulnerability | Periodic automatic vulnerability scan | Yes (default cycle: 2 days) | Yes (default cycle: 2 days) | Yes (default cycle: 2 days) | Yes (default cycle: 1 day) | Yes (default cycle: 1 day) | Yes (default cycle: 1 day) |
| Windows system vulnerability | Vulnerability fixing | No | Requires a purchased vulnerability fixing quota | Requires a purchased vulnerability fixing quota | Yes | Yes | Yes |
| Web-CMS vulnerability | Manual vulnerability scan | No | No | No | Yes | Yes | Yes |
| Web-CMS vulnerability | Periodic automatic vulnerability scan | Yes (default cycle: 2 days) | Yes (default cycle: 2 days) | Yes (default cycle: 2 days) | Yes (default cycle: 1 day) | Yes (default cycle: 1 day) | Yes (default cycle: 1 day) |
| Web-CMS vulnerability | Vulnerability fixing | No | No | No | Yes | Yes | Yes |
| Application vulnerability | Manual vulnerability scan | No | No | No | No | Yes | Yes |
| Application vulnerability | Periodic automatic vulnerability scan | No | No | No | No | Yes (default cycle: 1 week; a custom scan cycle can be specified) | Yes (default cycle: 1 week; a custom scan cycle can be specified) |
| Application vulnerability | Vulnerability fixing | No | No | No | No | No | No |
| Urgent vulnerability | Manual vulnerability scan | Yes | Yes | Yes | Yes | Yes | Yes |
| Urgent vulnerability | Periodic automatic vulnerability scan | No | No | No | Yes (default cycle: 1 week; a custom scan cycle can be specified) | Yes (default cycle: 1 week; a custom scan cycle can be specified) | Yes (default cycle: 1 week; a custom scan cycle can be specified) |
| Urgent vulnerability | Vulnerability fixing | No | No | No | No | No | No |

Alerts

The following list describes each alert type by alert name and what the alert detects (alert description).

Web Tamper-proofing

Monitors web directories in real time and restores tampered files or directories by using the backup files. This protects websites from malicious modifications, trojans, hidden links, and uploads of violent or illicit content. The following check items are supported:

  • File addition

  • File modification

  • File deletion

Note

Web tamper-proofing is a value-added feature that is provided by Security Center. To use the feature, you must purchase and enable it. Web tamper-proofing is available in the Anti-virus, Pro, Enterprise, and Ultimate editions. The Basic edition does not support this feature. For more information, see Web tamper-proofing.

Process Anomaly

Detects suspicious processes on your assets, including but not limited to the following check items:

Webshell

Uses a proprietary detection engine to detect common backdoor files and provides a one-click manual isolation feature.

  • Performs static detection by scanning the entire web directory every day at midnight. Dynamic detection is triggered when changes occur in web directory files.

  • Supports configuration of the asset scope for webshell detection.

  • Supports isolation, recovery, and ignoring of detected webshell files.

Note

The Free Edition supports only some types of webshell detection. Other paid editions of Security Center support all types of webshell detection. For more comprehensive webshell detection, we recommend that you upgrade to the Anti-virus Edition, Pro, Enterprise, or Ultimate edition. For more information about how to upgrade, see Upgrade and downgrade.

Unusual Logon

Detects unusual logons to your servers. You can configure approved logon IP addresses, time ranges, and accounts. Logons from unapproved IP addresses, accounts, or time ranges trigger alerts. You can manually add approved logon locations or configure the system to automatically update approved logon locations. You can also specify the assets on which alerts are generated when logons from unapproved locations are detected.

The following check items are supported:

  • Logons to ECS instances from unapproved IP addresses

  • Logons to an ECS instance from an unusual location

  • Suspicious command sequence executed after ECS logons over SSH

  • ECS instance compromised due to brute-force attacks on SSH

For more information, see What is the principle of Security Center's detection and alerting of unusual logons?
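The following script is an added example of the logon-audit logic described above and is not Security Center code. It parses a constructed sshd log, applies a hypothetical approved-logon policy (source IPs, accounts, and a daily time window), and also flags a successful logon that follows a burst of failures from the same IP, which is the "compromised due to brute-force attacks on SSH" case. The policy values, thresholds, and log lines are all assumptions made for the demo.

```python
"""Added example: SSH logon audit with approved IPs, accounts, time window and
brute-force-success detection. Not Security Center code; POLICY, thresholds
and SAMPLE_AUTH_LOG are constructed for the demo."""
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log lines in syslog-style sshd format; not real data.
SAMPLE_AUTH_LOG = """\
Mar 10 02:14:01 web01 sshd[1201]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Mar 10 02:15:44 web01 sshd[1210]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar 10 02:15:46 web01 sshd[1211]: Failed password for root from 203.0.113.7 port 40002 ssh2
Mar 10 02:15:48 web01 sshd[1212]: Failed password for root from 203.0.113.7 port 40003 ssh2
Mar 10 02:15:50 web01 sshd[1213]: Failed password for root from 203.0.113.7 port 40004 ssh2
Mar 10 02:15:52 web01 sshd[1214]: Failed password for root from 203.0.113.7 port 40005 ssh2
Mar 10 02:15:55 web01 sshd[1215]: Accepted password for root from 203.0.113.7 port 40006 ssh2
Mar 10 09:30:12 web01 sshd[1300]: Accepted publickey for deploy from 198.51.100.9 port 51100 ssh2
Mar 10 23:10:00 web01 sshd[1400]: Accepted publickey for backup from 10.0.0.5 port 51200 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Hypothetical approved-logon policy: source IPs, accounts and a daily time window.
POLICY = {
    "approved_ips": {"10.0.0.5"},
    "approved_users": {"deploy", "backup"},
    "window": (time(1, 0), time(23, 0)),
}


def parse_line(line, year=2025):
    """Return a dict for one sshd Accepted/Failed line, or None for anything else.
    syslog lines carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def analyze(log_text, policy=POLICY, fail_threshold=5, fail_window_s=120):
    """Walk the log in order and return one alert per successful logon that
    violates the policy or follows a brute-force burst from the same IP."""
    events = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    failures = defaultdict(list)  # source IP -> timestamps of failed logons
    lo, hi = policy["window"]
    alerts = []
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["ts"])
            continue
        reasons = []
        if e["ip"] not in policy["approved_ips"]:
            reasons.append("unapproved_ip")
        if e["user"] not in policy["approved_users"]:
            reasons.append("unapproved_account")
        if not (lo <= e["ts"].time() <= hi):
            reasons.append("outside_time_window")
        # Brute-force success: N or more failures from this IP shortly before the accept.
        recent = [t for t in failures[e["ip"]] if (e["ts"] - t).total_seconds() <= fail_window_s]
        if len(recent) >= fail_threshold:
            reasons.append("brute_force_success")
        if reasons:
            alerts.append({"ts": e["ts"].isoformat(), "user": e["user"], "ip": e["ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_AUTH_LOG):
        print(alert)
```

Run on the sample log, the root logon is reported with three reasons at once (unapproved IP, unapproved account, brute-force success), the deploy logon from 198.51.100.9 only for its IP, and the late backup logon only for its time. The approved-location part of the feature that updates itself automatically is not modelled here; the policy is static.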

Anomalous Activity

Detects suspicious activities during application runtime.

Sensitive File Tampering

Checks whether the sensitive files on your servers are tampered with. The sensitive files include the shared-library preload configuration on Linux (the ld.so.preload file), which an attacker can use to inject a library into every dynamically linked process.
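The script below is an added example, not Security Center code, that ties together the file record described under "Information about suspicious files" (path, MD5 hash, creation time) and the sensitive-file tampering check above. It builds a baseline of such records for a set of watched paths, reports additions, deletions and content changes on a later pass, and lists the entries of an ld.so.preload-style file. The watched files are created in a temporary directory as stand-ins for /etc/ld.so.preload and a dropped library; the attacker entry it writes is constructed.

```python
"""Added example: file records (path, MD5, creation time) used as a
tamper-detection baseline, with an ld.so.preload check. Not Security Center
code; the scenario in demo() is constructed in a temporary directory."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def describe_file(path):
    """Collect path, MD5 (the hash the page lists; SHA-256 alongside), size and
    creation time. Caveat: on Linux st_ctime is the inode change time, not the
    birth time, so it also moves on chmod/chown."""
    st = os.stat(path)
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {
        "path": path,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
        "size": st.st_size,
        "ctime": datetime.fromtimestamp(st.st_ctime, tz=timezone.utc).isoformat(),
    }


def build_baseline(paths):
    """Records for the watched files that exist right now."""
    return {p: describe_file(p) for p in paths if os.path.exists(p)}


def check_tampering(baseline, paths):
    """Compare the current state of each watched path with the baseline and
    return (path, finding) pairs for additions, deletions and content changes."""
    findings = []
    for p in paths:
        before = baseline.get(p)
        if before is None:
            if os.path.exists(p):
                findings.append((p, "file_added"))
        elif not os.path.exists(p):
            findings.append((p, "file_deleted"))
        elif describe_file(p)["sha256"] != before["sha256"]:
            findings.append((p, "content_modified"))
    return findings


def preload_entries(path):
    """Libraries listed in an ld.so.preload-style file. On a clean host the file
    is usually absent or empty, so any entry deserves a look."""
    if not os.path.exists(path):
        return []
    with open(path) as f:
        return [ln.strip() for ln in f if ln.strip() and not ln.startswith("#")]


def demo(tmpdir=None):
    """Constructed scenario: an empty preload file at baseline time, then an
    attacker registers a library in it and drops a new file next to it."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    preload = os.path.join(tmpdir, "ld.so.preload")  # stand-in for /etc/ld.so.preload
    dropped = os.path.join(tmpdir, "libevil.so")      # hypothetical dropped library
    open(preload, "w").close()
    baseline = build_baseline([preload, dropped])
    with open(preload, "w") as f:
        f.write("/tmp/libevil.so\n")                  # constructed attacker entry
    with open(dropped, "wb") as f:
        f.write(b"\x7fELF")
    return check_tampering(baseline, [preload, dropped]), preload_entries(preload)


if __name__ == "__main__":
    findings, entries = demo()
    print(findings)
    print("preload entries:", entries)
```

The comparison is made on SHA-256 rather than the MD5 the record also carries: MD5 is fine as a lookup key against a reputation service, but an attacker who can write the file can also craft a collision, so it should not be the only thing an integrity check trusts.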

Malware

Uses an agent to scan your servers in real time. If viruses are detected, Security Center generates alerts. You can handle malicious programs in the Security Center console.

The following check items are supported:

  • Access to a malicious IP address

  • Mining program

  • Self-mutating trojan

  • Malicious program

  • Trojans

Suspicious Network Connection

Detects unusual network connections and disconnections.

The following check items are supported:

  • Proactive connection to malicious download sources

  • Access to malicious domain names

  • Communication with mining pools

  • Suspicious outbound connections

  • Reverse shell network connection (For more information, see Cloud Security Center reverse shell multi-dimensional detection technology.)

  • Unusual connections in Windows

  • Suspicious lateral movement attack on an internal network

  • Suspicious scans on sensitive ports, such as ports 22, 80, 443, and 3389
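As an added example that is not Security Center code, the script below runs several of the connection checks listed above over constructed connection records of the shape the collection scope describes (source IP and port, destination IP and port, plus the resolved name where one is known): point lookups of the destination against a malicious-IP list and a mining-pool domain list, a sensitive-port scan heuristic (one source probing several of ports 22, 80, 443, and 3389 on one host within a short window), and a lateral-movement heuristic (an internal source reaching one service port on several internal hosts). The intelligence sets, the 10.0.0.0/16 "internal" prefix, the thresholds, and the records are all assumptions made for the demo.

```python
"""Added example: connection-level checks of the kind listed under Suspicious
Network Connection. Not Security Center code; intel sets, thresholds and the
connection records are constructed for the demo."""
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_PORTS = {22, 80, 443, 3389}
# Hypothetical intel; real feeds are large and change constantly.
MALICIOUS_IPS = {"203.0.113.50"}
MINING_POOL_DOMAINS = {"pool.example-mine.test"}

T0 = datetime(2025, 3, 10, 12, 0, 0)


def _at(seconds):
    return T0 + timedelta(seconds=seconds)


# Constructed records: source/destination IP and port, plus the resolved name
# where one is known. 10.0.0.0/16 plays the role of the internal network.
CONNECTIONS = [
    {"ts": _at(0), "src": "10.0.0.10", "sport": 44010, "dst": "203.0.113.50", "dport": 443},
    {"ts": _at(5), "src": "10.0.0.10", "sport": 44011, "dst": "198.51.100.20", "dport": 3333,
     "name": "pool.example-mine.test"},
    {"ts": _at(10), "src": "192.0.2.99", "sport": 50001, "dst": "10.0.0.10", "dport": 22},
    {"ts": _at(11), "src": "192.0.2.99", "sport": 50002, "dst": "10.0.0.10", "dport": 80},
    {"ts": _at(12), "src": "192.0.2.99", "sport": 50003, "dst": "10.0.0.10", "dport": 3389},
    {"ts": _at(20), "src": "10.0.0.10", "sport": 44020, "dst": "10.0.0.11", "dport": 22},
    {"ts": _at(21), "src": "10.0.0.10", "sport": 44021, "dst": "10.0.0.12", "dport": 22},
    {"ts": _at(22), "src": "10.0.0.10", "sport": 44022, "dst": "10.0.0.13", "dport": 22},
    {"ts": _at(400), "src": "10.0.0.10", "sport": 44031, "dst": "203.0.113.8", "dport": 443},
]


def detect(conns, internal_prefix="10.0.", window_s=60, threshold=3):
    """Return alerts as dicts (kind, src, detail), each emitted once per source."""
    alerts, emitted = [], set()

    def emit(kind, src, detail):
        if (kind, src, detail) not in emitted:
            emitted.add((kind, src, detail))
            alerts.append({"kind": kind, "src": src, "detail": detail})

    by_src = defaultdict(list)
    for c in sorted(conns, key=lambda c: c["ts"]):
        # Point lookups against intel: destination IP and resolved name.
        if c["dst"] in MALICIOUS_IPS:
            emit("access_malicious_ip", c["src"], c["dst"])
        if c.get("name") in MINING_POOL_DOMAINS:
            emit("mining_pool_communication", c["src"], c["name"])
        by_src[c["src"]].append(c)

    for src, items in by_src.items():
        for i, first in enumerate(items):
            win = [x for x in items[i:] if (x["ts"] - first["ts"]).total_seconds() <= window_s]
            # Scan: one source probing several sensitive ports on one destination.
            per_dst = defaultdict(set)
            for x in win:
                if x["dport"] in SENSITIVE_PORTS:
                    per_dst[x["dst"]].add(x["dport"])
            for dst, ports in per_dst.items():
                if len(ports) >= threshold:
                    emit("sensitive_port_scan", src, dst)
            # Lateral movement: internal source, one service port, several internal hosts.
            if src.startswith(internal_prefix):
                per_port = defaultdict(set)
                for x in win:
                    if x["dst"].startswith(internal_prefix):
                        per_port[x["dport"]].add(x["dst"])
                for port, dsts in per_port.items():
                    if len(dsts) >= threshold:
                        emit("suspicious_lateral_movement", src, f"port {port}")
    return alerts


if __name__ == "__main__":
    for alert in detect(CONNECTIONS):
        print(alert)
```

The per-source window is the part worth tuning: too short and a slow scan slips through, too long and a deployment tool touching every host on port 22 looks like lateral movement. In practice the lateral-movement rule is usually keyed on the process that opened the connection as well, which is why the page lists process information as a separate collection item.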

Others

Detects unusual disconnections of the Security Center agent.

Unauthorized Account

Detects unauthorized logon accounts.

Application Intrusion

Detects intrusions that use system application components.

Threat Detection For Alibaba Cloud Services

Detects whether threats exist in the other Alibaba Cloud services that you have purchased. The threats include suspicious deletion of ECS security group rules.

Accurate Defense

Malicious Host Behavior Prevention provides accurate defense capabilities against mainstream ransomware, DDoS trojans, mining and trojan programs, malicious programs, backdoor programs, and worms. For more information about how to enable this feature, see Proactive defense.

Application Whitelist

You can configure the applications that require key protection in the whitelist policy to detect suspicious or malicious processes on your servers. Alerts are generated for processes that are not in the whitelist.

Persistent Backdoor

Detects persistent backdoors or intrusion traces implanted by attackers on your servers. Alerts are generated for threats such as in-memory webshell injection, backdoor programs, and abnormal registry entry modifications.

Web Application Threat Detection

Detects intrusions that use web applications.

Malicious Script

Detects whether the system services of your assets are attacked or modified by malicious scripts. If potential script attacks are detected, Security Center generates alerts.

Malicious scripts are classified into file-based scripts and fileless scripts. After an attacker gains control over a server, the attacker uses scripts for additional attacks. For example, the attacker may install mining programs and backdoors on the server and add administrator accounts to its operating system. Programming languages of malicious scripts include Bash, Python, Perl, PowerShell, Batch, and VBScript.

Threat Intelligence

Security Center uses the threat intelligence library developed by Alibaba Cloud to perform correlation analysis on access traffic and logs. Security Center also detects threat events, including access to malicious domains, malicious download sources, and malicious IP addresses.

Container Cluster Anomaly

Security Center monitors the security status of running containers in a Kubernetes cluster. This allows you to detect security risks and intrusions in a cluster at the earliest opportunity.

You need to enable the container K8s threat detection feature. For more information, see Container protection settings.