All Products
Search

This Product

    Security Center:Collection scope

    Document Center

    Security Center:Collection scope

    Last Updated:Jun 15, 2023

    After the Security Center agent is installed on your servers, Security Center collaborates with Alibaba Cloud to protect your servers. Security Center provides a wide array of features, including alerting, vulnerability management, antivirus, baseline checks, and attack analysis.

    This topic describes the collection scope of Security Center.

    Note

    Changes to the following information will be posted on the Alibaba Cloud official website. If you do not accept the changes, you can stop using Security Center. In this case, you can uninstall the agent from your servers. For more information, see Uninstall the Security Center agent. If you continue to use Security Center, you are deemed to have accepted these changes.

    Information about suspicious files

    Security Center can detect suspicious files on your servers. After Security Center detects a suspicious file, information about the file is uploaded to Alibaba Cloud for further verification. The file information includes but is not limited to the file path, MD5 hash value, and creation time. If the suspicious file is determined as a malicious file, Security Center sends you an alert notification.

    Information about suspicious processes

    Security Center can detect suspicious processes on your servers. After Security Center detects a suspicious process, information about the process is uploaded to Alibaba Cloud for further verification. The process information includes but is not limited to the process name, parameters used to start the process, file path of the process, and start time of the process. If the suspicious process is determined as a malicious process, Security Center sends you an alert notification.

    Information about accounts

    Security Center provides features such as logon audit, suspicious account alerting, and brute-force attack prevention. Security Center regularly analyzes and uploads account and logon information about protected servers. The account information includes but is not limited to the usernames and user permissions. The logon information includes but is not limited to the usernames and IP addresses that are used for logons. If a logon is determined as an unusual logon, Security Center sends you an alert notification.

    Information about suspicious connections

    Security Center detects suspicious network connections to your servers. After Security Center detects a suspicious network connection, information about the connection is uploaded to Alibaba Cloud for further verification. The connection information includes but is not limited to the source IP address, source port, destination IP address, and destination port. If the suspicious network connection is determined as a malicious connection, Security Center sends you an alert notification.

    Information about servers

    Security Center supports server management. Security Center periodically collects information about servers. The server information includes software information, listening port information, and information about the websites running on your servers. You can log on to the Security Center console and view the information on the Assets page.

    Images

    Security Center provides the feature of container image scan. Security Center periodically scans containers to check whether vulnerabilities and malicious files exist in your images. You can log on to the Security Center console and view the detected vulnerabilities and malicious files on the Image Security page.

    Container security in runtime

    To ensure container security in runtime, Security Center dynamically detects threats, including viruses, malicious programs, intrusions, container escapes, and high-risk operations in the runtime of containers. If threats are detected in the runtime of containers, Security Center sends you an alert notification.

    Vulnerabilities

    The following table describes the types of vulnerabilities that can be detected and fixed in each edition of Security Center.

    Note

    The following symbols are used in the table:

    • Tick: indicates that the feature is supported.

    • Cross: indicates that the feature is not supported.

    Vulnerability type

    Feature

    Basic edition

    Anti-virus edition

    Advanced edition

    Enterprise edition

    Ultimate edition

    Linux software vulnerability

    Manual vulnerability scan

    		CrossCrossTickTickTick

    Periodic automatic vulnerability scan

    Tick(The default scan cycle is two days.)

    Tick(The default scan cycle is two days.)

    Tick(The default scan cycle is one day.)

    Tick(The default scan cycle is one day.)

    Tick(The default scan cycle is one day.)

    Vulnerability fixing

    		CrossCrossTickTickTick

    Windows system vulnerability

    Manual vulnerability scan

    		CrossCrossTickTickTick

    Periodic automatic vulnerability scan

    Tick(The default scan cycle is two days.)

    Tick(The default scan cycle is two days.)

    Tick(The default scan cycle is one day.)

    Tick(The default scan cycle is one day.)

    Tick(The default scan cycle is one day.)

    Vulnerability fixing

    		CrossCrossTickTickTick

    Web-CMS vulnerability

    Manual vulnerability scan

    		CrossCrossTickTickTick

    Periodic automatic vulnerability scan

    Tick(The default scan cycle is two days.)

    Tick(The default scan cycle is two days.)

    Tick(The default scan cycle is one day.)

    Tick(The default scan cycle is one day.)

    Tick(The default scan cycle is one day.)

    Vulnerability fixing

    		CrossCrossTickTickTick

    Application vulnerability

    Manual vulnerability scan

    		CrossCrossCrossTickTick

    Periodic automatic vulnerability scan

    		CrossCrossCross

    Tick(The default scan cycle is one week. You can specify a custom scan cycle.)

    Tick(The default scan cycle is one week. You can specify a custom scan cycle.)

    Vulnerability fixing

    		CrossCrossCrossCrossCross

    Urgent vulnerability

    Manual vulnerability scan

    		TickTickTickTickTick

    Periodic automatic vulnerability scan

    		CrossCross

    Tick(The default scan cycle is one week. You can specify a custom scan cycle.)

    Tick(The default scan cycle is one week. You can specify a custom scan cycle.)

    Tick(The default scan cycle is one week. You can specify a custom scan cycle.)

    Vulnerability fixing

    		CrossCrossCrossCrossCross

    Alerts

    Alert

    Description

    Web tamper proofing

    Security Center monitors web directories in real time and restores tampered files or directories by using the backup files. This protects websites from malicious modifications, trojans, hidden links, and uploads of violent or illicit content. Security Center can detect the following suspicious activities:

    • File addition

    • File modification

    • File deletion

    Note

    Web tamper proofing is a value-added feature that is provided by Security Center. To use the feature, you must purchase and enable the feature. Security Center Anti-virus, Advanced, Enterprise, and Ultimate support web tamper proofing. Security Center Basic does not support web tamper proofing. For more information, see Use the feature of web tamper proofing.

    Suspicious Process

    Security Center can detect suspicious processes, including processes that perform the following operations:

    • Write operations on the configuration files of scheduled tasks in Linux.

    • Suspicious modification to the files of scheduled tasks in Linux.

    • Execution of suspicious commands in Linux.

    • Execution of reverse shells. For more information, see Detect reverse shells from multiple dimensions.

    Webshell

    Security Center uses engines developed by Alibaba Cloud to scan for common webshell files. Security Center supports scheduled scan tasks, provides real-time protection, and quarantines webshell files.

    • Security Center scans an entire web directory early in the morning on a daily basis. If a file in the web directory changes, Security Center immediately scans for webshells.

    • You can specify the assets on which Security Center scans for webshells.

    • You can quarantine, restore, or ignore the detected trojan files.

    Note

    Security Center Basic detects only some types of webshells. If you want to detect all types of webshells, we recommend that you upgrade Security Center Basic to the Anti-virus, Advanced, Enterprise, or Ultimate edition. For more information, see Upgrade and downgrade Security Center.

    Unusual Logon

    Security Center detects unusual logons to your servers. You can configure approved logon IP addresses, time periods, and accounts. Logons from unapproved IP addresses, accounts, or time periods trigger alerts. You can manually add approved logon locations or configure the system to automatically update approved logon locations. You can also specify the assets on which alerts are triggered when unusual logon locations are detected.

    Security Center can detect the following suspicious activities:

    • Logons to Elastic Compute Service (ECS) instances from unapproved IP addresses

    • Logon to an ECS instance from an unusual location

    • Suspicious command sequence executed after ECS logons over SSH

    • ECS instance compromised due to brute-force attacks on SSH

    For more information, see How does Security Center detect unusual logons and generate alerts for unusual logons?

    Suspicious Event

    Security Center detects suspicious activities.

    Sensitive File Tampering

    Security Center checks whether the sensitive files on your servers are tampered with. The sensitive files include pre-loaded configuration files in the shared libraries of Linux.

    Malicious Process

    Security Center uses an agent to scan your servers in real time. If viruses are detected, Security Center generates alerts. You can handle the detected viruses in the Security Center console.

    Security Center can detect the following suspicious activities:

    • Access to a malicious IP address

    • Mining program

    • Self-mutating trojan

    • Malicious program

    • Trojan

    Unusual Network Connection

    Security Center detects unusual network connections and disconnections.

    Security Center can detect the following suspicious activities:

    • Proactive connections to malicious download sources

    • Access to malicious domain names

    • Communication with mining pools

    • Suspicious outbound network connections

    • Outbound connections of reverse shells (For more information, see Detect reverse shells from multiple dimensions)

    • Abnormal network connections in Windows

    • Suspicious lateral movement attacks on internal networks

    • Suspicious scans on sensitive ports (such as ports 22, 80, 443, and 3389)

    Other

    Security Center detects unusual disconnections of the Security Center agent and network intrusions such as DDoS attacks.

    Suspicious Account

    Security Center detects unapproved accounts that attempt to log on to your assets.

    Application intrusion event

    Security Center detects intrusions that use system application components.

    Cloud threat detection

    Security Center detects whether threats exist in the other Alibaba Cloud services that you have purchased. For example, Security Center can detect suspicious deletion of ECS security group rules.

    Precise Defense

    Security Center provides the Malicious Behavior Defense feature for precise protection against common ransomware, DDoS trojans, mining programs, trojans, malicious processes, webshells, and computer worms. For more information about how to enable the feature, see Proactive Defense.

    Application Whitelist

    You can create a whitelist policy for applications on servers that require reinforced protection. If the suspicious or malicious processes that are identified by the policy are not added to the whitelist, Security Center generates alerts.

    Persistence

    Security Center detects suspicious scheduled tasks on servers. If persistent threats against the servers are detected, Security Center generates alerts.

    Web Application Threat Detection

    Security Center detects intrusions that use web applications.

    Malicious scripts

    Security Center detects whether the system services of your assets are attacked or modified by malicious scripts. If potential script attacks are detected, Security Center generates alerts.

    Malicious scripts are classified into file-based scripts and fileless scripts. After an attacker gains control over a server, the attacker uses scripts for additional attacks. For example, the attacker may insert mining programs and webshells, and add administrator accounts to your system. Programming languages of malicious scripts include Bash, Python, Perl, PowerShell, Batch, and VBScript.

    Threat intelligence

    Security Center uses the threat intelligence library developed by Alibaba Cloud to perform correlation analysis on access traffic and logs. Security Center also detects threat events, including access to malicious domains, malicious download sources, and malicious IP addresses.

    Malicious Network Activity

    Security Center identifies unusual network behavior based on log data, such as packet content and server behavior. Unusual network behavior includes intrusions into servers by using network services and unusual behavior of compromised servers.

    K8s Abnormal Behavior

    Security Center monitors the security status of running containers in a Kubernetes cluster. This allows you to detect security risks and intrusions in a cluster at the earliest opportunity.

    To detect threats to a cluster, you must enable the feature of threat detection on Kubernetes containers. For more information, see Enable features on the Container Protection Settings tab.