Security Center provides the application control feature to prevent unauthorized processes from running on your server and protect your assets.

Background information

You can add servers to the whitelist as needed. The feature checks the processes on those servers and classifies each process as trusted, suspicious, or malicious. Unauthorized processes will be terminated. This protects your assets from malicious processes and avoids unnecessary resource losses.

After you create a whitelist policy, you can apply it to a server as needed to detect suspicious or malicious processes.

Note If this feature detects a process that is not listed in the whitelist, an alert is triggered. The detected process may be a newly started normal process, or a malicious process placed by an intruder. If you trust the process that triggered an alert, we recommend that you add the process to the whitelist. A process that has been added to the whitelist no longer triggers alerts when it restarts. If the process is malicious, we recommend that you remove this process immediately and check whether configuration files of scheduled tasks have been modified.

Trial instructions

The application whitelist feature is in the public preview period. In the left-side navigation pane, choose Operation > Extensions to apply for the public preview.

Step 1: Create an application whitelist policy

  1. Log on to the Security Center.
  2. In the left-side navigation pane, choose Defense > App Control.
  3. On the App Control page, click the Policies tab.
  4. On the Policies tab, click Create Policy.
  5. On the Create Whitelist Policy page that appears, set the following parameters:
    • Policy Name: Enter a whitelist policy name.
    • Intelligent Learning Duration: Select a duration for Security Center to perform intelligent learning. You can select 1, 3, 7, or 15 days. The intelligent learning feature uses machine learning to automatically collect and categorize large amounts of alert data. Security Center can learn to identify suspicious or malicious processes based on the collected data.
    • Servers for Intelligent Learning: Select the servers that you want to add to the whitelist.
  6. Click Next to create the whitelist policy.
    After the whitelist policy is created, its details are automatically displayed in the policy list on the Policies tab.
    • Policy Name: the name of the whitelist policy.
    • Servers: the number of servers to which the whitelist policy is applied.
    • Status: the policy status. Valid values:
      • Applied: Intelligent learning is complete. The policy has been applied to the servers.
      • Pending Confirmation: Intelligent learning is complete. The policy must be confirmed and enabled.

        After intelligent learning is finished, you need to turn on the switch in the Policy Status column to enable this policy. The policy takes effect only after it is enabled. Security Center automatically identifies the processes on your servers as trusted, suspicious, or malicious.

      • Paused: Intelligent learning has been manually paused. You can click Continue to resume intelligent learning.
      • Learning: Intelligent learning is in progress.

        After a whitelist policy is created, Security Center will perform intelligent learning based on the policy. The status of each newly created policy is Learning.

    • Applications: the number of processes, including Trusted, Suspicious, and Malicious processes, on all servers to which the policy is applied.
    • Actions: the actions that can be performed on the policy.
      • Apply: Click Apply to open the Create Whitelist Policy page, where you can add or remove the servers to which the policy is applied.
      • Modify: Click Modify to modify the policy on the Modify Whitelist Policy page. You can modify the Policy Name, Intelligent Learning Duration, and the servers that need to automatically perform intelligent learning.
      • Pause Learning: Click Pause Learning to pause intelligent learning.
      • Continue: Click Continue to resume intelligent learning.

        After you click Continue, the status of the policy changes to Learning. You can view the learning progress of the policy in the Status column.

      • Delete: Click Delete to delete the policy.

        After the policy is deleted, the corresponding servers and processes are no longer protected by the policy.

Step 2: Add servers to the application whitelist

Before you apply whitelist policies to servers, you need to purchase a sufficient authorization quota for the application whitelist.

  1. Log on to the Security Center.
  2. In the left-side navigation pane, choose Defense > App Control.
  3. On the Servers tab, click Add Server.
  4. On the Add Server page, set the following parameters:
    • Whitelist Policy: Select an existing whitelist policy from the drop-down list.
    • Event Handling: The default value is Alert, which indicates that Security Center generates an alert when it detects a suspicious process.

      When an unauthorized process starts on a server protected by the whitelist, an alert is automatically triggered. You can click the number in the Suspicious Events column to go to the Assets > Events page and view the alert details.

    • Servers: Select the servers that you want to add to the whitelist. You can select multiple servers.

      To search for servers, enter the server name in the search box on the Servers tab. The Servers search box supports fuzzy match.

  5. Click OK to add the selected servers.
    After you create the application whitelist, you can view the protected servers and the name of the whitelist policy applied to the servers in the server list on the Servers tab.
    The following information about the added servers is displayed on the Servers tab:
    • Server Name/IP: the name and IP address of the server to which the whitelist policy is applied.
    • Whitelist Policy: the whitelist policy that is applied to the server.
    • Suspicious Events: the number of unauthorized processes that are detected on the server. Security Center generates an alert immediately when a suspicious process is detected.
    • Event Handling: The default value is Alert, which indicates that Security Center generates alerts when a suspicious process is detected.

      When an unauthorized process starts on a server protected by the whitelist, an alert is automatically triggered. You can click the number in the Suspicious Events column to go to the Assets > Events page and view the alert details.

    • Actions: Click Delete in the Actions column to remove a server from the application whitelist.

      After the server is removed from the whitelist, the application whitelist policy no longer protects the server. Security Center generates alerts when any process starts on that server.

Add or remove a process from the application whitelist

After the whitelist is configured for your servers, you can view the protected servers and the names of the whitelist policies applied to them in the server list on the Servers tab. Click the policy name in the Whitelist Policy column to display the list of processes running on the server. You can view the trusted, suspicious, and malicious processes that have been detected and their details.

The following information about each process on the server is displayed in the process list:

  • Type: the type of the process. Processes are classified as trusted, suspicious, or malicious.
  • Process Name: the name of the process.
  • Hash: the hash value of the process executable. The hash uniquely identifies the process and is used to verify that the executable has not been forged or tampered with.
  • Path: the file path of the process on the server.
  • Degree of Trustability: the degree of trustability for the process determined by Security Center. Valid values: 0% (malicious process), 60% (suspicious process), and 100% (trusted process).
    Note We recommend that you focus on the 0% trustability processes.
  • Actions: the operations that can be performed on the process. You can determine whether to add the process to the whitelist based on the services deployed on your server.
    • Add to Whitelist: If you trust a process, click Add to Whitelist to add it to the whitelist.
    • Remove from Whitelist: After a process is removed from the whitelist, Security Center will identify the process as untrusted and generate an alert when this process starts.
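The whitelist lifecycle described from Step 1 through this section (learn the processes on a server, enable the policy, alert on any process start that is not in the list, add or remove individual entries) can be modelled in a few lines. The following is an added Python example, not Security Center's own code. The process-list columns (name, hash, path) and the three trust degrees (100%, 60%, 0%) come from the page; the `known_bad_hashes` set, the constructed executable bytes, and the rule that an unlisted process is scored as suspicious are assumptions made for the illustration. The example keys the whitelist on both path and hash, so a binary replaced in place under the same path no longer matches its learned entry.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Tuple

# Trust degrees used in the process list: 100% trusted, 60% suspicious, 0% malicious.
TRUSTED, SUSPICIOUS, MALICIOUS = 100, 60, 0
TYPE_BY_DEGREE = {TRUSTED: "trusted", SUSPICIOUS: "suspicious", MALICIOUS: "malicious"}


@dataclass(frozen=True)
class ProcessEvent:
    """One process-start event. The hash covers the executable's bytes, so a renamed
    or modified binary does not match an entry learned for the original."""
    name: str
    path: str
    sha256: str


def fingerprint(name: str, path: str, executable_bytes: bytes) -> ProcessEvent:
    """Build an event from a process name, its path and the executable contents."""
    return ProcessEvent(name, path, hashlib.sha256(executable_bytes).hexdigest())


@dataclass
class WhitelistPolicy:
    name: str
    # (path, sha256) -> trust degree; both must match for a process to count as listed.
    entries: Dict[Tuple[str, str], int] = field(default_factory=dict)
    # Assumption: stands in for whatever intelligence marks a process as malicious.
    known_bad_hashes: FrozenSet[str] = frozenset()
    status: str = "Learning"  # mirrors the Status column: Learning -> Applied

    def learn(self, event: ProcessEvent) -> None:
        """Learning window: every process observed on the learning servers is recorded."""
        if self.status != "Learning":
            raise RuntimeError(f"policy {self.name!r} is not learning")
        self.entries[(event.path, event.sha256)] = TRUSTED

    def enable(self) -> None:
        """Learning is done; the policy takes effect only once it is switched on."""
        self.status = "Applied"

    def add_to_whitelist(self, event: ProcessEvent) -> None:
        self.entries[(event.path, event.sha256)] = TRUSTED

    def remove_from_whitelist(self, event: ProcessEvent) -> None:
        self.entries.pop((event.path, event.sha256), None)

    def evaluate(self, event: ProcessEvent) -> dict:
        """Classify a process start against an enabled policy. Returns a record with
        the columns of the process list plus whether an alert is raised."""
        if self.status != "Applied":
            raise RuntimeError(f"policy {self.name!r} must be enabled first")
        if event.sha256 in self.known_bad_hashes:
            degree = MALICIOUS
        else:
            # Assumption: an unlisted process is scored suspicious (60%), not malicious.
            degree = self.entries.get((event.path, event.sha256), SUSPICIOUS)
        return {
            "type": TYPE_BY_DEGREE[degree],
            "process_name": event.name,
            "hash": event.sha256,
            "path": event.path,
            "trustability": degree,
            "alert": degree != TRUSTED,  # anything not whitelisted triggers an alert
        }


def demo() -> list:
    """Constructed scenario: learn two daemons, enable the policy, evaluate four starts."""
    nginx_bin = b"ELF-nginx-constructed-sample"
    sshd_bin = b"ELF-sshd-constructed-sample"
    miner_bin = b"ELF-miner-constructed-sample"

    policy = WhitelistPolicy(
        name="web-tier",
        known_bad_hashes=frozenset({hashlib.sha256(miner_bin).hexdigest()}),
    )
    policy.learn(fingerprint("nginx", "/usr/sbin/nginx", nginx_bin))
    policy.learn(fingerprint("sshd", "/usr/sbin/sshd", sshd_bin))
    policy.enable()

    events = [
        # Same path and same bytes as learned: trusted, no alert.
        fingerprint("nginx", "/usr/sbin/nginx", nginx_bin),
        # Same path, but the binary was replaced: the hash no longer matches.
        fingerprint("nginx", "/usr/sbin/nginx", nginx_bin + b"-modified"),
        # Never seen during learning: suspicious, alert.
        fingerprint("backup.sh", "/opt/backup/backup.sh", b"#!/bin/sh\nconstructed"),
        # Hash on the constructed known-bad list: malicious, alert.
        fingerprint("kworker", "/tmp/kworker", miner_bin),
    ]
    return [policy.evaluate(e) for e in events]


if __name__ == "__main__":
    for record in demo():
        print(record["type"], record["process_name"], record["path"], "alert" if record["alert"] else "ok")
```

Running the script prints one line per event: the learned nginx start is trusted, the replaced nginx binary and the unknown backup script are suspicious, and the constructed miner hash is malicious. Calling `remove_from_whitelist` on a learned entry and evaluating the same event again produces an alert, which is the behaviour the Remove from Whitelist action describes.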