Security Center provides application control based on an application whitelist. This
prevents unauthorized applications from running on your servers.
Background information
The application whitelist feature allows you to add servers and trusted applications
to a whitelist. Applications that are not specified in the whitelist cannot run on
your servers. This feature protects your assets from malicious processes and improves
resource utilization.
After you apply a whitelist policy to a server, Security Center detects suspicious
processes and malicious processes and generates alerts on applications that are not
specified in the whitelist.
Note An alert is triggered if a process that is not specified in the whitelist is detected.
The detected process may be a normal process or a malicious process. If you trust
the process that triggers an alert, we recommend that you add the process to the whitelist.
A process that has been added to the whitelist no longer triggers alerts when it restarts.
If the process is malicious, we recommend that you remove this process immediately
and check whether configuration files such as cron job files have been modified.
Trial instructions
The application whitelist feature is in the public preview phase. In the left-side
navigation pane of the Security Center console, choose to apply for a trial.
Step 1: Create an application whitelist policy
- Log on to the Security Center console.
- In the left-side navigation pane, choose .
- On the App Control page, click the Policies tab.
- On the Policies tab, click Create Policy.
- On the Create Whitelist Policy page, set the following parameters:
- Policy Name: Enter a whitelist policy name.
- Intelligent Learning Duration: Select a duration for Security Center to perform intelligent learning. You can select
1, 3, 7, or 15 days. The intelligent learning feature uses machine learning to automatically
collect and categorize large amounts of alert data. This helps Security Center identify
suspicious or malicious processes.
- Servers for Intelligent Learning: Select the servers that you want to add to the whitelist.
- Click Next to create the whitelist policy.
After the whitelist policy is created, the policy details are listed in the policy
list on the Policies tab.
The policy list contains the following parameters:
- Policy Name: The name of the whitelist policy.
- Servers: The number of servers to which the whitelist policy is applied.
- Status: The status of the policy. After a whitelist policy is created, Security Center performs intelligent learning based on the policy, so the status of a new policy is Learning. Valid values:
  - Applied: Intelligent learning is complete. The policy has been applied to servers.
  - Pending Confirmation: Intelligent learning is complete. The policy must be confirmed and enabled. After intelligent learning is complete, you must turn on the switch in the Policy Status column to enable this policy. The policy takes effect only after it is enabled. Security Center then automatically identifies the processes on your servers as trusted, suspicious, or malicious.
  - Paused: Intelligent learning has been manually paused. You can click Continue to resume intelligent learning.
  - Learning: Intelligent learning is in progress.
- Applications: The total number of processes of each type on all servers that use the policy. The process types are trusted, suspicious, and malicious.
- Actions: The actions that you can perform on a policy:
  - Apply: Click this button to add or remove servers to which the policy is applied on the Apply Whitelist Policy page.
  - Modify: Click this button to modify the policy on the Modify Whitelist Policy page. You can modify Policy Name, Intelligent Learning Duration, and the servers that require automatic intelligent learning.
  - Pause Learning: Click this button to pause intelligent learning.
  - Continue: Click this button to resume intelligent learning. After you click Continue, the status of the policy changes to Learning. You can view the learning progress of the policy in the Status column.
  - Delete: Click this button to delete the policy. After the policy is deleted, the associated servers are no longer protected by the policy.
Step 2: Apply the application whitelist policy to servers
Before you apply a whitelist policy to servers, you must purchase sufficient authorization
licenses.
- Log on to the Security Center console.
- In the left-side navigation pane, choose .
- On the Servers tab, click Add Server.
- On the Add Server page that appears, set the parameters.
The parameters are described as follows:
- Whitelist Policy: Select an existing whitelist policy from the drop-down list.
- Event Handling: The default value is Alert, which indicates that Security Center generates an alert when a suspicious process
is detected.
When a process that is not specified in the whitelist starts on a server that uses
the whitelist policy, an alert is automatically triggered. You can click the number
in the Suspicious Events column to go to the page and view the alert details.
- Servers: Select the servers that you want to add to the whitelist. You can select multiple
servers.
To search for servers, enter the server name in the search box on the Servers tab. The search box supports fuzzy matching.
- Click OK to add the selected servers.
After you create the application whitelist, you can view the protected servers and
the whitelist policies used by the servers on the Servers tab.
The Servers tab provides the following information:
- Server Name/IP: the name and IP address of the server that uses a whitelist policy.
- Whitelist Policy: the whitelist policy that is applied to the server.
- Suspicious Events: the number of unauthorized processes that are detected on the server. Security Center
generates alerts immediately when a suspicious process is detected.
- Event Handling: The default value is Alert, which indicates that Security Center generates alerts when a suspicious process
is detected.
When a process that is not specified in the whitelist starts on a server that uses
the whitelist policy, an alert is automatically triggered. You can click the number
in the Suspicious Events column to go to the page and view the alert details.
- Actions: Click Delete in the Actions column to remove a server from the application whitelist.
After the server is removed from the whitelist, the application whitelist policy no
longer protects the server. Security Center generates an alert if a process in this
whitelist starts on this server.
Add or remove a process from the application whitelist
After you enable the application whitelist feature for your servers, you can view
the protected servers and the whitelist policies used by the servers on the Servers tab. Click the policy name in the Whitelist Policy column to view the processes running on the server. You can view the trusted, suspicious,
and malicious processes and their details.
The process list provides the following information about each process:
- Type: the type of the process. Processes are classified as trusted, suspicious, and malicious
processes.
- Process Name: the name of the process.
- Hash: the hash value of the process's executable file. The hash uniquely identifies the process
  and lets Security Center detect whether the file has been replaced or forged.
- Path: the file path of the process on the server.
- Degree of Trustability: the degree of trustability for the process. This parameter is determined by Security
Center. Valid values: 0% (malicious process), 60% (suspicious process), and 100% (trusted
process).
Note We recommend that you focus on the 0% trustability processes.
- Actions: the operations that you can perform on the process. You can determine whether to
add the process to the whitelist based on the services deployed on your server. You
can perform the following operations:
- Add to Whitelist: Add a trusted process to the whitelist.
- Remove from Whitelist: After a process is removed from the whitelist, Security Center identifies the process
as untrusted and generates an alert when this process starts.