Security Center provides application control based on an application whitelist. This prevents unauthorized applications from running on your servers.

Background information

The application whitelist feature allows you to add servers and trusted applications to a whitelist. Applications that are not specified in the whitelist cannot run on your servers. This feature protects your assets from malicious processes and improves resource utilization.

After you apply a whitelist policy to a server, Security Center detects suspicious processes and malicious processes and generates alerts on applications that are not specified in the whitelist.

Note An alert is triggered if a process that is not specified in the whitelist is detected. The detected process may be a normal process or a malicious process. If you trust the process that triggers an alert, we recommend that you add the process to the whitelist. A process that has been added to the whitelist no longer triggers alerts when it restarts. If the process is malicious, we recommend that you remove this process immediately and check whether configuration files such as cron job files have been modified.

Trial instructions

The application whitelist feature is in the public preview phase. In the left-side navigation pane of the Security Center console, choose Operation > Extensions to apply for a trial.

Step 1: Create an application whitelist policy

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Defense > App Control.
  3. On the App Control page, click the Policies tab.
  4. On the Policies tab, click Create Policy.
  5. On the Create Whitelist Policy page, set the following parameters:
    • Policy Name: Enter a whitelist policy name.
    • Intelligent Learning Duration: Select a duration for Security Center to perform intelligent learning. You can select 1, 3, 7, or 15 days. The intelligent learning feature uses machine learning to automatically collect and categorize large amounts of alert data. This helps Security Center identify suspicious or malicious processes.
    • Servers for Intelligent Learning: Select the servers that you want to add to the whitelist.
  6. Click Next to create the whitelist policy.
    After the whitelist policy is created, the policy details are listed in the policy list on the Policies tab.
    The policy list displays the following parameters:
    • Policy Name: The name of the whitelist policy.
    • Servers: The number of servers to which the whitelist policy is applied.
    • Status: The status of the policy. Valid values:
      • Applied: Intelligent learning is complete. The policy has been applied to servers.
      • Pending Confirmation: Intelligent learning is complete. The policy must be confirmed and enabled.

        After intelligent learning is complete, you must turn on the switch in the Policy Status column to enable this policy. The policy takes effect only after it is enabled. Security Center then automatically identifies the processes on your servers as trusted, suspicious, or malicious.

      • Paused: Intelligent learning has been manually paused. You can click Continue to resume intelligent learning.
      • Learning: Intelligent learning is in progress.

        After a whitelist policy is created, Security Center performs intelligent learning based on the policy. The status of a new policy is Learning.

    • Applications: The number of processes of each type (trusted, suspicious, and malicious) on all servers that use the policy.
    • Actions: The actions that you can perform on a policy:
      • Apply: Click this button to add or remove servers to which the policy is applied on the Apply Whitelist Policy page.
      • Modify: Click this button to modify the policy on the Modify Whitelist Policy page. You can modify Policy Name, Intelligent Learning Duration, and the servers that require automatic intelligent learning.
      • Pause Learning: Click this button to pause intelligent learning.
      • Continue: Click this button to resume intelligent learning.

        After you click Continue, the status of the policy changes to Learning. You can view the learning progress of the policy in the Status column.

      • Delete: Click this button to delete the policy.

        After the policy is deleted, the associated servers are no longer protected by the policy.

Step 2: Apply the application whitelist policy to servers

Before you apply a whitelist policy to servers, you must purchase sufficient authorization licenses.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Defense > App Control.
  3. On the Servers tab, click Add Server.
  4. On the Add Server page that appears, set the parameters.

    The parameters are described as follows:

    • Whitelist Policy: Select an existing whitelist policy from the drop-down list.
    • Event Handling: The default value is Alert, which indicates that Security Center generates an alert when a suspicious process is detected.

      When a process that is not specified in the whitelist starts on a server that uses the whitelist policy, an alert is automatically triggered. You can click the number in the Suspicious Events column to go to the Assets > Events page and view the alert details.

    • Servers: Select the servers that you want to add to the whitelist. You can select multiple servers.

      To search for servers, enter the server name in the search box on the Servers tab. The Servers search box supports fuzzy match.

  5. Click OK to add the selected servers.
    After you create the application whitelist, you can view the protected servers and the whitelist policies used by the servers on the Servers tab.
    The Servers tab provides the following information:
    • Server Name/IP: the name and IP address of the server that uses a whitelist policy.
    • Whitelist Policy: the whitelist policy that is applied to the server.
    • Suspicious Events: the number of unauthorized processes that are detected on the server. Security Center generates alerts immediately when a suspicious process is detected.
    • Event Handling: The default value is Alert, which indicates that Security Center generates alerts when a suspicious process is detected.

      When a process that is not specified in the whitelist starts on a server that uses the whitelist policy, an alert is automatically triggered. You can click the number in the Suspicious Events column to go to the Assets > Events page and view the alert details.

    • Actions: Click Delete in the Actions column to remove a server from the application whitelist.

      After the server is removed from the whitelist, the application whitelist policy no longer protects the server. Security Center generates an alert if a process in this whitelist starts on this server.

Add or remove a process from the application whitelist

After you enable the application whitelist feature for your servers, you can view the protected servers and the whitelist policies used by the servers on the Servers tab. Click the policy name in the Whitelist Policy column to view the processes running on the server. You can view the trusted, suspicious, and malicious processes and their details.

The process list provides the following information about each process:

  • Type: the type of the process. Processes are classified as trusted, suspicious, and malicious processes.
  • Process Name: the name of the process.
  • Hash: the hash value of the process executable. The hash uniquely identifies the executable and lets you verify that it has not been replaced or forged: a binary with the same name or path but different contents has a different hash.
  • Path: the file path of the process on the server.
  • Degree of Trustability: the degree of trustability for the process. This parameter is determined by Security Center. Valid values: 0% (malicious process), 60% (suspicious process), and 100% (trusted process).
    Note We recommend that you focus on the 0% trustability processes.
  • Actions: the operations that you can perform on the process. You can determine whether to add the process to the whitelist based on the services deployed on your server. You can perform the following operations:
    • Add to Whitelist: Add a trusted process to the whitelist.
    • Remove from Whitelist: After a process is removed from the whitelist, Security Center identifies the process as untrusted and generates an alert when this process starts.
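The following Python is an added example, not Security Center's own code, that models how a whitelist keyed on the Path and Hash columns above evaluates process starts: a binary with a whitelisted name but a different hash, or a whitelisted hash at an unexpected path, is flagged, and the Add to Whitelist action stops the alert on restart. The known-bad hash set is an assumed stand-in for Security Center's own malicious-process detection, and all names and sample bytes are constructed.

```python
import hashlib
from dataclasses import dataclass
# Added example (not Security Center's code); all sample data below is constructed.

@dataclass(frozen=True)
class Entry:
    path: str
    sha256: str
@dataclass
class ProcessStart:
    name: str
    path: str
    image: bytes  # constructed stand-in for the executable's file contents
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
def entry_for(ev: ProcessStart) -> Entry:
    # The hash, not the process name, identifies the binary: a replaced file at
    # the same path, or the same file at another path, is a different entry.
    return Entry(ev.path, sha256_hex(ev.image))
def classify(ev: ProcessStart, whitelist: set, known_bad: set) -> tuple:
    """Return (type, trustability) on the page's 100% / 60% / 0% scale."""
    if sha256_hex(ev.image) in known_bad:  # assumed threat-intelligence source
        return "malicious", 0
    if entry_for(ev) in whitelist:
        return "trusted", 100
    return "suspicious", 60  # not whitelisted: alert, may still be benign

def evaluate(events: list, whitelist: set, known_bad: set) -> list:
    """Event Handling = Alert: report every process start that is not trusted."""
    alerts = []
    for ev in events:
        kind, trust = classify(ev, whitelist, known_bad)
        if kind != "trusted":
            alerts.append((ev.name, ev.path, kind, trust))
    return alerts

def add_to_whitelist(whitelist: set, ev: ProcessStart) -> set:
    """The Add to Whitelist action: this exact binary stops alerting on restart."""
    return whitelist | {entry_for(ev)}

NGINX_IMAGE = b"ELF nginx 1.0 (constructed)"  # learned during intelligent learning
WHITELIST = {Entry("/usr/sbin/nginx", sha256_hex(NGINX_IMAGE))}
KNOWN_BAD = {sha256_hex(b"ELF miner (constructed)")}
EVENTS = [
    ProcessStart("nginx", "/usr/sbin/nginx", NGINX_IMAGE),                 # trusted
    ProcessStart("nginx", "/usr/sbin/nginx", b"ELF nginx 1.0 (patched)"),  # new hash, same name
    ProcessStart("nginx", "/tmp/nginx", NGINX_IMAGE),                      # known hash, odd path
    ProcessStart("kworker", "/tmp/kworker", b"ELF miner (constructed)"),   # known-bad hash
]
```

Running evaluate(EVENTS, WHITELIST, KNOWN_BAD) reports the last three starts; after add_to_whitelist(WHITELIST, EVENTS[1]) the patched nginx restarts without an alert while the other two are still reported.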