Use the application whitelist feature - Security Center - Alibaba Cloud Documentation Center

Security Center provides the application whitelist feature that prevents unauthorized programs from running on your servers. The application whitelist feature ensures a trusted running environment for your servers. This topic describes how to use the application whitelist feature.

Usage notes

The application whitelist feature is in public preview. You cannot apply for a trial of the feature. If you applied for a trial of the feature and the feature is in-use, you can continue to use the feature.

Background information

The application whitelist feature allows you to add the servers that require special protection to the whitelist. After you add specific programs to the whitelist, Security Center identifies trusted, suspicious, and malicious programs. This prevents the programs that are not added to the whitelist from running on your servers. This feature protects your servers from untrusted and malicious programs and improves resource usage.

After you create an application whitelist policy, you can apply it to a server that requires special protection to detect suspicious or malicious programs. If Security Center detects a program that is not in the whitelist, Security Center generates an alert for this program.

Note

If a program that is not in the application whitelist starts, an alert is generated. The program may be a normal program that is newly started or a malicious program that is inserted into your compromised server. If the program is a normal program, a frequently used program, or a third-party program installed by you, we recommend that you add the program to the application whitelist. After you add the program to the application whitelist, Security Center no longer generates alerts for this program the next time the program starts. If the program is malicious, we recommend that you immediately delete this program and check whether the configuration files such as cron tasks are tampered with.

Step 1: Create an application whitelist policy

Log on to the Security Center console. In the top navigation bar, select China as the region of the asset that you want to protect.
In the left-side navigation pane, choose Protection Configuration > Host Protection > Application Whitelist.
On the Policies tab, click Create Policy.
In the Create Whitelist Policy panel, configure the parameters and click Next.
- Policy Name: the name of the application whitelist policy.
- Intelligent Learning Duration: the duration for Security Center to perform intelligent learning. Valid values: 1, 3, 7, and 15. Unit: days. The intelligent learning feature uses machine learning to automatically collect and categorize large amounts of alert data. This facilitates Security Center to identify suspicious or malicious programs.
- Servers for Intelligent Learning: the servers to which you want to apply the application whitelist policy.

Click Create Without Applying.

After the application whitelist policy is created, the policy details are displayed in the policy list on the Policies tab.

Parameter	Description
Policy Name	The name of the application whitelist policy.
Servers	The number of servers to which the application whitelist policy is applied.
Status	The status of the policy. Applied: Intelligent learning is complete. The policy has been applied to servers. Pending Confirmation: Intelligent learning is complete. The policy must be confirmed and enabled. After intelligent learning is complete, you must turn on the switch in the Policy Status column to enable this policy. The policy takes effect only after it is enabled. Security Center automatically identifies the programs on your servers as trusted, suspicious, or malicious. Paused: Intelligent learning is manually paused. You can click Continue in the Actions column to resume intelligent learning. Learning: Intelligent learning is in progress. After you create an application whitelist policy, Security Center performs intelligent learning based on the policy. The status of a new application whitelist policy is Learning.
Applications	The number of programs of each type on all servers to which the policy is applied. The program types include Trusted, Suspicious, and Malicious.
Actions	The operations that you can perform on a policy. You can perform the following operations: Apply: Add or remove servers to which the policy is applied in the Apply Whitelist Policy panel. Modify: Modify the policy in the Modify Whitelist Policy panel. You can change the values of Policy Name and Intelligent Learning Duration, and add or remove the servers on which intelligent learning is automatically performed. Pause Learning: Pause intelligent learning. Continue: Resume intelligent learning. After you click Continue, the status of the policy changes to Learning. You can view the learning progress of the policy in the Status column. Delete: Delete the policy. After the policy is deleted, the servers to which the policy is applied are no longer protected by the policy.

Step 2: Apply the created application whitelist policy to servers

Before you apply application whitelist policies to servers, you must purchase sufficient quota for the application whitelist feature.

Log on to the Security Center console. In the top navigation bar, select China as the region of the asset that you want to protect.
In the left-side navigation pane, choose Protection Configuration > Host Protection > Application Whitelist.
On the Servers tab of the Application Whitelist page, click Add Server.
In the Add Server panel, configure the parameters.
The following list describes the parameters in the Add Server panel:
- Whitelist Policy: Select the created application whitelist policy from the drop-down list.
- Event Handling: The default value is Alert, which indicates that Security Center generates an alert when a suspicious program is detected.
  If a program that is not in the application whitelist starts, Security Center automatically generates an alert. You can click the number in the Suspicious Events column to go to the Alerts tab of the server details page and view the alert details.
- Servers: Select the server to which you want to apply the application whitelist policy. You can select multiple servers.
  To search for a server, enter the server name in the Servers search box and click the search icon. Fuzzy match is supported.
Click OK. The application whitelist policy is applied to the selected servers.
After the application whitelist is created, you can view the protected servers and the name of the application whitelist policy in the server list on the Servers tab.
The Servers tab displays the following information about a protected server:
- Server Name/IP: the name and IP address of the server to which the application whitelist policy is applied.
- Whitelist Policy: the name of the application whitelist policy that is applied to the server.
- Suspicious Events: the number of programs that are not in the application whitelist and have started. If a suspicious program starts on the server, Security Center generates alerts.
- Event Handling: The default value is Alert, which indicates that Security Center generates an alert when a suspicious program is detected.
  If a program that is not in the application whitelist starts, Security Center automatically generates an alert. You can click the number in the Suspicious Events column to go to the Alerts tab of the server details page and view the alert details.
- Actions: After you click Delete in the Actions column, the application whitelist policy no longer applies to the server.
  After you click Delete in the Actions column, the application whitelist policy becomes invalid for the server. In this case, if a program that is added to the whitelist starts on this server, Security Center generates an alert.

Add a program to or remove a program from an application whitelist

After you configure an application whitelist policy for your server, you can view the detailed information in the server list on the Servers tab. The information includes the details of the protected server and the name of the application whitelist policy that is applied to the server. You can click a policy name in the Whitelist Policy column to view the programs running on the server. You can also view the number of trusted, suspicious, and malicious programs and their detailed information.

The following information about each program on the server is displayed:

Type: the type of the program. Programs are classified into trusted, suspicious, and malicious programs.
Process Name: the name of the program.
Hash: the hash function of the program. A hash function is used to identify whether a program is unique. This helps protect servers against malicious programs.
Path: the file path of the program on the server.
Degree of Trustability: the degree of trustability for the program. This parameter is determined by Security Center. Valid values: 0%, 60%, and 100%. The value 0% indicates malicious programs, 60% indicates suspicious programs, and 100% indicates trusted programs.
Note
We recommend that you handle the program whose Degree of Trustability is 0% at the earliest opportunity.
Actions: the operations that can be performed on the program. You can determine whether to add the program to the whitelist based on the services deployed on your server. You can perform the following operations:
- Add to Whitelist: If you trust the program, add it to the whitelist.
- Remove from Whitelist: After you remove the program from the whitelist, Security Center identifies the program as untrusted. If this program starts, Security Center generates an alert.