Security Center Advanced Edition and Enterprise Edition can detect suspicious network connections.

Issue

The following alert is displayed in the Security Center console: Suspicious Network Connection-Active Connection to Malicious Download Source.

Solution

  1. Log on to the Security Center console. On the Alerts page, click Suspicious Network Connection-Active Connection to Malicious Download Source to open the alert details page.
  2. Based on the process path and ID displayed on the alert details page, check whether you started the process. If you did not, the process is malicious. Proceed to step 3.
    Note: If you started the process, it is a normal process. Click Ignore Once, and the status of the alert changes to Handled in the Security Center console. If the alert is reported multiple consecutive times, you can click Label as False Positive, and Security Center will no longer send alerts for the process.
  3. Identify all malicious processes related to the alert based on the process path and ID displayed on the alert details page. Then, manually remove these malicious processes from your server.
  4. If the IP address of the malicious process is displayed on the alert details page, you can add a security group rule to block access to the malicious IP address. For more information about how to add security group rules, see Add security group rules.
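
Steps 2 and 3 on a Linux server, as an added example that is not part of the original Security Center documentation: the functions compare the PID and process path from the alert against /proc and list every process that runs the same binary or was started by the alerted PID. The function names and the PROC_ROOT variable are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example; run as root on the affected Linux server.
PROC_ROOT="${PROC_ROOT:-/proc}"   # overridable so the checks can run on a copy

# Binary a PID is running. A trailing " (deleted)" means the file was
# removed from disk after the process started.
proc_exe() { readlink "$PROC_ROOT/$1/exe" 2>/dev/null; }

# Parent PID, from the "PPid:" line of /proc/<pid>/status.
proc_ppid() { awk '/^PPid:/ {print $2}' "$PROC_ROOT/$1/status" 2>/dev/null; }

# Step 2: is the PID from the alert still running the path from the alert?
# Prints one of: match | deleted-binary | pid-reused | not-running | unreadable
check_alert_process() {
    local pid="$1" alert_path="$2" exe
    [ -d "$PROC_ROOT/$pid" ] || { echo "not-running"; return 0; }
    exe="$(proc_exe "$pid")" || { echo "unreadable"; return 0; }
    case "$exe" in
        "$alert_path")           echo "match" ;;
        "$alert_path (deleted)") echo "deleted-binary" ;;
        *)                       echo "pid-reused" ;;
    esac
}

# Step 3: list every PID tied to the alert, either running the same binary
# or started by the alerted PID. Prints "<pid> <reason>", sorted by PID.
related_pids() {
    local alert_pid="$1" alert_path="$2" dir pid exe
    for dir in "$PROC_ROOT"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        exe="$(proc_exe "$pid")" || exe=""
        if [ "$exe" = "$alert_path" ] || [ "$exe" = "$alert_path (deleted)" ]; then
            echo "$pid same-binary"
        elif [ "$(proc_ppid "$pid")" = "$alert_pid" ]; then
            echo "$pid child-of-alert-pid"
        fi
    done | sort -n
}

# Usage, with the values copied from the alert details page:
#   check_alert_process <PID> <PROCESS_PATH>
#   related_pids <PID> <PROCESS_PATH>
```

A `pid-reused` result means the PID now belongs to a different binary than the one in the alert, so search by path with `related_pids` before removing anything.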