Security Center Advanced Edition and Enterprise Edition can detect suspicious network connections and provide alerts.

Issue

The following alert is displayed in the Security Center console: Suspicious Network Connection-Access Malicious Domain.

Solution

  1. Log on to the Security Center console. On the Alerts page, click Suspicious Network Connection-Access Malicious Domain to open the alert details page.
  2. Check whether you started the process, based on the process path and process ID displayed on the alert details page. If you did not, treat the process as malicious and proceed to step 3.
    Note If you confirm that the alert is a false positive, click Ignore Once; the alert status changes to Handled in the Security Center console. You can also click Label as False Positive, after which Security Center no longer sends alerts for that process.
  3. Identify all malicious processes related to the alert based on the malicious domain name, IP address, and port number displayed on the alert details page. Then, manually remove these malicious processes from your server.
  4. On the Alerts page, handle alerts and vulnerabilities.
    • Perform the Quarantine operation on webshell files in the Security Center console.
    • Manually delete the malicious process and clear the scheduled tasks of the process.
      Note On the Alerts page, select Unhandled Alerts and specify the Malicious Process type. On the alert details page, view the scheduled tasks and process path.
  5. Add a security group rule to block access to the malicious IP address in the outbound direction. For more information about how to add security group rules, see Add security group rules.
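An added triage helper for steps 3 and 4, not part of Security Center or this article: given the malicious IP address and port from the alert details page, it lists the local processes holding a connection to that peer (parsed from `ss -tnp` output) and the crontab lines that reference a process path. The `ss` and crontab samples below are constructed; the IP, port, process name and path are placeholders.

```shell
#!/bin/sh
# Added triage helper for steps 3 and 4; not part of Security Center.
# Input values (IP, port, process path) come from the alert details page.
# Both samples below are constructed; on a live host run as root and omit
# the last argument so the functions read `ss -tnp` and the crontabs directly.

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port   Process
ESTAB  0      0      10.0.0.5:44120     203.0.113.10:4444   users:(("update.bin",pid=2187,fd=3))
ESTAB  0      0      10.0.0.5:22        198.51.100.7:51320  users:(("sshd",pid=1022,fd=4))
ESTAB  0      0      10.0.0.5:39002     203.0.113.10:4444   users:(("sh",pid=2190,fd=5))'

SAMPLE_CRON='# m h dom mon dow command
0 2 * * * /usr/bin/apt-get update
*/10 * * * * /tmp/.cache/update.bin >/dev/null 2>&1'

# find_pids_for_peer IP PORT [SS_OUTPUT]
# Prints "pid name" for every connection whose peer is IP:PORT (step 3).
find_pids_for_peer() {
  ip=$1; port=$2; input=${3:-$(ss -tnp 2>/dev/null)}
  printf '%s\n' "$input" | awk -v peer="$ip:$port" '
    $5 == peer {
      # $6 looks like users:(("name",pid=2187,fd=3)); pull out pid and name
      pid = $6;  sub(/.*pid=/, "", pid);        sub(/,.*/, "", pid)
      name = $6; sub(/^users:\(\(/, "", name); sub(/,.*/, "", name)
      gsub("\"", "", name)
      print pid, name
    }'
}

# find_scheduled_tasks PATH [CRON_TEXT]
# Prints crontab lines that reference PATH so they can be cleared (step 4).
find_scheduled_tasks() {
  path=$1
  input=${2:-$( { crontab -l; cat /etc/crontab /etc/cron.d/*; } 2>/dev/null)}
  printf '%s\n' "$input" | grep -F -- "$path" || :
}

# Example run against the constructed samples
find_pids_for_peer 203.0.113.10 4444 "$SAMPLE_SS"
find_scheduled_tasks /tmp/.cache/update.bin "$SAMPLE_CRON"
```

The process column of `ss -tnp` is only populated for sockets the caller may inspect, so run it as root; IPv6 peers print with a different address form and are not matched here.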