The web tamper proofing feature monitors changes to directories and files in real time and blocks suspicious file changes. On the Tamper Protection page, you can view the status and details of web tamper proofing for your servers. This topic describes how to view that status.

Prerequisites

The web tamper proofing feature is enabled to protect your servers. For more information, see Activate the feature and Enable tamper protection.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Defense > Tamper Protection.
  3. On the Protection tab, view the details of web tamper proofing for your servers.
    You can view the following web tamper proofing items:
    • Statistics

      In the statistics overview module, you can view the total number of changed files on the current day and in the last 15 days, the number of protected servers and directories, the number of suspicious processes blocked by web tamper proofing, the number of processes in a whitelist, and the total number of web tamper proofing licenses purchased for your current account.

    • Distribution of protected file types

      Protected file types include TXT, PNG, MSI, and ZIP. You can also add more types of files for protection as required.

      Note: All types of files can be added for web tamper proofing.

    • Top five files with the largest number of changes

      This module shows the names and paths of the five files with the largest number of changes in the last 15 days.

    • Top five suspicious processes that are blocked

      This module displays the five suspicious processes that are most frequently blocked by web tamper proofing in the last 15 days.

    • Alert details

      The web tamper proofing feature helps you block all suspicious changes to files on your servers. On the alert details page, you can view the alerts of these changes, including the severity, alert name, affected servers, changed directories, suspicious process name, and protection status.

      Note
      • If the number of alerts exceeds 100, we recommend that you process these alerts at your earliest opportunity.
      • Only the alerts at the Medium level are displayed in the console.
      • Only alerts in the Defended state are displayed. This state indicates that the web tamper proofing feature has blocked the suspicious processes that attempted to make unauthorized file changes. If a blocked process is required by your workloads, you can add the process to the web tamper proofing whitelist so that it is no longer blocked. For more information, see Add blocked processes to the whitelist.