Ransomware has become a major threat to cybersecurity. Security Center provides protection, generates alerts, and backs up data to protect your server from ransomware. You can create anti-ransomware policies based on which data on your server is backed up. This topic describes how to create a protection policy.

Prerequisites

A specific amount of anti-ransomware capacity is purchased. The permissions to use anti-ransomware are granted. For more information, see Enable the anti-ransomware feature.

Background information

  • After you create a protection policy, Security Center automatically backs up data in protected directories on your server. If your server is attacked by ransomware, you can restore data based on the backups. This avoids impacts on your services.
  • To make sure that the anti-ransomware capacity is effectively utilized, you can add a server to only one policy. You can add a maximum of 100 servers to each protection policy.
  • The anti-ransomware client that is installed on your Elastic Compute Service (ECS) instance is used to back up data. You can back up data only if the client is running properly. After a protection policy is created, we recommend that you monitor the status of the anti-ransomware client and handle its exceptions in a timely manner. For more information, see Related operations.
Note
  • Only users of the Security Center Basic Anti-Virus, Advanced, and Enterprise editions can create anti-ransomware protection policies. If you want to create such policies, you must upgrade your Security Center service to one of these editions.
  • The servers on which you want to create protection policies must meet requirements. For more information about the requirements, see Server requirements.

Supported regions

The anti-ransomware data backup feature is available in the following regions: China (Chengdu), China East 2 Finance, China North 2 Ali Gov, China (Shanghai), China (Hangzhou), China (Beijing), China (Shenzhen), China (Zhangjiakou), China (Hohhot), China (Qingdao), China (Hong Kong), Singapore (Singapore), Indonesia (Jakarta), Australia (Sydney), US (Silicon Valley), US (Virginia), Germany (Frankfurt), Japan (Tokyo), and India (Mumbai).

Server requirements

You can use the anti-ransomware feature only if your server meets the following conditions:

  • Your server is an Alibaba Cloud ECS instance. The anti-ransomware feature supports data backup only for ECS instances. It does not support data backup for servers that are not deployed on Alibaba Cloud. You can create protection policies only for your ECS instance.
  • Your ECS instance is deployed in a virtual private cloud (VPC). The data backup feature is supported only by ECS instances that are deployed in VPCs. ECS instances that are deployed in the classic network do not support the data backup feature.
  • The operating system version of your server is supported by the anti-ransomware feature. Otherwise, the data backup feature is unavailable. For more information about supported operating systems, see Supported operating system versions.

Data backup

  • You can incrementally back up data to protect your server against ransomware. The first full backup of all data in the protected directories of a protection policy consumes a large amount of CPU and memory resources. To avoid impacts on your services, we recommend that you run it during off-peak hours. In subsequent backups, Security Center backs up only files that are newly added, modified, or deleted. This reduces server resource consumption and prevents excessive consumption of the anti-ransomware capacity.
  • Security Center starts a specific number of backup tasks based on the backup directories that you specify in each protection policy.
    • Back up all directories
      • Linux operating systems: Security Center generates only one backup task.
      • Windows operating systems: Security Center generates one data backup task for each data disk. If your server runs a Windows operating system and has two data disks, C and D, Security Center generates two data backup tasks. These two tasks start at the same time. A Windows server consumes more CPU and memory resources than a Linux server during backup.
        Notice We recommend that you schedule the data backup based on the CPU utilization and memory usage of your server that runs a Windows operating system.
    • Back up specific directories
      Security Center starts a data backup task for each directory specified in the protection policy. Security Center allows multiple data backup tasks to run at the same time, and these tasks may consume a large amount of CPU and memory resources. We recommend that you configure an appropriate number of backup directories based on your requirements.
      Note A more efficient backup process is under development. This backup process starts only one backup task on each client, which reduces the resource overheads for data backups. The process will be available soon.

Procedure

You can select Recommendation Policy or Custom policy when you create a protection policy. To create a protection policy, perform the following steps:

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Defense > Anti-ransomware.
  3. On the General Anti-ransomware Solutions page, click Create Policies.
    You can also click the number below Unprotected Server(s) to go to the Create Policies panel.
  4. In the Create Policies panel, configure the parameters.
    The following table describes the parameters.
    Policy Name: The name of the protection policy.
    Select Assets: The assets that you want to protect. You can select an asset, an asset group, or multiple assets from asset groups. To select the assets to which you want to apply the protection policy, perform the following operations as needed:
    • In the Asset Group section, select an asset group. The system automatically selects all assets in the group. You can clear assets that no longer require protection in the Assets section.
    • In the Assets section, enter an asset name in the search box to search for the specific asset. Fuzzy match is supported.
    Note
    • To make sure that the anti-ransomware capacity is effectively utilized, you can add a server to only one policy. You can add a maximum of 100 servers to each protection policy.
    • The anti-ransomware feature supports data backup only for ECS instances. It does not support data backup for servers that are not deployed on Alibaba Cloud. You can create protection policies only for your ECS instance.
    • The anti-ransomware data backup feature is available in the following regions: China (Chengdu), China East 2 Finance, China North 2 Ali Gov, China (Shanghai), China (Hangzhou), China (Beijing), China (Shenzhen), China (Zhangjiakou), China (Hohhot), China (Qingdao), China (Hong Kong), Singapore (Singapore), Indonesia (Jakarta), Australia (Sydney), US (Silicon Valley), US (Virginia), Germany (Frankfurt), Japan (Tokyo), and India (Mumbai). This feature is not supported in other regions. You can select only ECS instances that reside in the supported regions.
    Protection Policies: Valid values:
    • Recommendation Policy
      If you select Recommendation Policy, the following parameter settings are used by default:
      • Protected Directories: All Directories (excluding system directories)
      • Protected File Types: All File Types
      • Start Time: a point in time within the range of 00:00:00 to 03:00:00
      • Backup policy execution interval: One Day
      • Backup data retention period: Seven Days
      • Backup Network Bandwidth Limit(MByte/s): 5MB
    • Custom policy

      If you select Custom policy, you must configure the following parameters: Protected Directories, Protected File Types, Start Time, Backup policy execution interval, Backup data retention period, and Backup Network Bandwidth Limit(MByte/s).

    Protected Directories: The directories that you want to protect. Valid values:
    • Specified directory: Only specified directories of the specific assets are protected. Enter the addresses of the specified directories in the Directory address field.
    • All directories: All directories of the specific assets are protected. You must set Whether to exclude system directories.
      Note If you select All directories, we recommend that you select Excluded for Whether to exclude system directories. This prevents system conflicts.
    Whether to exclude system directories: Valid values: Excluded and Not Excluded. If you select Excluded, the following directories in Windows and Linux operating systems are excluded:
    • Windows:
      • Windows\
      • python27\
      • Program Files (x86)\
      • Program Files\
      • ProgramData\
      • Boot\
      • $RECYCLE.BIN\
      • System Volume Information\
      • Users\Administrator\NTUSER.DAT
      • pagefile.sys
    • Linux:
      • /bin/
      • /usr/bin/
      • /sbin/
      • /boot/
      • /proc/
      • /sys/
      • /srv/
      • /lib/
      • /selinux/
      • /usr/sbin/
      • /run/
      • /lib32/
      • /lib64/
      • /lost+found/
      • /var/lib/kubelet/
    Directory address: The address of the directory that you want to protect. If you want to protect more than one directory, click Add to add more directory addresses. If you want to delete a directory address, click Delete.
    Note
    • You must set this parameter only when you select Specified directory for Protected Directories.
    • Security Center starts a data backup task for each directory specified in the protection policy. Security Center allows multiple data backup tasks to run at the same time, and these tasks may consume a large amount of CPU and memory resources. We recommend that you configure an appropriate number of backup directories based on your requirements.
    Protected File Types: The file types that you want to protect. Valid values:
    • Specify file type: Only the files of the specified types are protected. You must select a file type from the Select file type drop-down list.
    • All File Types: All files are protected.
    Select file type: Valid values:
    • Document
    • Picture
    • Compressed
    • Database
    • Audio and video
    • Script code
    Note
    • You must set this parameter only when you select Specify file type for Protected File Types.
    • You can select multiple file types. Security Center protects only the files of the selected file types.
    Start Time: The time at which you want to start a data backup task. Data backup consumes a small amount of CPU and memory resources. We recommend that you set this parameter to a point in time during off-peak hours, such as 00:00:00.
    Note The first full backup of all data in the protected directories of a protection policy consumes a large amount of CPU and memory resources. To avoid impacts on your services, we recommend that you run it during off-peak hours.
    Backup policy execution interval: The time interval between two data backup tasks. Default value: One Day. Valid values:
    • Half a day
    • One Day
    • Three days
    • Seven Days
    Backup data retention period: The retention period of backup data. Default value: 7 Days. Valid values:
    • 7 Days
    • 30 Days
    • Half a year
    • One year
    • Permanent
    Backup Network Bandwidth Limit(MByte/s): The maximum bandwidth that can be consumed by a data backup task. Valid values: 1 Mbit/s to unlimited.
    Note We recommend that you configure an appropriate bandwidth threshold based on the bandwidth of your server. This prevents the backup tasks from using an excessive amount of bandwidth and ensures business stability.
  5. Click OK.
    After you create and enable a protection policy, Security Center installs the anti-ransomware client on your ECS instance. Then, Security Center backs up data in the protected directories of your ECS instance based on the backup settings that you specified in the protection policy.
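The constraints scattered through the steps above (one policy per server, at most 100 servers per policy, ECS instances in a VPC only, the system-directory exclusion list, and the number of backup tasks a run starts) can be checked before you click OK. The following Python is an added example written for this page, not Alibaba Cloud code or API: Server and Policy are constructed models, and the warning for a specified directory that lies under the page's Linux exclusion list is an added heuristic, not a rule the page states.

```python
from dataclasses import dataclass
from typing import List, Optional
MAX_SERVERS_PER_POLICY = 100  # page: at most 100 servers per policy
LINUX_SYSTEM_DIRS = [         # page: Linux directories excluded by "Excluded"
    "/bin/", "/usr/bin/", "/sbin/", "/boot/", "/proc/", "/sys/", "/srv/", "/lib/",
    "/selinux/", "/usr/sbin/", "/run/", "/lib32/", "/lib64/", "/lost+found/", "/var/lib/kubelet/",
]

@dataclass
class Server:           # constructed model, not an Alibaba Cloud API object
    name: str
    is_ecs: bool
    network: str        # "vpc" or "classic"
    os: str             # "linux" or "windows"
    data_disks: int = 1 # Windows: one backup task per data disk

@dataclass
class Policy:
    name: str
    servers: List[Server]
    protected_dirs: Optional[List[str]] = None  # None means "All directories"
    exclude_system_dirs: bool = True            # "Whether to exclude system directories"

def is_under_linux_system_dir(path: str) -> bool:
    # Normalise to a trailing slash so "/usr/binx" does not match "/usr/bin/"
    p = path.rstrip("/") + "/"
    return any(p.startswith(d) for d in LINUX_SYSTEM_DIRS)

def validate(policies: List[Policy]) -> List[str]:
    # One message per violation of a constraint the page states
    problems, owner = [], {}
    for pol in policies:
        if len(pol.servers) > MAX_SERVERS_PER_POLICY:
            problems.append(f"{pol.name}: more than {MAX_SERVERS_PER_POLICY} servers")
        for s in pol.servers:
            if s.name in owner:  # a server may be added to only one policy
                problems.append(f"{pol.name}: {s.name} is already in {owner[s.name]}")
            owner.setdefault(s.name, pol.name)
            if not s.is_ecs or s.network != "vpc":
                problems.append(f"{pol.name}: {s.name} must be an ECS instance in a VPC")
        if pol.protected_dirs is None and not pol.exclude_system_dirs:
            problems.append(f"{pol.name}: All directories without excluding system directories")
        for d in pol.protected_dirs or []:  # added heuristic, not a rule the page states
            if is_under_linux_system_dir(d):
                problems.append(f"{pol.name}: {d} lies under an excluded system directory")
    return problems
def backup_task_count(pol: Policy, s: Server) -> int:
    # Tasks per run, per the page's "Data backup" section
    if pol.protected_dirs:
        return len(pol.protected_dirs)
    return s.data_disks if s.os == "windows" else 1
```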

What to do next

After you create a protection policy, you must enable it in the policy list. Then, Security Center backs up the file directories that you specified in the protection policy. For more information, see Enable or disable a protection policy.

Related operations

  • View the status of the anti-ransomware client
    After a protection policy is created, you must check the status of the anti-ransomware client on the General Anti-ransomware Solutions page. Security Center can back up data for your server only if the anti-ransomware client is in the Client online state. If the status of the anti-ransomware client is Not Installed, failed, or Exception, data backup fails. You must handle the exception in the anti-ransomware client. You can use one of the following methods to handle the exception:
    • Follow the instructions on the General Anti-ransomware Solutions page.
    • To contact Alibaba Cloud security engineers, submit a ticket.
  • Install the anti-ransomware client
    After a protection policy is created, Security Center automatically installs the anti-ransomware client on your ECS instance. If your ECS instance is not started or is configured with specific firewall policies, Security Center may fail to install the anti-ransomware client on the instance. If the anti-ransomware client cannot be installed, address the issue. Then, go to the General Anti-ransomware Solutions page and manually install the anti-ransomware client. For more information about how to manually install the anti-ransomware client, see Manage servers that are added to a protection policy.
  • Uninstall the anti-ransomware client
    Notice
    • After the anti-ransomware client is uninstalled, Security Center deletes the server data that is backed up by the client. Deleted backup data cannot be recovered. Exercise caution when you uninstall the anti-ransomware client.
    • After Security Center deletes the server data that is backed up by the client, it releases the anti-ransomware capacity. The anti-ransomware capacity is updated within 12 to 48 hours after the release. We recommend that you recheck the anti-ransomware capacity after a sufficient amount of time.
    If you want to update the anti-ransomware client, go to the General Anti-ransomware Solutions page. Then, uninstall and reinstall the anti-ransomware client.