Create a protection policy

Data backup

• You can perform incremental backups to back up data to protect your servers against ransomware. After a protection policy is created, a large amount of CPU and memory resources are consumed when you back up all data in the protected directories for the first time. To avoid interruptions to your business, we recommend that you back up your data during off-peak hours. In subsequent backups, Security Center backs up only files that have been changed (new, deleted, or modified files). This reduces server resource consumption and prevents excessive consumption of the anti-ransomware capacity.
• Security Center starts a specific number of backup tasks based on the backup directories that you have specified in each protection policy.
  • Back up all directories
    • Linux operating system: Security Center generates only one backup task.
    • Windows operating system: Security Center generates one data backup task for each data disk. If your ECS instance runs a Windows operating system and has two data disks, C and D, Security Center generates two data backup tasks. These two tasks are started at the same time. Compared with a Linux ECS instance, the Windows ECS instance consumes more CPU and memory resources during backup.
      Notice We recommend that you schedule the data backup based on the CPU utilization and memory usage of your ECS instance that runs a Windows operating system.
  • Back up specified directories
    Security Center starts a data backup task for each directory. Security Center allows multiple data backup tasks to run at the same time. These tasks may consume a large amount of CPU and memory resources. We recommend that you configure an appropriate number of backup directories based on your business requirements.

    Note A more efficient backup process is under development. This backup process starts only one backup task for each client, reducing the resource overhead for data backups.

Procedure

You can select Recommendation Policy to quickly create a protection policy. You can also select Custom policy to create a custom protection policy. To create a custom protection policy, perform the following steps:

1. Log on to the Security Center console.
2. In the left-side navigation pane, choose Defense > Anti-Virus.
3. On the Anti-Virus page, click Add anti-ransomware policies.
4. On the General Anti-ransomware Solutions page, click Create Policies.
   You can also click the number under Unprotected Server(s) to go to the Create Policies pane.
5. In the Create Policies pane, configure the parameters.
   The following table describes the parameters.

   Parameter	Description
   Policy Name	The name of the protection policy.
   Select Assets	Select asset groups or select assets from asset groups. To select the assets to which you want to apply the protection policy, perform the following steps: In the Asset Group section, select an asset group. The system automatically selects all assets in the group. You can clear assets that no longer require protection in the Assets section. You can also enter an asset name in the search box in the Assets section to search for the specific asset. Fuzzy match is supported. Note To ensure that the anti-ransomware protection capacity is effectively utilized, you can apply only one protection policy to each ECS instance. You can add a maximum of 100 ECS instances to each protection policy. The anti-virus feature supports data backup for only Alibaba Cloud Elastic Compute Service (ECS) instances. It does not support data backup for servers that are not deployed on Alibaba Cloud. You can create protection policies for only your ECS instances. The anti-ransomware data backup function is available in the following regions: China (Chengdu), China East 2 Finance, China North 2 Ali Gov, China (Shanghai), China (Hangzhou), China (Beijing), China (Shenzhen), China (Zhangjiakou-Beijing Winter Olympics), China (Hohhot), China (Qingdao), China (Hong Kong), Singapore (Singapore), Indonesia (Jakarta), Australia (Sydney), US (Silicon Valley), US (Virginia), Germany (Frankfurt), Japan (Tokyo), and India (Mumbai). This function is not supported in other regions. You can select only ECS instances that reside in the supported regions.
   Protection Policies	Valid values: Recommendation Policy If you select Recommendation Policy, the following parameter settings are used by default: Protected Directories: All Directories (excluding system directories) Protected File Types: All File Types Start Time: a point in time within the range of 00:00:00 to 03:00:00 Backup policy execution interval: One Day Backup data retention period: Seven Days Backup Network Bandwidth Limit(MByte/s): 5 MB/s Custom policy If you select Custom policy, you must configure the parameters, including Protected Directories, Protected File Types, Start Time, Backup policy execution interval, Backup data retention period, and Backup Network Bandwidth Limit(MByte/s).
   Protected Directories	The directories that you want to protect. Valid values: Specified directory: Specify one or more directories that you want to protect. Enter the addresses of the specified directories in the Directory address field. All directories: All directories of the specified assets are protected. You must specify Whether to exclude system directories. Note If you select All directories, we recommend that you select Excluded for Whether to exclude system directories. This allows you to prevent system conflicts.
   Whether to exclude system directories	Select Excluded or Not Excluded. If you select Excluded, the following directories in Windows and Linux operating systems are excluded: Windows: Windows\ python27\ Program Files (x86)\ Program Files\ ProgramData\ Boot\ $RECYCLE.BIN\ System Volume Information\ Users\Administrator\NTUSER.DAT pagefile.sys Linux: /bin/ /usr/bin/ /sbin/ /boot/ /proc/ /sys/ /srv/ /lib/ /selinux/ /usr/sbin/ /run/ /lib32/ /lib64/ /lost+found/
   Directory address	The address of the directory that you want to protect. If you want to protect more than one directory, click Add to add more directory addresses. If you want to delete an existing directory address, click Delete. Note You must set this parameter only if you select Specified directory for Protected Directories. Security Center starts a data backup task for each directory. Security Center allows multiple data backup tasks to run at the same time. These tasks may consume a large amount of CPU and memory resources. We recommend that you configure an appropriate number of backup directories based on your business requirements.
   Protected File Types	The file types that you want to protect. Valid values: Specify file type: Specify the file types that you want to protect. You must select a file type from the Select file type drop-down list. All File Types: All file types are protected.
   Select file type	Valid values: Document Picture Compressed Database Audio and video Script code Note You must set this parameter only if you select Specify file type for Protected File Types. You can select more than one file type. Security Center protects only the files of the selected file types.
   Start Time	The time when you want to start a data backup task. Data backup may consume a small amount of CPU and memory resources. We recommend that you set this parameter to a point in time during off-peak hours, such as 00:00:00. Note After a protection policy is created, a large amount of CPU and memory resources are consumed when you back up all data in the protected directories for the first time. To avoid interruptions to your business, we recommend that you back up your data during off-peak hours.
   Backup policy execution interval	The time interval between two data backup tasks. Default value: 1 Day. Valid values: Half a day One Day Three days Seven Days
   Backup data retention period	The retention period of backup data. Default value: 7 Days. Valid values: 7 Days 30 days Half a year One year Permanent
   Backup Network Bandwidth Limit(MByte/s)	The maximum bandwidth that can be consumed by a data backup task. Value range: 1 MB/s to unlimited. Note We recommend that you set an appropriate bandwidth limit based on the bandwidth of your server. This prevents the backup tasks from using an excessive amount of bandwidth and ensures business stability.

6. Click OK.
   After you create and enable a protection policy, Security Center installs the anti-ransomware client on your ECS instance. Then, Security Center backs up the data in the protected directories of your ECS instance based on the backup settings that you specified in the protection policy.

What to do next

After you create a protection policy, you must enable it in the policy list. Then, Security Center backs up the file directories that you specified in the protection policy. For more information, see Enable or disable a protection policy.

Related operations

• View the status of the anti-ransomware client
  After a protection policy is created, you must check the status of the anti-ransomware client on the General Anti-ransomware Solutions page. Security Center can back up data for your ECS instance only when the anti-ransomware client is in the Client online state. If the status of the anti-ransomware client is Uninstalled, failed, or Exception, Security Center cannot back up data by using the protection policy. You must troubleshoot the exception to the anti-ransomware client. You can use one of the following methods to troubleshoot the exception:

  • Follow the instructions on the General Anti-ransomware Solutions page to troubleshoot the exception to the anti-ransomware client. For more information, see Troubleshoot the abnormal status of the anti-ransomware client.
  • Contact Alibaba Cloud security engineers. To do so, submit aticket.
• Install an anti-ransomware client
  After a protection policy is created, Security Center installs the anti-ransomware client on your ECS instance. If your ECS instance is not started or is configured with specific firewall policies, Security Center may fail to install the anti-ransomware client on your ECS instance. If the anti-ransomware client cannot be installed, troubleshoot the fault. Then, go to the General Anti-ransomware Solutions page and install the anti-ransomware client. For more information about how to install an anti-ransomware client, see Manage a protection policy.
• Uninstall an anti-ransomware client
  Notice

  • After the anti-ransomware client is uninstalled, Security Center deletes the server data that is backed up by the client. Deleted backup data cannot be recovered. We recommend that you exercise caution with the uninstallation of an anti-ransomware client.
  • After Security Center deletes the server data that is backed up by the client, it releases the corresponding anti-ransomware protection capacity. The anti-ransomware protection capacity is updated 12 to 48 hours after the release. We recommend that you wait for a sufficient amount of time before you recheck the anti-ransomware protection capacity.
  If you want to upgrade the anti-ransomware client, you can navigate to the General Anti-ransomware Solutions page. Then, uninstall the anti-ransomware client and reinstall the client.