Ransomware has become a major threat to network security. Security Center provides protection, generates alerts, and backs up data to prevent ransomware from compromising your core servers. You can create anti-ransomware protection policies for your core servers. This topic describes how to create a protection policy.

Prerequisites

You have purchased anti-ransomware capacity and have been granted permission to use the anti-ransomware feature. For more information, see Activate the anti-virus feature.

Background information

  • The anti-virus feature is a value-added service supported by the Basic Anti-Virus, Advanced, and Enterprise editions. The anti-virus feature provides virus removal and data backup against ransomware. If you are using the Basic edition, you must upgrade Security Center to the Basic Anti-Virus, Advanced, or Enterprise edition before you can enable virus removal. If you are using the Basic Anti-Virus, Advanced, or Enterprise edition, you must purchase a specific amount of anti-ransomware capacity before you can enable data backup against ransomware.
  • The anti-virus feature supports data backup for only Alibaba Cloud Elastic Compute Service (ECS) instances. It does not support data backup for servers that are not deployed on Alibaba Cloud. You can create protection policies for only your ECS instances.
  • To ensure that the anti-ransomware protection capacity is effectively utilized, you can apply only one protection policy to each ECS instance. You can add a maximum of 100 ECS instances to each protection policy.
  • Anti-ransomware data backup is performed by using an anti-ransomware client that is installed on your ECS instance. You can back up data only when the status of the anti-ransomware client is normal. After a protection policy is created, we recommend that you monitor the status of the anti-ransomware client. This allows you to troubleshoot exceptions in a timely manner when the anti-ransomware client becomes abnormal. For more information, see View the status of an anti-ransomware client.
Note
  • The anti-ransomware feature supports a limited number of operating system versions. You cannot back up data for ECS instances that run unsupported operating system versions. For more information about the supported operating system versions, see Supported operating system versions.
  • The anti-ransomware data backup function is available in the following regions: China (Chengdu), China East 2 Finance, China North 2 Ali Gov, China (Shanghai), China (Hangzhou), China (Beijing), China (Shenzhen), China (Zhangjiakou-Beijing Winter Olympics), China (Hohhot), China (Qingdao), China (Hong Kong), Singapore (Singapore), Indonesia (Jakarta), Australia (Sydney), US (Silicon Valley), US (Virginia), Germany (Frankfurt), Japan (Tokyo), and India (Mumbai).
  • The anti-ransomware data backup function is supported only for Elastic Compute Service (ECS) instances that are deployed in virtual private clouds (VPCs). ECS instances deployed in the classic network do not support the anti-ransomware data backup function.

Data backup

  • You can perform incremental backups to protect your servers against ransomware. After a protection policy is created, the first backup copies all data in the protected directories and consumes a large amount of CPU and memory resources. To avoid interruptions to your business, we recommend that you run this first backup during off-peak hours. In subsequent backups, Security Center backs up only files that have changed (new, deleted, or modified files). This reduces server resource consumption and prevents excessive consumption of the anti-ransomware capacity. Note that a file encrypted by ransomware counts as a modified file: the next backup stores the encrypted version, and the clean version remains only in earlier backups, which the retention period of the policy eventually expires.
  • Security Center starts a specific number of backup tasks based on the backup directories that you have specified in each protection policy.
    • Back up all directories
      • Linux operating system: Security Center generates only one backup task.
      • Windows operating system: Security Center generates one data backup task for each data disk. If your ECS instance runs a Windows operating system and has two data disks, C and D, Security Center generates two data backup tasks. These two tasks are started at the same time. Compared with a Linux ECS instance, the Windows ECS instance consumes more CPU and memory resources during backup.
        Notice We recommend that you schedule the data backup based on the CPU utilization and memory usage of your ECS instance that runs a Windows operating system.
    • Back up specified directories
      Security Center starts a data backup task for each directory. Security Center allows multiple data backup tasks to run at the same time. These tasks may consume a large amount of CPU and memory resources. We recommend that you configure an appropriate number of backup directories based on your business requirements.
      Note A more efficient backup process is under development. This backup process starts only one backup task for each client, reducing the resource overhead for data backups.
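The interaction between incremental backups and the retention period is easy to get wrong, so the following added example (not Security Center's own code) models it. It assumes that backups start at fixed intervals and that a backup version is discarded once it is older than the retention period; the page does not give the exact expiry arithmetic, so treat the boundary as approximate. The interval and retention values used are the defaults of the Recommendation Policy described in the procedure below (One Day and Seven Days).

```python
"""Will a clean copy of a file still exist when the infection is noticed?

Added example; not Security Center's own code. It models the incremental
backup behaviour described above: each run stores files changed since the
previous run, so after ransomware encrypts a file the next backup holds the
encrypted version and the pre-encryption version survives only in older
backups, which the retention period expires. ASSUMPTION: a backup version is
discarded once it is older than the retention period.
"""


def backup_times(interval_days, horizon_days):
    """Backup start times in days: 0, interval, 2*interval, ... <= horizon."""
    times, t = [], 0.0
    while t <= horizon_days:
        times.append(t)
        t += interval_days
    return times


def last_clean_backup(encrypted_at, detected_at, interval_days, retention_days):
    """Newest retained backup taken before the encryption, or None if every
    such backup has already aged out of the retention period."""
    clean = [t for t in backup_times(interval_days, detected_at)
             if t < encrypted_at                      # taken before encryption
             and detected_at - t <= retention_days]   # still retained
    return max(clean) if clean else None


def minimum_retention_days(interval_days, detection_lag_days):
    """Retention that keeps a clean copy even in the worst case: the file is
    encrypted just before a backup, so the newest clean backup is one full
    interval old, and the infection is noticed detection_lag_days later."""
    return interval_days + detection_lag_days


if __name__ == "__main__":
    # Recommendation Policy defaults: interval One Day, retention Seven Days.
    for detected in (16, 18):
        print("noticed on day", detected, "-> last clean backup:",
              last_clean_backup(10.5, detected, 1, 7))
    print("retention needed for a 7-day detection lag:", minimum_retention_days(1, 7))
```

With the default policy, a file encrypted on day 10 still has a clean copy if the infection is noticed on day 16, but not on day 18: every backup after day 10 contains the encrypted file, and the day-10 backup has expired. Size the retention period as interval plus the time you realistically need to notice an infection; for a seven-day lag that already exceeds the Seven Days option.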

Procedure

You can select Recommendation Policy to quickly create a protection policy. You can also select Custom policy to create a custom protection policy. To create a custom protection policy, perform the following steps:

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Defense > Anti-Virus.
  3. On the Anti-Virus page, click Add anti-ransomware policies.
  4. On the General Anti-ransomware Solutions page, click Create Policies.
    You can also click the number under Unprotected Server(s) to go to the Create Policies pane.
  5. In the Create Policies pane, configure the parameters.
    The following table describes the parameters.
    Parameter: Description
    Policy Name: The name of the protection policy.
    Select Assets: Select asset groups, or select individual assets from asset groups. To select the assets to which you want to apply the protection policy, perform the following steps:
    • In the Asset Group section, select an asset group. The system automatically selects all assets in the group. You can clear assets that no longer require protection in the Assets section.
    • You can also enter an asset name in the search box in the Assets section to search for the specific asset. Fuzzy match is supported.
    Note
    • To ensure that the anti-ransomware protection capacity is effectively utilized, you can apply only one protection policy to each ECS instance. You can add a maximum of 100 ECS instances to each protection policy.
    • The anti-virus feature supports data backup for only Alibaba Cloud Elastic Compute Service (ECS) instances. It does not support data backup for servers that are not deployed on Alibaba Cloud. You can create protection policies for only your ECS instances.
    • The anti-ransomware data backup function is available in the following regions: China (Chengdu), China East 2 Finance, China North 2 Ali Gov, China (Shanghai), China (Hangzhou), China (Beijing), China (Shenzhen), China (Zhangjiakou-Beijing Winter Olympics), China (Hohhot), China (Qingdao), China (Hong Kong), Singapore (Singapore), Indonesia (Jakarta), Australia (Sydney), US (Silicon Valley), US (Virginia), Germany (Frankfurt), Japan (Tokyo), and India (Mumbai). This function is not supported in other regions. You can select only ECS instances that reside in the supported regions.
    Protection Policies: Valid values:
    • Recommendation Policy
      If you select Recommendation Policy, the following parameter settings are used by default:
      • Protected Directories: All Directories (excluding system directories)
      • Protected File Types: All File Types
      • Start Time: a point in time within the range of 00:00:00 to 03:00:00
      • Backup policy execution interval: One Day
      • Backup data retention period: Seven Days
      • Backup Network Bandwidth Limit(MByte/s): 5 MB/s
    • Custom policy

      If you select Custom policy, you must configure the parameters, including Protected Directories, Protected File Types, Start Time, Backup policy execution interval, Backup data retention period, and Backup Network Bandwidth Limit(MByte/s).

    Protected Directories: The directories that you want to protect. Valid values:
    • Specified directory: Specify one or more directories that you want to protect. Enter the addresses of the specified directories in the Directory address field.
    • All directories: All directories of the specified assets are protected. You must specify Whether to exclude system directories.
      Note If you select All directories, we recommend that you select Excluded for Whether to exclude system directories. This prevents conflicts with the operating system and avoids spending anti-ransomware capacity on system files rather than on business data.
    Whether to exclude system directories: Select Excluded or Not Excluded. If you select Excluded, the following directories in Windows and Linux operating systems are excluded. Check this list against where your data actually lives before you rely on All directories with system directories excluded: for example, the Linux list includes /srv/, which the Filesystem Hierarchy Standard designates for data served by the system (such as web content), so files stored there are not backed up.
    • Windows:
      • Windows\
      • python27\
      • Program Files (x86)\
      • Program Files\
      • ProgramData\
      • Boot\
      • $RECYCLE.BIN\
      • System Volume Information\
      • Users\Administrator\NTUSER.DAT
      • pagefile.sys
    • Linux:
      • /bin/
      • /usr/bin/
      • /sbin/
      • /boot/
      • /proc/
      • /sys/
      • /srv/
      • /lib/
      • /selinux/
      • /usr/sbin/
      • /run/
      • /lib32/
      • /lib64/
      • /lost+found/
    Directory address: The address of the directory that you want to protect. If you want to protect more than one directory, click Add to add more directory addresses. If you want to delete an existing directory address, click Delete.
    Note
    • You must set this parameter only if you select Specified directory for Protected Directories.
    • Security Center starts a data backup task for each directory. Security Center allows multiple data backup tasks to run at the same time. These tasks may consume a large amount of CPU and memory resources. We recommend that you configure an appropriate number of backup directories based on your business requirements.
    Protected File Types: The file types that you want to protect. Valid values:
    • Specify file type: Specify the file types that you want to protect. You must select a file type from the Select file type drop-down list.
    • All File Types: All file types are protected.
    Select file type: Valid values:
    • Document
    • Picture
    • Compressed
    • Database
    • Audio and video
    • Script code
    Note
    • You must set this parameter only if you select Specify file type for Protected File Types.
    • You can select more than one file type. Security Center protects only the files of the selected file types.
    Start Time: The time at which a data backup task starts. Routine incremental backups consume a modest amount of CPU and memory resources. We recommend that you set this parameter to a point in time during off-peak hours, such as 00:00:00.
    Note After a protection policy is created, a large amount of CPU and memory resources are consumed when you back up all data in the protected directories for the first time. To avoid interruptions to your business, we recommend that you back up your data during off-peak hours.
    Backup policy execution interval: The time interval between two data backup tasks. Default value: 1 Day. Valid values:
    • Half a day
    • One Day
    • Three days
    • Seven Days
    Backup data retention period: The retention period of backup data. Default value: 7 Days. Choose a period longer than the time you realistically need to notice an infection: each incremental backup also stores files that ransomware has modified, so once the backups taken before the encryption have expired, no clean copy remains. Valid values:
    • 7 Days
    • 30 days
    • Half a year
    • One year
    • Permanent
    Backup Network Bandwidth Limit(MByte/s): The maximum bandwidth that can be consumed by a data backup task. Value range: 1 MB/s to unlimited.
    Note We recommend that you set an appropriate bandwidth limit based on the bandwidth of your server. This prevents the backup tasks from using an excessive amount of bandwidth and ensures business stability.
  6. Click OK.
    After you create and enable a protection policy, Security Center installs the anti-ransomware client on your ECS instance. Then, Security Center backs up the data in the protected directories of your ECS instance based on the backup settings that you specified in the protection policy.
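Before you click OK, it is worth checking that the directory and file-type choices actually cover the data you want to survive an attack. The following added example (not Security Center's own code) applies the rules documented in the table above, the protected directories, the system-directory exclusion list, and the file-type categories, to a constructed file listing and also reports how many concurrent backup tasks the policy starts, as described in the Data backup section. The mapping of file extensions to the Select file type categories is an assumption: the page names only the categories, so confirm the real behaviour on a test instance before relying on a Specify file type policy.

```python
"""Coverage check for an anti-ransomware protection policy.

Added example; this is not Security Center's own code. ASSUMPTION: the
extension-to-category map below is illustrative; the policy description
names only the categories.
"""
from pathlib import PureWindowsPath

# Directories skipped when "Whether to exclude system directories" is Excluded.
LINUX_SYSTEM_EXCLUDES = (
    "/bin/", "/usr/bin/", "/sbin/", "/boot/", "/proc/", "/sys/", "/srv/",
    "/lib/", "/selinux/", "/usr/sbin/", "/run/", "/lib32/", "/lib64/",
    "/lost+found/",
)
# Windows entries are relative to the root of each volume; entries without a
# trailing backslash are single files.
WINDOWS_SYSTEM_EXCLUDES = (
    "Windows\\", "python27\\", "Program Files (x86)\\", "Program Files\\",
    "ProgramData\\", "Boot\\", "$RECYCLE.BIN\\", "System Volume Information\\",
    "Users\\Administrator\\NTUSER.DAT", "pagefile.sys",
)
# ASSUMED extension map for the "Select file type" categories.
FILE_TYPE_EXTENSIONS = {
    "Document": {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"},
    "Picture": {".jpg", ".jpeg", ".png", ".gif", ".bmp"},
    "Compressed": {".zip", ".rar", ".7z", ".gz", ".tar"},
    "Database": {".db", ".sqlite", ".mdf", ".ldf", ".ibd", ".frm", ".dump"},
    "Audio and video": {".mp3", ".mp4", ".avi", ".mkv", ".wav"},
    "Script code": {".py", ".sh", ".js", ".ps1", ".php", ".sql"},
}


def _under(path, directory, os_type):
    """True if path lies inside directory (case-insensitive on Windows)."""
    sep = "/" if os_type == "linux" else "\\"
    norm = (lambda s: s) if os_type == "linux" else str.lower
    return (norm(path) + sep).startswith(norm(directory.rstrip(sep)) + sep)


def _is_system_path(path, os_type):
    """Match path against the exclusion list for its operating system."""
    if os_type == "linux":
        return any(_under(path, d, "linux") for d in LINUX_SYSTEM_EXCLUDES)
    win = PureWindowsPath(path)            # strip the drive: entries are per volume
    rel = str(win.relative_to(win.anchor)) if win.anchor else str(win)
    for entry in WINDOWS_SYSTEM_EXCLUDES:
        if entry.endswith("\\"):
            if _under(rel, entry, "windows"):
                return True
        elif rel.lower() == entry.lower():  # single-file entry
            return True
    return False


def _extension(path):
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""


def is_protected(policy, path):
    """Apply the directory, system-exclusion and file-type rules of a policy."""
    os_type, dirs = policy["os"], policy["protected_directories"]
    if dirs == "all":
        if policy["exclude_system_directories"] and _is_system_path(path, os_type):
            return False
    elif not any(_under(path, d, os_type) for d in dirs):
        return False
    types = policy["file_types"]  # None means "All File Types"
    if types is None:
        return True
    allowed = set().union(*(FILE_TYPE_EXTENSIONS[t] for t in types))
    return _extension(path) in allowed


def protected_paths(policy, listing):
    return [p for p in listing if is_protected(policy, p)]


def backup_task_count(policy, data_disks=1):
    """Concurrent backup tasks the policy starts, per the Data backup section."""
    if policy["protected_directories"] == "all":
        return 1 if policy["os"] == "linux" else data_disks
    return len(policy["protected_directories"])


# Policies as the console would configure them.
RECOMMENDED_LINUX = {"os": "linux", "protected_directories": "all",
                     "exclude_system_directories": True, "file_types": None}
RECOMMENDED_WINDOWS = dict(RECOMMENDED_LINUX, os="windows")
CUSTOM_WINDOWS = {"os": "windows",
                  "protected_directories": ["D:\\sqldata", "C:\\Users\\finance"],
                  "exclude_system_directories": False,
                  "file_types": ["Database", "Document"]}
# Constructed file listings, not taken from real hosts.
LINUX_LISTING = ["/var/lib/mysql/ibdata1", "/home/app/reports/q3.xlsx",
                 "/srv/www/index.html",  # /srv/ is on the exclusion list
                 "/usr/bin/python3", "/lib64/libc.so.6", "/opt/app/deploy.sh"]
WINDOWS_LISTING = ["C:\\Windows\\System32\\config\\SAM", "C:\\Users\\finance\\ledger.xlsx",
                   "C:\\Users\\Administrator\\NTUSER.DAT", "D:\\sqldata\\app.mdf",
                   "D:\\sqldata\\app.ldf", "C:\\pagefile.sys", "D:\\sqldata\\notes.txt"]

if __name__ == "__main__":
    for name, pol, lst in [("recommended/linux", RECOMMENDED_LINUX, LINUX_LISTING),
                           ("recommended/windows", RECOMMENDED_WINDOWS, WINDOWS_LISTING),
                           ("custom/windows", CUSTOM_WINDOWS, WINDOWS_LISTING)]:
        print(name, "tasks:", backup_task_count(pol, data_disks=2), protected_paths(pol, lst))
```

Two results are worth noticing. Under the Linux Recommendation Policy, /srv/www/index.html is silently left out because /srv/ is on the exclusion list. And with a Specify file type policy limited to Database, an extension-less data file such as /var/lib/mysql/ibdata1 is not matched by the assumed extension map, which is exactly the kind of gap to verify on a test instance before you depend on the policy.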

What to do next

After you create a protection policy, you must enable it in the policy list. Then, Security Center backs up the file directories that you specified in the protection policy. For more information, see Enable or disable a protection policy.

Related operations

  • View the status of the anti-ransomware client
    After a protection policy is created, you must check the status of the anti-ransomware client on the General Anti-ransomware Solutions page. Security Center can back up data for your ECS instance only when the anti-ransomware client is in the Client online state. If the status of the anti-ransomware client is Uninstalled, failed, or Exception, Security Center cannot back up data by using the protection policy, and you must troubleshoot the exception. The following operations help you troubleshoot the client.
  • Install an anti-ransomware client
    After a protection policy is created, Security Center installs the anti-ransomware client on your ECS instance. If your ECS instance is stopped or has firewall policies that block the installation, Security Center may fail to install the anti-ransomware client. If the anti-ransomware client cannot be installed, resolve the cause first. Then, go to the General Anti-ransomware Solutions page and install the anti-ransomware client. For more information about how to install an anti-ransomware client, see Manage a protection policy.
  • Uninstall an anti-ransomware client
    Notice
    • After the anti-ransomware client is uninstalled, Security Center deletes the server data that is backed up by the client. Deleted backup data cannot be recovered. We recommend that you exercise caution with the uninstallation of an anti-ransomware client.
    • After Security Center deletes the server data that is backed up by the client, it releases the corresponding anti-ransomware protection capacity. The anti-ransomware protection capacity is updated 12 to 48 hours after the release. We recommend that you wait for a sufficient amount of time before you recheck the anti-ransomware protection capacity.
    If you want to upgrade the anti-ransomware client, go to the General Anti-ransomware Solutions page, uninstall the anti-ransomware client, and then reinstall the client. Because uninstalling the client deletes the backup data that it created, make sure that you no longer need the existing backups before you upgrade in this way.