Persistent viruses, such as ransomware and mining programs, have become major threats to network security. To prevent persistent viruses from intruding into your servers, Security Center provides the anti-virus feature to scan for persistent viruses and generates alerts when persistent viruses are detected. This feature also supports virus deep cleaning and data backup.

Background information

The anti-virus feature is a value-added service supported by the Basic Anti-Virus, Advanced, and Enterprise editions. The anti-virus feature provides virus removal and data backup against ransomware. If you are using the Basic edition, you must upgrade Security Center to the Basic Anti-Virus, Advanced, or Enterprise edition before you can enable virus removal. If you are using the Basic Anti-Virus, Advanced, or Enterprise edition, you must purchase a specific amount of anti-ransomware capacity before you can enable data backup against ransomware.

Before you use the anti-virus feature, we recommend that you turn on Virus Blocking on the Settings page. After you turn on Virus Blocking, Security Center automatically detects and removes trojans, ransomware, mining viruses, and DDoS trojans. For more information, see Virus detection and Comparison between virus blocking and the anti-virus feature.

Note: The anti-virus feature supports a limited number of operating system versions. Servers that use unsupported operating system versions cannot use the data backup function. For more information about supported operating system versions, see Supported operating system versions.


The anti-virus feature provides a general anti-ransomware solution. For more information, see How the anti-virus feature works. The anti-virus feature also provides the following functions:
  • Virus scan

    The security experts of Security Center conduct automatic analysis on the attack methods based on a large number of persistent virus samples. Alibaba Cloud develops the machine learning anti-virus engine based on the attack analysis. The virus scan function uses the machine learning anti-virus engine and a virus library that is updated in real time. The virus scan function can detect viruses at the earliest opportunity. You can create virus scan tasks to check whether your servers have been intruded by viruses. For more information, see Scan for viruses.

  • Alert management

    The anti-virus feature provides the alert management function, which allows you to manage virus alerts. You can perform deep cleaning tasks against persistent viruses, such as ransomware and mining programs. Virus deep cleaning can remove persistent viruses by terminating virus processes, quarantining malicious files, and removing inserted viruses. For more information, see Handle virus alerts.

  • Data backup
    The anti-virus feature provides the anti-ransomware data backup function. If your servers are intruded by ransomware, you can use the data backup function to restore data and reduce losses. You can create protection policies to back up the data of core servers. For more information, see Create a protection policy. If you want to restore server data, you can create restoration tasks. For more information, see Create a restoration task.
    • The anti-virus feature only supports data backup for Alibaba Cloud Elastic Compute Service (ECS) instances. It does not support data backup for external servers. You can create protection policies only for your ECS instances.
    • Data backup against ransomware is incremental. When you back up data for the first time, all data in the protected directories is backed up. If the data is later modified, added, or deleted, extra space is consumed when Security Center backs up the data again.

How the anti-virus feature works

Ransomware has been a major threat to enterprises and individuals. If the core data or files stored on the servers are encrypted by attackers, paying the ransom is the only solution. Ransomware has caused tremendous losses to numerous enterprises and individuals. To help enterprises and individuals handle ransomware, Alibaba Cloud has released a general anti-ransomware solution, which provides layer-by-layer protection against ransomware.

  • The anti-ransomware data backup function is available in the following regions: China (Chengdu), China East 2 Finance, China North 2 Ali Gov, China (Shanghai), China (Hangzhou), China (Beijing), China (Shenzhen), China (Zhangjiakou-Beijing Winter Olympics), China (Hohhot), China (Qingdao), China (Hong Kong), Singapore (Singapore), Indonesia (Jakarta), Australia (Sydney), US (Silicon Valley), US (Virginia), Germany (Frankfurt), Japan (Tokyo), and India (Mumbai).
  • The anti-ransomware data backup function is only supported by Elastic Compute Service (ECS) instances that are deployed in virtual private clouds (VPCs). ECS instances deployed in the classic network do not support the anti-ransomware data backup function.
The general anti-ransomware solution provides a layer-by-layer protection system against ransomware:
  • Block recognized ransomware in real time

    Security Center uses the Alibaba Cloud intelligence library to identify known ransomware and has blocked a large amount of it. Security Center blocks ransomware at the earliest opportunity to prevent potential losses.

  • Trap and block new ransomware
    Security Center sets trap directories to block potential ransomware activities. To block new ransomware, Security Center immediately blocks unusual encryption activities when they are detected. At the same time, Security Center generates alerts to notify you of the potential threats.
    Note: Security Center sets trap directories on your servers to block potential ransomware. If you find a suspicious directory on your server, contact after-sales services or submit a ticket to check whether this directory is a trap directory set by Security Center. Trap directories do not affect your business and they are not malicious. Trap directories cannot be manually deleted.
  • Restore infected files

    In addition to anti-ransomware, Security Center also supports data backup. This function periodically backs up data and allows you to restore server data based on the specified time or file version. In scenarios where files in your servers are encrypted, you can restore the data to ensure the security of your servers.
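
The trap-directory idea described under "Trap and block new ransomware", as an added illustration; this is not Security Center's code, and the page does not describe how the product implements or enforces its traps. The sketch only detects changes to decoy files and does not block anything; the decoy names, the `.locked` suffix and the 7.5 bits-per-byte entropy threshold are assumptions.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext approaches 8.0, plain text is usually well below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def seed_trap_dir(path: str, count: int = 3) -> dict:
    """Create decoy files (hypothetical names) and return {filename: sha256}."""
    os.makedirs(path, exist_ok=True)
    baseline = {}
    for i in range(count):
        name = f"decoy_{i}.txt"
        body = (f"quarterly report draft {i}\n" * 200).encode()
        with open(os.path.join(path, name), "wb") as f:
            f.write(body)
        baseline[name] = hashlib.sha256(body).hexdigest()
    return baseline

def check_trap_dir(path: str, baseline: dict, threshold: float = 7.5) -> list:
    """Return (filename, reason) alerts for decoys that changed since seeding."""
    alerts, present = [], set(os.listdir(path))
    for name, digest in baseline.items():
        if name not in present:
            alerts.append((name, "missing"))  # deleted or renamed
            continue
        with open(os.path.join(path, name), "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() != digest:
            looks_encrypted = shannon_entropy(data) >= threshold
            alerts.append((name, "encrypted-like" if looks_encrypted else "modified"))
    alerts += [(n, "unexpected") for n in sorted(present - set(baseline))]
    return alerts

def demo() -> list:
    """Constructed scenario: one decoy overwritten, one renamed, one untouched."""
    with tempfile.TemporaryDirectory() as trap:
        baseline = seed_trap_dir(trap)
        with open(os.path.join(trap, "decoy_0.txt"), "wb") as f:
            f.write(bytes(range(256)) * 16)  # constructed stand-in for ciphertext
        os.rename(os.path.join(trap, "decoy_1.txt"), os.path.join(trap, "decoy_1.txt.locked"))
        return check_trap_dir(trap, baseline)

if __name__ == "__main__":
    print(demo())
```

Any alert from a directory that no legitimate process should touch is a high-confidence signal, which is why decoys can catch ransomware that has no known signature.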

Supported operating system versions

Anti-virus suggestions

When you use Security Center to block ransomware, perform the following steps:
  1. Before the process: Enable the anti-virus feature and create protection policies

    The anti-virus feature provides the data backup function. You must enable the anti-virus feature and create protection policies to protect your servers. For more information, see Activate the anti-virus feature and Create a protection policy.

  2. During the process: Handle ransomware alerts and create restoration tasks
    Security Center generates alerts when ransomware activities are detected. If you receive ransomware alerts, we recommend that you troubleshoot the causes and handle the alerts. For more information, see View and handle alert events. If the data on your servers has been encrypted by ransomware, you can create restoration tasks to restore the encrypted data. For more information, see Create a restoration task.
  3. After the process: Scan for server vulnerabilities and reinforce security
    To further reduce the risk of ransomware attacks, we recommend that you perform the following steps:
    • Fix system vulnerabilities regularly to prevent vulnerabilities from being exploited by attackers. You can use the vulnerability fixing feature provided by Security Center. For more information, see Overview.
    • Do not use weak passwords on your servers. Enable two-factor authentication for important servers.
    • To reduce the risk of attacks, do not open unnecessary ports to the Internet.