Persistent viruses, such as ransomware and mining programs, have become major threats to network security. To prevent persistent viruses from intruding into your servers, Security Center provides the antivirus feature to scan for persistent viruses and generates alerts when persistent viruses are detected. This feature also supports virus deep cleaning and data backup.

Background information

The antivirus feature is a value-added service supported by the Basic Anti-Virus, Advanced, and Enterprise editions. The antivirus feature provides virus removal and data backup against ransomware. If you are using the Basic edition, you must upgrade Security Center to the Basic Anti-Virus, Advanced, or Enterprise edition before you can enable virus removal. If you are using the Basic Anti-Virus, Advanced, or Enterprise edition, you must purchase a specific amount of anti-ransomware capacity before you can enable data backup against ransomware.

Before you use the antivirus feature, we recommend that you turn on Virus Blocking on the Settings page. After you turn on Virus Blocking, Security Center automatically detects and removes trojans, ransomware, mining viruses, and DDoS trojans. For more information, see Proactive defense and Comparison between virus blocking and the anti-virus feature.

Note The antivirus feature supports a limited number of operating system versions. Servers that use unsupported operating system versions cannot use the data backup feature. For more information about supported operating system versions, see Supported operating system versions.


The antivirus feature provides a general anti-ransomware solution. For more information, see How it works. The antivirus feature also provides the following features:
  • Virus scan

    The security experts of Security Center conduct automatic analysis on attack methods based on a large number of persistent virus samples. Alibaba Cloud develops a machine learning antivirus engine based on the attack analysis. The virus scan feature uses the machine learning antivirus engine and a virus library that is updated in real time. This feature helps you detect viruses in a timely manner. You can create virus scan tasks to check whether your servers have been intruded by viruses. For more information, see Scan for viruses.

  • Alert management

    The antivirus feature allows you to manage virus alerts. You can perform deep cleaning tasks on persistent viruses, such as ransomware and mining programs. Virus deep cleaning can remove persistent viruses by terminating virus processes, quarantining malicious files, and removing inserted viruses. For more information, see Handle virus alerts.

  • Data backup
    The antivirus feature provides the anti-ransomware data backup feature. If your servers are intruded by ransomware, you can use the data backup feature to restore data and reduce losses. You can create protection policies to back up the data of core servers. For more information, see Create a protection policy. If you want to restore server data, you can create restoration tasks. For more information, see Create a restoration task.
    • The anti-ransomware feature supports data backup only for ECS instances. It does not support data backup for servers that are not deployed on Alibaba Cloud. You can create protection policies only for your ECS instance.
    • To protect your servers against ransomware, You can perform incremental backup to back up data. When you back up data for the first time, all data in the protected directories is backed up. If the data is modified, added, or deleted, extra space is consumed when Security Center backs up the data again.

How it works

Ransomware has been a major threat to enterprises and individuals. If the core data or files stored on the servers are encrypted by attackers, paying the ransom is the only solution. Ransomware has caused tremendous losses to numerous enterprises and individuals. To help enterprises and individuals handle ransomware, Alibaba Cloud has released a general anti-ransomware solution, which provides layer-by-layer protection against ransomware.

  • The anti-ransomware data backup feature is available in the following regions: China (Chengdu), China East 2 Finance, China North 2 Ali Gov, China (Shanghai), China (Hangzhou), China (Beijing), China (Shenzhen), China (Zhangjiakou), China (Hohhot), China (Qingdao), China (Hong Kong), Singapore (Singapore), Indonesia (Jakarta), Australia (Sydney), US (Silicon Valley), US (Virginia), Germany (Frankfurt), Japan (Tokyo), and India (Mumbai).
  • The anti-ransomware data backup feature is only supported by Elastic Computing Service (ECS) instances that are deployed in virtual private clouds (VPCs). ECS instances deployed in the classic network do not support the anti-ransomware data backup feature.
The general anti-ransomware solution provides a layer-by-layer protection system against ransomware:
  • Block recognized ransomware in real time

    Security Center has blocked a large amount of ransomware identified by the Alibaba Cloud intelligence library. Security Center blocks ransomware at the earliest opportunity to prevent potential losses.

  • Trap and block new ransomware
    Security Center sets trap directories to block potential ransomware activities. To block new ransomware, Security Center immediately blocks unusual encryption activities when they are detected. At the same time, Security Center generates alerts to notify you of the potential threats.
    Note On the Settings page of the Security Center console, enable Anti-ransomware (Bait Capture) in the Proactive Defense section of the General tab. After you enable anti-ransomware (bait capture), Security Center sets trap directories on your servers to block potential ransomware. If you find a suspicious directory on your server, contact after-sales services or submit aticket to check whether the directory is a trap directory set by Security Center. Trap directories do not affect your workloads and are not malicious. Trap directories cannot be manually deleted.
  • Restore infected files

    In addition to anti-ransomware, Security Center also supports data backup. This feature periodically backs up data and allows you to restore server data based on the specified time or file version. In scenarios where files on your servers are encrypted, you can restore the data to ensure the security of your servers.

Supported operating system versions

Operating system Version
Windows 7, 8, and 10
Windows Server 2008 R2, 2012, 2012 R2, 2016, and 2019
RHEL 7.0, 7.2, and 7.4
CentOS 6.5, 6.9, 7.2, 7.3, 7.4, and 8.2
Ubuntu 14.04, 16.04, 18.40, and 20.04
SUSE Linux Enterprise Server 11, 12, and 15
Note Anti-ransomware allows you to install the anti-ransomware client for only the operating systems that are listed in the preceding table. If you use other operating systems and versions, you cannot install the anti-ransomware client or back up data. We recommend that you check whether the operating system version of your server is supported before you use the anti-ransomware feature.

Antivirus suggestions

When you use Security Center to block ransomware, perform the following steps:
  1. Before the process: Enable the antivirus feature and create protection polices

    The antivirus feature provides the data backup feature. You must enable the antivirus feature and create protection polices to protect your servers. For more information, see Enable the anti-ransomware feature and Create a protection policy.

  2. During the process: Handle ransomware alerts and create restoration tasks
    Security Center generates alerts when ransomware activities are detected. If you receive ransomware alerts, we recommend that you troubleshoot the causes and handle the alerts. For more information, see View and handle alerts. If the data on your servers has been encrypted by ransomware, you can create restoration tasks to restore the encrypted data. For more information, see Create a restoration task.Ransomware alerts
  3. After the process: Scan for server vulnerabilities and reinforce security
    To further reduce the risk of ransomware attacks, we recommend that you perform the following steps:
    • Regularly fix system vulnerabilities to prevent vulnerabilities from being exploited by attackers. You can use the vulnerability fix feature provided by Security Center. For more information, see Overview.
    • Do not use weak passwords on your servers. Enable two-factor authentication for servers that are important.
    • To reduce the risk of attacks, do not open unnecessary ports to the Internet.