Persistent viruses, such as ransomware and mining programs, have become major threats to network security. To prevent persistent viruses from intruding into your servers, Security Center provides the antivirus feature to scan for persistent viruses and generates alerts when persistent viruses are detected. This feature also supports virus deep cleaning and data backup.
Only the Anti-virus, Advanced, Enterprise, and Ultimate editions of Security Center support this feature. If you use the Basic edition, you must upgrade Security Center to the Anti-virus, Advanced, Enterprise, or Ultimate edition before you can use this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that each edition supports, see Feature.
Before you use the antivirus feature, we recommend that you turn on Virus Blocking on the Settings page. After you turn on Virus Blocking, Security Center automatically detects and removes common trojans, ransomware, mining viruses, and DDoS trojans. For more information, see Use proactive defense and Comparison between the virus blocking feature and the anti-virus feature.
- Virus scan
The security experts of Security Center conduct automatic analysis on attack methods based on a large number of persistent virus samples. Alibaba Cloud develops a machine learning antivirus engine based on the attack analysis results. Virus scan uses the machine learning antivirus engine and a virus library that is updated in real time. Virus scan allows you to detect viruses at the earliest opportunities. You can create virus scan tasks to check whether your servers are intruded by viruses. For more information, see Scan for viruses.
- Alert management
The antivirus feature allows you to manage virus alerts. You can perform deep cleaning tasks on persistent viruses, such as ransomware and mining programs. Virus deep cleaning can remove persistent viruses by terminating virus processes, quarantining malicious files, and removing inserted viruses. For more information, see Handle virus alerts.
- Data backup
The antivirus feature provides the capability of anti-ransomware data backup. If your servers are intruded by ransomware, you can use data backup to restore data and reduce loss. You can create protection policies to back up the data of core servers. For more information, see Create a protection policy. If you want to restore server data, you can create restoration tasks. For more information, see Create a restoration task.Note
- The anti-ransomware feature supports data backup only for ECS instances. This feature does not support data backup for servers that are not deployed on Alibaba Cloud. You can create protection policies only for your ECS instances.
- To protect your servers against ransomware, you can perform incremental data backup. When you back up data for the first time, all data in the protected directories are backed up. When you back up the data again, only the files that involve data changes are backed up. The data changes include addition, modification, and deletion.
How it works
Ransomware has been a major threat to enterprises and individuals. If the core data or files stored on the servers are encrypted by attackers, paying the ransom is the only solution. Ransomware has caused tremendous loss to numerous enterprises and individuals. To help enterprises and individuals handle ransomware, Alibaba Cloud releases a general anti-ransomware solution. This solution provides layer-by-layer protection against ransomware.
- Block recognized ransomware in real time
Security Center has blocked a large amount of ransomware recognized by the Alibaba Cloud intelligence library. Security Center blocks ransomware at the earliest opportunity to prevent potential loss.
- Trap and block new ransomware
Security Center sets trap directories to block potential ransomware activities. To block new ransomware, Security Center immediately blocks unusual encryption activities when they are detected. In addition, Security Center generates alerts to notify you of the potential threats.Note On the Settings page of the Security Center console, turn on Anti-ransomware (Bait Capture) in the Proactive Defense section of the General tab. For more information, see Use proactive defense. After you turn on Anti-ransomware (Bait Capture), Security Center sets trap directories on your servers to block potential ransomware activities. If you find a suspicious directory on your server, contact after-sales services or submit a ticket to check whether the directory is a trap directory set by Security Center. Trap directories do not affect your workloads and are not malicious. Trap directories cannot be manually deleted.
- Restore infected files
In addition to anti-ransomware, Security Center supports data backup. This feature periodically backs up data and allows you to restore server data based on the specified time or file version. In scenarios in which files on your servers are encrypted, you can restore the data to ensure the security of your servers.
Supported operating system versions
|Windows||7, 8, and 10|
|Windows Server||2008 R2, 2012, 2012 R2, 2016, and 2019|
|Red Hat Enterprise Linux (RHEL)||7.0, 7.2, and 7.4|
|CentOS||6.5, 6.9, 7.2, 7.3, 7.4, 7.6, 7.7, 7.8, 7.9, and 8.2|
|Ubuntu||14.04, 16.04, 18.40, and 20.04|
|SUSE Linux Enterprise Server||11, 12, and 15|
- Before the process: Enable the antivirus feature and create protection polices
The antivirus feature provides the data backup capability. You must enable the antivirus feature and create protection polices to back up the core data of your servers. For more information, see Enable the anti-ransomware feature and Create a protection policy.
- During the process: Handle ransomware alerts and create restoration tasks
Security Center generates alerts when ransomware activities are detected. If you receive ransomware alerts, we recommend that you troubleshoot the causes and handle the alerts at the earliest opportunity. For more information, see View and handle alert events. If the data on your servers is encrypted by ransomware, you can create restoration tasks to restore the encrypted data. For more information, see Create a restoration task.
- After the process: Scan for server vulnerabilities and reinforce security
To further reduce the risk of ransomware attacks, we recommend that you perform the following steps:
- Regularly fix system vulnerabilities to prevent vulnerabilities from being exploited by attackers. You can use the vulnerability fixing feature provided by Security Center. For more information, see Overview.
- Enable two-factor authentication for servers that are important. Do not use weak passwords on your servers.
- Make sure that only necessary ports are accessible over the Internet.