Persistent viruses, such as ransomware and mining programs, have become major threats to network security. To prevent these viruses from intruding your servers, Security Center provides the anti-virus feature to scan for these viruses and generate alerts when the viruses are detected. This feature also supports virus deep cleaning and data backup.

Background information

The anti-virus feature is a value-added service only supported by the Advanced or Enterprise edition of Security Center. If you are using the Basic edition, you must upgrade Security Center to the Advanced or Enterprise edition and purchase anti-ransomware capacity before you can activate the anti-virus feature.

Before you use the anti-virus feature, we recommend that you turn on the Virus Blocking switch on the Settings page. After you turn on the Virus Blocking switch, Security Center automatically detects and removes major Trojans, ransomware, mining viruses, and DDoS Trojans. For more information, see The anti-virus feature.

The anti-virus feature supports a limited number of operating system versions. Servers that use unsupported operating system versions cannot back up data. For more information about supported operating system versions, see Operating system versions supported by the anti-virus feature.

Note The Anti-Virus feature is now available in the following regions: Singapore, Indonesia, Australia, US, Germany, China (Hong Kong), China (Shanghai), China (Hangzhou), China (Beijing), China (Shenzhen), China (Zhangjiakou) and China (Hohhot).

Features

The anti-virus feature provides general anti-ransomware solutions. For more information, see How the anti-virus feature works. The anti-virus feature also provides the following functions:
  • Virus scan

    The security experts of Security Center conduct automatic analysis on the attack methods based on a large number of persistent virus samples. Alibaba Cloud developed the machine learning anti-virus engine based on the attack analysis. The virus scan function uses the machine learning anti-virus engine and a virus library that is updated in real time. The virus scan function can help you detect viruses at the earliest opportunity. You can create virus scan tasks to check whether your servers have been intruded by viruses.

  • Alert management

    The anti-virus feature provides the alert management function, which allows you to manage virus alerts. You can perform deep cleaning tasks against persistent viruses, such as ransomware and mining programs. Virus deep cleaning can remove persistent viruses by terminating virus processes, quarantine malicious files, and removing inserted viruses. For more information, see Handle virus alerts.

  • Data backup
    The anti-virus feature provides the data backup function. If your servers are intruded by ransomware, you can use the data backup function to restore data and reduce losses. You can create protection policies to back up the data of core servers. For more information, see Create a protection policy. If you want to restore server data, you can create restoration tasks. For more information, see Create a restoration task.
    Note
    • The anti-virus feature only supports data backup for Alibaba Cloud Elastic Compute Service (ECS) instances. It does not support data backup for external servers. You can create protection policies only for your ECS instances.
    • If the data has not been modified when you back it up for multiple times, the used anti-ransomware capacity will not increase.

How the anti-virus feature works

Ransomware has been a major threat to enterprises or individuals. If the key data or files stored on the servers are encrypted by attackers, typically paying the ransom is the only solution. Ransomware has caused tremendous losses to numerous enterprises and individuals. To help enterprises and individuals handle ransomware, Alibaba Cloud has released general anti-ransomware solutions, which provides layer-by-layer protection against ransomware.

General anti-ransomware solutions provide a layer-by-layer protection system against ransomware:
  • Block recognized ransomware in real time

    Based on the Alibaba Cloud intelligence library, Security Center has blocked a large amount of ransomware identified in the intelligence library. Security Center blocks ransomware at the earliest opportunity to prevent potential losses.

  • Trap and block new ransomware
    Security Center sets trap directories to block potential ransomware activities. To block new ransomware, Security Center immediately blocks unusual encryption activities when they are detected. At the same time, Security Center generates alerts to notify you of the potential threats.
    Note Security Center sets trap directories on your servers to block potential ransomware. If you find any suspicious directory on your server, contact after-sales services or Submit a ticket to check whether this directory is a trap directory set by Security Center. Trap directories do not affect your workloads, nor are they malicious. Trap directories cannot be manually deleted.
  • Restore infected files

    In addition to anti-ransomware protection, Security Center also supports data backup. This function periodically backs up data and allows you to restore server data based on the specified time or file version. In scenarios where files in your servers are encrypted, you can restore the data to ensure the security of your servers.

Operating system versions supported by the anti-virus feature

System Supported version
Windows 7, 8, and 10
Windows Server 2008 R2, 2012, 2012 R2, 2016 and 2019
RHEL 7.0, 7.2, and 7.4
CentOS 6.5, 6.9, 7.2, 7.3, and 7.4
Ubuntu 14.04 and 16.04
SUSE Linux Enterprise Server 11, 12, and 15
Note The anti-virus feature supports a limited number of operating system versions. Servers that use unsupported operating system versions cannot use the data backup function.

Anti-virus suggestions

When you use Security Center to block ransomware, follow these instructions:
  1. Before the process: activate the anti-virus feature and create protection policies

    The anti-virus feature provides the data backup function. You must activate the anti-virus feature and create protection polices to protect your servers. For more information, see Activate the anti-virus feature and Create a protection policy.

  2. During the process: handle ransomware alerts and create restoration tasks

    Security Center generates alerts when ransomware activities are detected. If you receive ransomware alerts, we recommend that you troubleshoot the causes and handle the alerts. For more information, see View and handle alert events. If the data on your servers has been encrypted by ransomware, you can create restoration tasks to restore the encrypted data. For more information, see Create a restoration task.

  3. After the process: scan for server vulnerabilities and reinforce security
    To further reduce the risk of ransomware attacks, we recommend that you follow these suggestions:
    • Fix system vulnerabilities regularly to prevent vulnerabilities from being exploited by attackers. You can use the vulnerability fix feature provided by Security Center. For more information, see Overview.
    • Avoid using weak passwords on your servers. Enable two-factor authentication for important servers.
    • Avoid exposing unnecessary ports to the Internet to reduce the risk of attack events.