This topic provides answers to some frequently asked questions about features of Security Center. The features include the anti-ransomware, antivirus, web tamper proofing, and application whitelist features.

How do I purchase the anti-ransomware capacity?

If you use the Basic edition of Security Center, you can go to the Security Center buy page to upgrade Security Center Basic to the Anti-virus, Advanced, Enterprise, or Ultimate edition, and purchase the anti-ransomware capacity. You can also purchase the Value-added Plan and purchase the anti-ransomware capacity. For more information, see Enable the anti-ransomware feature.

If you use the Anti-virus, Advanced, Enterprise, or Ultimate edition, you can change the specifications and purchase a specific amount of anti-ransomware capacity. For more information, see Upgrade and downgrade Security Center. After you purchase the anti-ransomware capacity and grant Security Center the permissions to use your cloud resources, the anti-ransomware feature is automatically enabled.

What is the anti-ransomware feature? Why do I have to pay for the anti-ransomware feature?

The anti-ransomware feature is a new feature of Security Center, which provides a general anti-ransomware solution. You must purchase the storage that is occupied by data backups in the anti-ransomware solution.

The general anti-ransomware solution allows you to block all types of ransomware and restore the files encrypted by ransomware. The general anti-ransomware solution allows you to back up important directories and files on your servers. We recommend that you purchase 50 GB of anti-ransomware capacity for each server, which costs only USD 2.25 per month.

What is the relationship between the anti-ransomware feature and Alibaba Cloud HBR?

The anti-ransomware feature uses the storage capability provided by Alibaba Cloud Hybrid Backup Recovery (HBR). If you have not activated Alibaba Cloud HBR, it is activated automatically after you purchase the anti-ransomware capacity and grant Security Center the permissions to use Alibaba Cloud HBR. No extra fees are charged to activate Alibaba Cloud HBR.

Is the data backup feature automatically enabled after I purchase the anti-ransomware capacity?

No, the feature is not automatically enabled.

After you purchase the anti-ransomware capacity, you must create and enable a protection policy. After you enable the protection policy, Security Center backs up server data to protect your servers against ransomware. For more information, see Create a protection policy.

After I enable the anti-ransomware feature, the data backup cache occupies a large amount of disk capacity. How do I clear the cache?

To accelerate data backup, the anti-ransomware feature caches data during the backup. By default, the data backup cache occupies disk capacity on your server. If a large amount of disk capacity is occupied by the cache under the path of C:\Program Files (x86)\Alibaba\Aegis\hbr\cache on Windows servers or /usr/local/aegis/hbr/cache on Linux servers, you can clear the cache.
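The following Python script is an added example, not code from Alibaba Cloud or the anti-ransomware client. It measures how much disk capacity the cache directory named above is using and, when run with --clear, empties the directory. The Windows and Linux paths are the defaults given on this page; if the client's configuration file points the cache elsewhere, pass that path as the first argument. Keeping the top-level cache directory in place after clearing it (so the client can keep writing to it) is an assumption of this example, as is the choice to run it only while no backup task is in progress, since the page says the cache is written during backups.

```python
import os
import platform
import sys
from pathlib import Path

# Default cache locations named on the page. Pass an explicit path on the
# command line if the client's configuration file points elsewhere.
DEFAULT_CACHE_DIRS = {
    "Windows": Path(r"C:\Program Files (x86)\Alibaba\Aegis\hbr\cache"),
    "Linux": Path("/usr/local/aegis/hbr/cache"),
}


def default_cache_dir() -> Path:
    """Pick the page's default cache path for the OS this script runs on."""
    system = platform.system()
    if system not in DEFAULT_CACHE_DIRS:
        raise RuntimeError(f"no default cache path known for {system}")
    return DEFAULT_CACHE_DIRS[system]


def cache_size_bytes(cache_dir: Path) -> int:
    """Total size of regular files below cache_dir (0 if it does not exist).
    Symlinks are skipped so a link pointing outside the cache is not counted."""
    total = 0
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            p = Path(root) / name
            if p.is_file() and not p.is_symlink():
                total += p.stat().st_size
    return total


def clear_cache(cache_dir: Path) -> int:
    """Delete everything below cache_dir but keep cache_dir itself
    (assumption: the client expects the directory to exist).
    Returns the number of bytes freed."""
    freed = cache_size_bytes(cache_dir)
    # Bottom-up walk: subdirectories are already empty when we remove them.
    for root, dirs, files in os.walk(cache_dir, topdown=False):
        for name in files:
            (Path(root) / name).unlink()
        for name in dirs:
            p = Path(root) / name
            if p.is_symlink():
                p.unlink()  # remove the link, never the target
            else:
                p.rmdir()
    return freed


def main(argv):
    clear = "--clear" in argv
    args = [a for a in argv if a != "--clear"]
    cache_dir = Path(args[0]) if args else default_cache_dir()
    size = cache_size_bytes(cache_dir)
    print(f"{cache_dir}: {size / (1024 * 1024):.1f} MiB in cache")
    if clear:
        freed = clear_cache(cache_dir)
        print(f"cleared {freed / (1024 * 1024):.1f} MiB")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it without arguments to see the current cache size, and with --clear (as an administrator or root, since the cache sits under a system path) to empty the cache.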

After I enable the anti-ransomware feature, the data backup cache occupies a large amount of capacity of drive C on my server. Can I change the directory in which the data backup cache is stored?

Yes, you can change the directory in which the data backup cache is stored.

You can modify the configuration file of the anti-ransomware client to change the directory in which the data backup cache is stored.

What do I do if the anti-ransomware client consumes excessive server CPU or memory resources?

Earlier versions of the anti-ransomware client may consume excessive server CPU or memory resources during data backup. This anti-ransomware client was upgraded on August 19, 2020 to resolve this issue. If you installed the anti-ransomware client after August 19, 2020, no actions are required. If you installed the anti-ransomware client on or before August 19, 2020, you must uninstall and reinstall the anti-ransomware client. To uninstall and reinstall the anti-ransomware client, perform the following steps:
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Defense > Anti-ransomware.
  3. Find the server on which the issue occurs and click Uninstall in the Actions column. In the message that appears, click OK.

    Then, the status of the anti-ransomware client changes to Uninstalling. The anti-ransomware client is uninstalled in about 5 minutes.

  4. After the agent is uninstalled, click Install in the Actions column. In the message that appears, click OK.

    Then, the status of the anti-ransomware client changes to Installing. The anti-ransomware client is installed in about 5 minutes.

Note If the issue persists after you perform the preceding steps, we recommend that you submit a ticket to contact Alibaba Cloud technical support.

What are the differences between the general anti-ransomware solution and the snapshot feature?

The following list describes the differences between the general anti-ransomware solution and the snapshot feature in terms of data backup, antivirus capability, and fees.
  • Snapshot

    Data backup: Provides a one-time backup for the system disk. You must restart the system to restore data.

    Antivirus capability: Not supported.

    Fee: High. The snapshot feature backs up the entire disk. You cannot back up only a specific file. The snapshot feature is charged 0.02 USD per GB per month. For more information, see Snapshots.

  • General anti-ransomware solution

    Data backup: Flexibly backs up files. You can restore a file that is backed up. You do not need to restart the system to restore data.

    Antivirus capability: Blocks known ransomware and generates alerts in real time. This solution traps unknown ransomware and restores encrypted data.

    Fee: Low. The general anti-ransomware solution supports file-level protection. Data backup fees are charged based on your actual usage. You do not need to back up the entire disk. For more information, see Billing.

What do I do if the anti-ransomware capacity that I purchased is insufficient?

If the anti-ransomware capacity that you purchased is insufficient, data backups may fail. We recommend that you change the Security Center specifications and purchase a specific amount of anti-ransomware capacity based on your business requirements. For more information, see Upgrade and downgrade Security Center.

What do I do if the status of a protection policy is abnormal?

If the status of a protection policy is abnormal, server data cannot be backed up based on the protection policy. We recommend that you handle the exception based on the causes that are provided on the General Anti-ransomware Solutions page. Possible causes and solutions:
  • Insufficient anti-ransomware capacity

    If the capacity used for data backup exceeds the purchased capacity, the current backup tasks are suspended and you cannot create restoration tasks. You must purchase sufficient anti-ransomware capacity to continue to use the anti-ransomware feature. For more information, see Upgrade and downgrade Security Center.

  • The Security Center agent is offline

    If the Security Center agent is offline, the status of protection policies is abnormal. You must handle the exception based on the causes. For more information, see Troubleshoot why the Security Center agent is offline.

  • Data backup errors

    An invalid directory in a restoration task or insufficient server disk capacity leads to data backup failures. In this case, the status of protection policies is abnormal. You must recreate a restoration task. In addition, you must ensure that a valid backup directory is specified and the server disk capacity is sufficient. After the new restoration task is complete, the status of protection policies changes to normal.

After I purchase the antivirus feature, can the existing features properly run?

Yes, after you purchase the antivirus feature, all existing features properly run.

Security Center provides the antivirus feature to scan for viruses, generate alerts, and perform deep cleaning against persistent viruses, such as ransomware and mining programs. The antivirus feature does not affect the existing features.

What capabilities does the antivirus feature provide?

Ransomware has been a major threat to enterprises and individuals. If the core data or files stored on the servers are encrypted by attackers, paying the ransom is the only solution. Ransomware has caused tremendous loss to numerous enterprises and individuals. To help enterprises and individuals handle ransomware, Alibaba Cloud releases a general anti-ransomware solution. This solution provides layer-by-layer protection against ransomware.

The antivirus feature provides the following capabilities against ransomware:
  • Block recognized ransomware in real time

    Security Center has blocked a large amount of ransomware recognized by the Alibaba Cloud intelligence library. Security Center blocks ransomware at the earliest opportunity to prevent potential loss.

  • Trap and block new ransomware

    Security Center sets trap directories to block potential ransomware activities. To block new ransomware, Security Center immediately blocks unusual encryption activities when they are detected. In addition, Security Center generates alerts to notify you of the potential threats.

    Note On the Settings page of the Security Center console, turn on Anti-ransomware (Bait Capture) in the Proactive Defense section of the General tab. For more information, see Use proactive defense. After you turn on Anti-ransomware (Bait Capture), Security Center sets trap directories on your servers to block potential ransomware activities. If you find a suspicious directory on your server, contact after-sales services or submit a ticket to check whether the directory is a trap directory set by Security Center. Trap directories do not affect your workloads and are not malicious. Trap directories cannot be manually deleted.

  • Restore infected files

    In addition to anti-ransomware, Security Center supports data backup. This feature periodically backs up data and allows you to restore server data based on the specified time or file version. In scenarios in which files on your servers are encrypted, you can restore the data to ensure the security of your servers.

When you use Security Center to block ransomware, perform the following steps:
  1. Before the process: Enable the antivirus feature and create protection policies

    The antivirus feature provides the data backup capability. You must enable the antivirus feature and create protection policies to back up the core data of your servers. For more information, see Enable the anti-ransomware feature and Create a protection policy.

  2. During the process: Handle ransomware alerts and create restoration tasks
    Security Center generates alerts when ransomware activities are detected. If you receive ransomware alerts, we recommend that you troubleshoot the causes and handle the alerts at the earliest opportunity. For more information, see View and handle alert events. If the data on your servers is encrypted by ransomware, you can create restoration tasks to restore the encrypted data. For more information, see Create a restoration task.

    Ransomware alerts

  3. After the process: Scan for server vulnerabilities and reinforce security
    To further reduce the risk of ransomware attacks, we recommend that you perform the following steps:
    • Regularly fix system vulnerabilities to prevent vulnerabilities from being exploited by attackers. You can use the vulnerability fixing feature provided by Security Center. For more information, see Overview.
    • Enable two-factor authentication for servers that are important. Do not use weak passwords on your servers.
    • Make sure that only necessary ports are accessible over the Internet.
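The last reinforcement step, exposing only necessary ports to the Internet, is easy to verify on a Linux server. The following Python script is an added example, not part of Security Center or this page: it reads the output of ss -lntu (the socket listing tool on modern Linux distributions), keeps the sockets bound to a wildcard address (0.0.0.0, *, [::] or ::), and reports every port not on an allowlist you supply. The embedded sample output is constructed for the example, not captured from a real server, and the allowlist of 22, 80 and 443 is an assumption to be replaced with the ports your workload actually needs. A port that is listening on all interfaces is still only reachable if the security group and any host firewall let it through, so treat the findings as a list to review against those rules.

```python
import subprocess
import sys

# Bind addresses that mean "every interface" in ss output.
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample of `ss -lntu` output for demonstration; not real data.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511    *:80              *:*
tcp   LISTEN 0      70     127.0.0.1:3306    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:6379      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:123       0.0.0.0:*
tcp   LISTEN 0      128    [::]:22           [::]:*
"""

# Assumed allowlist: SSH plus HTTP/HTTPS. Replace with your own requirements.
DEFAULT_ALLOWED_PORTS = {22, 80, 443}


def parse_listeners(ss_output):
    """Yield (proto, local_addr, port) for each socket line in `ss -lntu` output.
    The header line starts with 'Netid' and is skipped."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        # Local address is the 5th column; split on the last ':' so IPv6
        # addresses such as [::]:22 keep their colons.
        addr, _sep, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        yield fields[0], addr, int(port)


def exposed_ports(ss_output, allowed_ports):
    """Return sorted (proto, port) pairs that listen on a wildcard address and
    are not in allowed_ports. The IPv4 and IPv6 sockets of one service
    collapse into a single finding."""
    findings = set()
    for proto, addr, port in parse_listeners(ss_output):
        if addr in WILDCARD_ADDRS and port not in allowed_ports:
            findings.add((proto, port))
    return sorted(findings)


def main(argv):
    """Usage: check_ports.py [--sample] [port ...]
    Without --sample the script runs `ss -lntu` on this host."""
    use_sample = "--sample" in argv
    ports = {int(a) for a in argv if a.isdigit()}
    allowed = ports or DEFAULT_ALLOWED_PORTS
    if use_sample:
        output = SAMPLE_SS_OUTPUT
    else:
        output = subprocess.run(["ss", "-lntu"], capture_output=True,
                                text=True, check=True).stdout
    findings = exposed_ports(output, allowed)
    for proto, port in findings:
        print(f"{proto}/{port} listens on all interfaces and is not allowlisted")
    if not findings:
        print("no unexpected Internet-facing listeners")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with --sample to exercise the constructed data; on the sample it reports tcp/6379 and udp/123, while 3306 is skipped because it is bound to the loopback address only. A non-zero exit status makes the check usable from a cron job or a configuration-management run.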

If the remaining validity period of Security Center is three years, can I purchase web tamper proofing for one year?

No, the validity period of web tamper proofing must be the same as the validity period of Security Center.

Can web tamper proofing protect files of any size?

Yes, web tamper proofing can protect files of any size.

If my server stores more than 3 MB of files, can web tamper proofing protect the files that exceed 3 MB? Can web tamper proofing protect files whose total size is not larger than 3 MB?

Yes, web tamper proofing can protect files of any size. Web tamper proofing can protect the files on your servers regardless of whether the total file size is larger than 3 MB.

Why is the 30006 error code returned when I enable web tamper proofing?

If the 30006 error code is returned when you enable web tamper proofing, the web tamper proofing program is blocked by third-party security software on your server. Third-party security software includes SafeDog and Yunsuo. We recommend that you add the process of the Security Center agent to the whitelists of the third-party security software on your server. You can also disable the blocking feature of the third-party security software.

What are the requirements for the local backup directory of web tamper proofing?

The local backup directory of web tamper proofing is where backup files of your websites are stored. The directory can be empty. If you want to protect multiple directories of a server, you can restore the backup files in different directories or in the same directory.

What do I do if I receive a message that indicates that a protected directory is invalid?

When you specify a protected directory in Windows, use a backslash (\) instead of a forward slash (/).

Configuration errors of a protected directory
Note A protected directory cannot contain the following characters:

/;*?""<>|
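The two rules above (backslashes rather than forward slashes on Windows, and no characters from the listed set) are simple to check before a path is submitted in the console. The following Python function is an added example, not part of Security Center or this page. It reports every rule a Windows protected-directory path breaks and can suggest a corrected path when the only problem is the slash direction. Reading the doubled quote in the page's character list as the single double-quote character is an assumption, and the sample paths are constructed for the example.

```python
# Characters the page's note lists as not allowed in a protected directory.
# The page prints the quote doubled; this example treats it as one '"'
# character (assumption).
FORBIDDEN_CHARS = set('/;*?"<>|')


def check_windows_protected_dir(path):
    """Return a list of problems with a Windows protected-directory path.
    An empty list means the path satisfies the rules stated on the page."""
    problems = []
    if not path.strip():
        problems.append("path is empty")
        return problems
    if "/" in path:
        # The page's first rule: Windows paths use backslashes.
        problems.append("use backslash (\\) instead of forward slash (/)")
    # '/' was already reported above, so exclude it from this check.
    bad = sorted(set(path) & (FORBIDDEN_CHARS - {"/"}))
    if bad:
        problems.append("contains forbidden characters: " + " ".join(bad))
    return problems


def suggested_fix(path):
    """Convert forward slashes to backslashes and return the result if it
    passes the check; return None when other forbidden characters remain,
    since those cannot be fixed mechanically."""
    fixed = path.replace("/", "\\")
    return fixed if not check_windows_protected_dir(fixed) else None


if __name__ == "__main__":
    # Constructed sample paths, not taken from any real server.
    samples = [
        r"C:\inetpub\wwwroot",
        "C:/inetpub/wwwroot",
        r"C:\site\*",
        r"C:\a?b",
    ]
    for p in samples:
        problems = check_windows_protected_dir(p)
        status = "ok" if not problems else "; ".join(problems)
        fix = suggested_fix(p)
        print(f"{p!r}: {status}" + (f" (suggested: {fix!r})" if fix and problems else ""))
```

The first sample passes, the second is accepted once its slashes are converted, and the last two are rejected because * and ? cannot be removed without changing the directory name.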

Why does web tamper proofing remain disabled after I specify a protected directory?

After you specify a protected directory, you must turn on the tamper proofing switch and ensure that the Security Center agent runs as expected to enable web tamper proofing.

We recommend that you perform the following steps:
  • After you specify a protected directory, check whether the tamper proofing switch is turned on. You must turn on the tamper proofing switch for the protected directory before web tamper proofing can take effect.
  • After you complete the preceding steps, check whether the Security Center agent runs as expected. You can log on to the Security Center console, choose Defense > Tamper Protection and then click the Management tab to view the status of a server. If the status is Exception, we recommend that you reinstall the Security Center agent. For more information, see Install the Security Center agent.
  • Check whether the server has sufficient disk capacity. If the server does not have sufficient disk capacity, clean up the disk in a timely manner.

Can I write files to a protected directory?

No, you cannot write files to a protected directory. After you specify a protected directory, you cannot write files to the directory. To write files to the protected directory, you must remove the directory from the protected server.

After a protected directory is specified, what do I do if web tamper proofing does not immediately take effect?

After you specify a protected directory, web tamper proofing does not immediately take effect and you can still write files to the directory. To enable web tamper proofing, you must go to the Management tab, turn off Protection for the server where the directory is located, and then turn on Protection again.

Turn on the tamper proofing switch for a server

After I enable web tamper proofing, what do I do if the website content and images cannot be modified or updated?

You can use one of the following two methods to resolve this issue:
  • Disable web tamper proofing and update the website content. After the update is complete, enable web tamper proofing. For more information about how to enable web tamper proofing, see Enable the web tamper proofing feature.
  • Exclude website paths that you want to modify from the protected directory.
Note Web tamper protection allows you to add Linux and Windows processes to a whitelist. This ensures that protected files are updated in real time. For more information, see Add blocked processes to the whitelist.

What do I do if I receive an email or text message that notifies me of a webshell detected on my server?

If you receive an email or text message that notifies you of a webshell detected on your server, your server has been attacked and a webshell file has been implanted on it. The attacker may manipulate the data on your website or database. You can quarantine the webshell file in Security Center. We recommend that you locate and fix the vulnerability. Otherwise, the attacker may exploit the vulnerability again.