This topic answers the frequently asked questions about the anti-virus, web tamper protection, and application whitelist features.

How can I purchase the anti-ransomware capacity?

Users of the Basic edition can go to the Security Center buy page to upgrade Security Center and purchase the anti-ransomware capacity at the same time. For more information, see Purchase Security Center.

Users of the Advanced or Enterprise edition can upgrade the specification to purchase the anti-ransomware capacity. For more information, see Upgrade and downgrade. After you purchase the anti-ransomware capacity and grant Security Center the permissions to use Hybrid Backup Recovery (HBR), the anti-ransomware function is automatically enabled.

What functions does the anti-virus feature provide? Why do I have to make a purchase to use it?

The anti-virus feature is a feature of Security Center that provides the general anti-ransomware solutions. You are charged separately for the storage capacity used for data backup in the anti-ransomware function, which is why a purchase is required.

The general anti-ransomware solutions block known ransomware, trap unknown ransomware, and restore files that ransomware has encrypted. They allow you to enable data backup for important directories and files on your servers. We recommend that you purchase 40 GB of anti-ransomware capacity for each server, which costs USD 54 per month.

Are other services affected after I purchase the anti-virus feature?

No.

What is the relationship between the anti-virus feature and Alibaba Cloud Hybrid Backup Recovery (HBR)?

The anti-virus feature uses the storage capability provided by HBR. If you have not activated HBR, HBR is activated automatically after you purchase the anti-virus feature and grant Security Center the permissions to use HBR. Activating HBR itself does not incur extra fees; the backup storage is billed as the anti-ransomware capacity that you purchase.

How can I use the anti-virus feature?

Ransomware is a major threat to enterprises and individuals. If the key data or files stored on a server are encrypted by attackers and no clean backup exists, the victim is often left with paying the ransom, which does not guarantee that the data is recovered. Ransomware has caused tremendous losses to numerous enterprises and individuals. To help enterprises and individuals handle ransomware, Alibaba Cloud has released the general anti-ransomware solutions, which provide layered protection against ransomware.

Security Center provides the following features against ransomware:
  • Block recognized ransomware in real time

    Using the Alibaba Cloud threat intelligence library, Security Center blocks ransomware that is already identified in the library as soon as it is detected, before it can encrypt data and cause losses.

  • Trap and block new ransomware
    Security Center places trap directories (decoy directories) on your servers to catch ransomware that the intelligence library does not yet know. When unusual encryption activity is detected, for example in a trap directory, Security Center immediately blocks the activity and generates an alert to notify you of the potential threat.
    Note Security Center sets trap directories on your servers to block potential ransomware. If you find a suspicious directory on your server, contact after-sales services or Submit a ticket to check whether the directory is a trap directory set by Security Center. Trap directories do not affect your workloads and are not malicious. Trap directories cannot be manually deleted.
  • Restore infected files

    In addition to blocking ransomware, Security Center supports data backup. This function periodically backs up data and allows you to restore server data to a specified point in time or file version. If files on your servers are encrypted, you can restore the backed-up data instead of paying the ransom.
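The trap-directory mechanism described above can be illustrated with a small canary-file monitor. The following is an added example written for this FAQ, not Security Center's own code; it does not know how Security Center implements trap directories, and the decoy file names and directory layout are assumptions. It seeds a directory with decoy files, records their hashes, and raises an alert when a decoy is modified or removed or when a new file (such as a ransom note) appears beside the decoys:

```python
"""Added example (not Security Center code): a minimal trap-directory monitor.

Principle: seed a directory with decoy files whose contents are known, then
treat any change, rename or deletion of a decoy, or any new file dropped next
to the decoys, as a sign of unauthorized encryption activity.
Decoy names and the directory name are assumptions for this example.
"""
import hashlib
import os
from pathlib import Path

# Assumed decoy names; chosen to look attractive to ransomware.
DECOY_NAMES = ["invoice_2023.docx", "passwords.txt", "backup.sql"]


def seed_trap_directory(trap_dir: Path) -> dict:
    """Create decoy files and return a baseline mapping name -> sha256."""
    trap_dir.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in DECOY_NAMES:
        content = f"decoy:{name}:".encode() + os.urandom(32)
        (trap_dir / name).write_bytes(content)
        baseline[name] = hashlib.sha256(content).hexdigest()
    return baseline


def check_trap_directory(trap_dir: Path, baseline: dict) -> list:
    """Compare the trap directory against its baseline and return alert strings."""
    alerts = []
    for name, digest in baseline.items():
        p = trap_dir / name
        if not p.exists():
            alerts.append(f"decoy removed or renamed: {name}")
            continue
        if hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            alerts.append(f"decoy content changed (possible encryption): {name}")
    # Ransomware commonly drops a ransom note or renamed copies beside the originals.
    for name in sorted(q.name for q in trap_dir.iterdir() if q.name not in baseline):
        alerts.append(f"unexpected file in trap directory: {name}")
    return alerts


def simulate_encryption(trap_dir: Path) -> None:
    """Constructed attacker behaviour for the demo: overwrite a decoy and drop a note."""
    victim = trap_dir / DECOY_NAMES[0]
    victim.write_bytes(bytes(b ^ 0x5A for b in victim.read_bytes()))  # toy "encryption"
    (trap_dir / "README_DECRYPT.txt").write_text("your files are encrypted\n")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        trap = Path(d) / ".sc_trap"
        base = seed_trap_directory(trap)
        print("clean check:", check_trap_directory(trap, base))
        simulate_encryption(trap)
        for alert in check_trap_directory(trap, base):
            print("ALERT:", alert)
```

A real implementation watches the directory continuously (for example with inotify) and kills the writing process rather than polling hashes; this script only shows why a modified decoy is a high-confidence signal with almost no false positives from legitimate workloads.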

When you use Security Center to block ransomware, follow these instructions:
  1. Before the process: activate the anti-virus feature and create protection policies

    The anti-virus feature provides the data backup function. You must activate the anti-virus feature and create protection policies to protect your servers. For more information, see Activate the anti-virus feature and Create a protection policy.

  2. During the process: handle ransomware alerts and create restoration tasks

    Security Center generates alerts when ransomware activities are detected. If you receive ransomware alerts, we recommend that you troubleshoot the causes and handle the alerts. For more information, see View and handle alert events. If the data on your servers has been encrypted by ransomware, you can create restoration tasks to restore the encrypted data. Handle the alert first, so that the malicious process is stopped before you restore; otherwise the restored files can be encrypted again. For more information, see Create a restoration task.

  3. After the process: scan for server vulnerabilities and reinforce security
    To further reduce the risk of ransomware attacks, we recommend that you follow these suggestions:
    • Fix system vulnerabilities regularly to prevent attackers from exploiting them. You can use the vulnerability fix feature provided by Security Center. For more information, see Overview.
    • Avoid using weak passwords on your servers. Enable two-factor authentication for important servers.
    • Avoid exposing unnecessary ports to the Internet to reduce the attack surface.
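For the last two recommendations, the following added example (not Security Center code) is a small audit a practitioner might run on a Linux server after an incident: it flags listening ports bound to a wildcard address that are not in an expected allowlist, and flags sshd settings that permit password logins or direct root login. The socket table and the sshd_config fragment are constructed samples in the layout of `ss -Hltn` output and sshd_config; the allowlist of expected public ports is an assumption to adapt per server:

```python
"""Added example (not Security Center code): post-incident exposure audit.

Two checks: (1) which listening sockets are bound to a wildcard address and
therefore reachable from every interface, compared with an allowlist;
(2) sshd settings that allow password guessing or direct root login.
All inputs below are constructed samples.
"""
import re

# Constructed sample in the layout of `ss -Hltn` (State Recv-Q Send-Q Local Peer).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 70 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 511 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""

# Constructed sample sshd_config fragment (first occurrence of a keyword wins in sshd).
SAMPLE_SSHD_CONFIG = """\
# comment line
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
"""

EXPECTED_PUBLIC_PORTS = {22, 80, 443}  # assumption: what this server should expose
WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}


def exposed_ports(ss_output: str) -> set:
    """Return ports bound to a wildcard address (reachable from any interface)."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")  # handles [::]:22 as well
        if addr in WILDCARD_ADDRS and port.isdigit():
            ports.add(int(port))
    return ports


def unexpected_exposed_ports(ss_output: str, allowlist=EXPECTED_PUBLIC_PORTS) -> list:
    """Wildcard-bound ports that are not on the allowlist, sorted."""
    return sorted(exposed_ports(ss_output) - set(allowlist))


def sshd_findings(config_text: str) -> list:
    """Flag sshd settings that weaken authentication.

    sshd applies the first value it reads for a keyword and ignores commented
    lines, so the parser keeps only the first uncommented occurrence. Absent
    keywords fall back to sshd's defaults (PasswordAuthentication yes,
    PermitRootLogin prohibit-password).
    """
    effective = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(.+)", line)
        if m and m.group(1).lower() not in effective:
            effective[m.group(1).lower()] = m.group(2).strip().lower()
    findings = []
    if effective.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication is enabled; use keys and set it to no")
    if effective.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes; set it to no or prohibit-password")
    return findings


if __name__ == "__main__":
    print("unexpected public ports:", unexpected_exposed_ports(SAMPLE_SS_OUTPUT))
    for f in sshd_findings(SAMPLE_SSHD_CONFIG):
        print("sshd:", f)
```

On a live host, feed the real output of `ss -Hltn` and the contents of /etc/ssh/sshd_config into these functions; a port such as 3306 bound to 0.0.0.0 should be bound to 127.0.0.1 or restricted in the security group rather than left reachable from the Internet.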

Is the data backup function automatically enabled after I purchase the anti-ransomware capacity?

No.

After you purchase the anti-ransomware capacity, you must create and enable a protection policy. After you enable the protection policy, Security Center enables the data backup function to protect your servers against ransomware. For more information about how to create a protection policy, see Create a protection policy.

What are the differences between general anti-ransomware solutions and snapshots?

The following comparison lists the differences between general anti-ransomware solutions and snapshots:
  • Snapshots
    Data backup: A one-time backup of the system disk. A system restart is required to restore data.
    Anti-virus capability: None.
    Fee: High. For more information, see Snapshot billing.
  • General anti-ransomware solutions
    Data backup: Flexible file-level backup. You can restore any file that has been backed up, without restarting the system.
    Anti-virus capability: Blocks known ransomware and generates alerts in real time. Traps unknown ransomware and restores encrypted data.
    Fee: Low. For more information, see Billing methods.

What should I do if the purchased anti-ransomware capacity is insufficient?

Insufficient anti-ransomware capacity may lead to data backup failures. We recommend that you upgrade the Security Center specification and purchase sufficient anti-ransomware capacity. For more information, see Upgrade and downgrade.

What should I do if the status of a protection policy is abnormal?

When the status of a protection policy is abnormal, server data cannot be backed up based on the protection policy. We recommend that you troubleshoot the causes on the General anti-ransomware solutions page and follow the instructions to manage the situation. Possible causes and solutions are as follows:
  • Insufficient anti-ransomware capacity

    If the capacity used for data backup has exceeded the purchased capacity, the current backup tasks are suspended and you cannot create new restoration tasks. You must purchase sufficient anti-ransomware capacity to continue using the anti-ransomware function. For more information, see Upgrade and downgrade.

  • The Security Center agent is offline

    If the Security Center agent is offline, the status of protection policies is abnormal. You must troubleshoot the causes and handle the situation. For more information, see Identify why the agent is offline.

  • Data backup errors

    An invalid directory in a restoration task or insufficient disk space on the server causes data backup to fail, which makes the status of the protection policy abnormal. Recreate the restoration task with a valid directory and make sure that the server has sufficient disk space. After the new restoration task is performed, the status of the protection policy changes to normal.

Why is the 30006 error code returned when I enable tamper protection feature?

If the 30006 error code is returned when you enable the tamper protection feature, the tamper protection program of Security Center is being blocked by third-party security software on your server, such as SafeDog or jowto lock. We recommend that you add the Security Center agent process to the whitelist of the third-party security software. Alternatively, you can disable the blocking feature of the third-party software, although whitelisting the agent is preferable because it keeps the other software's protection in place.

What are the requirements for the local backup directory of tamper protection?

The local backup directory is where tamper protection stores the backup copies of your website files. The directory can be empty. If you protect multiple directories on the same server, the backups of those directories can be stored in the same local backup directory or in different ones.

What should I do if I receive a message indicating that a protected directory is invalid?

This message usually means that the path uses the wrong separator. Use backslashes (\), as in Windows paths, instead of forward slashes (/) when you specify the protected directory, for example C:\wwwroot\site rather than C:/wwwroot/site (the path is only an illustration).

Configuration errors of a protected directory
Note When you specify a protected directory, the path cannot contain any of the following characters:

/ ; * ? " < > |

Why does tamper protection remain disabled after I specify a protected directory?

After you specify a protected directory, you must turn on the protection switch and make sure that the Security Center agent is running normally. Tamper protection is enabled only when both requirements are met.

We recommend that you follow these steps:
  • After you specify a protected directory, check whether the protection switch is turned on. You must turn on the protection switch for the protected directory before tamper protection can take effect.
  • After you complete the preceding step, check whether the Security Center agent is normal. You can log on to the Security Center console, choose Defense > Tamper Protection, and then click the Management tab to view the status of the target server. If the status is Exception, we recommend that you reinstall the Security Center agent. For more information, see Install the Security Center agent.
  • Check whether the server has sufficient disk space. If not, free up disk space in a timely manner.

Can I write files to a protected directory that has been specified?

No. After you specify a protected directory, files cannot be written to it. To write files to a protected directory, remove the directory from the server's list of protected directories, or add the process that performs the writes to the process whitelist.

What can I do if tamper protection does not take effect immediately after a protected directory is specified?

If tamper protection does not take effect immediately after you specify the protected directory and you can still write files to the directory, go to the Management tab, turn off the Protection switch for the server where the directory is located, and then turn on the Protection switch again.

Restart tamper protection for a server

What can I do if the website content and images cannot be modified or updated after I enable tamper protection?

To solve this issue, use one of the following methods:
  • Disable tamper protection, update the website content, and then enable tamper protection again after the update is complete. For more information about how to enable tamper protection, see Enable tamper protection.
  • Exclude the website from the protected directory.
Note Tamper protection allows you to add Linux and Windows processes to a whitelist so that those processes can update files in protected directories in real time, without disabling protection. For more information, see Add blocked processes to the whitelist.

What should I do if I receive an email or SMS message that notifies me of a webshell on my server?

If you receive an email or SMS message that notifies you of a webshell on your server, the server has been compromised and a webshell file has been implanted on it. Through the webshell, the attacker can run commands on the server and manipulate the data on your website or in your database. Quarantine the webshell file in Security Center, then locate and fix the vulnerability that allowed the file to be uploaded; otherwise the attacker can exploit it again. Also check for other webshell files that were not alerted on, and change any credentials (for example, database or admin account passwords) that the attacker could have read through the webshell.
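As an added example for the triage step (not Security Center code and not its detection logic), the following script scores PHP files under a web root on indicators that are common in webshells, so that you can look for siblings of the file that was alerted on. The indicators, weights and threshold are assumptions to tune per site, and the sample files are constructed:

```python
"""Added example (not Security Center code): first-pass webshell triage scan.

Scores each PHP file on indicators typical of webshells (code execution,
command execution, decoding layers, request-parameter reads) and lists files
above a threshold, highest score first. Indicators, weights and the threshold
are assumptions; the sample files are constructed for the demo.
"""
import re
import tempfile
from pathlib import Path

# (regex, weight, description). Weights are assumptions.
INDICATORS = [
    (re.compile(r"\beval\s*\("), 3, "eval() call"),
    (re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\("), 3,
     "command execution function"),
    (re.compile(r"\bassert\s*\(\s*\$"), 3, "assert() on a variable (eval alias)"),
    (re.compile(r"\bbase64_decode\s*\("), 2, "base64_decode() (obfuscated payload)"),
    (re.compile(r"\b(str_rot13|gzinflate|gzuncompress)\s*\("), 2, "decoding layer"),
    (re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\["), 1, "reads request parameters"),
    (re.compile(r"\bmove_uploaded_file\s*\("), 1, "file upload handler"),
]
ALERT_THRESHOLD = 4  # assumption: tune per site


def score_source(source: str) -> tuple:
    """Return (score, [matched indicator descriptions]) for one file's contents."""
    score, hits = 0, []
    for pattern, weight, desc in INDICATORS:
        if pattern.search(source):
            score += weight
            hits.append(desc)
    return score, hits


def scan_web_root(root: Path, suffixes=(".php", ".phtml", ".php5")) -> list:
    """Walk a web root; return (score, relative path, hits) for files at or above the threshold."""
    results = []
    for p in root.rglob("*"):
        if not (p.is_file() and p.suffix.lower() in suffixes):
            continue
        try:
            src = p.read_text(errors="replace")
        except OSError:
            continue
        score, hits = score_source(src)
        if score >= ALERT_THRESHOLD:
            results.append((score, p.relative_to(root).as_posix(), hits))
    return sorted(results, key=lambda r: (-r[0], r[1]))


# Constructed samples: a one-liner shell, an obfuscated shell, and legitimate code.
SAMPLE_FILES = {
    "uploads/img.php": "<?php @eval($_POST['cmd']); ?>",
    "inc/cache.php": "<?php $f=base64_decode('c3lzdGVt'); "
                     "$f(gzinflate(base64_decode($_GET['q']))); ?>",
    "index.php": "<?php echo htmlspecialchars($_GET['page'] ?? 'home'); ?>",
}


def demo() -> list:
    """Write the constructed samples to a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, body in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        return scan_web_root(root)


if __name__ == "__main__":
    for score, path, hits in demo():
        print(f"{score:2d}  {path}  ({', '.join(hits)})")
```

A high score is a lead, not proof: review the file and its modification time before quarantining it, and expect real webshells that split keywords or build function names at runtime to evade simple patterns, which is why this is a complement to the product's alert and not a replacement for it.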