This topic provides answers to some commonly asked questions about the anti-virus feature and the web tamper proofing feature.

How can I purchase the anti-ransomware capacity?

If you are using the Basic edition, you can go to the Security Center buy page to upgrade Security Center and purchase the anti-ransomware capacity. For more information, see Purchase Security Center.

If you are using the Basic Anti-Virus, Advanced, or Enterprise edition, you can change the specifications and purchase a specific amount of anti-ransomware capacity. For more information, see Upgrade and downgrade. After you purchase the anti-ransomware capacity and grant Security Center the permissions to use Hybrid Backup Recovery (HBR), the anti-ransomware function is automatically enabled.

What is the anti-virus feature? Why do I have to pay for the anti-virus feature?

The anti-virus feature is a new feature of Security Center that provides a general anti-ransomware solution. You must purchase the storage that is occupied by data backups in the anti-ransomware solution.

The general anti-ransomware solution allows you to block all types of ransomware and restore the files encrypted by ransomware. It also allows you to enable data backup for important directories and files on your servers. We recommend that you purchase 40 GB of storage capacity for each server. The cost of 40 GB of storage is USD 1.8 per month.

After I purchase the anti-virus feature, can the existing features run properly?

Yes, after you purchase the anti-virus feature, all existing features run properly.

What is the relationship between the anti-virus feature and Alibaba Cloud HBR?

The anti-virus feature uses the storage capability provided by Alibaba Cloud HBR. If you have not activated Alibaba Cloud HBR, Alibaba Cloud HBR is activated automatically after you purchase the anti-virus feature and grant Security Center the permissions to use Alibaba Cloud HBR. No extra fees are required to activate Alibaba Cloud HBR.

What functions does the anti-virus feature provide?

Ransomware has been a major threat to enterprises and individuals. If the core data or files stored on the servers are encrypted by attackers, paying the ransom is the only solution. Ransomware has caused tremendous losses to numerous enterprises and individuals. To help enterprises and individuals handle ransomware, Alibaba Cloud has released a general anti-ransomware solution, which provides layer-by-layer protection against ransomware.

The anti-virus feature provides the following functions against ransomware:
  • Block recognized ransomware in real time

    Based on the Alibaba Cloud intelligence library, Security Center blocks a large amount of ransomware that the intelligence library identifies. Security Center blocks this ransomware at the earliest opportunity to prevent potential losses.

  • Trap and block new ransomware
    Security Center sets trap directories to block potential ransomware activities. To block new ransomware, Security Center immediately blocks unusual encryption activities when they are detected. At the same time, Security Center generates alerts to notify you of the potential threats.
    Note Security Center sets trap directories on your servers to block potential ransomware. If you find a suspicious directory on your server, contact after-sales services or submit a ticket to check whether this directory is a trap directory set by Security Center. Trap directories do not affect your business and they are not malicious. Trap directories cannot be manually deleted.
  • Restore infected files

    In addition to anti-ransomware, Security Center also supports data backup. This function periodically backs up data and allows you to restore server data based on the specified time or file version. In scenarios where files in your servers are encrypted, you can restore the data to ensure the security of your servers.
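The trap directory idea above can be illustrated with a small decoy-directory monitor. This is an added example, not Security Center's own implementation: it seeds decoy files with a recorded SHA-256 baseline and, on a later scan, reports any decoy that was rewritten or removed and any file that appeared unexpectedly. The file names, contents and the temporary directory are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Illustrative decoy-directory monitor (not Security Center's implementation):
# decoy files are seeded with a recorded SHA-256 baseline, and a later scan
# reports files that were rewritten, removed, or added. Normal business
# processes never touch the decoys, so any finding is worth an alert.

def seed_trap_directory(trap_dir: Path, count: int = 3) -> dict:
    """Create decoy files and return {name: sha256_hex} as the baseline."""
    trap_dir.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for i in range(count):
        name = f"decoy_{i:02d}.docx"          # constructed names
        data = f"decoy document {i}\n".encode()
        (trap_dir / name).write_bytes(data)
        baseline[name] = hashlib.sha256(data).hexdigest()
    return baseline

def scan_trap_directory(trap_dir: Path, baseline: dict) -> dict:
    """Compare the directory with the baseline and return the findings."""
    findings = {"modified": [], "missing": [], "unexpected": []}
    present = {p.name for p in trap_dir.iterdir() if p.is_file()}
    for name, digest in baseline.items():
        if name not in present:
            findings["missing"].append(name)
        elif hashlib.sha256((trap_dir / name).read_bytes()).hexdigest() != digest:
            findings["modified"].append(name)
    findings["unexpected"] = sorted(present - set(baseline))
    return findings

def is_tampered(findings: dict) -> bool:
    """True when any decoy was modified, removed, or an unknown file appeared."""
    return any(findings.values())

def demo(tamper: bool = True) -> dict:
    """Seed a trap directory under a temp folder and scan it. With tamper=True,
    one decoy is overwritten and an unexpected file is dropped in first."""
    with tempfile.TemporaryDirectory() as tmp:
        trap = Path(tmp) / "trap"
        baseline = seed_trap_directory(trap)
        if tamper:
            (trap / "decoy_01.docx").write_bytes(b"\x00\x11\x22 rewritten")
            (trap / "NOTE.txt").write_text("constructed unexpected file")
        return scan_trap_directory(trap, baseline)

if __name__ == "__main__":
    print(demo())  # {'modified': ['decoy_01.docx'], 'missing': [], 'unexpected': ['NOTE.txt']}
```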

When you use Security Center to block ransomware, perform the following steps:
  1. Before the process: Enable the anti-virus feature and create protection policies

    The anti-virus feature provides the data backup function. You must enable the anti-virus feature and create protection policies to protect your servers. For more information, see Enable the anti-ransomware feature and Create a protection policy.

  2. During the process: Handle ransomware alerts and create restoration tasks
    Security Center generates alerts when ransomware activities are detected. If you receive ransomware alerts, we recommend that you troubleshoot the causes and handle the alerts. For more information, see View and handle alert events. If the data on your servers has been encrypted by ransomware, you can create restoration tasks to restore the encrypted data. For more information, see Create a restoration task.
    (Figure: Ransomware alerts)
  3. After the process: Scan for server vulnerabilities and reinforce security
    To further reduce the risk of ransomware attacks, we recommend that you perform the following steps:
    • Fix system vulnerabilities regularly to prevent vulnerabilities from being exploited by attackers. You can use the vulnerability fixing feature provided by Security Center. For more information, see Overview.
    • Do not use weak passwords on your servers. Enable two-factor authentication for important servers.
    • To reduce the risk of attacks, do not open unnecessary ports to the Internet.

Is the data backup function automatically enabled after I purchase the anti-ransomware capacity?

No, the function is not automatically enabled.

After you purchase the anti-ransomware capacity, you must create and enable a protection policy. After you enable the protection policy, Security Center enables the data backup function to protect your servers against ransomware. For more information about how to create a protection policy, see Create a protection policy.

What do I do if the anti-ransomware client consumes excessive server CPU or memory resources?

Earlier versions of the anti-ransomware client may consume excessive server CPU or memory resources during data backup. The anti-ransomware client was upgraded on August 19, 2020 to resolve this issue. If you installed the anti-ransomware client after August 19, 2020, no action is required. If you installed the anti-ransomware client on or before August 19, 2020, you must uninstall and reinstall the anti-ransomware client. Perform the following steps:
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Defense > Anti-Virus.
  3. On the Anti-Virus page, click Add anti-ransomware policies.
  4. Find the server on which the issue occurs and click Uninstall in the Actions column. In the message that appears, click OK.

    Then, the status of the anti-ransomware client changes to Uninstalling. Typically, the anti-ransomware client is uninstalled in about 5 minutes.

  5. After the uninstallation is complete, click Install in the Actions column. In the message that appears, click OK.

    Then, the status of the anti-ransomware client changes to Installing. Typically, the anti-ransomware client is installed in about 5 minutes.

Note If the issue persists after you perform the preceding steps, we recommend that you submit a ticket to contact Alibaba Cloud security engineers.

What are the differences between the general anti-ransomware solution and the snapshot feature?

The following table lists the differences between the general anti-ransomware solution and snapshots.

Feature | Data backup | Anti-virus capability | Fee
Snapshot | Provides a one-time backup for the system disk. A system restart is required to restore data. | The anti-virus capability is not supported. | High. For more information, see Snapshot billing.
General anti-ransomware solution | Flexibly backs up files. You can restore any file that is backed up. You do not need to restart the system to restore data. | Blocks known ransomware and generates alerts in real time. Traps unknown ransomware and restores encrypted data. | Low. For more information, see Billing methods.

What do I do if the anti-ransomware capacity that I purchased is insufficient?

If the anti-ransomware capacity that you purchased is insufficient, data backups may fail. We recommend that you change the Security Center specifications and purchase a specific amount of anti-ransomware capacity based on your requirements. For more information, see Upgrade and downgrade.

What do I do if the status of a protection policy is abnormal?

If the status of a protection policy is abnormal, server data cannot be backed up based on the protection policy. We recommend that you handle the exception based on the causes that are provided on the General Anti-ransomware Solutions page. Possible causes and solutions:
  • Insufficient anti-ransomware capacity

    If the capacity used for data backup has exceeded the purchased capacity, the current backup tasks are suspended and you cannot create restoration tasks. You must purchase sufficient anti-ransomware capacity to continue using the anti-ransomware feature. For more information, see Upgrade and downgrade.

  • The Security Center agent is offline

    If the Security Center agent is offline, the status of protection policies is abnormal. You must handle the exception based on the causes. For more information, see Troubleshoot why the Security Center agent is offline.

  • Data backup errors

    An invalid directory in a restoration task or insufficient server disk capacity leads to data backup failures. In this case, the status of protection policies is abnormal. You must recreate a restoration task. In addition, you must ensure that a valid backup directory is specified and that the server disk capacity is sufficient. After the new restoration task is complete, the status of protection policies changes to normal.

If the remaining validity period of Security Center is three years, can I purchase web tamper proofing for one year?

No, the validity period of web tamper proofing must be the same as the validity period of Security Center.

Can web tamper proofing protect files of any size?

Yes, web tamper proofing can protect files of any size.

If my server stores more than 3 MB of files, can web tamper proofing protect the excessive files that exceed 3 MB? Can web tamper proofing protect files whose total size is not larger than 3 MB?

Yes, web tamper proofing can protect files of any size. Web tamper proofing can protect the files on your servers regardless of whether the total file size is larger than 3 MB.

Why is the 30006 error code returned when I enable web tamper proofing?

If the 30006 error code is returned when you enable web tamper proofing, the web tamper proofing program of Security Center is blocked by third-party security software on your server such as SafeDog. We recommend that you add the Security Center agent process to the whitelists of the third-party security software on your server. You can also disable the blocking feature of the third-party security software.

What are the requirements for the local backup directory of web tamper proofing?

The local backup directory of web tamper proofing is where backup files of your websites are stored. The directory can be empty. If you want to protect multiple directories of the same server, you can restore the backup files in different directories or in the same directory.

What do I do if I receive a message that indicates that a protected directory is invalid?

When you specify a protected directory in Windows, use a backslash (\) instead of a forward slash (/).

(Figure: Configuration errors of a protected directory)
Note A protected directory cannot contain the following characters:

/ ; * ? " " < > |
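The two rules above (backslash separators on Windows, and the listed forbidden characters) can be checked before a directory is submitted. The following is an added example, not Security Center's own validation code; it assumes the note applies to Windows paths, treats the double quote shown twice in the note as one character, and uses constructed sample paths.

```python
# Characters the FAQ note lists as not allowed in a protected directory.
# The note prints the double quote twice; it is treated as one character here.
FORBIDDEN_CHARS = frozenset('/;*?"<>|')

def check_protected_directory(path: str) -> dict:
    """Check a Windows protected-directory path against the FAQ rules.

    Returns {'valid': bool, 'problems': [str, ...], 'suggestion': str | None}.
    'suggestion' is the path with forward slashes replaced by backslashes,
    offered only when that substitution alone would make the path valid.
    """
    problems = []
    if not path.strip():
        problems.append("path is empty")
    if "/" in path:
        problems.append("uses forward slash (/) as separator; use backslash (\\)")
    other_bad = sorted(c for c in FORBIDDEN_CHARS - {"/"} if c in path)
    if other_bad:
        problems.append("contains forbidden character(s): " + " ".join(other_bad))
    suggestion = None
    if "/" in path and len(problems) == 1:
        suggestion = path.replace("/", "\\")
    return {"valid": not problems, "problems": problems, "suggestion": suggestion}

def check_many(paths) -> dict:
    """Run the check over several candidate directories; returns path -> result."""
    return {p: check_protected_directory(p) for p in paths}

# Constructed sample paths (not from the page), one per rule.
SAMPLE_PATHS = [
    r"C:\inetpub\wwwroot",   # valid
    "C:/inetpub/wwwroot",    # wrong separator; fixable by substitution
    r"D:\site\*.html",       # wildcard is not allowed
    r"E:\web|old",           # pipe is not allowed
]

if __name__ == "__main__":
    for p, r in check_many(SAMPLE_PATHS).items():
        flag = "OK " if r["valid"] else "BAD"
        print(flag, p, "; ".join(r["problems"]), r["suggestion"] or "")
```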

Why does web tamper proofing remain disabled after I specify a protected directory?

After you specify a protected directory, you must turn on the tamper proofing switch and ensure that the Security Center agent functions as expected to enable web tamper proofing.

We recommend that you perform the following steps:
  • After you specify a protected directory, check whether the tamper proofing switch is turned on. You must turn on the tamper proofing switch for the protected directory before web tamper proofing can take effect.
  • After you complete the preceding steps, check whether the Security Center agent functions as expected. You can log on to Security Center console, choose Defense > Tamper Protection, and then click the Management tab to view the status of a server. If the status is Exception, we recommend that you reinstall the Security Center agent. For more information, see Install the Security Center agent.
  • Check whether the server has sufficient disk space. If the server does not have sufficient disk space, clean up the disk in a timely manner.

Can I write files to a protected directory?

No, you cannot write files to a protected directory. After you specify a protected directory, you cannot write files to the directory. To write files to the protected directory, you must remove the directory from the protected server.

After a protected directory is specified, what do I do if web tamper proofing does not take effect immediately?

After you specify a protected directory, web tamper proofing does not take effect immediately and you can still write files to the directory. To enable web tamper proofing, you must go to the Management tab, turn off Protection for the server where the directory is located, and then turn on Protection again.

(Figure: Turn on the tamper proofing switch for a server)

After I enable web tamper proofing, what do I do if the website content and images cannot be modified or updated?

You can use one of the following two methods to resolve this issue:
  • Disable web tamper proofing and update the website content. After the update is complete, enable web tamper proofing. For more information about how to enable web tamper proofing, see Enable tamper protection.
  • Exclude the website from the protected directory.
Note Web tamper proofing allows you to add Linux and Windows server processes to whitelists, so that those processes can update protected files in real time. For more information, see Add blocked processes to the whitelist.

What do I do if I receive an email or text message that notifies me of a webshell detected on my server?

If you receive an email or text message that notifies you of a webshell detected on your server, your server has been attacked and a webshell file has been implanted on the server. The attacker may manipulate the data on your website or database. You can isolate the webshell file in Security Center. We recommend that you locate and fix the vulnerability that was used to implant the webshell. Otherwise, the attacker may exploit the vulnerability again.