Troubleshoot the issues that cause the abnormal status of the anti-ransomware agent and backup tasks - Security Center

If the status of the anti-ransomware agent or backup tasks is abnormal, Security Center cannot protect your important files or data. To prevent data loss or encryption caused by ransomware attacks, we recommend that you troubleshoot the issues that cause the abnormal status at the earliest opportunity. After you create an anti-ransomware policy for your server, the anti-ransomware agent on the server and backup tasks may be in an abnormal state. This topic describes how to troubleshoot the issues that cause the abnormal status.

Prerequisites

An anti-ransomware policy is applied to your server. For more information, see Create an anti-ransomware policy.

Troubleshoot the issues that cause the abnormal status of the anti-ransomware agent

View the causes of the abnormal status of the anti-ransomware agent

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. You can select China or Outside China.
In the left-side navigation pane, choose Protection Configuration > Host Protection > Anti-ransomware.
On the Anti-ransomware for Servers tab, view the servers on which the anti-ransomware agent is in an abnormal state.
Find an anti-ransomware policy and click the icon next to the policy name to view all servers to which the policy is applied.
Find a server on which the anti-ransomware agent is in an abnormal state and click the icon to view the causes of the status.
Troubleshoot the issues that cause the abnormal status based on the information in the Details message.

Causes of the abnormal status for the anti-ransomware agent and solutions

Important

If the error code that is returned is not included in the following table, you must collect the logs of the anti-ransomware agent and submit a ticket to contact technical support. The following list describes the logs that must be collected:

Installation logs of the anti-ransomware agent
- Windows servers: C:\Program Files (x86)\Alibaba\Aegis\PythonLoader\data\hbr.log
- Linux servers: /usr/local/aegis/PythonLoader/data/hbr.log
Backup logs of the anti-ransomware agent
- V1.0 anti-ransomware agent
  - Windows servers: C:\Program File (x86)\Alibaba\Aegis\hbr\logs
  - Linux servers: /usr/local/aegis/hbr/logs
- V2.0 anti-ransomware agent
  - Windows servers: C:\Program File (x86)\Alibaba\Aegis\hbrClient\logs
  - CoreOS servers: /opt/aegis/hbrClient/logs
  - Linux servers: /usr/local/aegis/hbrClient/logs

Error code	Information in the Details message	Cause	Solution
CLOUD_ASSIST_NOT_RUN	Cloud assistant Not started	Cloud Assistant is not started.	Log on to the Elastic Compute Service (ECS) console and check whether Cloud Assistant runs as expected. For more information, see O&M and monitoring FAQ.
RoleNotExist	Your Alibaba Cloud account is not authorized.	Your Alibaba Cloud account does not have the required permissions.	Log on to the Security Center console by using your Alibaba Cloud account or a Resource Access Management (RAM) user to which the AliyunRAMFullAccess policy is attached. On the Anti-ransomware page, click the Anti-ransomware for Servers tab. On this tab, click Authorize Now and assign the AliyunServiceRoleForHbrEcsBackup and AliyunServiceRoleForSas roles to the account that you use.
CLIENT_CONNECTION_ERROR	The client connection is abnormal. Check the ECS instance network and try again.	The network connection fails.	Perform the following operations to troubleshoot network connection issues: Log on to your ECS instance, run the `ping` or `telnet` command to test the connectivity between the ECS instance and the anti-ransomware endpoint, and then check whether firewall policies are configured for the ECS instance. For more information about anti-ransomware endpoints, see Anti-ransomware endpoints. After you troubleshoot network connection issues, perform the following operations to reinstall the anti-ransomware agent: Log on to the Security Center console. On the Anti-ransomware page, click the Anti-ransomware for Servers tab. On this tab, find the required server and click Install in the Actions column.
ECS_ROLE_POLICY_NOT_EXIST	ecs role does not have AliyunECSAccessingHBRRolePolicy	The AliyunECSAccessingHBRRolePolicy policy is not attached to the RAM role that your ECS instance assumes, which causes the failure to install the anti-ransomware agent.	Perform the following operations to troubleshoot policy issues and then reinstall the anti-ransomware agent: Attach the AliyunECSAccessingHBRRolePolicy policy to the RAM role that your ECS instance assumes. For more information, see What can I do if the error message "The strategy of AliyunECSAccessingCloud BackupRolePolicy is missing on EcsRamRole. Please refer to the FAQ for authorization" appears when I install the Cloud Backup backup client on an ECS instance? Log on to the Security Center console. On the Anti-ransomware page, click the Anti-ransomware for Servers tab. On this tab, find the required server and click Install in the Actions column. Important After you attach the AliyunECSAccessingHBRRolePolicy policy to the RAM role that your ECS instance assumes, the anti-ransomware agent is not automatically installed on the ECS instance.
CHECK_ACTIVATION_COMMAND_TIMEOUT	The activation command times out.	The installation of the anti-ransomware agent times out.	Perform the following operations to reinstall the anti-ransomware agent: Log on to the Security Center console. On the Anti-ransomware page, click the Anti-ransomware for Servers tab. On this tab, find the required server and click Uninstall in the Actions column to uninstall the anti-ransomware agent from the server. After you uninstall the anti-ransomware agent, the status of the agent for the server changes to Not Installed. On the Anti-ransomware for Servers tab, find the required server and click Install in the Actions column.
ECS_STOPPED	The ECS instance is not started.	The anti-ransomware agent fails to be installed because the ECS instance is not started.	Perform the following operations to start the ECS instance and then reinstall the anti-ransomware agent: Log on to the ECS console and start the ECS instance. For more information, see Start an instance. Log on to the Security Center console. On the Anti-ransomware page, click the Anti-ransomware for Servers tab. On this tab, find the required server and click Install in the Actions column.
UNINSTALL_FAILED	Failed to uninstall client	The anti-ransomware agent fails to be uninstalled because the execution of the Cloud Assistant command times out.	Perform the following operations to reinstall the anti-ransomware agent: Log on to the Security Center console. On the Anti-ransomware page, click the Anti-ransomware for Servers tab. On this tab, find the server from which the anti-ransomware agent fails to be uninstalled and click Delete in the Actions column to remove the server from the anti-ransomware policy. Note The system requires approximately 2 minutes to remove the server from the anti-ransomware policy. Wait until the server is removed. Apply the anti-ransomware policy to the server. For more information, see Edit an anti-ransomware policy. On the Anti-ransomware for Servers tab, find the required server and click Install in the Actions column.
INSTALL_FAILED	Installation failed	The anti-ransomware agent fails to be installed because the execution of the Cloud Assistant command times out.	Perform the following operations to reinstall the anti-ransomware agent: Make sure that the Security Center agent on the server is online. To check the status of the Security Center agent on a server, find the server in the list of servers that are protected by anti-ransomware policies, and view the value in the Agent Status column. If the Security Center agent on the server is offline, troubleshoot the issue. For more information, see Troubleshoot why the Security Center agent is offline. Log on to the Security Center console. On the Anti-ransomware page, click the Anti-ransomware for Servers tab. On this tab, find the required server and click Uninstall in the Actions column to uninstall the anti-ransomware agent from the server. After you uninstall the anti-ransomware agent, the status of the agent for the server changes to Not Installed. On the Anti-ransomware for Servers tab, find the required server and click Install in the Actions column.
AGENT_NOT_RUN_AFTER_INSTALLATION	Post-installation services not started	After you install the anti-ransomware agent, the agent is not started because some registry entries of the agent that you previously uninstall are retained.	Perform the following operations to clear the registry entries and reinstall the agent: Log on to the Security Center console. On the Anti-ransomware page, click the Anti-ransomware for Servers tab. On this tab, find the required server and click Uninstall in the Actions column to uninstall the anti-ransomware agent from the server. After you uninstall the anti-ransomware agent, the status of the agent for the server changes to Not Installed. Clear the following registry entries based on the version of the anti-ransomware agent that is installed: The registry entries of the V1.0 anti-ransomware agent `# The V1.0 anti-ransomware agent HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\hybridbackup HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\hbrupdater` The registry entries of the V2.0 anti-ransomware agent # The V2.0 anti-ransomware agent HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\hbrclient HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\hbrclientupdater HKEY_LOCAL_MACHINE\SOFTWARE\Alibaba, Inc.\Aliyun Hybrid Backup Service Client # 64-bit HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B1F066FC-D85C-46F8-9ED7-88A4385AF9A6}}_is1 # 32-bit HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9A3FBAB2-A9B0-4F3B-951A-ABC72D58BA6D}}_is1 On the Anti-ransomware for Servers tab, find the required server and click Install in the Actions column.
FAILED_TO_DOWNLOAD_INSTALLER	Failed to download the installation package	The installation package of the anti-ransomware agent fails to be downloaded because the network connection fails.	Perform the following operations to troubleshoot network connection issues: Log on to your ECS instance, run the `ping` or `telnet` command to test the connectivity between the ECS instance and the anti-ransomware endpoint, and then check whether firewall policies are configured for the ECS instance. For more information about anti-ransomware endpoints, see Anti-ransomware endpoints. After you troubleshoot network connection issues, perform the following operations to reinstall the anti-ransomware agent: Log on to the Security Center console. On the Anti-ransomware page, click the Anti-ransomware for Servers tab. On this tab, find the required server and click Install in the Actions column.
PRECHECK_COMMAND_FAILED	Preflight command failed	The execution of the Cloud Assistant command times out.	Perform the following operations to reinstall the anti-ransomware agent: Log on to the Security Center console. On the Anti-ransomware page, click the Anti-ransomware for Servers tab. On this tab, find the required server and click Uninstall in the Actions column to uninstall the anti-ransomware agent from the server. After you uninstall the anti-ransomware agent, the status of the agent for the server changes to Not Installed. On the Anti-ransomware for Servers tab, find the required server and click Install in the Actions column.
INSTALL_COMMAND_TIMEOUT	Install Command timeout	The anti-ransomware agent fails to be installed because the installation command times out.	Perform the following operations to reinstall the anti-ransomware agent: Log on to the Security Center console. On the Anti-ransomware page, click the Anti-ransomware for Servers tab. On this tab, find the required server and click Uninstall in the Actions column to uninstall the anti-ransomware agent from the server. After you uninstall the anti-ransomware agent, the status of the agent for the server changes to Not Installed. On the Anti-ransomware for Servers tab, find the required server and click Install in the Actions column.
ServiceUnavailable	ServiceUnavailable	Your Alibaba Cloud account does not have the required permissions, or the queries per second (QPS) exceeds the upper limit.	Log on to the Security Center console by using your Alibaba Cloud account. On the Anti-ransomware page, click the Anti-ransomware for Servers tab. On this tab, click Authorize Now and assign the AliyunServiceRoleForHbrEcsBackup and AliyunServiceRoleForSas roles to your Alibaba Cloud account. If the issue persists after the required permissions are granted, submit a ticket for consultation and start a live chat for support.
CONFLICT_WITH_EXISTING_AGENT	Conflict with existing client	The anti-ransomware agent fails to be installed because the agent is already installed.	Perform the following operations to reinstall the anti-ransomware agent: Log on to the Security Center console. On the Anti-ransomware page, click the Anti-ransomware for Servers tab. On this tab, find the required server and click Uninstall in the Actions column to uninstall the anti-ransomware agent from the server. After you uninstall the anti-ransomware agent, the status of the agent for the server changes to Not Installed. On the Anti-ransomware for Servers tab, find the required server and click Install in the Actions column.
ACTIVATE_COMMAND_FAILED	An error occurs on the agent. You can reinstall the agent to restore normal service operations. If the issue persists, submit a ticket for consultation and start a live chat for support.	An error occurs on the anti-ransomware agent.	Perform the following operations to reinstall the anti-ransomware agent: Log on to the Security Center console. On the Anti-ransomware page, click the Anti-ransomware for Servers tab. On this tab, find the required server and click Uninstall in the Actions column to uninstall the anti-ransomware agent from the server. After you uninstall the anti-ransomware agent, the status of the agent for the server changes to Not Installed. On the Anti-ransomware for Servers tab, find the required server and click Install in the Actions column. If the issue persists, submit a ticket for consultation and start a live chat for support.
CHECK_RUNNING_COMMAND_FAILED	Check service startup command failed	A service error occurs.	Perform the following operations to reinstall the anti-ransomware agent: Log on to the Security Center console. On the Anti-ransomware page, click the Anti-ransomware for Servers tab. On this tab, find the required server and click Uninstall in the Actions column to uninstall the anti-ransomware agent from the server. After you uninstall the anti-ransomware agent, the status of the agent for the server changes to Not Installed. On the Anti-ransomware for Servers tab, find the required server and click Install in the Actions column.
INSTALL_COMMAND_FAILED	Installation Command failed	The installation of the anti-ransomware agent is blocked by the security software installed on the server.	Uninstall the security software installed on the server. Log on to the Security Center console. On the Anti-ransomware page, click the Anti-ransomware for Servers tab. On this tab, find the required server and click Install in the Actions column.

Troubleshoot the issues that cause the abnormal status of backup tasks

View the causes of the abnormal status of backup tasks

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose Protection Configuration > Host Protection > Anti-ransomware.
In the upper-right corner of the Anti-ransomware page, click Backup Tasks.
In the Backup Tasks panel, select Failed from the status drop-down list.
Find a backup task and click the icon in the Status column to view the causes of failure.
Troubleshoot the issues that cause the abnormal status based on the information in the Details message.

Causes of the abnormal status for backup tasks and solutions

Error code	Information in the Details message	Cause	Solution
EXPIRED	The backup task timed out	Network connection errors occur. The backup task is stopped because the server is restarted when the anti-ransomware agent runs the backup task on the server. The ECS instance stops running. The backup task times out because a large number of files need to be backed up. The version of the anti-ransomware agent is outdated and needs to be upgraded.	If network connection errors occur, check whether the `MQTT Connection Lost.` message is included in the backup logs. If the message is included, optimize network settings. If the ECS instance stops running, check whether the ECS instance is connected or whether a restart task is running during the backup period. If the backup task times out because a large number of files need to be backed up, modify the anti-ransomware policy and remove directories that you do not need to back up.
SOURCE_NOT_EXIST	Backup source path does not exist	The backup directory that you specified in the anti-ransomware policy does not exist.	Specify another backup directory in the anti-ransomware policy.
OPEN_VAULT_FAILED	Failed to open backup Library	Access to Object Storage Service (OSS) during backups failed. We recommend that you check your network settings. The difference between the local time of your server and the system time of OSS exceeds the threshold.	In the ECS log named hbrclient.log, find the endpoint of OSS. The endpoint is in the `oss-xxx.aliyuncs.com` or `oss-xxx-internal.aliyuncs.com` format. In the ECS instance, run the `ping` or `telnet` command to check whether the endpoint of OSS can be accessed. Check whether firewalls and security groups allow network requests that are sent from the anti-ransomware agent. Check whether security software blocks network connections. If `ErrorCode=RequestTime TooSkewed, Errorhessage="The difference between the request time and the current time is too large."` is included in the backup logs of the anti-ransomware agent, check the local time on your server. If the difference between the local time and the system time of OSS exceeds 15 minutes, change the time value that is displayed on your server to the system time of OSS, and then restart the anti-ransomware agent. The system time and time zone of OSS is the same as the time and time zone of the region in which the ECS instance resides. If the ECS instance resides in a region in the Chinese mainland, the time zone of the ECS instance is UTC+8. If the ECS instance resides in a region outside the Chinese mainland, the time zone of the ECS instance is the time zone of the region. `systemctl restart hbrclient`
INTERNAL_ERROR	An internal error occurred.	An internal error occurred in the backup feature. In most cases, the error occurs in V1.0 anti-ransomware policies.	On the Anti-ransomware page, find the required V1.0 anti-ransomware policy and click Upgrade in the Actions column to upgrade the policy version to V2.0. If the issue persists, collect logs of the anti-ransomware agent and submit a ticket to contact technical support.
InternalError	An internal error occurred.
killed	The backup process is terminated by the system	In most cases, the system forcefully terminates the process if the CPU utilization or memory usage is excessively high. As a result, the backup fails.	Log on to the ECS console. On the Monitoring tab of the instance details page, view the CPU utilization or memory usage during the backup period. If the backup process consumes a large amount of resources, limit the resources that can be occupied by the backup process. For more information, see How do I resolve OOM issues on a Cloud Backup client?
CreateSnapshotFailed	Failed to create a backup snapshot when the backup is about to end	If a backup snapshot failed to be created when the backup is about to end, OSS cannot be accessed at this point in time.	You can submit a ticket to contact technical support.
CONNECT_TO_VAULT_FAILED	Failed to access the backup vault	Access to OSS failed during backups.	Check network settings. In the ECS log named hbrclient.log, find the endpoint of OSS. The endpoint is in the `oss-xxx-internal.aliyuncs.com` format. In the ECS instance, run the `ping` or `telnet` command to check whether the endpoint of OSS can be accessed.
AppError: ErrorCode=TooManyConcurrentJobs, ErrorMessage=TooManyConcurrentJobs	A large number of backup tasks are running, and new backup tasks cannot be run	A large amount of data needs to be backed up, or a subsequent backup task is run when the previous backup task is not complete due to the slow backup speed.	Perform the following operations in turn: Specify a longer backup interval or exclude directories and files that you do not need to back up when you configure an anti-ransomware policy. If no historical backup data exists or no historical backup data is required, remove the server from the anti-ransomware policy. For more information, see Manage servers that are added to an anti-ransomware policy. Perform the following operation to add the server to the anti-ransomware policy again: Select the server when you modify the anti-ransomware policy. For more information, see Edit an anti-ransomware policy. If the issue persists, submit a ticket to contact technical support.
EcsStopped	The ECS instance is not started.	The ECS instance is stopped.	Check the status of the ECS instance and whether the ECS instance is stopped due to overdue payments.
EcsReleased	The ECS instance is released	The ECS instance is released.	None.
ClientDisconnectedAegisClientNotOnline	The Security Center agent and the anti-ransomware agent are offline	The Security Center agent and the anti-ransomware agent are offline.	Check the status of the Security Center agent. Make sure that the Security Center agent is online. For more information, see Troubleshoot why the Security Center agent is offline. Check the status of the anti-ransomware agent. Make sure that the anti-ransomware agent is online. Perform the following operations to check the network connection status of the ECS instance: Log on to your ECS instance, run the `ping` or `telnet` command to test the network connectivity between the ECS instance and the anti-ransomware endpoint, and then check whether firewall policies are configured for the ECS instance. For more information about anti-ransomware endpoints, see Anti-ransomware endpoints.
ClientDisconnected	The anti-ransomware agent is offline	The anti-ransomware agent is offline.	Check the status of the anti-ransomware agent. Make sure that the anti-ransomware agent is online. Perform the following operations to check the network connection status of the ECS instance: Log on to your ECS instance, run the `ping` or `telnet` command to test the network connectivity between the ECS instance and the anti-ransomware endpoint, and then check whether firewall policies are configured for the ECS instance. For more information about anti-ransomware endpoints, see Anti-ransomware endpoints.
OOM	The memory usage is high	If a large amount of file data is stored in the backup directory, the memory usage is high. If the memory usage exceeds the upper limit, the system forcefully terminates the backup process, and the backup fails.	For more information, see OOM error occurs.
JOB_CANCELED	The backup task is automatically disabled	The backup task is disabled because the anti-ransomware policy that is applied to the server is disabled or the anti-ransomware capacity is exhausted.	Check whether the anti-ransomware policy is disabled. If the anti-ransomware policy is enabled, check whether the anti-ransomware capacity is exhausted. You can view the used capacity and total capacity on the Anti-ransomware page.
FILE_CACHE_NO_SPACE	The space used to store the file cache is insufficient	The space of the disk on which the file cache is located is less than 1 GB, which is the default threshold.	Resize the disk or change the directory of the file cache. For more information, see Use the cache feature to accelerate data backup.
ApplicationFileNotExist	The files related to the anti-ransomware agent are missing	The files related to the anti-ransomware agent are missing due to accidental deletion by third-party security software or users.	Add the process of the anti-ransomware agent to the whitelist of the third-party security software on your server and then reinstall the agent.
0xC0000142	The backup process on the Windows operating system fails to initialize	Security software imposes limits. A process conflict occurs. The files related to the anti-ransomware agent are missing.	Add the process of the anti-ransomware agent to the whitelist of the third-party security software on your server and then reinstall the agent.
3221225794
1	The backup process is exceptionally terminated (If the backup process named ids is exceptionally terminated and the exception is not handled or recorded, the system reports an error. The error code is 1 or 2.)	In scenarios when the V1.0 anti-ransomware agent is installed, the error code 1 or 2 indicates that the error is not recorded or handled .	Perform the following operations to install the V2.0 anti-ransomware agent: Log on to the Security Center console. On the Anti-ransomware page, click the Anti-ransomware for Servers tab. On this tab, find the required server and click Uninstall in the Actions column to uninstall the anti-ransomware agent from the server. After you uninstall the anti-ransomware agent, the status of the agent for the server changes to Not Installed. On the Anti-ransomware for Servers tab, find the required server and click Install in the Actions column. If the issue persists, submit a ticket to contact technical support.
2

Security Center:Troubleshoot the issues that cause the abnormal status of the anti-ransomware agent and backup tasks