Webshell detection scans servers and web directories for webshells and trojans at regular intervals. Security Center runs webshell detection tasks and generates alerts only when webshell detection is enabled. This topic describes how to enable webshell detection for your servers.

Background information

Security Center uses engines developed by Alibaba Cloud to scan for common webshell files. Security Center supports scheduled scan tasks, provides real-time protection, and allows you to quarantine webshell files with a few clicks.

Description of webshell detection:

  • Security Center scans the entire web directory early in the morning on a daily basis. Changes in files in the web directory trigger dynamic detection.
  • You can specify the assets on which Security Center scans for webshells.
  • You can quarantine, restore, or ignore the detected trojan files.


Only the Enterprise and Ultimate editions of Security Center support this feature. If you do not use these editions, you must upgrade Security Center to the Enterprise or Ultimate edition before you can use this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that each edition supports, see Features.


  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. In the Webshell Detection section, click Manage.
  4. Select the servers for which you want to enable webshell detection.
    Select servers from the Detection Disabled section and click the rightwards arrow to move them to the Detection Enabled section. Webshell detection is enabled for the servers in the Detection Enabled section. To disable webshell detection for a server, move the server from the Detection Enabled section to the Detection Disabled section.Manage webshell detection settings
    Note We recommend that you enable webshell detection for all servers and pay attention to the alerts generated on your servers on which web services run.
  5. Click OK.

What to do next

After you enable webshell detection for your servers, you can view the alerts whose type is Webshell on the Alerts page. If you do not handle these alerts, they may pose threats to your servers. We recommend that you handle these alerts at the earliest opportunity. For more information, see View and handle alert events.