Security Center offers the Basic, Basic Anti-Virus, Advanced, and Enterprise editions. This topic describes the features supported by each edition.

  • The Basic edition

    The Basic edition offers basic Security Enhancement services for free. You can use the services to detect unusual logons to your servers, DDoS attacks, major server vulnerabilities, and cloud service configuration risks. If you select the Security Enhancement check box when you purchase an Elastic Compute Service (ECS) instance, the Basic edition of Security Center is activated automatically.

  • The Basic Anti-Virus edition

    The Basic Anti-Virus edition uses the subscription billing method and supports security alerts and the anti-virus feature.

  • The Advanced edition

    The Advanced edition uses the subscription billing method and provides security alerts, vulnerability detection and fixing, the anti-virus feature, and security reports.

  • The Enterprise edition

    The Enterprise edition uses the subscription billing method and provides security alerts, the anti-virus feature, vulnerability detection and fixing, baseline checks, asset fingerprints, and attack analysis.

Symbol descriptions

Symbols used in the following tables are described as follows:
  • ×: not supported by the current edition of Security Center.
  • √: supported by the current edition of Security Center.
  • Value-added: a value-added service. To use this value-added service, you must select it when you purchase Security Center, or separately purchase and activate it after you purchase Security Center.

Container security

Feature: Container signature
  Description: Signs trusted container images and verifies container image signatures to ensure that only trusted container images are deployed. Prevents unauthorized container images from starting and improves asset security.
  Editions: Basic ×, Basic Anti-Virus ×, Advanced ×, Enterprise √
  Related topic: Container signature

Feature: Container risk detection and alerts
  Description: Check items:
  • Starting of malicious images

    Monitors open image sources such as Docker Hub in real time and generates alerts if an image that contains webshells or mining programs is deployed on your server.

  • Viruses and malicious programs

    Detects viruses, Trojans, mining programs, malicious scripts, and webshells in containers.

  • Intrusion into containers

    Detects intrusion into containers through Layer 7 vulnerabilities, unauthorized operations in containers, and application-to-application spreading of malicious scripts in containers.

  • Container escapes

    Detects container escapes caused by improper container configurations, Docker vulnerabilities, or operating system vulnerabilities.

  • High-risk operation alerts

    Detects sensitive host directories mounted to containers, Docker API leaks, Kubernetes API leaks, and containers started by privilege escalation. Minimizes the risk of attackers exploiting these weaknesses.

  Editions: Basic ×, Basic Anti-Virus ×, Advanced ×, Enterprise √
  Related topic: View and handle alert events

Security score

Feature: Security score
  Description: The Overview page in the Security Center console displays the security score based on the security states of your assets. A higher security score indicates fewer risks in your assets.
  Editions: Basic √, Basic Anti-Virus √, Advanced √, Enterprise √

Assets page

Feature: The Server tab
  Description: Displays security information about each protected server, such as the protection state, group, region, and Virtual Private Cloud (VPC) network.
  Editions: Basic √, Basic Anti-Virus √, Advanced √, Enterprise √
  Related topic: View the security status of a server

Feature: The Cloud Product tab
  Description: Displays security information about each protected Alibaba Cloud service. The information includes the services that contain risks and the type of each service, for example, Server Load Balancer (SLB), NAT Gateway, ApsaraDB for RDS, and ApsaraDB for MongoDB.
  Editions: Basic √, Basic Anti-Virus √, Advanced √, Enterprise √
  Related topic: View the security status of cloud services

The anti-virus feature

Feature: Virus removal
  Description: Security experts of Security Center automatically analyze attack methods based on a large number of persistent virus samples. Alibaba Cloud developed a machine learning anti-virus engine based on this analysis. You can remove detected viruses with one click.
  Editions: Basic ×, Basic Anti-Virus √, Advanced √, Enterprise √
  Related topic: Overview

Feature: Protection against viruses
  Description: Quarantines major ransomware, DDoS Trojans, mining programs, Trojans, malicious processes, backdoor programs, and worm viruses.
  Editions: Basic ×, Basic Anti-Virus √, Advanced √, Enterprise √

Feature: Protection against ransomware
  Description: Traps ransomware and supports data backup and restoration.
  Editions: Basic ×, Basic Anti-Virus Value-added, Advanced Value-added, Enterprise Value-added
  Related topic: Create a protection policy

Playbook

Feature: Playbook
  Description: Allows you to manage tasks. Runs tasks to automatically fix vulnerabilities on multiple assets simultaneously.
  Editions: Basic ×, Basic Anti-Virus ×, Advanced ×, Enterprise √
  Related topic: Playbook overview

Classified protection compliance checks

Feature: Classified protection compliance check
  Description: Checks whether your assets comply with classified protection regulations, including regulations on communication networks, region borders, computing environments, and management centers.
  Editions: Basic √, Basic Anti-Virus √, Advanced √, Enterprise √
  Related topic: Classified protection compliance check

Vulnerability fixing

Feature: Linux software vulnerabilities: detection
  Description: Linux software vulnerability detection compares software versions by using the Open Vulnerability and Assessment Language (OVAL®) matching engine. Alerts are generated when vulnerabilities recorded in the Common Vulnerabilities and Exposures (CVE) library are detected.
  Note The Basic edition supports only automatic vulnerability scans. It does not support vulnerability fixing or quick scan tasks. To manually run quick scan tasks, you must upgrade Security Center to the Basic Anti-Virus, Advanced, or Enterprise edition. To fix detected vulnerabilities, you must upgrade Security Center to the Advanced or Enterprise edition.
  Editions: Basic √, Basic Anti-Virus √, Advanced √, Enterprise √
  Related topic: Linux software vulnerabilities

Feature: Linux software vulnerabilities: fixing
  Description: Vulnerability fixing supports quick fixes of vulnerabilities and automatic creation of snapshots. A snapshot allows you to roll back the system to the state captured in that snapshot to undo a fix.
  Editions: Basic ×, Basic Anti-Virus ×, Advanced √, Enterprise √

Feature: Windows software vulnerabilities: detection
  Description: Windows software vulnerability detection obtains updates from Microsoft Update for Windows operating systems, detects critical and other vulnerabilities, and generates alerts for these vulnerabilities.
  Note The Basic edition supports only automatic vulnerability scans. It does not support vulnerability fixing or quick scan tasks. To manually run quick scan tasks, you must upgrade Security Center to the Basic Anti-Virus, Advanced, or Enterprise edition. To fix detected vulnerabilities, you must upgrade Security Center to the Advanced or Enterprise edition.
  Editions: Basic √, Basic Anti-Virus √, Advanced √, Enterprise √
  Related topic: Windows system vulnerability detection

Feature: Windows software vulnerabilities: fixing
  Description: Vulnerability fixing automatically identifies the pre-downloaded patches required to fix vulnerabilities, which solves the issue that vulnerabilities cannot be fixed because required patches are missing. Alerts you to vulnerability fixes that require a system restart. This improves the efficiency of vulnerability fixing.
  Editions: Basic ×, Basic Anti-Virus ×, Advanced √, Enterprise √

Feature: Web CMS vulnerabilities: detection
  Description: Detection of web content management system (CMS) vulnerabilities monitors web directories, recognizes common website builders, and checks the vulnerability library to identify vulnerabilities in website builders.
  Note The Basic edition supports only automatic vulnerability scans. It does not support vulnerability fixing or quick scan tasks. To manually run quick scan tasks, you must upgrade Security Center to the Basic Anti-Virus, Advanced, or Enterprise edition. To fix detected vulnerabilities, you must upgrade Security Center to the Advanced or Enterprise edition.
  Editions: Basic √, Basic Anti-Virus √, Advanced √, Enterprise √
  Related topic: Web-CMS vulnerabilities

Feature: Web CMS vulnerabilities: fixing
  Description: Vulnerability fixing uses patches developed by Alibaba Cloud to replace or modify the source code. This allows you to fix vulnerabilities with one click.
  Editions: Basic ×, Basic Anti-Virus ×, Advanced √, Enterprise √

Feature: Emergency vulnerabilities
  Description: Provides temporary detection and fixes for emergency vulnerabilities.
  Note The Basic edition supports only automatic vulnerability detection. It does not support vulnerability fixing or quick scan tasks. To manually run quick scan tasks, you must upgrade Security Center to the Basic Anti-Virus, Advanced, or Enterprise edition.
  Editions: Basic √, Basic Anti-Virus √, Advanced √, Enterprise √
  Related topic: Emergency vulnerability detection

Feature: Application vulnerabilities
  Description: Detects and fixes weak passwords, system service vulnerabilities, and application vulnerabilities.
  Note Only the Enterprise edition supports this feature. To detect and fix application vulnerabilities on your assets, you must upgrade Security Center to the Enterprise edition.
  Editions: Basic ×, Basic Anti-Virus ×, Advanced ×, Enterprise √
  Related topic: Application vulnerability detection

Feature: Vulnerabilities that require immediate fixes
  Description: Fixes emergency vulnerabilities and lists the vulnerabilities that require immediate fixes. This enables you to quickly identify and fix high-severity vulnerabilities.
  Editions: Basic ×, Basic Anti-Virus ×, Advanced √, Enterprise √
  Related topic: Overview
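The Linux software vulnerability row above says detection works by comparing installed software versions against the versions in which known vulnerabilities are fixed. The following added example (not Security Center's engine and not an OVAL implementation) shows the core of that comparison: a simplified rpm-style version comparator that splits "epoch:version-release" strings into numeric and alphabetic segments, and a matcher that flags every installed package whose version is older than an advisory's fixed version. The package list and the advisory feed are constructed for illustration; the advisory IDs are placeholders, not real CVE numbers.

```python
import re

# Splits a version part into numeric and alphabetic segments, e.g. "1.1.1k" -> ["1", "1", "1", "k"].
_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def _split_evr(evr):
    """Split 'epoch:version-release' into (epoch, version, release).

    Epoch and release are optional; a missing epoch counts as 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def _cmp_part(a, b):
    """rpm-style comparison of one version part: numeric segments compare numerically,
    alphabetic segments compare lexically, and a numeric segment sorts newer than an
    alphabetic one. Returns -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    # All shared segments equal: the string with more segments is the newer one.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_versions(a, b):
    """Return -1, 0 or 1 as EVR string a is older than, equal to, or newer than b."""
    ea, va, ra = _split_evr(a)
    eb, vb, rb = _split_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _cmp_part(va, vb)
    return c if c else _cmp_part(ra, rb)


# Constructed data (not a real host inventory or a real advisory feed).
INSTALLED = {"openssl": "1.1.1k-7", "bash": "5.1.8-4", "curl": "7.76.1-14"}
ADVISORIES = [
    {"id": "EXAMPLE-ADVISORY-1", "package": "openssl", "fixed_in": "1.1.1k-9"},
    {"id": "EXAMPLE-ADVISORY-2", "package": "bash", "fixed_in": "5.1.8-4"},
    {"id": "EXAMPLE-ADVISORY-3", "package": "curl", "fixed_in": "7.76.1-23"},
    {"id": "EXAMPLE-ADVISORY-4", "package": "nginx", "fixed_in": "1.20.1-2"},
]


def find_vulnerable(installed, advisories):
    """Return (advisory id, package, installed version, fixed version) for every
    installed package whose version is older than the advisory's fixed version."""
    hits = []
    for adv in advisories:
        have = installed.get(adv["package"])
        if have is not None and compare_versions(have, adv["fixed_in"]) < 0:
            hits.append((adv["id"], adv["package"], have, adv["fixed_in"]))
    return hits


if __name__ == "__main__":
    for hit in find_vulnerable(INSTALLED, ADVISORIES):
        print("vulnerable: %s %s installed=%s fixed_in=%s" % hit)
```

On the constructed data, openssl and curl are reported (their release numbers are lower than the fixed release), bash is not (versions are equal), and the nginx advisory is ignored because the package is not installed. A production matcher additionally has to account for vendor backports, where a distribution fixes a vulnerability without changing the upstream version number, which is exactly why the page's engine relies on distribution-specific OVAL definitions rather than on bare version strings.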

Baseline checks

Feature: Baseline checks on servers
  Description: Baseline checks assign tasks to check server configurations and generate alerts if configuration risks are detected.

  Allows you to create a custom check policy. You can specify the check items, the detection cycle, and the server group to which the policy applies. Custom check scripts are currently not supported.

  Allows you to create custom rules for weak passwords. Periodically checks whether your cloud service baseline contains weak passwords based on your check policy. If weak passwords are detected, you receive alerts.

  Check items:
  • Account security

    Detects noncompliance with password policies, system weak passwords, and application weak passwords.

  • System configurations

    Detects potential risks in group policies, logon baseline policies, and registry configurations.

  • Database risks

    Detects risky configurations in ApsaraDB for Redis.

  • Compliance requirements

    Checks whether your servers are in compliance with baseline requirements, such as the CIS CentOS Linux 7 Benchmark.

  Editions: Basic ×, Basic Anti-Virus ×, Advanced ×, Enterprise √
  Related topic: Baseline checks

Feature: Baseline risk fixing
  Description: Fixes risks found by the Alibaba Cloud security baseline and the classified protection compliance baseline.
  Editions: Basic ×, Basic Anti-Virus ×, Advanced ×, Enterprise √
  Related topic: Manage failed check items

Cloud service configuration assessment

Feature: Cloud service configuration assessment
  Description: Detects potential risks in the configurations of Alibaba Cloud services, such as Elastic Compute Service (ECS) and ApsaraDB for RDS (RDS).
  Check items:
  • ECS

    Checks whether the port access policies of security groups are set to a loose standard.

  • SLB

    Detects unnecessary ports that are open to the Internet, which makes the system vulnerable to attacks.

  • RDS

    Checks whether databases are open to the Internet and whether an access whitelist is configured.

  • ActionTrail

    Checks whether auditing of operation logs is enabled to facilitate event tracing.

  • MFA

    Checks whether multi-factor authentication is enabled to protect your Alibaba Cloud accounts.

  • Others

    Checks whether the whitelist feature is enabled for SLB and whether RDS uses encrypted communications.

  Editions: Basic ×, Basic Anti-Virus ×, Advanced √, Enterprise √
  Related topic: Configuration assessment overview
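The check items above each reduce to a rule over resource configuration. The following added example (not Security Center's assessment engine and not Alibaba Cloud API output) runs one such rule per check item over a constructed inventory: an ECS security group rule is "loose" when it admits the whole Internet (0.0.0.0/0) to an administrative port or to every port; an SLB listener is flagged when a port other than the expected web ports is public or when its access control whitelist is off; an RDS instance is flagged when it is publicly reachable without an effective whitelist or when SSL is disabled; and ActionTrail and MFA are flagged when disabled. The resource IDs, the "-1/-1" all-ports notation, and the field names are assumptions made for this example.

```python
import ipaddress

# Constructed inventory of cloud resources (illustrative only; IDs and field names are
# assumptions for this example, not real resources or real API output).
INVENTORY = {
    "security_groups": [
        {"id": "sg-example-1", "rules": [
            {"protocol": "tcp", "port_range": "22/22", "source": "0.0.0.0/0"},
            {"protocol": "tcp", "port_range": "443/443", "source": "0.0.0.0/0"},
            {"protocol": "tcp", "port_range": "1/65535", "source": "0.0.0.0/0"},
            {"protocol": "tcp", "port_range": "22/22", "source": "10.0.0.0/8"},
        ]},
    ],
    "slb_listeners": [
        {"id": "lb-example-1", "port": 443, "public": True, "acl_enabled": True},
        {"id": "lb-example-2", "port": 3389, "public": True, "acl_enabled": False},
    ],
    "rds_instances": [
        {"id": "rm-example-1", "public_endpoint": True, "whitelist": ["0.0.0.0/0"], "ssl_enabled": False},
        {"id": "rm-example-2", "public_endpoint": False, "whitelist": ["10.0.0.0/8"], "ssl_enabled": True},
    ],
    "actiontrail": {"enabled": False},
    "accounts": [{"name": "example-account", "mfa_enabled": False}],
}

ADMIN_PORTS = {22, 3389}            # SSH and RDP: never expected from the whole Internet
EXPECTED_PUBLIC_PORTS = {80, 443}   # the only listener ports expected to be public


def _ports(spec):
    """Parse 'lo/hi'; "-1/-1" is taken to mean all ports (assumed notation)."""
    lo, hi = (int(p) for p in spec.split("/"))
    return (1, 65535) if lo == -1 else (lo, hi)


def _is_world(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a source that admits the whole Internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_ecs(inventory):
    findings = []
    for sg in inventory["security_groups"]:
        for rule in sg["rules"]:
            if not _is_world(rule["source"]):
                continue
            lo, hi = _ports(rule["port_range"])
            if (lo, hi) == (1, 65535) or any(lo <= p <= hi for p in ADMIN_PORTS):
                findings.append(("ECS", sg["id"],
                                 "loose ingress rule %s from %s" % (rule["port_range"], rule["source"])))
    return findings


def check_slb(inventory):
    findings = []
    for lst in inventory["slb_listeners"]:
        if lst["public"] and lst["port"] not in EXPECTED_PUBLIC_PORTS:
            findings.append(("SLB", lst["id"], "port %d is open to the Internet" % lst["port"]))
        if not lst["acl_enabled"]:
            findings.append(("SLB", lst["id"], "access control whitelist is disabled"))
    return findings


def check_rds(inventory):
    findings = []
    for db in inventory["rds_instances"]:
        wl = db["whitelist"]
        if db["public_endpoint"] and (not wl or any(_is_world(c) for c in wl)):
            findings.append(("RDS", db["id"], "database is open to the Internet without an effective whitelist"))
        if not db["ssl_enabled"]:
            findings.append(("RDS", db["id"], "encrypted communication (SSL) is disabled"))
    return findings


def check_actiontrail(inventory):
    if inventory["actiontrail"]["enabled"]:
        return []
    return [("ActionTrail", "-", "operation log auditing is disabled")]


def check_mfa(inventory):
    return [("MFA", acct["name"], "multi-factor authentication is disabled")
            for acct in inventory["accounts"] if not acct["mfa_enabled"]]


def assess(inventory):
    """Run every check and return a list of (service, resource id, finding) tuples."""
    findings = []
    for check in (check_ecs, check_slb, check_rds, check_actiontrail, check_mfa):
        findings.extend(check(inventory))
    return findings


if __name__ == "__main__":
    for service, resource, message in assess(INVENTORY):
        print("[%s] %s: %s" % (service, resource, message))
```

The security group check deliberately leaves the 443/443 rule alone: a public HTTPS port is expected, so "open to 0.0.0.0/0" on its own is not a finding; the combination of an unrestricted source with an administrative port or an all-ports range is what makes a policy loose.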

Security alerts

Feature: Unusual process activities
  Description: Traces intrusion sources based on real attack-defense scenarios in the cloud, creates a process whitelist, and generates alerts when unauthorized processes or intrusion attacks are detected.

  Detection of suspicious processes builds about 1,000 process patterns for hundreds of processes, and analyzes suspicious processes by comparing them with these patterns.

  Check items:
  • Reverse shells

    Detects suspicious command execution by Bash processes, and arbitrary command execution on servers under remote control.

  • Suspicious command execution in databases

    Detects suspicious command execution in databases, such as MySQL, PostgreSQL, SQL Server, Redis, and Oracle.

  • Unauthorized activities of application processes

    Detects unauthorized operations of application processes, such as Java, FTP, Tomcat, Docker containers, and lsass.exe.

  • Unauthorized activities of system processes

    Detects unauthorized activities of system processes, such as PowerShell, Secure Shell (SSH), Remote Desktop Protocol (RDP), and Samba daemon (smbd) sharing, and file copy activities of Secure Copy Protocol (SCP).

  • Other suspicious process activities

    Detects other suspicious process activities, such as unusual access to Visual Basic Script (VBScript), unusual access to hosts, writing of crontab files, and webshell injection.

  Editions: Basic ×, Basic Anti-Virus √, Advanced √, Enterprise √
  Related topic: Security alerts

Feature: Webshells
  Description: Supports detection of website script files, such as PHP, ASP, and JSP files, based on both servers and networks.

  Check items:
  • Server detection

    Monitors network directory changes on the server in real time.

  • Network detection

    Restores webshell files and identifies network protocols to detect webshells.

  Editions: Basic ×, Basic Anti-Virus √, Advanced √, Enterprise √

Feature: Webshells: webshell removal
  Description: Quarantines detected webshell files in the Security Center console. You can restore quarantined files within 30 days.
  Editions: Basic ×, Basic Anti-Virus √, Advanced √, Enterprise √

Feature: Unusual logons: basic logon detection
  Description: Provides basic logon detection.

  Check items:
  • Logons from unapproved locations

    Automatically records the locations from which logons to an ECS instance usually occur. Allows you to manually add approved locations. Logons from unapproved locations trigger alerts.

  • Brute-force attacks

    Records details of successful logons to an ECS instance that follow multiple failed attempts. In this case, the password may have been cracked.

  Editions: Basic √, Basic Anti-Virus √, Advanced √, Enterprise √

Feature: Unusual logons: advanced logon detection
  Description: Provides advanced logon detection.

  Check items:
  • Logons from unapproved IP addresses

    Allows you to specify approved IP addresses from which users can log on to an ECS instance, for example, the IP addresses of bastion hosts and of your company's private networks. Logons from unapproved IP addresses trigger alerts.

  • Logons from unapproved accounts

    Allows you to specify approved accounts that are allowed to log on to an ECS instance. Logons from unapproved accounts trigger alerts.

  • Logons from unapproved time periods

    Allows you to specify approved time periods, such as office hours, during which users are allowed to log on to an ECS instance. Logons outside approved time periods trigger alerts.

  Editions: Basic ×, Basic Anti-Virus ×, Advanced √, Enterprise √
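The basic and advanced unusual-logon check items above are rules over a stream of logon events. The following added example (not Security Center's detector, and not the agent's event format) implements all five over constructed events: a success from a location that is neither learned nor manually approved, a success that follows a burst of failures from the same source within a short window, and, for the advanced checks, a success from an IP address, an account, or a time of day outside the configured allow lists. The event fields, the thresholds (5 failures within 10 minutes) and the office-hours window are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Optional


@dataclass
class LogonEvent:
    ts: datetime
    account: str
    src_ip: str
    location: str      # geolocation of src_ip, as a GeoIP lookup would resolve it
    success: bool


@dataclass
class Alert:
    ts: datetime
    kind: str
    account: str
    src_ip: str


@dataclass
class LogonPolicy:
    # Basic detection: locations learned from past logons plus manually approved ones.
    approved_locations: set = field(default_factory=set)
    brute_force_threshold: int = 5               # failures before a success is suspicious
    brute_force_window: timedelta = timedelta(minutes=10)
    # Advanced detection: an empty set or None means the check is not enforced.
    approved_ips: set = field(default_factory=set)
    approved_accounts: set = field(default_factory=set)
    approved_hours: Optional[tuple] = None        # (start, end) as datetime.time


def detect_unusual_logons(events, policy):
    """Run the basic and advanced checks over logon events and return the alerts."""
    alerts = []
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failed logons

    def prune(q, now):
        # Drop failures that fell out of the brute-force window.
        while q and now - q[0] > policy.brute_force_window:
            q.popleft()

    for ev in sorted(events, key=lambda e: e.ts):
        q = failures[ev.src_ip]
        prune(q, ev.ts)
        if not ev.success:
            q.append(ev.ts)
            continue

        # Basic: a success right after a burst of failures from the same source.
        if len(q) >= policy.brute_force_threshold:
            alerts.append(Alert(ev.ts, "brute_force_success", ev.account, ev.src_ip))
            q.clear()
        # Basic: a success from a location that is not learned or approved.
        if ev.location not in policy.approved_locations:
            alerts.append(Alert(ev.ts, "unapproved_location", ev.account, ev.src_ip))

        # Advanced: source IP, account and time-of-day allow lists.
        if policy.approved_ips and ev.src_ip not in policy.approved_ips:
            alerts.append(Alert(ev.ts, "unapproved_ip", ev.account, ev.src_ip))
        if policy.approved_accounts and ev.account not in policy.approved_accounts:
            alerts.append(Alert(ev.ts, "unapproved_account", ev.account, ev.src_ip))
        if policy.approved_hours:
            start, end = policy.approved_hours
            if not (start <= ev.ts.time() <= end):
                alerts.append(Alert(ev.ts, "unapproved_time", ev.account, ev.src_ip))
    return alerts


def _t(hhmm):
    # Constructed timestamps: all events fall on one day.
    return datetime(2024, 1, 15, *map(int, hhmm.split(":")))


# Constructed sample events (not real logs): one normal logon, one after-hours logon from an
# approved source, and five failures followed by a success from an unknown source.
SAMPLE_EVENTS = [
    LogonEvent(_t("09:30"), "alice", "10.0.0.5", "Hangzhou", True),
    LogonEvent(_t("22:00"), "bob", "10.0.0.5", "Hangzhou", True),
] + [
    LogonEvent(_t("02:0%d" % i), "root", "203.0.113.9", "Unknown", False) for i in range(5)
] + [
    LogonEvent(_t("02:05"), "root", "203.0.113.9", "Unknown", True),
]

SAMPLE_POLICY = LogonPolicy(
    approved_locations={"Hangzhou"},
    approved_ips={"10.0.0.5"},                 # e.g. a bastion host
    approved_accounts={"alice", "bob"},
    approved_hours=(time(9, 0), time(18, 0)),  # office hours
)


def run_example():
    return detect_unusual_logons(SAMPLE_EVENTS, SAMPLE_POLICY)


if __name__ == "__main__":
    for a in run_example():
        print(a.ts.time(), a.kind, a.account, a.src_ip)
```

The 02:05 success raises all five alert kinds at once, which is the signal the page describes for a cracked password; bob's 22:00 logon from the bastion host raises only the time-of-day alert, and alice's logon raises nothing. Tracking failures per source IP with a sliding window, and clearing the window once a brute-force alert fires, keeps one attack from producing an alert on every subsequent success.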
Feature: Malicious modification of sensitive files
  Description: Monitors sensitive directories and files in real time, and generates alerts when suspicious read, write, or delete operations are detected.
  Check items:
  • Malicious modification of system files

    Detects whether the bash and ps commands have been replaced, or whether hidden and unauthorized processes are running.

  • Removal of core website files

    Detects whether website files have been deleted by attackers.

  • Trojan insertion

    Detects whether malicious code has been inserted into a website so that Trojans are automatically downloaded when users visit the website.

  • Other suspicious activities

    Detects whether ransomware has tampered with the logon pages of Linux and MySQL, or has inserted email addresses or Bitcoin wallet addresses.

  Editions: Basic ×, Basic Anti-Virus √, Advanced √, Enterprise √

Feature: Malicious processes
  Description: Periodically scans processes, monitors process starts, and detects viruses and Trojans based on the anti-virus mechanism. Allows you to quickly terminate and quarantine malicious files in the Security Center console.
  The virus library has the following characteristics:
  • Update mechanism

    The virus library is maintained in the cloud and dynamically updated by Alibaba Cloud. This minimizes the risk of losses caused by an outdated virus library.

  • Diverse virus samples

    Detects all types of viruses. Alibaba Cloud integrates with major anti-virus engines worldwide, and develops its own sandbox and machine learning engine.

  Check items:
  • Ransomware

    Detects ransomware that encrypts your files, such as WannaCry and CryptoLocker.

  • Attacks

    Detects DDoS Trojans, malicious scanning Trojans, and spam Trojans.

  • Mining programs

    Detects mining programs that consume server resources.

  • Bot programs

    Detects central control Trojans, malicious central control connections, and attack tools.

  • Other viruses

    Detects worms, Mirai, and infectious viruses.

  Editions: Basic ×, Basic Anti-Virus √, Advanced √, Enterprise √

Feature: Suspicious network connections
  Description: Monitors connections between servers and networks, and generates alerts when suspicious connections are detected.
  Check items:
  • Active connections to external networks

    Detects reverse shells and Bash shells that establish suspicious connections to external IP addresses.

  • Attacks

    Detects malicious software that is inserted to launch attacks, such as SYN (synchronize) flood attacks, User Datagram Protocol (UDP) flood attacks, and Internet Control Message Protocol (ICMP) flood attacks.

  • Suspicious communications

    Detects suspicious webshell communications.

  • Unusual TCP packet sending

    Detects scan activities initiated by a process on your server that target other devices.

  Editions: Basic ×, Basic Anti-Virus √, Advanced √, Enterprise √

Feature: Others
  Description: Check items:
  • Detects unusual disconnections of the Security Center agent.
  • Detects DDoS attacks.
  Editions: Basic ×, Basic Anti-Virus ×, Advanced √, Enterprise √

Feature: Suspicious accounts
  Description: Detects suspicious accounts that attempt to log on to your system, based on user behavior analysis.
  Editions: Basic ×, Basic Anti-Virus √, Advanced √, Enterprise √

Feature: Intrusion events through applications
  Description: Detects intrusion events that are conducted through applications, such as Microsoft SQL Server.
  Editions: Basic ×, Basic Anti-Virus √, Advanced √, Enterprise √

Feature: Cloud service threats
  Description: Detects unusual use of cloud services based on user behavior analysis. For example, an attacker uses your AccessKey pair to purchase a large number of ECS instances for mining.
  Editions: Basic ×, Basic Anti-Virus √, Advanced √, Enterprise √

Feature: Precise defense
  Description: Automatically quarantines common Internet viruses, such as ransomware, DDoS Trojans, mining programs, Trojans, malicious programs, webshells, and computer worms. Security experts of Alibaba Cloud test and verify all automatically quarantined viruses to keep the false positive rate to a minimum.
  Editions: Basic ×, Basic Anti-Virus √, Advanced √, Enterprise √

Feature: The application whitelist
  Description: Identifies programs as trusted, suspicious, or malicious based on the application whitelist to prevent unauthorized programs from running.
  Editions: Basic ×, Basic Anti-Virus ×, Advanced ×, Enterprise Value-added

Feature: Persistent webshells
  Description: Detects persistent webshells on your servers.

  After an attacker gains control over a server, the attacker typically implants webshells, such as scripts, processes, and links, to persistently exploit the intrusion. Common persistence mechanisms include scheduled crontab tasks, self-starting tasks, and system file replacement.

  Editions: Basic ×, Basic Anti-Virus √, Advanced √, Enterprise √

Feature: Web application threats
  Description: Detects intrusion events that are conducted through web applications.
  Editions: Basic ×, Basic Anti-Virus √, Advanced √, Enterprise √

Feature: Malicious scripts
  Description: Detects malicious scripts on servers.

  Malicious scripts are classified into file-based scripts and fileless scripts. After an attacker gains control over a server, the attacker may use scripts for further attacks. For example, the attacker may insert mining programs and webshells, and add administrator accounts to your system. Languages of malicious scripts include Bash, Python, Perl, PowerShell, Batch, and VBScript.

  Editions: Basic ×, Basic Anti-Virus √, Advanced √, Enterprise √

Feature: Threat intelligence
  Description: Provides third-party threat intelligence sources.
  Editions: Basic ×, Basic Anti-Virus Value-added, Advanced Value-added, Enterprise Value-added

Feature: Malicious network activities
  Description: Identifies unusual network behaviors based on log data, such as network content and host activities. Malicious network activities typically include intrusions into a host through open networks, and unusual activities of the intruded host.
  Editions: Basic ×, Basic Anti-Virus √, Advanced √, Enterprise √

Attack analysis

Feature: Attack analysis
  Description: Displays the details of web attacks and brute-force attacks against your server. Traces the source IP addresses from which attacks are initiated and identifies the flaws that the attacks exploit.
  Editions: Basic ×, Basic Anti-Virus ×, Advanced ×, Enterprise √
  Related topic: Attack analysis

AccessKey pair leak detection

Feature: AccessKey leak detection
  Description: Dynamically monitors code hosting platforms such as GitHub to detect AccessKey leaks in source code that may be accidentally uploaded by company employees.
  Editions: Basic √, Basic Anti-Virus √, Advanced √, Enterprise √
  Related topic: AccessKey leak detection

Log analysis

Feature: Log analysis
  Description: Supports retrieval and analysis of raw log data, including process start events, external network connections, system logon events, five-tuples, DNS queries, security logs, and alert logs.
  Note Only users of the Enterprise edition can view network logs. Users of the Advanced edition cannot view network logs; they can view only security and host logs on the Log Analysis page in the Security Center console.
  Editions: Basic ×, Basic Anti-Virus Value-added, Advanced Value-added, Enterprise Value-added
  Related topic: Log analysis

Asset fingerprints

Feature: Asset fingerprints
  Description: Dynamically collects the following server fingerprint information:
  • Ports

    Collects and displays port listening information to track open ports.

  • Accounts

    Collects information about server accounts and relevant permissions, and checks privileged accounts to track privilege escalation activities.

  • Processes

    Collects and displays process snapshots to track trusted processes and detect suspicious processes.

  • Software

    Checks software installation information, and quickly locates affected assets when high-risk vulnerabilities are detected.

  • Scheduled tasks

    Collects information about scheduled tasks to record task paths of your assets.

  • Middleware

    Collects information about the middleware. This allows you to learn about the middleware in your assets as needed.

  Editions: Basic ×, Basic Anti-Virus ×, Advanced ×, Enterprise √
  Related topic: Overview

Security reports

Feature: Security reports
  Description: Allows you to configure security reports. After you enable this feature, Security Center sends daily security statistics to the specified recipients by email.
  Editions: Basic ×, Basic Anti-Virus ×, Advanced ×, Enterprise √
  Related topic: Security reports

Extensions

Feature: The application whitelist
  Description: Allows you to add servers that need high-level defense to the whitelist. Identifies programs as trusted, suspicious, or malicious based on the whitelist to prevent unauthorized programs from running.
  Editions: Basic ×, Basic Anti-Virus Value-added, Advanced Value-added, Enterprise Value-added
  Related topic: Application whitelist

Feature: Tamper protection
  Description: Dynamically monitors website directories and restores maliciously modified files or directories. Protects websites from malicious modification, Trojans, hidden links, and uploads of violent and illicit content.

  Allows you to add trusted Windows and Linux processes to the whitelist. Processes added to the whitelist are no longer blocked.

  Editions: Basic ×, Basic Anti-Virus Value-added, Advanced Value-added, Enterprise Value-added
  Related topic: Tamper protection

Multi-account control

Feature: Multi-account control
  Description: Allows you to manage multiple Alibaba Cloud accounts and resource accounts. Enables you to monitor the security status of accounts under a resource directory.
  Editions: Basic ×, Basic Anti-Virus ×, Advanced ×, Enterprise √
  Related topic: Multi-account control

The Settings page

Feature: The Settings page
  Description: Allows you to configure Security Center features, such as virus removal, webshell detection, container threat detection, security control, access control, and the protection modes and self-protection of the Security Center agent.
  Note To configure these features, log on to the Security Center console and click Settings in the left-side navigation pane.
  Editions: Basic √, Basic Anti-Virus √, Advanced √, Enterprise √
  Related topic: Settings

Feature: The Settings page: protection modes of the Security Center agent
  Description: The Security Center agent supports new protection modes: the high-security prevention mode and the safeguard mode for major activities. This allows the Security Center agent to protect your assets in different scenarios.
  Editions: Basic √, Basic Anti-Virus √, Advanced √, Enterprise √
  Related topic: Manage protection modes

Feature: The Settings page: self-protection of the Security Center agent
  Description: Self-protection of the Security Center agent prevents the agent from being maliciously uninstalled. This ensures that Security Center runs as expected.
  Editions: Basic ×, Basic Anti-Virus ×, Advanced √, Enterprise √
  Related topic: Client protection

Feature: Notifications
  Description: Allows you to customize alert notifications, such as the notification method and the risk level of the alerts that you want to receive.
  Editions: Basic √, Basic Anti-Virus √, Advanced √, Enterprise √
  Related topic: Alert settings

Feature: Installation and uninstallation of the Security Center agent
  Description: Allows you to install and uninstall the Security Center agent.
  Editions: Basic √, Basic Anti-Virus √, Advanced √, Enterprise √
  Related topic: Install or uninstall the Security Center agent

Threat detection limits

When Security Center detects risks, it sends you security alerts without delay. In the Security Center console, you can handle security alerts, scan for vulnerabilities, analyze attacks, and check security settings. Security Center can also analyze alerts and automatically trace attacks, which helps you protect your assets. Security Center provides a wide array of protection features. We recommend that you also install the latest system patches on your servers and use multiple security services, such as Cloud Firewall and Web Application Firewall (WAF), to better protect your assets against attacks.

Note Because attacks and viruses adapt rapidly and workload environments vary, security breaches may still occur. We recommend that you use the alerting, vulnerability detection, baseline check, and configuration assessment features provided by Security Center to better protect your assets against attacks.