All Products
Search
Document Center

Security Center:Use the virus detection and removal feature

Last Updated:Nov 02, 2023

The virus detection and removal feature of Security Center uses the machine learning-based antivirus engine that is provided by Alibaba Cloud and a virus library that is updated in real time. You can use the feature to scan the items in your system that are vulnerable to attacks. The items include persistent startup items, active processes, kernel modules, sensitive directories, and public keys that are used in SSH backdoors. You can also use the feature to clean up malicious threats on servers in an efficient manner. This topic describes how to use the virus detection and removal feature.

Background information

Before you use the virus detection and removal feature, we recommend that you enable the Malicious Behavior Defense feature. After you enable the Malicious Behavior Defense feature, Security Center automatically blocks malicious behavior to intercept threats such as common trojans, ransomware, mining viruses, and DDoS trojans. For more information about how to enable the Malicious Behavior Defense feature, see Use proactive defense.

The following list describes the types of viruses that can be detected and removed by the virus detection and removal feature and the scan items that are supported:

  • Virus types: ransomware, mining programs, DDoS trojans, trojans, backdoor programs, malicious programs, high-risk programs, worms, suspicious programs, and self-mutating trojans.

  • Scan items: active processes, hidden processes, Docker processes, kernel modules, installed programs, dynamic-link library hijacks, services, scheduled tasks, startup items, and sensitive directories.

Note

Full scan is not supported. This helps reduce the consumption of server resources.

Limits

Only the Anti-virus, Advanced, Enterprise, and Ultimate editions of Security Center support this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

Step 1: Scan for viruses

The virus detection and removal feature scans all servers that are protected by Security Center to detect persistent viruses, such as ransomware and mining programs. You can perform immediate scan tasks or configure periodic scan tasks.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Virus Detection and Removal.

  3. If the AliyunServiceRoleForSas service-linked role is not created, click Authorize Now and complete authorization as prompted.

    After the authorization is complete, Security Center automatically creates the AliyunServiceRoleForSas service-linked role. For more information about the AliyunServiceRoleForSas service-linked role, see Service-linked roles for Security Center.

  4. On the Virus Detection and Removal page, perform an immediate scan task or configure a periodic scan task.

    Perform an immediate scan task

    1. On the Virus Detection and Removal page, click Immediate Scan or Scan Again.

    2. In the Scan Settings panel, configure the Scan Mode and Scope parameters.

      Parameter

      Description

      Scan Mode

      Select a scan mode. Valid values:

      • Quick Scan: In this mode, Security Center automatically scans items such as active processes, startup items, and sensitive directories and files for risks.

      • Custom Directory Scan: In this mode, you can specify the file directories that you want to scan.

        Enter the file directory that you want to scan. Separate multiple directories with line feeds. A single scan operation supports up to 30,000 files. If more than 30,000 files are included in the specified directories, the excess files are not scanned.

      Scope

      Select the assets that you want to scan. You can select assets based on the following types:

      • All Assets: If you select this option, all assets are scanned.

      • By Asset: If you select this option, you can select the servers that you want to scan.

      • By Group: If you select this option, you can select asset groups. Then, Security Center scans all assets in the asset groups. If new assets are added to the asset groups, the assets are automatically scanned by Security Center.

      • By VPC: If you select this option, you can select virtual private cloud (VPCs). Then, Security Center scans all assets that reside in the VPCs. If new assets are added to the VPCs, the assets are automatically scanned by Security Center.

    3. Click OK.

      Security Center performs an immediate scan task based on the specified scan mode and scope. The scan task requires 2 to 5 minutes to complete. Wait until the scan task is complete.

    Configure a periodic scan task

    1. On the Virus Detection and Removal page, click Scan Settings in the upper-right corner.

    2. In the Scan Settings panel, configure the Scan Cycle, Scan Mode, and Scope parameters.

      Parameter

      Description

      Scan Cycle

      Specify the interval and period for automatic scan.

      Scan Mode

      Select a scan mode. Valid values:

      • Quick Scan: In this mode, Security Center automatically scans items such as active processes, startup items, and sensitive directories and files for risks.

      • Custom Directory Scan: In this mode, you can specify the file directories that you want to scan.

        Enter the file directory that you want to scan. Separate multiple directories with line feeds. A single scan operation supports up to 30,000 files. If more than 30,000 files are included in the specified directories, the excess files are not scanned.

      Scope

      Select the assets that you want to scan. You can select assets based on the following types:

      • All Assets: If you select this option, all assets are scanned.

      • By Asset: If you select this option, you can select the servers that you want to scan.

      • By Group: If you select this option, you can select asset groups. Then, Security Center scans all assets in the asset groups. If new assets are added to the asset groups, the assets are automatically scanned by Security Center.

      • By VPC: If you select this option, you can select virtual private cloud (VPCs). Then, Security Center scans all assets that reside in the VPCs. If new assets are added to the VPCs, the assets are automatically scanned by Security Center.

    3. Click OK.

      Security Center automatically scans the specified assets based on the configurations.

  5. Optional. On the Virus Detection and Removal page, click Task Management in the upper-right corner to view the status and progress of the scan task.

Step 2: Handle alerts

Security Center provides complete capabilities to handle the threats that are detected. Security Center allows you to perform in-depth virus detection and removal with a few clicks. The following methods are used for in-depth virus detection and removal of persistent viruses: detect and remove malicious virus processes, quarantine malicious files, and remove persistence of viruses and trojans. After a scan task is complete, we recommend that you view the scan results and handle the viruses that are detected at the earliest opportunity to ensure that your servers are not affected.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Virus Detection and Removal.

  3. Go to the Alerts page. You can use one of the following methods:

    • To handle alerts for a single server, open the list of check results, find the server for which you want to handle alerts, and then click Handle in the Actions column.

    • To handle alerts for multiple servers in a batch, select the servers and click Batch Handle.

  4. In the Alert Process panel, select a processing method.

    Process Method

    Description

    Deep cleanup

    Performs in-depth virus detection on a server and removes the detected viruses. Security Center conducted tests and analysis on persistent viruses and developed the Deep cleanup method to remove persistent viruses. You can view the details of this method in the console.

    If you use the Deep cleanup method, you can enable auto-snapshot to back up your system disks before you remove the viruses. This helps prevent data loss when you remove viruses.

    Whitelist

    Adds an alert to the whitelist. If the alert event reoccurs after the alert is added to the whitelist, Security Center no longer generates alerts.

    Ignore

    Ignores an alert. After the alert is ignored, the status of the alert changes to Ignored. If the alert event reoccurs, Security Center generates alerts.

    Handled manually

    If you manually handled an alert, select Handled manually. The status of the alert changes to Handled.

  5. Click Next.

    The system starts to handle alerts. After the process is complete, you can view the handling results and the status of the alerts.

Step 3: Configure alert notifications

On the System Configuration > Notification Settings page, you can configure severities and methods for notifications on alerts. For more information, see Configure notification settings.

image.png