Security Center generates security alerts when it detects asset intrusions, malware infections, or abnormal behaviors. Prompt and proper handling of these alerts is crucial for ensuring business stability and data security. This topic describes how to follow the emergency response process to quickly evaluate risks, eliminate threats, and harden your system.
Evaluate security alerts
Before you handle a security event, assess the impact of the alert, analyze the attack, and identify false positives. This process helps prevent disruptions to your system. You can go to the alert details page to obtain information that helps you assess the situation.
Go to the alert details page
Log on to the Security Center console.
In the navigation pane on the left, choose . In the upper-left corner of the console, select the region where your asset is deployed: Chinese Mainland or Outside Chinese Mainland.
Note: If you have activated the Cloud Threat Detection and Response (CTDR) service, the path in the navigation pane on the left changes to .
On the CWPP tab, find the target alert and click Actions in the Details column.
Important: You can enable alert notifications in . This lets you quickly find a target alert based on the information in the notification, such as the alert name.
The Ultimate Edition supports filtering alerts by asset type. Above the alert list, you can click All, Host, Container, K8s, or Cloud Product to view alerts for the corresponding asset type.
Understand alert details
You can use the alert source tracing, Description, and other information to understand the basis for an alert, its occurrence count, and its possible causes. This information helps you determine whether the alert is a false positive and decide on an appropriate solution.
Alert description
The alert description explains the detected abnormality, potential risks, and associated threats. It also provides handling suggestions.
Example assessment:
As shown in the preceding figure:
Potential risk: The relevant configuration file was modified to create a logon back door.
Recommended action: Confirm with the relevant business department whether this process is part of normal business operations. If not, prioritize terminating the process and then investigate the system for other threats.
Alert source tracing
Security Center provides an automated attack source tracing feature. It integrates logs from multiple cloud products and uses data analytics to generate a visual intrusion event chain diagram. It also supports raw data previews. This feature helps you quickly identify the cause of an intrusion and develop an emergency response policy.
This feature is available only for servers that are protected by the Enterprise or Ultimate edition, or by Host Protection or Hosts and Container Protection.
An automated attack source tracing chain is generated about 10 minutes after a threat is detected, so the tracing information becomes available 10 minutes after the alert is generated.
The automated attack source tracing information for a security alert is automatically purged three months after the alert is triggered. We recommend that you view this information promptly.
Use case:
Attack source tracing is suitable for emergency response and source tracing in cloud environments for use cases such as web intrusions, worm events, ransomware, and active connections to malicious download sources.
Example assessment:
In the source tracing area of the details page, check whether the attack chain is complete and valid. The more complete the attack chain, the more urgently you need to handle the alert.
Click a node in the source tracing graph. In the node details area on the left, check whether the attack target was reached. For example:
Check endpoint behavior: The attacker executed commands on the server, such as whoami and net user.
Check for data breaches: There are abnormal outbound connections, such as connections to a mining pool or C2 server, or sensitive files were read or uploaded.
Check for persistence traces: A back door account, scheduled task, or malicious service was created.
Click a node in the source tracing graph. In the node details area on the left, check whether the raw logs are verifiable, such as WAF block records, host process creation logs, or network connection logs.
Verifiable: Underlying logs exist to support the evidence, such as WAF block records or host process logs for executing malicious commands. This proves that the attack actually occurred. If the attack was blocked, you can mark the alert as "Handled" and you do not need to take further action. If the attack was not blocked, handle the alert as soon as possible.
Not verifiable: No supporting logs exist. This could be because the logs were deleted or the detection was bypassed. Be highly vigilant in this use case because it may be a sign of an advanced attack.
Sandbox detection
Security Center provides a sandbox detection feature. By running files in a secure and isolated environment, Security Center analyzes static and dynamic file behavioral data to safely analyze suspicious applications and detect malicious behavior. If security alerts are generated, you can handle malicious programs based on the sandbox detection results.
Not all malware alerts support the sandbox detection feature. The page indicates which alerts are supported.
In the security alert list, find the alert that you want to manage and click Actions in the Details column.
In the Sandbox section, view the sandbox detection results.
Example assessment:

Behavior Tag: This section tags the features of malicious files and highlights the high-risk operations they perform. Red indicates the intrusion behaviors that require the most attention.
ATT&CK Matrix: This section shows the runtime process flow of the sandbox detection and highlights the high-risk operations performed by the malicious file. Red indicates the intrusion behaviors that require the most attention.
Quick guide for handling alerts
If you verify the alert information and determine that it is normal behavior or does not need to be handled, you can choose to ignore or add the alert to a whitelist.
If you encounter a persistent virus threat or the same alert repeatedly, handle it in the console and then perform security hardening by following the instructions in Security hardening and attack prevention.
Alert type | Alert name | Recommended action |
Malware | Mining program | |
Malware | DDoS Trojan | |
Malware | Trojan program | |
Malware | Malicious program | |
Malware | Exploit program | |
Malware | Suspicious PowerShell command | |
Malware | Back door program | |
Malware | Reverse shell back door | |
Malware | Infectious virus | |
Unusual logon | Malicious IP logon | |
Unusual logon | Successful brute-force attack on ECS | |
Unusual logon | Logon from an uncommon account to an ECS instance | |
Unusual logon | Logon from an uncommon location to an ECS instance | |
Unusual logon | Back door account logon | |
Web shell | Web shell file detected | |
Web shell | Log or image file that contains web shell code | |
Web shell | Trojan or hotlinking back door file detected | |
Web shell | Arbitrary file write back door detected | |
Abnormal process behavior | Abnormal command execution in Java application | |
Abnormal process behavior | Suspicious process path | |
Abnormal process behavior | Network proxy forwarding behavior | |
Abnormal process behavior | Suspicious PowerShell command | |
Abnormal process behavior | Persistence back door creation behavior | |
Abnormal process behavior | SSH back door | |
Abnormal process behavior | Suspicious encoded command | |
Abnormal process behavior | Suspicious command execution | |
Malicious script | Malicious script code execution | |
Precise Defense | Bypassing security software | |
Cloud product threat detection | RAM user logon from an uncommon location | |
Cloud product threat detection | Hacking tool using an AccessKey | |
Cloud product threat detection | Abnormal role permission traversal behavior | |
Cloud product threat detection | RAM user logs on to the console and performs sensitive operations | |
Other | Security Center agent is abnormally offline | |
Manually handle alerts
If you handle an event that is aggregated from Security Center alerts using the security event handling feature, Security Center automatically updates the status of the related alerts on the CWPP tab. You do not need to manually update the alert status.
Procedure
Log on to the Security Center console.
In the navigation pane on the left, choose . In the upper-left corner of the console, select the region where your asset is deployed: Chinese Mainland or Outside Chinese Mainland.
Note: If you have activated the Cloud Threat Detection and Response service, the path in the navigation pane on the left changes to .
On the Alert page, on the CWPP tab, find the target alert. In the Actions column, click Handle, select a handling method for the alert, and then click Handle Now.
Note: The handling methods vary based on the alert type. The methods displayed in the console are the ones available for use.
You can add remarks as needed. The remarks can include the reason for handling the alert and the name of the operator. This helps you manage handled alerts.
Handling methods
The handling methods are categorized as follows:
Threat removal: Directly removes and blocks known security threats, repairs infections, prevents new attacks, and blocks threat sources to protect assets.
Alert suppression: Used to handle false positives or known and acceptable risks. You can use methods such as whitelisting and ignoring to mark the current alert as invalid or not requiring action. You can also control whether subsequent alerts are generated.
Troubleshooting: Troubleshoots abnormalities in the Security Center agent for auxiliary diagnosis.
Threat removal
Virus Detection and Removal
Common use cases
Confirm malicious activity: This method is used when Security Center detects a malicious process, such as a virus, trojan, or ransomware, and you need to immediately stop it from damaging the system.
Emergency response: This method is used when you need to quickly contain the spread of a virus or the risk of a data breach to prevent the threat from spreading to other servers.
Pre-check
A virus scan may cause service interruptions. To prevent disruptions to normal business operations, check the source file before you handle the alert. Common checks include the following:
Verify file properties: Confirm whether the file is a virus by checking its file path, signature, and hash value. This helps prevent you from accidentally terminating system or business files.
Assess business dependencies: Check whether the file is called by critical services, such as nginx- and mysql-related components.
Description
Immediately terminate the virus process and move the virus file to the quarantine area. Quarantined files cannot be executed, accessed, or spread.
Warning: Ending a process may cause services that depend on it to become abnormal. For example, this can happen if the virus is disguised as a legitimate process.
If the quarantined file is a business file into which malicious code is injected, such as a core application component, quarantining the file may cause a service interruption.
A successfully quarantined file can be restored with one click within 30 days. The restored file reappears in the security alert list, and Security Center continues to monitor it. For more information about how to restore files, see View and restore quarantined files.
Note: Files that are not restored within 30 days are automatically purged and cannot be recovered.
Follow-up actions
Review the quarantine area on a regular basis. Confirm the nature of the files within 30 days to avoid being unable to recover them after they are accidentally deleted. For more information about how to view files in the quarantine area, see View and restore quarantined files.
Deep Cleanup
Deep Cleanup is a specialized scanning feature developed by the Security Center security expert team for persistent and stubborn viruses.
Common use cases
A deep scan is a specialized solution for stubborn and infectious viruses. These viruses have the following characteristics:
Infecting host files: The virus infects system files, application files, or personal documents by injecting malicious code into them.
Difficult to eradicate: A normal virus scan may only delete the parent virus but fail to repair infected files, causing the problem to recur.
Note: If you are not dealing with this type of virus, use the regular "Virus scan" feature first.
Pre-check
A Deep Cleanup may pose risks such as accidental file deletion, service interruption, and data integrity issues. To prevent disruptions to normal business operations, check the source file before you handle the alert. Common checks include the following:
Verify file properties: Confirm whether the file is a virus by checking its file path, signature, and hash value. This helps prevent you from accidentally terminating system or business files.
Assess business dependencies: Check whether the file is called by critical services, such as nginx- and mysql-related components.
Description
It cleans up stubborn viruses by terminating malicious virus processes, quarantining malicious files, and clearing the persistence mechanisms of virus trojans.
It also provides a snapshot creation feature. You can create snapshots to back up data so that if useful data is accidentally cleared during a deep scan, you can restore it from the snapshot.
Important: Creating and retaining snapshots incurs fees. The fees are charged by the snapshot product. The default billing method is pay-as-you-go. For more information about the fees, contact pre-sales support.
Follow-up actions
Review the quarantine area on a regular basis. Confirm the nature of the files within 30 days to avoid being unable to recover them after they are accidentally deleted. For more information about how to view files in the quarantine area, see View and restore quarantined files.
Quarantine
Common use cases
This method is used when you confirm that a file is a malicious file, such as a back door program or virus, and you need to immediately stop it from running.
Description
The system moves the suspicious file to the quarantine area. Quarantined files cannot be executed, accessed, or spread.
Warning: If the quarantined file is a business file into which malicious code is injected, such as a core application component, quarantining the file may cause a service interruption.
A successfully quarantined file can be restored with one click within 30 days. The restored file reappears in the security alert list, and Security Center continues to monitor it. For more information about how to restore files, see View and restore quarantined files.
Note: Files that are not restored within 30 days are automatically purged and cannot be recovered.
Follow-up actions
Review the quarantine area on a regular basis. Confirm the nature of the files within 30 days to avoid being unable to recover them after they are accidentally deleted. For more information about how to view files in the quarantine area, see View and restore quarantined files.
End Process
Common use cases
This method is primarily used to handle alerts related to abnormal process behavior, such as MySQL executing abnormal commands or a web vulnerability exploit leading to abnormal command execution.
Description
Security Center attempts to end the process. If it fails, you can manually terminate the process with the kill [process ID] command, and then select the "Manually Handled" option.
Note: You can find the process ID on the alert details page under More Information.
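Before running kill by hand, record the facts the pre-check asks for (path, hash, command line) while the process still exists; a miner that deleted its own binary from disk can only be fingerprinted through /proc until it exits. The following script is an added example, not Security Center code: inspect_pid captures that evidence and terminate_pid wraps the kill step with a graceful-then-forced sequence and a check that the process is really gone. It assumes a Linux host with /proc mounted; the sha256sum and readlink commands are the standard coreutils ones.

```shell
#!/bin/sh
# Added example (not Security Center code): the manual side of "End Process".
# inspect_pid records evidence before anything is killed; terminate_pid sends
# SIGTERM, waits, escalates to SIGKILL, and confirms the process is gone.
# Assumes Linux with /proc mounted.

# Print the executable path (Linux appends " (deleted)" when the binary was
# removed from disk, a common trait of miners), its SHA-256 read through
# /proc so even a deleted binary can be fingerprinted, the command line and
# the parent PID. Save the hash before killing: once the process exits, a
# deleted binary is gone for good.
inspect_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    echo "exe:    $(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    if h=$(sha256sum "/proc/$pid/exe" 2>/dev/null); then
        echo "sha256: ${h%% *}"
    fi
    echo "cmd:    $(tr '\0' ' ' < "/proc/$pid/cmdline")"
    echo "ppid:   $(awk '/^PPid:/ { print $2 }' "/proc/$pid/status")"
}

# True while the process exists and is not a zombie (a zombie still answers
# kill -0 but has already terminated).
alive() {
    kill -0 "$1" 2>/dev/null || return 1
    [ "$(awk '/^State:/ { print $2 }' "/proc/$1/status" 2>/dev/null)" != "Z" ]
}

# SIGTERM, wait up to $2 seconds (default 5), SIGKILL if still running.
# Refuses PID 1 and non-numeric input. Returns 0 once the process is gone.
terminate_pid() {
    pid=$1; grace=${2:-5}
    [ "$pid" -gt 1 ] 2>/dev/null || { echo "refusing to signal pid '$pid'" >&2; return 1; }
    alive "$pid" || return 0
    kill -TERM "$pid" 2>/dev/null || return 1     # typically EPERM: not our process
    i=0
    while alive "$pid" && [ "$i" -lt "$grace" ]; do
        sleep 1; i=$((i + 1))
    done
    if alive "$pid"; then
        kill -KILL "$pid" 2>/dev/null || true
        sleep 1
    fi
    ! alive "$pid"
}

# Usage against a real alert, with PID taken from More Information:
#   inspect_pid "$PID" > "evidence-$PID.txt" && terminate_pid "$PID"
```

If the process reappears shortly after terminate_pid returns, the parent (shown as ppid) or a scheduled task is respawning it; end the parent first or handle the alert with Deep Cleanup, which also clears the persistence mechanism.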
Block
Common use cases
This method is primarily used for IP-based attack use cases, such as unusual logons and brute-force attacks.
Description
A security group defense rule is generated to block access from the malicious IP address.
You can click Details to view the basic information of the generated defense rule, such as Assets, Rule Direction, and Port Range.

Security Center automatically selects a blocking mechanism based on the client installation status. The supported blocking mechanisms are as follows:
Security Center: This interception mechanism uses the AliNet plug-in. If you use the Advanced, Enterprise, or Ultimate edition of Security Center and enable the Malicious Network Behavior Prevention feature, Security Center automatically uses the AliNet plug-in to block logons. For more information about how to enable the Malicious Network Behavior Prevention feature, see Proactive Defense.
ECS Security Group: When you enable a system rule, a security group rule is automatically created. If the system rule expires or is disabled, the security group rule is automatically deleted.
The Rule Validity Period is the effective time of the blocking rule. The default validity period is 6 hours and cannot be changed.
The generated blocking rule can be viewed in on the Defense Against Brute-force Attacks tab under System Rules.
Note: To terminate the blocking policy early, you can turn off the enable switch in the system rules.
Alert suppression
Security Center provides the Add to Whitelist and Ignore methods to suppress alerts. For specific alerts, it also supports Do Not Intercept Rule, Defense Without Notification, and Manually Handled.
Differences
Difference | Add to Whitelist | Ignore |
Use case | Permanent exceptions, such as confirmed false positives from normal business behavior. | Temporary or occasional false positives, or known and accepted issues. |
Scope of impact | Handles the current alert and, if a whitelist rule is set, automatically whitelists subsequent alerts that match the rule. | Handles only the current alert; subsequent alerts are still generated. |
Add to Whitelist
After you add an alert to the whitelist, you will no longer be notified of the same alert or alerts that match the whitelist rule. Use this option with caution.
Common use cases
The current alert is a false positive, or you need to add a permanent exception rule. For example, if a suspicious process with abnormal outbound TCP packets is actually a normal business interaction, or if suspicious scanning behavior is actually normal network detection, you need to set a whitelist rule to avoid such false positives.
Result description
For the current alert
This alert is marked as "Handled", and the alert status changes to Manually Add to Whitelist.
When the same alert occurs again, no new alert data is generated, but the latest occurrence time of this alert is updated.
For subsequent alerts
If a specific whitelist rule is set, when an alert that matches the custom whitelist rule occurs again, the alert is automatically moved to the handled list with the status Automatically Add to Whitelist, and no alert notification is sent.
Set a specific whitelist rule (optional)
In the alert handling dialog box, click the Add to Whitelist tab. Click Create Rule to add a new rule, or click the delete icon next to a rule to delete it.
Important: If you set multiple rules, the relationship between them is "OR". The whitelist takes effect if any one of the rules is met.
Ensure precision when you configure rules to avoid an overly broad scope. For example, setting "Path contains: /data/" might mistakenly whitelist other sensitive subdirectories and increase security risks.
Each rule has four configuration boxes from left to right, as described below:
Alert information field: On the details page, under More Information, you can see which alert information fields are supported for the current alert.
Condition type: Supports operations such as regular expression matching, greater than, equal to, less than, and contains. Some rules are described as follows:
Regular expression: You can use regular expressions to accurately match specific patterns. For example, to whitelist all content in the "/data/app/logs/" folder, you can set the rule "Path matches regex: ^/data/app/logs/.*". This matches all files or processes in that folder and its subdirectories.
Contains keyword: Set a rule "Path contains: D:\programs\test\". All events whose path contains this folder are whitelisted.
Condition value: Supports constants and regular expressions.
Applicable assets:
All assets: Takes effect for new assets and all existing assets.
Only for the current asset: Takes effect only for the asset that is involved in the current alert.
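The cost of an over-broad rule is easiest to see by trying candidate rules against real alert paths before saving them. The following script is an added example, not Security Center code or the console's matching engine: rule_matches implements the three condition types described above (regex, contains, equals), any_rule_matches applies the "OR" relationship between rules, and compare_rules shows why "Path contains: /data/" also whitelists a secrets directory while the anchored regex from the text does not. The "type:value" rule syntax and the sample paths are this example's own.

```shell
#!/bin/sh
# Added example (not Security Center code): a small matcher with the same
# condition types as a whitelist rule, ORed together, for testing a rule
# against real alert paths before it is saved. Rule syntax is "type:value".

# rule_matches "<type>:<value>" "<field value>"; exit 0 on a hit.
rule_matches() {
    rule=$1; field=$2
    type=${rule%%:*}; value=${rule#*:}      # split on the first colon only
    case $type in
        regex)    printf '%s\n' "$field" | grep -Eq -- "$value" ;;
        contains) case $field in *"$value"*) return 0 ;; *) return 1 ;; esac ;;
        equals)   [ "$field" = "$value" ] ;;
        *)        echo "unknown condition type: $type" >&2; return 2 ;;
    esac
}

# any_rule_matches "<field value>" rule... ; exit 0 if any rule hits (OR).
any_rule_matches() {
    field=$1; shift
    for r in "$@"; do
        rule_matches "$r" "$field" && return 0
    done
    return 1
}

# Show why "Path contains: /data/" is too broad while the anchored regex
# whitelists only the log directory. Sample paths are constructed.
compare_rules() {
    for p in /data/app/logs/app.log /data/secrets/id_rsa; do
        any_rule_matches "$p" "contains:/data/" && echo "broad rule   whitelists $p"
        any_rule_matches "$p" "regex:^/data/app/logs/.*" && echo "precise rule whitelists $p"
    done
    return 0
}
```

compare_rules prints three lines: the broad rule whitelists both paths, the precise rule only the log file. Run any_rule_matches against the paths from the last few weeks of alerts on the asset before choosing All assets as the scope.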
Cancel whitelisting
Cancel an automatic whitelist rule
Important: This action affects only subsequently generated alerts. Alerts that match the whitelist rule are no longer automatically whitelisted.
This has no effect on already handled alerts. The alert status remains unchanged.
Log on to the . In the navigation pane on the left, choose .
Note: If you have purchased the Cloud Threat Detection and Response (CTDR) service, in the navigation pane on the left, choose .
In the upper-right corner of the CWPP tab, click Cloud Workload Alert Management and select Alert Settings.
On the Alert Settings page, in the Alert Handling Rule section, set Handling Method to Automatically Add to Whitelist.
Find the target rule and click Delete in the Actions column to cancel the automatic whitelist rule.
Cancel whitelisting for an alert
Important: After you cancel the whitelisting, the alert reappears in the Unhandled alert list. You must re-evaluate and handle the alert.
Log on to the . In the navigation pane on the left, choose .
Note: If you have purchased the Cloud Threat Detection and Response (CTDR) service, in the navigation pane on the left, choose .
On the CWPP tab, set the Handled or Not filter to Handled.
Find the alert data that you want to remove from the whitelist and click the Remove from Whitelist button in the Actions column to cancel the whitelisting for the current alert.
Note: You can also select multiple alert data items and click the Remove from Whitelist button at the bottom of the list to perform a batch cancellation.

Ignore
"Ignore" is only a status management operation. It does not resolve the underlying security problem that triggered the alert.
Use this option only after you fully confirm that the alert is a false positive or a known and accepted risk to avoid masking real attacks.
We recommend that you periodically review the list of "Ignored" alerts, for example, on a weekly or monthly basis.
Common use cases
Confirmed as a false positive or low priority.
Temporary/Known issue: The issue to which the alert points exists but is a known and accepted risk, or it is a temporary, non-malicious state, such as an authorized internal penetration test or abnormal behavior during a specific maintenance window. You do not intend or are unable to fix the root cause immediately but need to clear the current alert list.
Test or debug environment: In a non-production environment, such as a development or testing environment, expected and non-security-affecting alerts frequently appear. These alerts interfere with normal monitoring and need to be temporarily silenced.
Result description
For the current alert: This alert is marked as "Handled", and the alert status changes to Ignored.
For subsequent alerts: This operation has no effect. Security Center will generate a new alert if the same type of event occurs again.
Cancel ignore
Log on to the . In the navigation pane on the left, choose .
Note: If you have purchased the Cloud Threat Detection and Response (CTDR) service, in the navigation pane on the left, choose .
On the CWPP tab, set the Handled or Not filter to Handled.
Find the alert data that you want to stop ignoring and click the Cancel Ignore button in the Actions column to cancel the ignore status for the current alert.
Note: You can also select multiple alert data items and click the Cancel Ignore button at the bottom of the list to perform a batch cancellation.
Do Not Intercept Rule
Use case
This method currently supports only handling alerts that are generated by the Adaptive WebShell Communication Block rule. You can find the rule in under Malicious Behavior Defense > System Defense Rule.
Description
The system does not block requests to the corresponding URI and no longer generates alerts.
Defense Without Notification
You will not be separately notified of subsequent identical alerts. Use this option with caution.
Use case
This method is used for alerts of the Precise Defense type. These alerts are generated by rules in under Malicious Behavior Defense.
Description
Current alert: This alert is marked as "Handled".
Subsequent alerts: When the same defense rule is hit again, the generated alert event is automatically moved to the handled list, and no alert notification is sent.
Cancel the Defend without notification rule
Log on to the . In the navigation pane on the left, choose .
Note: If you have purchased the Cloud Threat Detection and Response (CTDR) service, in the navigation pane on the left, choose .
In the upper-right corner of the CWPP tab, click Cloud Workload Alert Management and select Alert Settings.
On the Alert Settings page, in the Alert Handling Rule section, set Handling Method to Defense Without Notification.
Find the target rule and click Delete in the Actions column to cancel the Defense Without Notification rule.
Manually Handled
If you have manually handled the alert, select Manually Handled. The status of the current alert is updated to Manually Handled.
Troubleshooting
Use case
This method only supports handling the Security Center agent is abnormally offline alert.
Description
The client diagnostic program of Security Center collects data related to the client on the local machine, such as network, process, and log data, and reports the data to Security Center for analysis.
This check consumes a certain amount of CPU and memory resources. Use this feature only after careful evaluation.
Select a diagnostic mode:
Standard Mode
This mode collects client-related log data and reports the data to Security Center for analysis.
Enhancement Mode
This mode collects client-related data, such as network, process, and log data, and reports the data to Security Center for analysis.
After you click Handle Now, a diagnostic task is generated. You can view the diagnostic task result and progress in in the upper-right corner under Agent Task Management. For more information, see Client troubleshooting.
Note: If a solution is provided in the Result column, follow the recommended solution.
If no solution is provided in the Result column, click Download Diagnostic Logs in the Actions column. Provide the exported diagnostic log and your Alibaba Cloud account ID to technical support for further analysis.
Tutorials on how to handle common virus alerts
Security hardening and attack prevention
Upgrade Security Center: The Enterprise and Ultimate editions support automatic virus isolation to provide precise defense and include more security check items.
Tighten access control: Open only necessary service ports, such as 80 and 443. Configure strict IP address whitelists for management ports, such as 22 and 3389, and for database ports, such as 3306.
Note: For Alibaba Cloud ECS servers, see Manage Security Groups.
Set complex server passwords: Create complex passwords that contain uppercase letters, lowercase letters, digits, and special characters for your servers and applications.
Upgrade software: Promptly update your applications to the latest official versions. Avoid using old versions that are no longer maintained or that have known security vulnerabilities.
Perform regular backups: Create a periodic snapshot policy for important data and system disks.
Note: If you use an Alibaba Cloud ECS server, see Create an automatic snapshot policy.
Fix vulnerabilities promptly: Regularly use the Vulnerability Fix feature in Security Center to fix important system vulnerabilities and application vulnerabilities.
Reset the server system (use with caution).
If a virus deeply infects the system and is associated with underlying system components, we strongly recommend that you back up important data and then reset the server's system. You can perform the following steps:
Create a snapshot to back up important data on the server. For more information, see Create a snapshot.
Reinitialize the operating system of the server. For more information, see Reinitialize a system disk.
Create a disk from the snapshot. For more information, see Create a data disk from a snapshot.
Attach the disk to the server on which you reinstalled the operating system. For more information, see Attach a data disk.
FAQ
Alert handling issues
What should I do if an alert recurs after being handled (repeatedly infected with the same virus)?
The issue may recur for the following reasons:
Weak password: The SSH, RDP, or database password is too simple.
Unpatched vulnerabilities: Applications such as Redis, XXL-JOB, and WebLogic have high-risk vulnerabilities.
Latent back door: The initial cleanup was not thorough and left a hidden back door.
Data contamination: A backup or snapshot that contains the virus was restored.
Solutions:
Perform security hardening by following the instructions in Security hardening and attack prevention.
After you handle the virus, we recommend that you back up data and then restart the server and applications.
Warning: Restarting the server causes a brief service interruption. During this time, websites, applications, and other services that run on the server are inaccessible. This may affect user experience or business process continuity. Perform this operation during off-peak hours.
Some applications that are deployed on the server do not have an automatic startup mechanism or depend on specific environment variables. They usually need to be manually restarted. Otherwise, the application service becomes unavailable. For example, this applies to specific versions of message queues. Evaluate the restart plan in advance.
If the issue persists after the restart, back up the data and then reset the server system.
Why can't I delete a virus file (trojan, mining)?
The file or its parent directory has the immutable attribute (i) set, which blocks deletion even for root. Check for the attribute with lsattr, run chattr -i on the file and its parent directory to remove it, and then delete the file.
My server has a DDoS trojan alert. I have manually deleted the file, but the alert persists. Why?
The file was not completely deleted. You can use the following solution:
If you are using the Free Edition of Security Center, you can activate a 7-day free trial of the Enterprise or Ultimate Edition. You can also refer to Purchase Security Center and upgrade to the Anti-virus or Enterprise Edition.
After the activation, go to the security alert handling interface, find the DDoS Trojan alert, click the Handle button, and select Virus scan. The system automatically ends the trojan process and quarantines the file. For more information, see Virus scan.
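For the "Why can't I delete a virus file" question above, the following script is an added example, not Security Center code: it clears the immutable (i) and append-only (a) attributes on the file and on every directory above it, then unlinks the file and confirms it is gone. Clearing the attributes on a real infection requires root (CAP_LINUX_IMMUTABLE) and the e2fsprogs lsattr and chattr commands; on an ordinary unlocked file the function simply removes it.

```shell
#!/bin/sh
# Added example (not Security Center code): delete a file that rm refuses
# because i or a is set on it or on a directory above it. Walks from the file
# up to /, clearing the attributes only where lsattr reports them, then
# unlinks the file. Needs root to clear attributes on a real infection.

# Print the "i"/"a" letters lsattr reports for one path, or nothing.
locked_attrs() {
    lsattr -d -- "$1" 2>/dev/null | awk '{ print $1 }' | tr -cd 'ia'
}

# Walk from the path up to /, clearing i and a wherever they are set.
# Malware commonly locks the parent directory too, so that the file cannot
# be unlinked even after chattr -i on the file itself.
unlock_path() {
    case $1 in /*) p=$1 ;; *) p=$(pwd)/$1 ;; esac   # make the walk absolute
    while :; do
        attrs=$(locked_attrs "$p")
        if [ -n "$attrs" ]; then
            echo "clearing attribute(s) '$attrs' on $p" >&2
            chattr -ia -- "$p" || return 1
        fi
        [ "$p" = "/" ] && break
        p=$(dirname -- "$p")
    done
    return 0
}

# Unlock, delete, and confirm the file is gone; non-zero on any failure.
force_remove() {
    [ -e "$1" ] || { echo "no such file: $1" >&2; return 1; }
    unlock_path "$1" && rm -f -- "$1" && [ ! -e "$1" ]
}

# Usage: force_remove /path/reported/in/the/alert
```

Copy the file somewhere for sandbox analysis before removing it, and end the process that holds it first; otherwise a running miner can recreate the file and set the attribute again.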
Console feature issues
What should I do if an alert shows that a file does not exist?
This may occur because the virus was removed by another method or it cleared its own traces. You can click Ignore or Manually Handled in the alert list to clear this alert.
I received a security alert, but there is no related data in the console. Why?
Check your current Security Center edition. The Free Edition has limited features. We recommend that you refer to Purchase Security Center and upgrade to the Anti-virus or Enterprise Edition.
Use the virus scan feature to scan and handle the alert.
How do I handle multiple alerts (batch handle alerts)?
Currently, Security Center supports batch handling of security alerts only for the following actions: whitelisting, ignoring, removing from whitelist, and canceling ignore.
In the navigation pane on the left, choose . In the upper-left corner of the console, select the region where your asset is deployed: Chinese Mainland or Outside Chinese Mainland. Go to the security alert list and select the alerts that you want to handle in a batch.
Click the Ignore Once, Add to Whitelist, Remove from Whitelist, or Cancel Ignore button.
Why is the security alert handle button grayed out?
Check your current Security Center edition. The Free Edition does not support handling security alerts. You can activate a 7-day free trial or upgrade to the Anti-virus or Enterprise Edition. For more information, see Purchase Security Center.
The types of security alerts that are supported by each edition vary. For more information, see Security alert types.