To ensure the security of your assets, we recommend that you view the security alerts that are generated by Security Center on your assets and handle the security alerts at the earliest opportunity. This topic describes how to view and handle security alerts.
View security alerts
1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
2. In the left-side navigation pane, choose .
3. On the Alerts page, view security alerts.
Note: If Blocked is displayed in the Alert Name column, Security Center has terminated the malicious process of a virus file. The file can no longer threaten your services. We recommend that you quarantine the file at the earliest opportunity.
Note: If Strict Mode is displayed in the Alert Name column, the alert detection mode of the server is Strict Mode. After Strict Mode is enabled, Security Center detects more suspicious behavior and generates more alerts, but the false positive rate is higher in this mode. For more information, see Enable features on the Host Protection Settings tab.
Handle security alerts
1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
2. In the left-side navigation pane, choose .
3. On the Alerts page, find the security alert that you want to manage and click Handle in the Actions column. In the dialog box that appears, select a processing method to handle the security alert and click Process Now.
Note: Different types of security alerts support different processing methods. The processing methods displayed in the Security Center console shall prevail.
You can add a note based on your business requirements. For example, you can enter the reason for handling the security alert and the user who handled it. This helps you manage security alerts that have been handled.
Processing methods:
Virus Detection and Removal
If you select Virus Detection and Removal, you can terminate the malicious process for which the security alert is generated and quarantine the source file of the malicious process. The quarantined file can no longer threaten your services.
If you confirm that the security alert is a true positive, you can use one of the following methods to manually handle the security alert:
- End the process: terminates the malicious process.
- End the process file and isolate the source file: quarantines the virus file. After the virus file is quarantined, the file can no longer threaten your servers. For more information, see View and restore quarantined files.
Warning: If malicious code snippets are written to a business-related file, your business may fail to run as expected after you quarantine the file. Before you quarantine a file, make sure that the impact on your business is controllable.
A quarantined file can be restored within 30 days. After the restoration, the security alert generated for the file is displayed in the security alert list again, and the file is monitored by Security Center. Security Center automatically deletes a file 30 days after it is quarantined.
Add to Whitelist
If the security alert is a false positive, you can add the security alert to the whitelist. You can also specify a whitelist rule to add all security alerts that meet the condition in the rule to the whitelist. For example, you select Add To Whitelist for the security alert Exploit Kit Behavior and specify a rule that adds the security alerts generated for commands that contain aa to the whitelist. After the configuration, the status of the security alert changes to Handled, and Security Center no longer generates security alerts for commands that contain aa. In the handled security alert list, you can remove the security alert from the whitelist.
Note: If you select this method, the security alert that you select is added to the whitelist. You can also specify a whitelist rule. After you specify a whitelist rule, Security Center no longer generates the same security alert as the selected security alert when the condition in the rule is met. For more information about the security alerts that can be added to the whitelist of Security Center, see What security alerts can I add to the whitelist?
If Security Center generates a security alert for a normal process, the security alert is considered a false positive. A common false positive is a security alert generated for Unusual TCP Packets, which notifies you that your server initiated suspicious scans on other devices.
Ignore
If you select Ignore, the status of the security alert changes to Ignored. Security Center still generates this security alert in subsequent detections.
Note: If one or more security alerts can be ignored or are false positives, you can select the security alerts and click Ignore Once or Add to Whitelist below the security alert list on the Alerts page.
Deep cleanup
After the security experts of Security Center test and analyze persistent viruses, they develop the Deep cleanup method based on the results to detect and remove persistent viruses. This method carries risk. You can click Details to view information about the viruses that you want to remove. This method supports snapshots: you can create snapshots to restore data that is deleted during deep cleanup.
Isolation
If you select Isolation, Security Center quarantines webshell files. The quarantined files can no longer threaten your services.
Warning: If malicious code snippets are written to a business-related file, your business may fail to run as expected after you quarantine the file. Before you quarantine a file, make sure that the impact on your business is controllable.
A quarantined file can be restored within 30 days. After the restoration, the security alert generated for the file is displayed in the security alert list again, and the file is monitored by Security Center. Security Center automatically deletes a file 30 days after it is quarantined.
Block
If you select Block, Security Center generates security group rules to defend against attacks. You must specify the validity period for the rules. Security Center blocks access requests from the malicious IP addresses within the specified period.
End process
If you select End process, Security Center terminates the process for which the security alert is generated.
Troubleshooting
If you select Troubleshooting, the diagnostic program of Security Center collects information about the Security Center agent that is installed on your server and reports the information to Security Center for analysis. The information includes the network status, the processes of the Security Center agent, and logs. During the diagnosis, CPU and memory resources are consumed.
You can select one of the following modes for troubleshooting:
- Standard: logs of the Security Center agent are collected and reported to Security Center for analysis.
- Strict: information about the Security Center agent is collected and reported to Security Center for analysis. The information includes network status, processes, and logs.
Handled manually
If you select this method, it indicates that you have already handled the risks for which the security alert is generated.
Batch unhandled (combine the alert triggered by the same rule or type)
If you select this method, you can select multiple security alerts and handle them at a time. Before you handle multiple security alerts at a time, we recommend that you view the details of the security alerts.
Do Not Intercept Rule
If you do not want Security Center to block requests whose URI matches blocking rules, select Do Not Intercept Rule. After you select this option, Security Center no longer blocks requests that use the URI and no longer generates security alerts for them.
Defense Without Notification
If you select this method, the same security alerts are automatically added to the handled security alert list, and Security Center no longer notifies you of the security alerts. Proceed with caution.
Disable Alerting Defense Rule
If you select this method, the system disables the automatic defense rule. Proceed with caution.
After you handle the security alert, the status of the security alert changes from Unhandled to Handled.
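The Add to Whitelist method above lets a rule suppress every future alert of the same name whose command matches a condition, and the page's own example ("commands that contain aa") is a substring match. The following added example, which is not code from the page or from Security Center and only models the behaviour the page describes, shows why the breadth of that condition matters: a substring rule suppresses every command that happens to contain the text, while an anchored pattern suppresses only the command you actually verified. The Alert and WhitelistRule classes, the "contains" and "regex" rule kinds, and the sample commands and server names are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple


# Constructed model of an alert as it appears in the alert list: alert name,
# the command that triggered it, and the server it was generated on.
@dataclass(frozen=True)
class Alert:
    name: str
    command: str
    server: str


# Constructed model of a whitelist rule. Security Center's real rule syntax is
# not described on the page; here a rule is bound to one alert name and has a
# condition of kind "contains" (substring, like the "commands that contain aa"
# example) or "regex" (a pattern that must match the whole command).
@dataclass(frozen=True)
class WhitelistRule:
    alert_name: str
    kind: str  # "contains" or "regex"
    pattern: str


def rule_matches(rule: WhitelistRule, alert: Alert) -> bool:
    """A rule suppresses only the same alert as the one it was created for,
    and only when its condition holds for the alert's command."""
    if alert.name != rule.alert_name:
        return False
    if rule.kind == "contains":
        return rule.pattern in alert.command
    if rule.kind == "regex":
        return re.fullmatch(rule.pattern, alert.command) is not None
    raise ValueError(f"unknown rule kind: {rule.kind}")


def apply_whitelist(alerts: Iterable[Alert],
                    rules: Iterable[WhitelistRule]) -> Tuple[List[Alert], List[Alert]]:
    """Split alerts into (still raised, suppressed by the whitelist)."""
    rules = list(rules)
    raised, suppressed = [], []
    for alert in alerts:
        (suppressed if any(rule_matches(r, alert) for r in rules) else raised).append(alert)
    return raised, suppressed


# Constructed sample alerts; the commands are placeholders, not real indicators.
SAMPLE_ALERTS = [
    Alert("Exploit Kit Behavior", "/opt/app/bin/aa-health-check --quiet", "web-01"),
    Alert("Exploit Kit Behavior", "bash /tmp/aa.sh", "web-02"),
    Alert("Exploit Kit Behavior", "/usr/local/bin/data-loader --batch", "web-03"),
    # Same command as the first alert but a different alert name: a rule bound
    # to "Exploit Kit Behavior" must not touch it.
    Alert("Unusual TCP Packets", "/opt/app/bin/aa-health-check --quiet", "web-01"),
]

# The page's example rule: any command containing "aa".
BROAD_RULE = WhitelistRule("Exploit Kit Behavior", "contains", "aa")
# A rule limited to the one command that was verified as benign.
NARROW_RULE = WhitelistRule("Exploit Kit Behavior", "regex",
                            r"/opt/app/bin/aa-health-check( --quiet)?")


def suppressed_commands(rule: WhitelistRule) -> List[str]:
    """Commands from the sample set that the given rule would silence."""
    _, suppressed = apply_whitelist(SAMPLE_ALERTS, [rule])
    return [a.command for a in suppressed]


if __name__ == "__main__":
    for label, rule in (("broad", BROAD_RULE), ("narrow", NARROW_RULE)):
        print(f"{label} rule suppresses: {suppressed_commands(rule)}")
```

Before saving a whitelist rule, run the condition over the commands from the alerts it would have matched in the past (the handled list is a good source) and confirm that every suppressed command is one you have verified, not merely one that shares a few characters with it.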
View statistics about security alerts
Security Center provides statistics based on the alert types that are enabled. This allows you to obtain up-to-date information about the security alerts on your assets and on the enabled and disabled alert types. You can view the statistics about security alerts and the enabled alert types.
1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
2. In the left-side navigation pane, choose .
3. In the upper part of the Alerts page, view the statistics about security alerts.
Statistics (each entry lists the parameter, its description, and the operation that you can perform on it):
Alerting Server(s)
Description: The number of servers for which security alerts are generated.
Operation: Click the number below Alerting Server(s) to go to the Server tab of the Host page. On the Server tab, view the details of the servers for which security alerts are generated.
Urgent Alerts
Description: The number of unhandled Urgent security alerts.
Operation: Click the number below Urgent Alerts. The system displays the urgent security alerts on the Alerts page, where you can view and handle them.
Note: We recommend that you handle Urgent security alerts at the earliest opportunity.
All Alerts
Description: The total number of unhandled security alerts.
Operation: View the details of all unhandled security alerts on the Alerts page. For more information, see View and handle security alerts.
Precise Defense
Description: The number of viruses that are automatically quarantined by the Malicious Behavior Defense feature.
Operation: Click the number below Precise Defense. The system displays the related security alerts on the Alerts page, where you can view all the viruses that are automatically quarantined by the Malicious Behavior Defense feature.
Note: You can ignore the security alerts for viruses that have been quarantined by Security Center.
IP blocking / All
Description:
- IP blocking: the number of IP addresses that are blocked after the defense policies against brute-force attacks are enabled.
- All: the number of IP addresses that are blocked by all the defense policies against brute-force attacks that have been created.
Operation: Click a number below IP blocking / All. In the IP Policy Library panel, you can view the enabled IP address blocking policies or all the IP address blocking policies that have been created. For more information about IP address blocking policies, see Configure alert settings.
Number Of Quarantined Files
Description: The number of files that are quarantined by Security Center based on handled security alerts.
Operation: Click the number below Number Of Quarantined Files. In the Quarantine panel, you can view the details of quarantined files. Quarantined files cannot affect your servers. For more information, see View and restore quarantined files.
View the statistics about archived security alerts
If more than 100 security alerts exist, Security Center automatically archives only the security alerts that were handled more than 30 days ago. Archived security alerts are no longer displayed in the Security Center console. If you want to view statistics about archived security alerts, download the file of archived security alerts to your computer.
1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
2. In the left-side navigation pane, choose .
3. In the upper-right corner of the Alerts page, click Archive data.
4. In the Archive data dialog box, view the file of archived security alerts.
5. Click Download in the Download link column to download the file of archived security alerts to your computer.
The file of archived security alerts is in the XLSX format. It takes 2 to 5 minutes to download a file of archived security alerts. The time required by a download operation varies based on the network bandwidth and the file size.
After you download the file, you can view the information about security alerts in the file. The information includes the alert IDs, alert names, alert details, risk levels, and status of security alerts. It also provides information about affected assets, names of the affected assets, suggestions for handling the security alerts, and points in time at which security alerts were generated.
Note: If a security alert is in the Expired state, the security alert was generated within the last 30 days but you have not handled it. We recommend that you handle the security alerts generated by Security Center at the earliest opportunity.
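The statistics section above describes the counters that the console derives from the alert list (Alerting Server(s), Urgent Alerts, All Alerts), and this section lists the fields in the archive file (alert ID, name, details, risk level, status, affected asset, asset name, suggestion, generation time). The following added example, which is not code from the page or from Security Center, recomputes those counters from an export so that archived alerts, which the console no longer shows, can be summarized the same way. It assumes the XLSX download has been converted to CSV (for example with a spreadsheet application or openpyxl) and that the header names below match the fields in the order the page lists them; the header names, the risk levels other than Urgent, and all sample rows are constructed for the example.

```python
import csv
import io
from collections import Counter
from datetime import datetime
from typing import Dict, List

# Assumed header names for the CSV converted from the archive XLSX, in the
# order the page lists the archive fields.
COLUMNS = ["alert_id", "alert_name", "alert_details", "risk_level", "status",
           "affected_asset", "asset_name", "suggestion", "generated_at"]

# Constructed sample export; every value is a placeholder, not tenant data.
SAMPLE_EXPORT = """\
alert_id,alert_name,alert_details,risk_level,status,affected_asset,asset_name,suggestion,generated_at
1001,Exploit Kit Behavior,suspicious command line,Urgent,Unhandled,10.0.0.11,web-01,Quarantine the source file,2024-05-02 09:15:00
1002,Unusual TCP Packets,outbound scan pattern,Suspicious,Handled,10.0.0.12,web-02,Confirm whether the scan is expected,2024-05-03 11:40:00
1003,Webshell,file written under web root,Urgent,Unhandled,10.0.0.11,web-01,Quarantine the file,2024-05-10 22:05:00
1004,Login Anomaly,login from unusual location,Reminder,Ignored,10.0.0.13,db-01,Review the login source,2024-05-11 07:30:00
1005,Exploit Kit Behavior,suspicious command line,Urgent,Expired,10.0.0.14,app-01,Quarantine the source file,2024-05-12 13:00:00
"""


def load_alerts(csv_text: str) -> List[Dict[str, str]]:
    """Parse the exported CSV and check that the expected columns are present."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    missing = set(COLUMNS) - set(rows[0].keys() if rows else COLUMNS)
    if missing:
        raise ValueError(f"export is missing columns: {sorted(missing)}")
    return rows


def summarize(alerts: List[Dict[str, str]]) -> Dict[str, object]:
    """Recompute the console counters described on the page."""
    unhandled = [a for a in alerts if a["status"] == "Unhandled"]
    return {
        # Alerting Server(s): servers for which any alert was generated.
        "alerting_servers": len({a["asset_name"] for a in alerts}),
        # Urgent Alerts: unhandled alerts at the Urgent risk level.
        "urgent_alerts": sum(1 for a in unhandled if a["risk_level"] == "Urgent"),
        # All Alerts: every unhandled alert.
        "all_alerts": len(unhandled),
        "by_status": dict(Counter(a["status"] for a in alerts)),
        "by_risk_level": dict(Counter(a["risk_level"] for a in alerts)),
    }


def urgent_backlog(alerts: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Unhandled Urgent alerts, oldest first, so the longest-open ones are handled first."""
    backlog = [a for a in alerts if a["status"] == "Unhandled" and a["risk_level"] == "Urgent"]
    return sorted(backlog, key=lambda a: datetime.strptime(a["generated_at"], "%Y-%m-%d %H:%M:%S"))


def needs_attention(alerts: List[Dict[str, str]]) -> List[str]:
    """IDs of alerts that still need handling: Unhandled, plus Expired ones, which
    the page's note describes as generated but never handled."""
    return [a["alert_id"] for a in alerts if a["status"] in ("Unhandled", "Expired")]


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_EXPORT)
    print(summarize(alerts))
    for a in urgent_backlog(alerts):
        print(a["alert_id"], a["asset_name"], a["alert_name"], a["generated_at"])
    print("needs attention:", needs_attention(alerts))
```

Keeping the export, and a summary like this, alongside your incident records preserves the handling history that the console drops once alerts are archived.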
View and restore quarantined files
Security Center can quarantine malicious files. Quarantined files are listed in the Quarantine panel of the Alerts page. The system automatically deletes a quarantined file 30 days after the file is quarantined. If you confirm that a quarantined file poses no security risk, you can restore it with a few clicks within 30 days after it is quarantined.
1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
2. In the left-side navigation pane, choose .
3. In the upper-right corner of the Alerts page, click Quarantine.
4. In the Quarantine panel, view information about quarantined files or restore them.
- You can view information about quarantined files. The information includes server IP addresses, the directories that store the files, file status, and the time of the last modification.
- You can also restore a quarantined file: find the file and click Restore in the Actions column. The restored file is displayed in the security alert list again.