
Security Center: Use the web tamper proofing feature

Last Updated: Nov 07, 2023

The web tamper proofing feature monitors website directories and files in real time. When a protected file or directory is tampered with, the feature restores it from a backup. This prevents illegal content from being inserted into the website and keeps the website running as expected. This topic describes how to use the web tamper proofing feature.

Background information

To make illegal profits or attack a business, attackers exploit vulnerabilities in websites to tamper with them, for example by inserting hidden links. Tampering with web pages disrupts normal user access and may cause serious economic loss, damage to brand reputation, and political risks.

The Security Center agent automatically collects information about the processes that modify files in the protected directories of protected servers. The agent identifies suspicious processes and file changes in real time and generates alerts for or intercepts the suspicious processes that cause file changes.

Billing

Web tamper proofing is a value-added feature of Security Center. You can use the feature after you purchase it. For more information about the billing of web tamper proofing, see Billing.

Limits

The process whitelist of web tamper proofing is supported only for servers that run specific versions of operating systems and kernels. For more information about the supported versions of operating systems and kernels, see Supported versions of operating systems and kernels.

  • If the operating system and kernel versions of the servers that you want to protect are supported by the process whitelist, take note of the following items:

    • The maximum number of directories that you can add for protection is 10 for each server.

    • The maximum length of the full path to each protected file or directory is 1,000 characters.

  • If the operating system or kernel versions of the servers that you want to protect are not supported by the process whitelist, take note of the following items:

    • The maximum number of directories that you can add for protection is 10 for each server.

    • The maximum size of each protected directory is 20 GB.

    • The maximum number of folders in each protected directory is 20,000.

    • The maximum number of folder levels in each protected directory is 20.

    • The maximum size of each protected file is 20 GB.

    • The process whitelist does not take effect.

    • You cannot set Prevention Mode to Alert Mode.

    • The paths to the Network File System (NFS) cannot be protected.
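The following Python script is an added example; it is not part of this page or of the Security Center agent. Run it on the server before you add a directory: it walks the directory and compares it with the per-directory limits above (path length, total size, folder count, folder depth, largest file), reports whether the directory sits on an NFS mount by parsing /proc/mounts, and checks the running kernel against the support table by exact string match, because the table lists exact kernel strings rather than series. The kernel set embedded in the script is a small subset of Table 1 copied for illustration; the limit constants, the interpretation of 20 GB as 20 GiB, and the /proc/mounts parsing are the script's own assumptions about how to measure what the limits describe.

```python
"""Pre-flight checks for a directory before adding it to web tamper proofing.

Added example: not part of this page or of the Security Center agent.
"""
import os
import platform
from dataclasses import dataclass, field
from typing import List, Optional

# Per-directory limits from the Limits section (servers whose kernel is not on
# the process-whitelist support list). The 10-directories-per-server limit is
# a per-server count and is not checked here.
MAX_PATH_LEN = 1_000
MAX_DIR_BYTES = 20 * 1024 ** 3      # 20 GB per protected directory (read as GiB, an assumption)
MAX_FOLDERS = 20_000                # folders below a protected directory
MAX_DEPTH = 20                      # folder levels below a protected directory
MAX_FILE_BYTES = 20 * 1024 ** 3     # 20 GB per protected file

# Small subset of Table 1, copied for illustration; load the full table in practice.
SAMPLE_SUPPORTED_KERNELS = {
    "3.10.0-1160.el7.x86_64",
    "3.10.0-1160.83.1.el7.x86_64",
    "4.18.0-372.32.1.an8_6.x86_64",
    "5.10.134-13.al8.x86_64",
}


def kernel_is_listed(release: str, listed=SAMPLE_SUPPORTED_KERNELS) -> bool:
    """Table 1 lists exact kernel strings, so match exactly rather than by series."""
    return release.strip() in listed


def filesystem_type(path: str, mounts_text: str) -> Optional[str]:
    """Filesystem type of the mount holding `path`, parsed from /proc/mounts text.

    The longest mount point that is a prefix of `path` wins; on a tie the later
    line wins, because /proc/mounts lists mounts in mount order.
    """
    best_len, best_type = -1, None
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        mount_point, fstype = parts[1], parts[2]
        mp = mount_point.rstrip("/") or "/"
        prefix = mp if mp == "/" else mp + "/"
        if (path == mp or path.startswith(prefix)) and len(mp) >= best_len:
            best_len, best_type = len(mp), fstype
    return best_type


def is_nfs(path: str, mounts_text: Optional[str] = None) -> bool:
    """NFS paths cannot be protected. Reads /proc/mounts unless text is supplied."""
    if mounts_text is None:
        try:
            with open("/proc/mounts") as fh:
                mounts_text = fh.read()
        except OSError:
            return False  # no procfs (not Linux): cannot tell, assume local
    return filesystem_type(os.path.abspath(path), mounts_text) in ("nfs", "nfs4")


@dataclass
class DirectoryReport:
    path: str
    total_bytes: int = 0
    folder_count: int = 0
    max_depth: int = 0
    largest_file: int = 0
    violations: List[str] = field(default_factory=list)


def check_protected_directory(path: str, mounts_text: Optional[str] = None) -> DirectoryReport:
    """Walk `path` and record every documented limit it exceeds."""
    root = os.path.abspath(path)
    report = DirectoryReport(path=root)
    if len(root) > MAX_PATH_LEN:
        report.violations.append(f"directory path has {len(root)} characters (max {MAX_PATH_LEN})")
    if is_nfs(root, mounts_text):
        report.violations.append("directory is on NFS, which cannot be protected")
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        report.max_depth = max(report.max_depth, depth)
        report.folder_count += len(dirnames)
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                size = os.lstat(full).st_size   # lstat: do not follow symlinks
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the scan
            report.total_bytes += size
            report.largest_file = max(report.largest_file, size)
            if len(full) > MAX_PATH_LEN:
                report.violations.append(f"file path longer than {MAX_PATH_LEN}: {full[:40]}...")
    if report.total_bytes > MAX_DIR_BYTES:
        report.violations.append(f"directory size {report.total_bytes} bytes exceeds 20 GB")
    if report.folder_count > MAX_FOLDERS:
        report.violations.append(f"{report.folder_count} folders exceeds {MAX_FOLDERS}")
    if report.max_depth > MAX_DEPTH:
        report.violations.append(f"{report.max_depth} folder levels exceeds {MAX_DEPTH}")
    if report.largest_file > MAX_FILE_BYTES:
        report.violations.append(f"largest file {report.largest_file} bytes exceeds 20 GB")
    return report


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/www/html"   # assumed web root
    print(f"kernel {platform.release()} listed in sample table: {kernel_is_listed(platform.release())}")
    print(check_protected_directory(target))
```

Run it as `python3 check_dir.py /var/www/html` on the candidate server. An empty `violations` list means the directory fits the limits for an unlisted kernel; if the kernel is listed, only the path-length limit applies, so you can ignore the size and depth findings for that server.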

Table 1. Supported versions of operating systems and kernels

Columns: Operating system | Operating system version | Kernel version

Windows (32-bit or 64-bit) | Windows Server 2008, Windows Server 2012, Windows Server 2016, and Windows Server 2019 | All versions

CentOS (64-bit) | Unlimited | The following kernels:

2.6.32 series

  • 2.6.32-220.el6.x86_64

  • 2.6.32-279.el6.x86_64

  • 2.6.32-358.6.2.el6.x86_64

  • 2.6.32-358.el6.x86_64

  • 2.6.32-431.17.1.el6.x86_64

  • 2.6.32-431.23.3.el6.x86_64

  • 2.6.32-431.el6.x86_64

  • 2.6.32-573.22.1.el6.x86_64

  • 2.6.32-642.1.1.el6.x86_64

  • 2.6.32-642.11.1.el6.centos.plus.x86_64

  • 2.6.32-642.11.1.el6.x86_64

  • 2.6.32-642.13.1.el6.x86_64

  • 2.6.32-642.15.1.el6.x86_64

  • 2.6.32-642.4.2.el6.x86_64

  • 2.6.32-642.6.2.el6.centos.plus.x86_64

  • 2.6.32-642.6.2.el6.x86_64

  • 2.6.32-642.el6.x86_64

  • 2.6.32-696.1.1.el6.x86_64

  • 2.6.32-696.10.1.el6.x86_64

  • 2.6.32-696.10.2.el6.x86_64

  • 2.6.32-696.13.2.el6.x86_64

  • 2.6.32-696.16.1.el6.x86_64

  • 2.6.32-696.18.7.el6.x86_64

  • 2.6.32-696.20.1.el6.x86_64

  • 2.6.32-696.23.1.el6.x86_64

  • 2.6.32-696.28.1.el6.x86_64

  • 2.6.32-696.3.1.el6.x86_64

  • 2.6.32-696.3.2.el6.x86_64

  • 2.6.32-696.30.1.el6.x86_64

  • 2.6.32-696.6.3.el6.x86_64

  • 2.6.32-696.el6.x86_64

  • 2.6.32-754.11.1.el6.x86_64

  • 2.6.32-754.12.1.el6.x86_64

  • 2.6.32-754.14.2.el6.x86_64

  • 2.6.32-754.15.3.el6.x86_64

  • 2.6.32-754.17.1.el6.x86_64

  • 2.6.32-754.18.2.el6.x86_64

  • 2.6.32-754.2.1.el6.x86_64

  • 2.6.32-754.22.1.el6.x86_64

  • 2.6.32-754.23.1.el6.x86_64

  • 2.6.32-754.24.3.el6.x86_64

  • 2.6.32-754.25.1.el6.x86_64

  • 2.6.32-754.27.1.el6.x86_64

  • 2.6.32-754.28.1.el6.x86_64

  • 2.6.32-754.29.1.el6.x86_64

  • 2.6.32-754.29.2.el6.x86_64

  • 2.6.32-754.3.5.el6.x86_64

  • 2.6.32-754.30.2.el6.x86_64

  • 2.6.32-754.31.1.el6.x86_64

  • 2.6.32-754.33.1.el6.x86_64

  • 2.6.32-754.35.1.el6.x86_64

  • 2.6.32-754.6.3.el6.x86_64

  • 2.6.32-754.9.1.el6.x86_64

  • 2.6.32-754.el6.x86_64

3.10.0 series

  • 3.10.0-123.9.3.el7.x86_64

  • 3.10.0-229.el7.x86_64

  • 3.10.0-327.10.1.el7.x86_64

  • 3.10.0-327.13.1.el7.x86_64

  • 3.10.0-327.22.2.el7.x86_64

  • 3.10.0-327.36.3.el7.x86_64

  • 3.10.0-327.el7.x86_64

  • 3.10.0-514.10.2.el7.x86_64

  • 3.10.0-514.16.1.el7.x86_64

  • 3.10.0-514.21.1.el7.x86_64

  • 3.10.0-514.26.2.el7.x86_64

  • 3.10.0-514.6.2.el7.x86_64

  • 3.10.0-514.el7.x86_64

  • 3.10.0-693.11.1.el7.x86_64

  • 3.10.0-693.11.6.el7.x86_64

  • 3.10.0-693.17.1.el7.x86_64

  • 3.10.0-693.2.2.el7.x86_64

  • 3.10.0-693.21.1.el7.x86_64

  • 3.10.0-693.5.2.el7.x86_64

  • 3.10.0-693.el7.x86_64

  • 3.10.0-862.11.6.el7.x86_64

  • 3.10.0-862.14.4.el7.x86_64

  • 3.10.0-862.2.3.el7.x86_64

  • 3.10.0-862.3.2.el7.x86_64

  • 3.10.0-862.3.3.el7.x86_64

  • 3.10.0-862.6.3.el7.x86_64

  • 3.10.0-862.9.1.el7.x86_64

  • 3.10.0-862.el7.x86_64

  • 3.10.0-957.1.3.el7.x86_64

  • 3.10.0-957.10.1.el7.x86_64

  • 3.10.0-957.12.1.el7.x86_64

  • 3.10.0-957.12.2.el7.x86_64

  • 3.10.0-957.21.2.el7.x86_64

  • 3.10.0-957.21.3.el7.x86_64

  • 3.10.0-957.27.2.el7.x86_64

  • 3.10.0-957.5.1.el7.x86_64

  • 3.10.0-957.el7.x86_64

  • 3.10.0-1062.1.1.el7.x86_64

  • 3.10.0-1062.1.2.el7.x86_64

  • 3.10.0-1062.12.1.el7.x86_64

  • 3.10.0-1062.18.1.el7.x86_64

  • 3.10.0-1062.4.1.el7.x86_64

  • 3.10.0-1062.4.2.el7.x86_64

  • 3.10.0-1062.4.3.el7.x86_64

  • 3.10.0-1062.7.1.el7.x86_64

  • 3.10.0-1062.9.1.el7.x86_64

  • 3.10.0-1062.el7.x86_64

  • 3.10.0-1127.10.1.el7.x86_64

  • 3.10.0-1127.13.1.el7.x86_64

  • 3.10.0-1127.18.2.el7.x86_64

  • 3.10.0-1127.19.1.el7.x86_64

  • 3.10.0-1127.8.2.el7.x86_64

  • 3.10.0-1127.el7.x86_64

  • 3.10.0-1160.11.1.el7.x86_64

  • 3.10.0-1160.15.2.el7.x86_64

  • 3.10.0-1160.2.2.el7.x86_64

  • 3.10.0-1160.21.1.el7.x86_64

  • 3.10.0-1160.24.1.el7.x86_64

  • 3.10.0-1160.25.1.el7.x86_64

  • 3.10.0-1160.31.1.el7.x86_64

  • 3.10.0-1160.36.2.el7.x86_64

  • 3.10.0-1160.41.1.el7.x86_64

  • 3.10.0-1160.42.2.el7.x86_64

  • 3.10.0-1160.45.1.el7.x86_64

  • 3.10.0-1160.49.1.el7.x86_64

  • 3.10.0-1160.53.1.el7.x86_64

  • 3.10.0-1160.59.1.el7.x86_64

  • 3.10.0-1160.6.1.el7.x86_64

  • 3.10.0-1160.62.1.el7.x86_64

  • 3.10.0-1160.66.1.el7.x86_64

  • 3.10.0-1160.el7.x86_64

  • 3.10.0-1160.71.1.el7.x86_64

  • 3.10.0-1160.76.1.el7.x86_64

  • 3.10.0-1160.80.1.el7.x86_64

  • 3.10.0-1160.83.1.el7.x86_64

4.18.0 series

  • 4.18.0-80.11.2.el8_0.x86_64

  • 4.18.0-147.3.1.el8_1.x86_64

  • 4.18.0-147.5.1.el8_1.x86_64

  • 4.18.0-147.8.1.el8_1.x86_64

  • 4.18.0-193.el8.x86_64

  • 4.18.0-193.1.2.el8_2.x86_64

  • 4.18.0-193.6.3.el8_2.x86_64

  • 4.18.0-193.14.2.el8_2.x86_64

  • 4.18.0-193.19.1.el8_2.x86_64

  • 4.18.0-193.28.1.el8_2.x86_64

  • 4.18.0-240.1.1.el8_3.x86_64

  • 4.18.0-240.10.1.el8_3.x86_64

  • 4.18.0-240.15.1.el8_3.x86_64

  • 4.18.0-240.22.1.el8_3.x86_64

  • 4.18.0-305.3.1.el8.x86_64

  • 4.18.0-305.7.1.el8_4.x86_64

  • 4.18.0-305.10.2.el8_4.x86_64

  • 4.18.0-305.12.1.el8_4.x86_64

  • 4.18.0-305.19.1.el8_4.x86_64

  • 4.18.0-305.25.1.el8_4.x86_64

  • 4.18.0-348.2.1.el8_5.x86_64

  • 4.18.0-348.7.1.el8_5.x86_64

  • 4.18.0-358.el8.x86_64

  • 4.18.0-365.el8.x86_64

Ubuntu (64-bit) | Unlimited | The following kernels:

3.x.x series

  • 3.13.0-32-generic

  • 3.13.0-65-generic

  • 3.13.0-86-generic

  • 3.13.0-145-generic

  • 3.13.0-164-generic

  • 3.13.0-170-generic

  • 3.19.0-80-generic

4.4.0 series

  • 4.4.0-62-generic

  • 4.4.0-63-generic

  • 4.4.0-79-generic

  • 4.4.0-93-generic

  • 4.4.0-96-generic

  • 4.4.0-104-generic

  • 4.4.0-117-generic

  • 4.4.0-124-generic

  • 4.4.0-142-generic

  • 4.4.0-146-generic

  • 4.4.0-148-generic

  • 4.4.0-151-generic

  • 4.4.0-154-generic

  • 4.4.0-157-generic

  • 4.4.0-161-generic

  • 4.4.0-170-generic

  • 4.4.0-174-generic

  • 4.4.0-176-generic

  • 4.4.0-177-generic

  • 4.4.0-178-generic

  • 4.4.0-179-generic

  • 4.4.0-184-generic

  • 4.4.0-194-generic

  • 4.4.0-198-generic

  • 4.4.0-210-generic

4.15.0 series

  • 4.15.0-23-generic

  • 4.15.0-42-generic

  • 4.15.0-45-generic

  • 4.15.0-48-generic

  • 4.15.0-52-generic

  • 4.15.0-54-generic

  • 4.15.0-62-generic

  • 4.15.0-66-generic

  • 4.15.0-70-generic

  • 4.15.0-72-generic

  • 4.15.0-88-generic

  • 4.15.0-91-generic

  • 4.15.0-96-generic

  • 4.15.0-101-generic

  • 4.15.0-106-generic

  • 4.15.0-109-generic

  • 4.15.0-112-generic

  • 4.15.0-117-generic

  • 4.15.0-118-generic

  • 4.15.0-121-generic

  • 4.15.0-122-generic

  • 4.15.0-124-generic

  • 4.15.0-128-generic

  • 4.15.0-135-generic

  • 4.15.0-145-generic

  • 4.15.0-147-generic

  • 4.15.0-143-generic

  • 4.15.0-151-generic

  • 4.15.0-162-generic

  • 4.15.0-166-generic

  • 4.15.0-169-generic

  • 4.15.0-170-generic

  • 4.15.0-173-generic

  • 4.15.0-175-generic

  • 4.15.0-177-generic

  • 4.15.0-181-generic

  • 4.15.0-189-generic

  • 4.15.0-190-generic

  • 4.15.0-192-generic

  • 4.15.0-193-generic

  • 4.15.0-196-generic

  • 4.15.0-197-generic

  • 4.15.0-200-generic

  • 4.15.0-202-generic

5.4.0 series

  • 5.4.0-31-generic

  • 5.4.0-47-generic

  • 5.4.0-70-generic

  • 5.4.0-77-generic

  • 5.4.0-86-generic

  • 5.4.0-90-generic

  • 5.4.0-92-generic

  • 5.4.0-94-generic

  • 5.4.0-100-generic

  • 5.4.0-102-generic

  • 5.4.0-106-generic

  • 5.4.0-108-generic

  • 5.4.0-110-generic

  • 5.4.0-113-generic

  • 5.4.0-122-generic

  • 5.4.0-123-generic

  • 5.4.0-125-generic

  • 5.4.0-131-generic

  • 5.4.0-132-generic

  • 5.4.0-135-generic

Anolis OS (64-bit) | Unlimited | The following kernels:

3.10.0 series

  • 3.10.0-1062.an7.x86_64

  • 3.10.0-1160.an7.x86_64

  • 3.10.0-1160.59.1.0.1.an7.x86_64

  • 3.10.0-1160.62.1.0.1.an7.x86_64

  • 3.10.0-1160.66.1.0.1.an7.x86_64

  • 3.10.0-1160.71.1.0.1.an7.x86_64

  • 3.10.0-1160.76.1.0.1.an7.x86_64

  • 3.10.0-1160.80.1.0.1.an7.x86_64

  • 3.10.0-1160.81.1.0.1.an7.x86_64

4.18.0 series

  • 4.18.0-348.2.1.an8_4.x86_64

  • 4.18.0-348.12.2.an8.x86_64

  • 4.18.0-348.20.1.an8_5.x86_64

  • 4.18.0-348.23.1.an8_5.x86_64

  • 4.18.0-372.9.1.an8.x86_64

  • 4.18.0-372.16.1.an8_6.x86_64

  • 4.18.0-372.19.1.an8_6.x86_64

  • 4.18.0-372.26.1.an8_6.x86_64

  • 4.18.0-372.32.1.an8_6.x86_64

4.19.91 series

  • 4.19.91-25.2.an7.x86_64

  • 4.19.91-25.7.an7.x86_64

  • 4.19.91-26.an7.x86_64

  • 4.19.91-26.4.an7.x86_64

  • 4.19.91-26.5.an7.x86_64

  • 4.19.91-26.6.an7.x86_64

  • 4.19.91-27.an7.x86_64

  • 4.19.91-25.7.an8.x86_64

  • 4.19.91-25.8.an8.x86_64

  • 4.19.91-26.an8.x86_64

  • 4.19.91-26.1.an8.x86_64

  • 4.19.91-26.4.an8.x86_64

  • 4.19.91-26.5.an8.x86_64

  • 4.19.91-26.6.an8.x86_64

RHEL | Unlimited | The following kernels:

  • 2.6.32-220.el6.x86_64

  • 2.6.32-431.el6.x86_64

  • 2.6.32-754.35.1.el6.x86_64

  • 3.10.0-1062.el7.x86_64

  • 3.10.0-1127.el7.x86_64

  • 3.10.0-1160.71.1.el7.x86_64

  • 4.18.0-80.el8.x86_64

  • 4.18.0-372.9.1.el8.x86_64

Alibaba Cloud Linux (64-bit) | Unlimited | The following kernels:

4.4.95 series

  • 4.4.95-1.al7.x86_64

  • 4.4.95-2.al7.x86_64

  • 4.4.95-3.al7.x86_64

4.19.x series

  • 4.19.24-7.al7.x86_64

  • 4.19.24-7.14.al7.x86_64

  • 4.19.81-17.al7.x86_64

  • 4.19.81-17.1.al7.x86_64

  • 4.19.81-17.2.al7.x86_64

  • 4.19.91-18.al7.x86_64

  • 4.19.91-19.1.al7.x86_64

  • 4.19.91-21.al7.x86_64

  • 4.19.91-21.2.al7.x86_64

  • 4.19.91-22.1.al7.x86_64

  • 4.19.91-22.2.al7.x86_64

  • 4.19.91-23.al7.x86_64

  • 4.19.91-24.al7.x86_64

  • 4.19.91-24.1.al7.x86_64

  • 4.19.91-25.1.al7.x86_64

  • 4.19.91-25.3.al7.x86_64

  • 4.19.91-25.6.al7.x86_64

  • 4.19.91-25.7.al7.x86_64

  • 4.19.91-25.8.al7.x86_64

  • 4.19.91-26.al7.x86_64

  • 4.19.91-26.1.al7.x86_64

  • 4.19.91-26.4.al7.x86_64

  • 4.19.91-26.6.al7.x86_64

  • 4.19.91-26.5.al7.x86_64

  • 4.19.91-27.al7.x86_64

5.10.x series

  • 5.10.23-5.al8.x86_64

  • 5.10.60-9.al8.x86_64

  • 5.10.84-10.2.al8.x86_64

  • 5.10.84-10.3.al8.x86_64

  • 5.10.84-10.4.al8.x86_64

  • 5.10.112-11.al8.x86_64

  • 5.10.112-11.1.al8.x86_64

  • 5.10.112-11.2.al8.x86_64

  • 5.10.134-12.al8.x86_64

  • 5.10.134-12.1.al8.x86_64

  • 5.10.134-12.2.al8.x86_64

  • 5.10.134-13.al8.x86_64

Prerequisites

The Security Center agent is installed on the server for which you want to enable web tamper proofing. For more information, see Install the Security Center agent.

Step 1: Purchase the quota for web tamper proofing

Each server for which you enable web tamper proofing consumes one unit of quota. Before you use web tamper proofing, make sure that the quota for web tamper proofing within the current Alibaba Cloud account is sufficient.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Tamper Protection.

  3. Perform the following operations based on your business scenarios.

    • Did not purchase the quota for web tamper proofing

      1. On the Tamper Protection page, click Upgrade Now.

      2. Perform the following operations based on the edition of Security Center:

        • Basic edition: In the Select a product version panel, select an edition. On the Security Center page, configure the Edition and Protected Servers parameters, set Web Tamper Proofing to Yes, and set Quota for Web Tamper Proofing to the number of servers for which you want to enable web tamper proofing. If you want to purchase web tamper proofing on its own, set Edition to Value-added Plan. For more information about how to select an edition of Security Center and purchase other value-added features, see Purchase Security Center.

        • Paid edition: In the Select a product version panel, click Upgrade. On the Upgrade page, set the Web Tamper Protection parameter to Yes and configure the Quota for Web Tamper Proofing parameter based on the number of servers for which you want to enable web tamper proofing.

      3. Click Buy Now and complete the payment.

    • Purchased the quota for web tamper proofing

      If the quota for web tamper proofing is 0 or insufficient, you can click Upgrade Now in the upper-right corner of the Tamper Protection page to purchase a sufficient quota for web tamper proofing.

Step 2: Enable web tamper proofing for servers

Each server can be added to web tamper proofing only once and consumes one unit of quota. To protect multiple directories on the same server, add multiple directories to that server's protection settings.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Tamper Protection.

  3. If this is the first time that you use web tamper proofing, click Add Servers for Protection.

    If this is not the first time that you use web tamper proofing, click the Management tab on the Tamper Protection page and click Add Server.

  4. In the Add Servers for Protection panel, select the server for which you want to enable web tamper proofing from the server list and click Next.

  5. In the Add Directory step, configure the parameters and click Enable Protection.

    By default, the whitelist mode is used. In whitelist mode, you must specify the formats of files that require protection. In blacklist mode, you must specify the formats of files that do not require protection. To switch to the blacklist mode, click Blacklist Mode.

    • Whitelist Mode

      In whitelist mode, Security Center intercepts the modifications to the files of the specified formats in the protected directory or generates an alert for the modifications.

      Parameter

      Description

      Protected Directory

      The server directory that you want to protect. After you specify a directory, Security Center determines whether to intercept the modifications to the name, content, or attribute of the files in the directory based on the process whitelist and prevention mode that you specify.

      Enter an absolute path that ends with a slash, in the /directory name/ format. Example: /tmp/.

      Protected File Formats

      The formats of the files that you want to protect.

      You can select formats from the drop-down list. You can also enter formats that are not displayed in the drop-down list.

      Prevention Mode

      • Interception Mode: Security Center intercepts suspicious processes and suspicious modifications to files. This ensures the security of websites and files on your server.

      • Alert Mode: Security Center identifies suspicious processes and file modifications and generates alerts for the suspicious processes and file modifications.

        Important

        If the operating system or kernel version of your server is not on the process-whitelist support list in Table 1, Alert Mode is not available: Security Center does not generate alerts, and a server that you configure with Alert Mode still intercepts suspicious processes. For more information about the supported operating system and kernel versions, see Supported versions of operating systems and kernels.

      Local Backup Directory

      The default directory in which the backup files of the protected directories are stored.

      By default, Security Center assigns /usr/local/aegis/bak as the backup directory for Linux servers and C:\Program Files (x86)\Alibaba\Aegis\bak as the backup directory for Windows servers. You can change the default backup directories.

      Example

      If you specify /tmp/ for Protected Directory, xml for Protected File Formats, and Interception Mode for Prevention Mode, Security Center intercepts modifications to the XML files in the /tmp/ directory. Files of other formats in /tmp/ are not protected.

    • Blacklist Mode

      In blacklist mode, Security Center does not intercept the modifications to the specified subdirectories, files of the specified formats, or specified files in the protected directory or generate alerts for the modifications. Security Center intercepts the modifications to other subdirectories and files in the protected directory and generates an alert for the modifications.

      Parameter

      Description

      Protected Directory

      The server directory that you want to protect. After you specify a directory, Security Center determines whether to intercept the modifications to the name, content, or attribute of the files in the directory based on the process whitelist and prevention mode that you specify.

      Enter an absolute path that ends with a slash, in the /directory name/ format. Example: /tmp/.

      Excluded Sub-Directories

      The path to the subdirectories that do not require protection.

      Enter a path relative to the protected directory that ends with a slash, in the subdirectory name/ format. Example: dir1/dir0/.

      Excluded File Formats

      The formats of the files that do not require protection.

      Excluded Files

      The files that do not require protection.

      Enter a path relative to the protected directory, in the subdirectory name/file name format. Example: dir2/file3.

      Prevention Mode

      • Interception Mode: Security Center intercepts suspicious processes and suspicious modifications to files. This ensures the security of websites and files on your server.

      • Alert Mode: Security Center identifies suspicious processes and file modifications and generates alerts for the suspicious processes and file modifications.

        Important

        If the operating system or kernel version of your server is not on the process-whitelist support list in Table 1, Alert Mode is not available: Security Center does not generate alerts, and a server that you configure with Alert Mode still intercepts suspicious processes. For more information about the supported operating system and kernel versions, see Supported versions of operating systems and kernels.

      Local Backup Directory

      The default directory in which the backup files of the protected directories are stored.

      By default, Security Center assigns /usr/local/aegis/bak as the backup directory for Linux servers and C:\Program Files (x86)\Alibaba\Aegis\bak as the backup directory for Windows servers. You can change the default backup directories.

      Important

      Excluded Sub-Directories, Excluded File Formats, and Excluded Files are evaluated by using a logical OR: a file is excluded from protection if it matches any one of the three settings. It does not have to match all of them.

      Example

      If you specify /tmp/ for Protected Directory, dir1/dir0/ for Excluded Sub-Directories, txt for Excluded File Formats, dir2/file3 for Excluded Files, and Interception Mode for Prevention Mode, only the following can be modified: files in the /tmp/dir1/dir0/ subdirectory, TXT files anywhere in /tmp/, and the file /tmp/dir2/file3. Modifications to all other subdirectories and files in /tmp/ are intercepted by Security Center.

  6. On the Management tab of the Tamper Protection page, find the server that you specified in the Add Servers for Protection panel and turn on the switch in the Protection column to enable web tamper proofing for the server.

    If this is the first time that you enable this feature for a server, the status in the Status column of the server changes to Initializing, and a progress bar appears. Web tamper proofing is enabled in a few seconds. After the feature is enabled, the status changes to Running.

    The following table describes the statuses that are available in the Status column.

    Status

    Description

    Suggestion

    Initializing

    Web tamper proofing is being initialized.

    The first time you enable web tamper proofing for a server, the status is Initializing. Wait until web tamper proofing is enabled.

    Running

    Web tamper proofing is enabled and runs as expected.

    None.

    Exception

    An error occurred during the initialization of web tamper proofing.

    Move the pointer over Exception, view the causes, and then click Retry.

    Not Initialized

    The switch in the Protection column is turned off.

    Turn on the switch in the Protection column.
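To make the whitelist and blacklist rules in the Add Directory step concrete, the following Python model is an added example that reproduces the documented decision logic; it is not the agent's code and shows nothing about how the agent enforces anything. Given a rule, a file path, and the path of the process writing to it, it returns whether the write is out of scope, allowed, intercepted, or alerted on, applying the three blacklist exclusions with the documented OR, the process whitelist, and the caveat that on kernels not in Table 1 the whitelist does not apply and Alert Mode falls back to interception. Matching formats case-insensitively on the text after the last dot, and identifying whitelisted processes by absolute path, are assumptions of this model.

```python
"""Model of the Add Directory protection rules (added example, not the agent's code)."""
import posixpath
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class Mode(Enum):
    WHITELIST = "whitelist"   # protect only the listed file formats
    BLACKLIST = "blacklist"   # protect everything except the listed exclusions


class Prevention(Enum):
    INTERCEPT = "interception"
    ALERT = "alert"


class Decision(Enum):
    OUT_OF_SCOPE = "file is outside the protected directory"
    ALLOW = "modification allowed"
    INTERCEPT = "modification intercepted"
    ALERT = "alert generated instead of interception"


@dataclass
class ProtectionRule:
    protected_dir: str                  # absolute, e.g. "/tmp/"
    mode: Mode
    prevention: Prevention
    formats: Set[str] = field(default_factory=set)             # whitelist: protected; blacklist: excluded
    excluded_subdirs: List[str] = field(default_factory=list)  # blacklist only, relative, e.g. "dir1/dir0/"
    excluded_files: List[str] = field(default_factory=list)    # blacklist only, relative, e.g. "dir2/file3"
    process_whitelist: Set[str] = field(default_factory=set)   # absolute process paths (assumption)
    whitelist_supported: bool = True    # False if the kernel is not in Table 1


def _extension(name: str) -> str:
    """Text after the last dot, lower-cased; case-insensitive matching is an assumption."""
    base = posixpath.basename(name)
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def _relative_path(rule: ProtectionRule, file_path: str) -> Optional[str]:
    """Path of `file_path` relative to the protected directory, or None if outside it.

    normpath collapses '..' first, so '/tmp/../etc/passwd' is treated as /etc/passwd.
    """
    root = posixpath.normpath(rule.protected_dir)
    rel = posixpath.relpath(posixpath.normpath(file_path), root)
    if rel == "." or rel == ".." or rel.startswith("../"):
        return None
    return rel


def file_is_protected(rule: ProtectionRule, file_path: str) -> bool:
    """Apply the mode's format and exclusion settings to one file."""
    rel = _relative_path(rule, file_path)
    if rel is None:
        return False
    ext = _extension(rel)
    formats = {f.lower().lstrip(".") for f in rule.formats}
    if rule.mode is Mode.WHITELIST:
        return ext in formats
    # Blacklist mode: the three exclusion settings are ORed; matching any one excludes the file.
    if ext in formats:
        return False
    for sub in rule.excluded_subdirs:
        sub = posixpath.normpath(sub)
        if rel == sub or rel.startswith(sub + "/"):
            return False
    if rel in {posixpath.normpath(f) for f in rule.excluded_files}:
        return False
    return True


def evaluate(rule: ProtectionRule, file_path: str, process_path: str) -> Decision:
    """Outcome when `process_path` modifies `file_path` under `rule`."""
    if _relative_path(rule, file_path) is None:
        return Decision.OUT_OF_SCOPE
    if not file_is_protected(rule, file_path):
        return Decision.ALLOW
    # The process whitelist takes effect only on kernels listed in Table 1.
    if rule.whitelist_supported and process_path in rule.process_whitelist:
        return Decision.ALLOW
    # On unlisted kernels Alert Mode is unavailable: writes are intercepted regardless.
    if rule.prevention is Prevention.ALERT and rule.whitelist_supported:
        return Decision.ALERT
    return Decision.INTERCEPT


if __name__ == "__main__":
    # The blacklist example from the Add Directory step, plus an assumed whitelisted deploy tool.
    rule = ProtectionRule("/tmp/", Mode.BLACKLIST, Prevention.INTERCEPT, formats={"txt"},
                          excluded_subdirs=["dir1/dir0/"], excluded_files=["dir2/file3"],
                          process_whitelist={"/usr/bin/rsync"})
    for f, p in [("/tmp/dir1/dir0/a.html", "/bin/sh"), ("/tmp/dir1/a.html", "/bin/sh"),
                 ("/tmp/notes.txt", "/bin/sh"), ("/tmp/dir2/file3", "/bin/sh"),
                 ("/tmp/index.html", "/usr/bin/rsync"), ("/tmp/index.html", "/bin/sh")]:
        print(f"{p} -> {f}: {evaluate(rule, f, p).value}")
```

The model makes one property of the blacklist example visible that the prose glosses over: dir1/dir0/ excludes only that subtree, so a write to /tmp/dir1/a.html is still intercepted, while a whitelisted process path writes anywhere in the protected directory without being stopped, which is why the whitelist deserves the caution in Step 4.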

Step 3: View the protection status

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Tamper Protection.

  3. On the Protection tab of the Tamper Protection page, view the details.

    • Statistical items

      In the statistics overview module, you can view the total numbers of modified files on the current day and in the last 15 days, the numbers of protected servers and directories, the number of suspicious processes that are intercepted by web tamper proofing, the number of processes that are added to the whitelist, and the purchased quota for web tamper proofing within your Alibaba Cloud account.

    • Distribution of protected file formats

      Protected file formats include TXT, PNG, MSI, and ZIP. You can also add more formats for protection based on your business requirements.

      Note

      All formats of files can be added for protection.

    • Top five file changes

      This section shows the top five files that are most frequently modified in descending order in the last 15 days. You can view the names of the files and paths to the files.

    • Top five suspicious processes that are blocked

      This section shows the top five suspicious processes that are most frequently intercepted in descending order in the last 15 days. You can view the names of the processes and the number of processes.

    • Details of alerts triggered by web tamper proofing

      Web tamper proofing helps you intercept all suspicious modifications to the files on your server. In the alert list, you can view the details about alerts for these modifications. The details include the severity level, alert name, affected assets, path to the modified files, process name, and protection status.

      Note
      • If an alert is reported more than 100 times, or a single process has written to protected files more than 100 times, we recommend that you handle the alert at your earliest opportunity.

      • The severity level of alerts is Medium.

      • The status of alerts is Defended. The alerts are triggered when web tamper proofing intercepts suspicious processes that modify files without authorization. If an intercepted process is required in your workloads, you can add the process to the whitelist to allow the process. For more information, see Step 4: (Optional) Add a process to the whitelist.

Step 4: (Optional) Add a process to the whitelist

If web tamper proofing detects that a process modifies the files that are protected, web tamper proofing intercepts the process. If you confirm that the process is normal and want the process to modify the files, you can add the process to the whitelist.

You can add a process to the whitelist only if the operating system and kernel versions of your server are supported by the process whitelist. For more information about the supported versions of operating systems and kernels, see Supported versions of operating systems and kernels.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Tamper Protection.

  3. On the Protection tab of the Tamper Protection page, add a normal process to the whitelist.

    Important

    Attackers may exploit the processes in the whitelist to compromise your server. A whitelist entry is identified by its process path and server, so any code that runs as that process path, including an attacker who hijacks a whitelisted interpreter, deployment tool, or web server, can modify protected files without being intercepted. We recommend that you add processes to the whitelist only if the processes are trusted, and that you review the Process Management panel regularly.

    • Add a process for which an alert event is generated to the whitelist

      1. In the alert event list of the Protection tab, find a process that you want to add to the whitelist and click Handle in the Actions column.

      2. In the dialog box that appears, select Whitelist for Process Method and click OK.

        A process may run on multiple servers or in multiple directories on the same server. To add the process to the whitelist on all of those servers at once, select Process servers with the same process at the same time.

    • Add multiple processes for which alert events are generated to the whitelist at a time

      1. In the alert event list on the Protection tab, find and select the processes that you want to add to the whitelist.

      2. Click Whitelist below the list. In the message that appears, click OK.

      You can also click the number below Whitelist to go to the Process Management panel. In the upper-right corner of the panel, click Enter the whitelist. In the dialog box that appears, configure Process Path and Server Name/IP to add multiple processes to the whitelist at a time.

    • View the processes in the whitelist or remove processes from the whitelist

      You can click the number below Whitelist to go to the Process Management panel. In the Process Management panel, you can view the information about the suspicious processes that are added to the whitelist. The information includes the server on which the processes run, the paths to the processes, and the numbers of times that the processes change files.

      In the Process Management panel, you can find the suspicious process that you want to remove and click Cancel whitelist in the Actions column. You can also select multiple suspicious processes and click Cancel whitelist below the list to remove the processes from the whitelist at a time.

FAQ