If a suspicious process attempts to make unauthorized file changes, the web tamper proofing feature detects the changes and blocks the process in real time. If a blocked process is required by your workloads, you can add it to the whitelist of web tamper proofing so that it is allowed to run. This topic describes how to add processes that are blocked by web tamper proofing to the whitelist.

Background information

Web tamper proofing allows you to add multiple normal processes to the whitelist at a time. You can add blocked processes to the whitelist on Windows and Linux servers.

Limits

You can add blocked processes to the whitelist and enable the alerting mode of web tamper proofing only if your server runs a supported OS and kernel. If the OS and kernel versions do not meet the requirements, neither option is available. The following table lists the supported OS and kernel versions.
OS versions, each followed by the supported kernel versions:
CentOS 6.3, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 7.0-1406, 7.1-1503, 7.2-1511, 7.3-1611, 7.4-1708, 7.5-1804, 7.6-1810, 7.7-1908, 7.8-2003, 7.9-2009
  • 2.6.32-**, which indicates all the CentOS kernels whose version numbers start with 2.6.32
  • 3.10.0-**, which indicates all the CentOS kernels whose version numbers start with 3.10.0
CentOS 8.0-1905, 8.1-1911, 8.2-2004, 8.3-2011
  • 4.18.0-80.11.2.el8_0.x86_64
  • 4.18.0-147.5.1.el8_1.x86_64
  • 4.18.0-147.8.1.el8_1.x86_64
  • 4.18.0-193.el8.x86_64
  • 4.18.0-193.6.3.el8_2.x86_64
  • 4.18.0-193.28.1.el8_2.x86_64
  • 4.18.0-240.1.1.el8_3.x86_64
  • 4.18.0-240.15.1.el8_3.x86_64
Ubuntu 14.04
  • 3.13.0-32-generic
  • 3.13.0-65-generic
  • 3.13.0-86-generic
  • 3.13.0-145-generic
  • 3.13.0-164-generic
  • 3.13.0-170-generic
  • 3.19.0-80-generic
  • 4.4.0-93-generic
Ubuntu 16.04
  • 4.4.0-62-generic
  • 4.4.0-63-generic
  • 4.4.0-93-generic
  • 4.4.0-117-generic
  • 4.4.0-142-generic
  • 4.4.0-151-generic
  • 4.4.0-154-generic
  • 4.4.0-157-generic
  • 4.4.0-174-generic
  • 4.4.0-178-generic
  • 4.4.0-179-generic
  • 4.4.0-184-generic
  • 4.4.0-194-generic
Ubuntu 18.04
  • 4.15.0-23-generic
  • 4.15.0-42-generic
  • 4.15.0-45-generic
  • 4.15.0-52-generic
  • 4.15.0-70-generic
  • 4.15.0-88-generic
  • 4.15.0-91-generic
  • 4.15.0-109-generic
  • 4.15.0-112-generic
  • 4.15.0-121-generic
  • 4.15.0-124-generic
AliyunOS 2.1903
  • 4.19.81-17.al7.x86_64
  • 4.19.81-17.2.al7.x86_64
  • 4.19.91-18.al7.x86_64
  • 4.19.91-19.1.al7.x86_64
  • 4.19.91-21.al7.x86_64
  • 4.19.91-22.2.al7.x86_64
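
Before enabling alerting mode or planning whitelist entries, you can check a server's kernel against the table above. The following is an added example, not part of Security Center; the function name `wtp_kernel_supported` and its OS keys are hypothetical, and for CentOS 6 and 7 it checks only the kernel prefix, not the minor release.

```shell
# Added example: look up an OS/kernel pair in the table above.
# wtp_kernel_supported and its OS keys are hypothetical names for this sketch.
wtp_kernel_supported() {
  # $1 = OS key, $2 = kernel release as printed by `uname -r`
  case "$1" in
    centos6-7)
      # Prefix rules from the table: 2.6.32-** and 3.10.0-**
      case "$2" in 2.6.32-*|3.10.0-*) return 0 ;; esac
      return 1 ;;
    centos8) _wtp_list="4.18.0-80.11.2.el8_0.x86_64 4.18.0-147.5.1.el8_1.x86_64
      4.18.0-147.8.1.el8_1.x86_64 4.18.0-193.el8.x86_64
      4.18.0-193.6.3.el8_2.x86_64 4.18.0-193.28.1.el8_2.x86_64
      4.18.0-240.1.1.el8_3.x86_64 4.18.0-240.15.1.el8_3.x86_64" ;;
    ubuntu14.04) _wtp_list="3.13.0-32-generic 3.13.0-65-generic 3.13.0-86-generic
      3.13.0-145-generic 3.13.0-164-generic 3.13.0-170-generic
      3.19.0-80-generic 4.4.0-93-generic" ;;
    ubuntu16.04) _wtp_list="4.4.0-62-generic 4.4.0-63-generic 4.4.0-93-generic
      4.4.0-117-generic 4.4.0-142-generic 4.4.0-151-generic 4.4.0-154-generic
      4.4.0-157-generic 4.4.0-174-generic 4.4.0-178-generic 4.4.0-179-generic
      4.4.0-184-generic 4.4.0-194-generic" ;;
    ubuntu18.04) _wtp_list="4.15.0-23-generic 4.15.0-42-generic 4.15.0-45-generic
      4.15.0-52-generic 4.15.0-70-generic 4.15.0-88-generic 4.15.0-91-generic
      4.15.0-109-generic 4.15.0-112-generic 4.15.0-121-generic
      4.15.0-124-generic" ;;
    aliyunos2.1903) _wtp_list="4.19.81-17.al7.x86_64 4.19.81-17.2.al7.x86_64
      4.19.91-18.al7.x86_64 4.19.91-19.1.al7.x86_64 4.19.91-21.al7.x86_64
      4.19.91-22.2.al7.x86_64" ;;
    *) return 1 ;;
  esac
  # The remaining rows list exact kernel builds, so require an exact match.
  for _wtp_k in $_wtp_list; do
    if [ "$_wtp_k" = "$2" ]; then return 0; fi
  done
  return 1
}

# Constructed sample pairs, not taken from a real host.
for _wtp_pair in "centos6-7 3.10.0-1160.el7.x86_64" "ubuntu18.04 5.4.0-42-generic"; do
  set -- $_wtp_pair
  if wtp_kernel_supported "$1" "$2"; then echo "$1 $2: listed"
  else echo "$1 $2: not listed"; fi
done
```

On a server, pass `"$(uname -r)"` as the second argument together with the key for that server's OS row.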

Add blocked processes to a whitelist

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Defense > Tamper Protection.
  3. On the Protection tab of the page that appears, view or search for the suspicious processes for which alerts are generated and that you want to add to the whitelist.
  4. Add the suspicious processes to the whitelist.
    Warning: Attackers may exploit the processes in the whitelist to compromise your servers. We recommend that you add processes to the whitelist only if the processes are trusted.
    • Add a suspicious process for which an alert is generated to the whitelist
      1. In the alert event list on the Protection tab, find the suspicious process that you want to add to the whitelist.
      2. In the Actions column, click Process.
      3. In the dialog box that appears, select Add to Whitelist for Process Method.

        A process may run on multiple servers or run in multiple directories on the same server. If you want to add the process to the whitelist, select Process servers with the same process at the same time.

      4. Click Process Now.
    • Add multiple suspicious processes for which alerts are generated to the whitelist at a time
      1. In the alert event list on the Protection tab, find the suspicious processes that you want to add to the whitelist.
      2. Click Add to Whitelist below the list.
      3. Click OK.
      You can click the number below Whitelist to go to the Process Management panel. In the upper-right corner of the panel, click Enter the whitelist. In the dialog box that appears, configure Process Path and Server Name/IP to add multiple suspicious processes to the whitelist at a time.

View the processes in the whitelist or remove the processes from the whitelist

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Defense > Tamper Protection.
  3. On the Protection tab, click the number below Whitelist.
  4. In the Process Management panel, view the processes in the whitelist or remove the processes from the whitelist.
    • View the processes in the whitelist

      In the Process Management panel, you can view the information about all suspicious processes that are added to the whitelist. The information includes the servers on which the processes run, the paths in which the processes are located, and the number of file writing attempts.

    • Remove the processes from the whitelist

      In the Process Management panel, you can find the suspicious process that you want to remove and click Cancel whitelist in the Actions column.

      You can also select multiple suspicious processes and click Cancel whitelist below the list to remove these processes from the whitelist at a time.