The agentless detection feature uses agentless technology to detect security risks on Elastic Compute Service (ECS) instances. You do not need to install the Security Center agent. The feature supports non-intrusive security checks to detect vulnerabilities, baseline risks, and alerts on ECS instances that are in the shutdown, idle, or heavily loaded state. The feature does not affect the performance of ECS instances. This topic describes how to use the agentless detection feature.
Scenarios
You can perform comprehensive security checks on the system disk and data disks of an ECS instance on which the Security Center agent is not installed.
End of public preview
On January 31, 2024, the agentless detection feature was officially released for commercial use.
If you did not apply for a trial of the feature before January 31, 2024, you can no longer apply for the trial. To use the feature, you must purchase the feature by using the pay-as-you-go billing method.
If you applied for a trial of the feature before January 31, 2024, you can continue using the feature until March 5, 2024. From March 5, 2024, if you want to continue using the feature, you must purchase the feature by using the pay-as-you-go billing method.
If your Alibaba Cloud account is used to enable the feature in public preview, you can skip Step 1 and go to Step 2. For more information, see Step 1: Purchase the agentless detection feature by using the pay-as-you-go billing method and Step 2: Create a detection task.
Billing
The agentless detection feature uses the pay-as-you-go billing method, and you are charged based on the amount of data that is scanned. The system generates a bill on the next day after you use the feature to scan data. For more information, see Billing overview.
If you create a detection task for an ECS instance, the system creates an image for the ECS instance. You are charged for the image based on the size and storage period of the image, and the fees are included in ECS bills. For more information, see Images.
Limits
| Item | Description |
| --- | --- |
| Server | The agentless detection feature supports only Alibaba Cloud ECS instances. |
| Region | The agentless detection feature is supported in the following regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Shenzhen), China (Zhangjiakou), China (Hong Kong), Singapore, and US (Virginia). |
| Operating system | The agentless detection feature does not support the FreeBSD operating system. |
| Encrypted disk | The agentless detection feature cannot check encrypted system disks or data disks. |
| Disk | |
| File system | |
| Detection task | |
| Risk handling | The agentless detection feature can detect but cannot fix vulnerabilities, baseline risks, malicious files, and sensitive files. If risks are detected, you must manually handle the risks based on the information provided on the risk details page. |
| Retention period of check results | |
Step 1: Purchase the agentless detection feature by using the pay-as-you-go billing method
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. You can select China or Outside China.
In the left-side navigation pane, choose .
On the Agentless Detection page, click Activate Now.
In the dialog box that appears, read and select I have read and agree to Security Center (Pay-as-you-go) Terms of Service. Then, click Activate Now.
Step 2: Create a detection task
After you create a detection task for your ECS instance, the system creates a snapshot or an image of the ECS instance. Then, the system scans data in the snapshot or image to check whether risks such as vulnerabilities, alerts, baseline risks, and sensitive files exist on the ECS instance.
Create an immediate detection task
On the Agentless Detection page, click Create Detection Task.
In the Create Detection Task panel, select the ECS instance that you want to check and click Next.
Configure the Scan Scope and Snapshot/Image Storage Time parameters. Then, click Next.
We recommend that you set the Scan Scope parameter to Data Disk. Scanning the complete data source improves detection coverage, for example for vulnerabilities and alerts.
You are charged for snapshots or images that are created. A longer retention period of the snapshots or images leads to higher fees. You can select Retain Only At-risk Snapshots or Images based on your business requirements. If you select Retain Only At-risk Snapshots or Images, a created snapshot or image is immediately released if no risks are detected. Only at-risk images or snapshots are retained. This reduces storage costs.
Click Go to Task List to view the progress of the task.
After you create the task, Security Center automatically creates a snapshot or an image and then scans data in the snapshot or image. The time that is required to complete the task increases with the number of ECS instances that need to be checked.
Create a periodic detection task
On the Agentless Detection page, click Scan Configuration.
In the Scan Configuration panel, configure the Scan Object, Scan cycle, Scan Assets, Scope, Baseline Check Scope, Vulnerability Detection Scope, and Snapshot/Image Storage Time parameters. You can also select or clear Retain Only At-risk Snapshots or Images.
Click Save.
Step 3: View the progress of the detection task
Before you can view the results of the detection task that you create, make sure that the task is complete. You can view the progress of a detection task to check whether the task is complete.
In the upper-right corner of the Agentless Detection page, click Task Management.
In the Task Management panel, view the progress of the task.
Find the task whose details you want to view and click Details in the Action column. In the Task Details panel, check whether the name of the ECS instance that you specify in Step 2 is displayed, and view the status of the task on the ECS instance.
If the task fails, you can view the cause of the failure in the Task Details panel and resolve the issue based on the following table.
| Cause | Solution |
| --- | --- |
| Current region unsupported | None. Check the regions in which the agentless detection feature is supported. For more information, see Limits. This error is returned only if you call an API operation to create the detection task. |
| Disk connection failed | Click Retry in the Action column to reconnect to the disk. |
| Image creation failed | Check whether the number of existing images exceeds the upper limit. If the upper limit is exceeded, you can delete some historical images or increase the upper limit. For more information, see View and increase resource quotas. |
Step 4: View the detection results
The Agentless Detection page displays all risks that are detected on ECS instances. If an ECS instance undergoes multiple checks, only the results of the most recent check are displayed.
View the details of a risk
On the Agentless Detection page, click the Vulnerability, Baseline Check, Security Alerts, or Sensitive File tab, find a risk whose details you want to view, and then click View or Details in the Actions column.
Handle the risk based on the risk description provided by Security Center.
Download the detection results
You can download a report of detection results by task or ECS instance.
In the upper-right corner of the Agentless Detection page, click Task Management.
Download a report of detection results for a task: In the Task Management panel, find a task and click Download Report.
Download a report of detection results for an ECS instance: In the Task Management panel, find a task that is performed on an ECS instance and click Details in the Actions column. In the Task Details panel, find the ECS instance and click Download Report in the Actions column.
Step 5: (Optional) Configure a whitelist
Configure a vulnerability whitelist
If you confirm that a vulnerability is acceptable or poses only a low risk, you can configure a vulnerability whitelist to ignore the vulnerability. In the next detection task, if Security Center detects the vulnerability on assets within the effective scope of the whitelist rule, Security Center does not display the vulnerability on the Vulnerability tab. After you configure whitelist settings, the vulnerability remains on the Vulnerability tab until the next detection task is run.
Directly add a vulnerability to the whitelist
On the Vulnerability tab of the Agentless Detection page, find the vulnerability that you want to add to the whitelist and click Add to Whitelist in the Actions column. In the Add to Whitelist dialog box, enter a description and click OK.
Then, Security Center automatically creates a whitelist rule on the Vulnerability Whitelist tab.
Create a whitelist rule
In the upper-right corner of the Agentless Detection page, click Scan Configuration. On the Vulnerability Whitelist tab of the Scan Configuration panel, click Add rules. In the Add Vulnerability Whitelist Rule panel, configure the Vulnerability Type, Vulnerability Name, Rule Scope, and Remarks parameters. Then, click OK.
If you directly add a vulnerability to the whitelist, the whitelist rule automatically takes effect on all assets. If you create a whitelist rule, you can configure whether the whitelist rule takes effect on all assets or specific assets. If you want to add a vulnerability to the whitelist for specific assets, you must create a vulnerability whitelist rule.
Configure a baseline whitelist
If you confirm that the risks detected by specific baseline check items are low, you can configure a baseline whitelist to ignore those check items. In the next detection task, if Security Center detects baseline risks by using these check items on assets within the effective scope of the whitelist rule, Security Center does not display the check items on the Baseline Check tab. After you configure whitelist settings, the baseline check items remain on the Baseline Check tab until the next detection task is run.
Directly add a baseline check item to the whitelist
On the Baseline tab of the Agentless Detection page, find the baseline check item that you want to add to the whitelist and click Add to Whitelist in the Actions column. In the Add to Whitelist dialog box, enter a description and click OK.
Then, Security Center automatically creates a whitelist rule on the Baseline Whitelist tab.
Create a whitelist rule
In the upper-right corner of the Agentless Detection page, click Scan Configuration. On the Baseline Whitelist tab of the Scan Configuration panel, click Add rules. In the Create Baseline Whitelist Rule panel, configure the Check Item Type, Check Item, Rule Scope, and Remarks parameters. Then, click OK.
If you directly add a baseline check item to the whitelist, the whitelist rule automatically takes effect on all assets. If you create a whitelist rule, you can configure whether the whitelist rule takes effect on all assets or specific assets. If you want to add a baseline check item to the whitelist for specific assets, you must create a whitelist rule.
Configure an alert whitelist
If you confirm that a false positive is generated for a file and you want to prevent unnecessary alerts, you can configure an alert whitelist and add the file to the whitelist. If Security Center detects the file on the assets on which the whitelist takes effect in the next detection task, no alerts are generated.
Directly add a file to the whitelist
On the Alerts tab of the Agentless Detection page, find the alert that you want to add to the whitelist and click Add to Whitelist in the Actions column. In the Add to Whitelist dialog box, enter a description and click OK.
Create a whitelist rule
In the upper-right corner of the Agentless Detection page, click Scan Configuration. On the Alert Whitelist tab of the Scan Configuration panel, click Add rules. In the Add rules panel, configure the parameters and click OK.
| Parameter | Description |
| --- | --- |
| Alert Name | The default value is All Alerts, which indicates that the whitelist rule takes effect on all types of alerts. You cannot change the value. |
| Whitelist Field | The default value is fileMd5, which indicates that the MD5 hash value of a file is added to the whitelist. You cannot change the value. |
| Wildcard Character | You can select only Equal To. |
| Rule Content | The MD5 hash value of a file. |
| Rule Scope | The assets on which you want to apply the rule. |
If you directly add an alert to the whitelist, the whitelist rule automatically takes effect on all assets. If you create a whitelist rule, you can configure whether the whitelist rule takes effect on all assets or specific assets. If you want to add a file to the whitelist for specific assets, you must create a whitelist rule.
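The alert whitelist rule described above (fixed fileMd5 field, Equal To operator, an MD5 value, and a rule scope of all assets or specific assets) modelled in Python as an added example; this is not Alibaba Cloud's code, and the field names, the scope representation, and the instance IDs and file contents are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Scope value used when an alert is added to the whitelist directly
# (the page states that such rules take effect on all assets).
ALL_ASSETS = "all"


@dataclass(frozen=True)
class AlertWhitelistRule:
    """One rule with the fields shown in the console table (field names assumed)."""
    rule_content: str                  # MD5 hex digest of the whitelisted file
    rule_scope: object = ALL_ASSETS    # "all" or a frozenset of ECS instance IDs
    alert_name: str = "All Alerts"     # fixed default in the console
    whitelist_field: str = "fileMd5"   # fixed default in the console
    wildcard: str = "Equal To"         # only supported operator
    remarks: str = ""


def file_md5(data: bytes) -> str:
    """Compute the value that goes into Rule Content for a given file."""
    return hashlib.md5(data).hexdigest()


def rule_matches(rule: AlertWhitelistRule, instance_id: str, md5: str) -> bool:
    """True if the rule covers this asset and the file hash is an exact match."""
    if rule.whitelist_field != "fileMd5" or rule.wildcard != "Equal To":
        raise ValueError("only fileMd5 with Equal To is supported")
    in_scope = rule.rule_scope == ALL_ASSETS or instance_id in rule.rule_scope
    return in_scope and rule.rule_content.lower() == md5.lower()


def is_suppressed(rules, instance_id: str, file_bytes: bytes) -> bool:
    """Would an alert for this file on this instance be hidden by any rule?"""
    digest = file_md5(file_bytes)
    return any(rule_matches(r, instance_id, digest) for r in rules)


# Constructed sample data: a benign script and a one-byte variant of it.
SAMPLE_FILE = b"#!/bin/sh\necho maintenance job\n"
MODIFIED_FILE = b"#!/bin/sh\necho maintenance job!\n"
RULES = [
    # Created via "Create a whitelist rule" with Rule Scope limited to one instance.
    AlertWhitelistRule(file_md5(SAMPLE_FILE), frozenset({"i-example-01"}), remarks="ops script"),
]


def demo() -> dict:
    return {
        "in_scope": is_suppressed(RULES, "i-example-01", SAMPLE_FILE),
        "other_instance": is_suppressed(RULES, "i-example-02", SAMPLE_FILE),
        "modified_file": is_suppressed(RULES, "i-example-01", MODIFIED_FILE),
    }
```

Because the rule matches on the exact MD5, any change to the file (as with MODIFIED_FILE) means the entry no longer applies and the alert is shown again.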
Risks that can be detected
Vulnerabilities
The agentless detection feature can detect Linux software vulnerabilities, Windows system vulnerabilities, and application vulnerabilities.
Baseline risks
| Baseline category | Baseline check item |
| --- | --- |
| CIS Compliance checks | |
| MLPS Compliance | |
| Best security practices | |
Alerts
| Alert type | Description | Supported check item |
| --- | --- | --- |
| Malicious script | Security Center checks whether the system services of your assets are attacked or modified by malicious scripts. The behavior of potential attacks that are based on malicious scripts is included in the detection results. Malicious scripts are classified into file-based scripts and fileless scripts. After an attacker gains control over a server, the attacker uses scripts for additional attacks. For example, the attacker may insert mining programs and webshells, and add administrator accounts to the system of the server. | Supported programming languages for detection include Shell, Python, Perl, PowerShell, VBScript, and BAT. |
| Webshell | Security Center checks whether the script files in your assets are malicious and whether webshell communications and management exist. After a server is inserted with webshells, the attacker can gain control over the server and use scripts for additional attacks. | Supported programming languages for detection include PHP, JSP, ASP, and ASPX. |
| Malware | Security Center checks whether the binary files in your assets are malicious and whether the binary files can cause damage to or persistent control over the assets. After a server is inserted with binary files, the attacker can gain control over the server and then launch attacks such as mining, DDoS attacks, or asset file encryption. Malicious binary files include mining programs, trojans, webshells, attacker tools, ransomware, and worms. | Tainted basic software, Suspicious program, Spyware, Trojan, Infectious virus, Worm, Exploit, Self-mutating trojan, Attacker tool, DDoS trojan, Reverse shell, Malicious program, Rootkit, Trojan downloader, Scanner, Riskware, Proxy, Ransomware, Webshells, Mining program |
FAQ
What are the differences between the agentless detection feature and the feature of virus detection and removal?
The following table describes the differences between the features.
| Item | Agentless detection | Virus detection and removal |
| --- | --- | --- |
| Detection scope | The agentless detection feature can detect vulnerabilities, baseline risks, alerts, and sensitive files. The feature cannot handle the detected risks. | The feature of virus detection and removal can detect and remove viruses, and quarantine source files that are related to the detected viruses in an efficient manner. |
| Detection method | The agentless detection feature scans data in the snapshot or image that is created for a server to check whether risks exist on the server. This does not affect the running performance of the server. | The feature of virus detection and removal scans data in the system of a server to check whether persistent viruses exist on the server during the runtime of the server. |
| Enabling method | You must purchase the agentless detection feature by using the pay-as-you-go billing method. | You must purchase Security Center Anti-Virus or higher, and install the Security Center agent on your server. |