The antivirus feature uses the machine learning-based antivirus engine that is provided by Alibaba Cloud and a virus library that is updated in real time. You can use the feature to scan the items in your system that are vulnerable to attacks. The items include persistent startup items, active processes, kernel modules, sensitive directories, and SSH public keys. You can also use the feature to clean up malicious threats on servers in an efficient manner. This topic describes how to use the antivirus feature.

Background information

Before you use the antivirus feature, we recommend that you enable the virus blocking feature. After you enable the virus blocking feature, Security Center automatically blocks malicious behavior to intercept threats such as common trojans, ransomware, mining viruses, and DDoS trojans. For more information about how to enable the virus blocking feature, see Use proactive defense.
The following list describes the types of viruses that can be detected and removed by the antivirus feature and the scan items that are supported:
  • Virus types: ransomware, mining programs, DDoS trojans, trojans, backdoor programs, malicious programs, high-risk programs, worms, suspicious programs, and self-mutating trojans.
  • Scan items: active processes, hidden processes, Docker processes, kernel modules, installed programs, preloading items of dynamic-link libraries, services, scheduled tasks, startup items, and sensitive directories.
Note Full scan is not supported. This helps reduce the consumption of server resources.
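The scan items listed above map to well-known persistence locations on a Linux host. As an added example that is not part of the Alibaba Cloud documentation or product, the following Python script reads the corresponding files under a given root directory (assumed typical paths: /etc/ld.so.preload for preloaded shared libraries, /etc/crontab and /etc/cron.d for scheduled tasks, /etc/rc.local for startup items, and root's authorized_keys for SSH public keys) so that an operator can cross-check a console finding directly on the server. A constructed sample filesystem is built in a temporary directory so the script runs offline.

```python
import os
import tempfile

# Persistence locations (relative to a root directory) that correspond to the
# scan items named in the text; the paths are assumed typical Linux defaults.
CHECKS = {
    "dll_preload": ["etc/ld.so.preload"],
    "scheduled_tasks": ["etc/crontab", "etc/cron.d"],
    "startup_items": ["etc/rc.local"],
    "ssh_public_keys": ["root/.ssh/authorized_keys"],
}

def _entries(path):
    """Return non-empty, non-comment lines from a file (or from every file in a directory)."""
    if os.path.isdir(path):
        lines = []
        for name in sorted(os.listdir(path)):
            lines.extend(_entries(os.path.join(path, name)))
        return lines
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.lstrip().startswith("#")]

def audit_persistence(root="/"):
    """Collect the active entries found in each persistence location under `root`."""
    findings = {}
    for item, rel_paths in CHECKS.items():
        found = []
        for rel in rel_paths:
            found.extend(_entries(os.path.join(root, rel)))
        findings[item] = found
    return findings

def build_sample_root():
    """Create a constructed sample filesystem (not real host data) for a dry run."""
    root = tempfile.mkdtemp(prefix="av_sample_")
    files = {
        "etc/ld.so.preload": "/usr/lib/libexample_preload.so\n",
        "etc/cron.d/backup": "# nightly backup\n0 2 * * * root /opt/backup.sh\n",
        "etc/rc.local": "#!/bin/sh\n/opt/agent/start.sh\n",
        "root/.ssh/authorized_keys": "ssh-ed25519 CONSTRUCTED_KEY_DATA admin@example\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root
```

Run `audit_persistence()` with the default root on a real server (as root) to list the live entries; an unexpected library in the preload list or an unfamiliar key in authorized_keys is the kind of finding the console scan reports.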

Limits

The antivirus feature is supported only in the Anti-virus, Advanced, Enterprise, and Ultimate editions of Security Center. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

Scan for viruses

The antivirus feature thoroughly scans all servers that are protected by Security Center to detect persistent viruses, such as ransomware and mining programs. You can perform immediate scan tasks or configure periodic scan tasks.

  1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Host Protection > Virus Defense.
  2. On the Virus Defense page, perform a virus scan task.
    • Perform an immediate scan task
      1. On the Virus Defense page, click Scan or Scan Again.
      2. In the Select the assets to scan. dialog box, select the assets that you want to scan and click Scan.
        Note The scan task requires 2 to 5 minutes to complete. Wait until the scan task is complete.
    • Configure a periodic scan task
      1. In the upper-right corner of the Virus Defense page, click Scan Settings.
      2. In the Defense Configuration panel, configure the Scan Cycle, Scanning mode, and Scan Assets parameters, and click Determine.

        Security Center automatically scans the assets that you specify based on the specified scan cycle and scan mode.

After the scan task is complete, we recommend that you view the scan results and handle the viruses that are detected at the earliest opportunity to ensure that your servers are not affected. For more information, see Handle alerts.

Handle alerts

Security Center provides complete capabilities to handle the threats that are detected. Security Center allows you to perform in-depth virus detection and removal with a few clicks. The following methods are used for in-depth virus detection and removal of persistent viruses: detect and remove malicious virus processes, quarantine malicious files, and remove persistence of viruses and trojans.

  1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Host Protection > Virus Defense.
  2. On the Virus Defense page, click Process Now.
  3. In the list of check results, find the server for which you want to handle alerts and click Process in the Actions column.
    If you want to handle alerts for multiple servers at a time, select the servers and click Batch handled. You can also click Process above the list of check results to handle all alerts.
  4. In the Alert Process dialog box, select a processing method and click Process Now.
    The following processing methods are available:
      • Deep cleanup: Performs in-depth virus detection on the server and removes detected viruses.
        Security Center conducted tests and analysis on persistent viruses and developed the Deep cleanup method to remove persistent viruses.
        If you use the Deep cleanup method, you can enable auto-snapshot to back up your system disks before you remove the viruses. This helps prevent data loss when you remove viruses.
      • Whitelist: Adds an alert to the whitelist. If the alert event recurs after the alert is added to the whitelist, Security Center no longer generates alerts.
      • Ignore: Ignores an alert. After the alert is ignored, the status of the alert changes to Ignored. If the alert event recurs, Security Center generates alerts again.
      • Handled manually: Select this method if you have already handled the alert manually. The status of the alert changes to Handled.