Persistent viruses, such as ransomware and mining programs, have become major threats to network security. To prevent persistent viruses from intruding into your servers, Security Center provides the antivirus feature, which scans for persistent viruses and generates alerts when they are detected. The feature also supports virus deep cleaning and data backup.


Only the Anti-virus, Advanced, Enterprise, and Ultimate editions of Security Center support this feature. If you use the Basic edition, you must upgrade Security Center to the Anti-virus, Advanced, Enterprise, or Ultimate edition before you can use this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that each edition supports, see Features.

Background information

Before you use the antivirus feature, we recommend that you turn on Virus Blocking on the Settings page. After you turn on Virus Blocking, Security Center automatically detects and removes common trojans, ransomware, mining viruses, and DDoS trojans. For more information, see Use proactive defense.

Note: The antivirus feature supports a limited number of operating system versions. Servers that use unsupported operating system versions cannot use the data backup feature. For more information about supported operating system versions, see Supported operating system versions.


The antivirus feature provides a general anti-ransomware solution. For more information, see How it works. The antivirus feature also provides the following capabilities:
  • Virus scan

    The security experts of Security Center automatically analyze attack methods based on a large number of persistent virus samples, and Alibaba Cloud has developed a machine learning antivirus engine based on the analysis results. Virus scan uses this engine together with a virus library that is updated in real time, so that viruses are detected at the earliest opportunity. You can create virus scan tasks to check whether your servers have been compromised by viruses. For more information, see Scan for viruses.

  • Alert management

    The antivirus feature allows you to manage virus alerts. You can perform deep cleaning tasks on persistent viruses, such as ransomware and mining programs. Virus deep cleaning can remove persistent viruses by terminating virus processes, quarantining malicious files, and removing inserted viruses. For more information, see Handle virus alerts.

  • Data backup

    The antivirus feature provides anti-ransomware data backup. If ransomware compromises your servers, you can use the backups to restore data and reduce loss. You can create protection policies to back up the data of core servers. For more information, see Create an anti-ransomware policy. If you want to restore server data, you can create restoration tasks. For more information, see Create a restoration task.

How it works

Ransomware has been a major threat to enterprises and individuals. If the core data or files stored on the servers are encrypted by attackers, paying the ransom is the only solution. Ransomware has caused tremendous loss to numerous enterprises and individuals. To help enterprises and individuals handle ransomware, Alibaba Cloud releases a general anti-ransomware solution. This solution provides layer-by-layer protection against ransomware.

The solution consists of the following layers of protection:
  • Block recognized ransomware in real time

    Security Center has blocked a large amount of ransomware recognized by the Alibaba Cloud intelligence library. Security Center blocks ransomware at the earliest opportunity to prevent potential loss.

  • Trap and block new ransomware
    Security Center sets trap directories to block potential ransomware activities. To block new ransomware, Security Center immediately blocks unusual encryption activities when they are detected. In addition, Security Center generates alerts to notify you of the potential threats.
    Note: On the Settings page of the Security Center console, turn on Anti-ransomware (Bait Capture) in the Proactive Defense section of the General tab. For more information, see Use proactive defense. After you turn on Anti-ransomware (Bait Capture), Security Center sets trap directories on your servers to block potential ransomware activities. If you find a suspicious directory on your server, contact after-sales services or submit a ticket to check whether the directory is a trap directory set by Security Center. Trap directories do not affect your workloads and are not malicious. Trap directories cannot be manually deleted.
  • Restore infected files

    In addition to anti-ransomware, Security Center supports data backup. This feature periodically backs up data and allows you to restore server data based on the specified time or file version. In scenarios in which files on your servers are encrypted, you can restore the data to ensure the security of your servers.
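The trap-directory layer described above can be illustrated with a small integrity check. This is an added example, not Security Center's own implementation: it only detects changes on demand and does not block anything, and the bait file names, the entropy threshold of 7.0 bits per byte, and all function names are assumptions made for illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def plant_baits(trap_dir, names=("0_invoice.docx", "0_payroll.xlsx")):
    """Create low-entropy bait files and return a baseline {name: sha256}."""
    os.makedirs(trap_dir, exist_ok=True)
    baseline = {}
    for name in names:
        body = (f"bait file {name}\n" * 200).encode()  # constructed content
        with open(os.path.join(trap_dir, name), "wb") as f:
            f.write(body)
        baseline[name] = hashlib.sha256(body).hexdigest()
    return baseline

def check_trap(trap_dir, baseline, entropy_limit=7.0):
    """Compare the trap directory with its baseline and return findings."""
    findings, present = [], set(os.listdir(trap_dir))
    for name, digest in baseline.items():
        if name not in present:  # bait deleted or renamed
            findings.append(("missing", name))
            continue
        with open(os.path.join(trap_dir, name), "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() != digest:
            kind = "encrypted?" if entropy(data) > entropy_limit else "modified"
            findings.append((kind, name))
    findings += [("unexpected", n) for n in sorted(present - set(baseline))]
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        base = plant_baits(tmp)
        # Constructed stand-in for ciphertext: uniformly distributed bytes.
        with open(os.path.join(tmp, "0_invoice.docx"), "wb") as f:
            f.write(bytes(range(256)) * 16)
        os.rename(os.path.join(tmp, "0_payroll.xlsx"),
                  os.path.join(tmp, "0_payroll.xlsx.locked"))
        print(check_trap(tmp, base))
```

Because legitimate software has no reason to touch bait files, any finding from the check is a high-confidence signal worth alerting on.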

Supported operating system versions

| Operating system | Supported versions |
| --- | --- |
| Windows | 7, 8, and 10 |
| Windows Server | 2008 R2, 2012, 2012 R2, 2016, and 2019 |
| Red Hat Enterprise Linux (RHEL) | 7.0, 7.2, 7.4, 7.5, 7.6, 7.7, 7.8, 8, 8.1, and 8.2 |
| CentOS | 6.5, 6.9, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 8.2, and 8.3 |
| Ubuntu | 14.04, 16.04, 18.04, and 20.04 |
| SUSE Linux Enterprise Server | 11, 12, and 15 |

Antivirus suggestions

When you use Security Center to block ransomware, perform the following steps:
  1. Before the process: Enable the antivirus feature and create protection policies

    The antivirus feature provides the data backup capability. You must enable the antivirus feature and create protection policies to back up the core data of your servers. For more information, see Enable anti-ransomware and Create an anti-ransomware policy.

  2. During the process: Handle ransomware alerts and create restoration tasks
    Security Center generates alerts when ransomware activities are detected. If you receive ransomware alerts, we recommend that you troubleshoot the causes and handle the alerts at the earliest opportunity. For more information, see View and handle alerts. If the data on your servers is encrypted by ransomware, you can create restoration tasks to restore the encrypted data. For more information, see Create a restoration task.
  3. After the process: Scan for server vulnerabilities and reinforce security
    To further reduce the risk of ransomware attacks, we recommend that you perform the following steps:
    • Regularly fix system vulnerabilities to prevent vulnerabilities from being exploited by attackers. You can use the vulnerability fixing feature provided by Security Center. For more information, see Overview.
    • Enable two-factor authentication for servers that are important. Do not use weak passwords on your servers.
    • Make sure that only necessary ports are accessible over the Internet.