Security Center provides the malicious behavior defense feature to protect servers. You can create custom defense rules based on your business requirements. This topic describes how to create custom defense rules to add false positive alerts to the whitelist.
Limits
Only the Advanced, Enterprise, and Ultimate editions of Security Center support this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.
Procedure
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose .
On the Malicious Behavior Defense tab, click the Custom defense rules tab. Then, click New rule.
In the New rule panel, configure the parameters in the Add rule step and click Next.
Note: You can specify string equations for parameters. Example: 'a' = 'a'. You can also use an asterisk (*) to match a string or an empty string. We recommend that you configure parameters in one of the following formats: *Characteristic string*, *Characteristic string, or Characteristic string*. You can use the following logical operators to configure parameters: |, &, !. Example: &!*Characteristic string*. A vertical bar (|) indicates the OR operator, an ampersand (&) indicates the AND operator, and an exclamation point (!) indicates the NOT operator. |!*Characteristic string* is not supported. You can leave the Parent Process Path and Parent Command Line parameters empty.
Process hash: If you receive a false positive alert shown in the following figure and the alert is triggered by an MD5 hash value of a malicious file, you can create a custom defense rule of the Process hash type to add the false positive alert to the whitelist. To create the rule, configure the parameters based on the following table.
Note: The system blocks the malicious file based on the value of the Malicious File MD5 field.
Rule name: Enter a name for the rule. We recommend that you enter a name based on the type of the false positive alert. Example: mining program.
Rule type: Select Process hash.
Process MD5: Enter the value of the Malicious File MD5 field that is displayed in the details panel of the false positive alert. Example: d2f295a89555579c39a0507e96XXXXXX.
Action: Select Allow.
Command line: If you receive a false positive alert shown in the following figure and the alert is triggered by a process startup or a command line, you can create a custom defense rule of the Command line type to add the false positive alert to the whitelist. To create the rule, configure the parameters based on the following table.
Note: The system blocks the process startup or command line based on the value of the Process of executing command or Command in execution field.
Rule name: Enter a name for the rule. We recommend that you enter a name based on the type of the false positive alert. Example: process startup.
Rule type: Select Command line.
OS Type: Select the type of your operating system. In this example, linux is used.
Process Path: Enter the value of the Process of executing command field that is displayed in the details panel of the false positive alert. Example: */pkill.
Command Line: Enter the value of the Command in execution field that is displayed in the details panel of the false positive alert. Example: *AliYunDun*.
Action: Select Allow.
Process Network: If you receive a false positive alert shown in the following figure and the alert is triggered by a network process, you can create a custom defense rule of the Process Network type to add the false positive alert to the whitelist. To create the rule, configure the parameters based on the following table.
Note: The system blocks the network process based on the value of the IP, Port, or Process Path Of Network Communication field.
Rule name: Enter a name for the rule. We recommend that you enter a name based on the type of the false positive alert. Example: network process.
Rule type: Select Process Network.
OS Type: Select the type of your operating system. In this example, windows is used.
Process Path: Enter the value of the Process Path Of Network Communication field that is displayed in the details panel of the false positive alert. Example: */powershell.exe.
Command Line: Enter the value of the Process Commands For Network Communication field that is displayed in the details panel of the false positive alert. Example: *dAByAhADQAKAHsADQAkACXXXXXX*.
IP Address: Enter the value of the IP field that is displayed in the details panel of the false positive alert. Example: 45.117.XX.XX.
Port: Enter the value of the Port field that is displayed in the details panel of the false positive alert. Example: 14XX.
Action: Select Allow.
File Read and Write: If you receive a false positive alert shown in the following figure and the alert is triggered by file reads or writes, you can create a custom defense rule of the File Read and Write type to add the false positive alert to the whitelist. To create the rule, configure the parameters based on the following table.
Note: The system blocks the file based on the value of the target document field.
Rule name: Enter a name for the rule. We recommend that you enter a name based on the type of the false positive alert. Example: file read and write.
Rule type: Select File Read and Write.
OS Type: Select the type of your operating system. In this example, linux is used.
Process Path: Enter the value of the Process of executing command field that is displayed in the details panel of the false positive alert. Example: */java.
Command Line: Enter the value of the Command in execution field that is displayed in the details panel of the false positive alert. Example: *weaver*.
File Path: Enter the value of the target document field that is displayed in the details panel of the false positive alert. Example: */console_login.jsp.
Action: Select Allow.
You can create a custom defense rule for registry protection.
Scenario 1: If you receive a false positive alert shown in the following figure and the alert is triggered by a registry, you can create a custom defense rule of the Operation on Registry type to add the false positive alert to the whitelist. To create the rule, configure the parameters based on the following table.
Note: The system blocks the registry based on the value of the Registry Path or Registry Value field.
Rule name: Enter a name for the rule. We recommend that you enter a name based on the type of the false positive alert. Example: registry protection.
Rule type: Select Operation on Registry.
OS Type: The value is fixed to windows and cannot be changed.
Process Path: Enter the value of the Process of executing command field that is displayed in the details panel of the false positive alert. Example: */iexplore.exe.
Command Line: Enter the value of the Command in execution field that is displayed in the details panel of the false positive alert. Example: *iexplore.exe*.
Registry Key: Enter the value of the Registry Path field that is displayed in the details panel of the false positive alert. Example: *currentversion*.
Registry Value: Enter the value of the Registry Value field that is displayed in the details panel of the false positive alert. Example: *svch0st.exe*.
Action: Select Allow.
Scenario 2: If you receive a false positive alert shown in the following figure and the alert is triggered by a registry, you can create a custom defense rule of the Operation on Registry type to add the false positive alert to the whitelist. To create the rule, configure the parameters based on the following table.
Note: The system blocks the registry based on the value of the Hijacked process path or Malicious so file path field.
Rule name: Enter a name for the rule. We recommend that you enter a name based on the type of the false positive alert. Example: registry protection.
Rule type: Select Dynamic-link Library Loading.
OS Type: Select the type of your operating system. In this example, linux is used.
Process Path: Enter the value of the Hijacked process path field that is displayed in the details panel of the false positive alert. Example: */python*.
Command Line: Enter the value of the hijacked process command field that is displayed in the details panel of the false positive alert. Example: *python*.
File Path: Enter the value of the Malicious so file path field that is displayed in the details panel of the false positive alert. Example: /usr/local/lib/kswapd0.so.
Action: Select Allow.
File Renaming: If you receive a false positive alert shown in the following figure and the alert is triggered by a file rename operation, you can create a custom defense rule of the File Renaming type to add the false positive alert to the whitelist. To create the rule, configure the parameters based on the following table.
Note: The system blocks the file based on the value of the target document field.
Rule name: Enter a name for the rule. We recommend that you enter a name based on the type of the false positive alert. Example: file renaming.
Rule type: Select File Renaming.
OS Type: The value is fixed to windows and cannot be changed.
Process Path: Enter the value of the Process of executing command field that is displayed in the details panel of the false positive alert. Example: */cdgregedit.exe.
Command Line: Enter the value of the Command in execution field that is displayed in the details panel of the false positive alert. Example: *CDGRegedit.exe*.
File Path: Enter the value of the target document field that is displayed in the details panel of the false positive alert. Example: c:/programdata/hipsdata/private/*.
New File Path: Enter the value of the target document field that is displayed in the details panel of the false positive alert. Example: c:/programdata/hipsdata/private/*.
Action: Select Allow.
In the Change host step, select the assets to which you want to apply the rule and click Finish.
By default, a newly created custom defense rule is enabled. You can modify and manage the servers to which the rule is applied.
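The following added example (not Security Center's own code) models the parameter syntax from the note above and applies the Command line rule from this topic (*/pkill, *AliYunDun*) to two constructed alerts. It assumes that an asterisk matches any string including the empty string, that matching is anchored to the whole field and case-insensitive, that terms are combined left to right with & as AND and | as OR, that ! negates the term after it, and that an empty parameter matches anything; these are assumptions, since the page only gives examples.

```python
import re

def wildcard_to_regex(pattern):
    """'*' matches any string, including the empty string; everything else is literal.
    Anchoring and case-insensitivity are assumptions, not documented behaviour."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)

# One term: optional connector (| or &), optional negation (!), then a wildcard pattern.
_TERM = re.compile(r"([|&]?)(!?)([^|&!]+)")

def match_expression(expr, value):
    """Evaluate a rule parameter such as '*a*&!*b*' against one alert field.
    Assumed semantics: terms are read left to right, '&' ANDs and '|' ORs the term
    with the result so far, '!' negates the following term, '' matches anything."""
    if expr == "":
        return True
    if "|!" in expr:
        raise ValueError("'|!' is not supported")  # stated on the page
    result = None
    for connector, negate, pattern in _TERM.findall(expr):
        hit = bool(wildcard_to_regex(pattern).match(value))
        if negate:
            hit = not hit
        if result is None:
            result = hit
        elif connector == "|":
            result = result or hit
        else:
            result = result and hit
    return bool(result)

# Parameters a Command line rule can carry; parent fields may be left empty (page note).
_FIELDS = ("process_path", "command_line", "parent_process_path", "parent_command_line")

def rule_allows(rule, alert):
    """A rule whitelists an alert only if every configured parameter matches."""
    return all(match_expression(rule.get(f, ""), alert.get(f, "")) for f in _FIELDS)

# Constructed sample data: the Command line rule from this topic and two alerts.
PKILL_RULE = {"rule_name": "process startup", "rule_type": "Command line",
              "os_type": "linux", "process_path": "*/pkill",
              "command_line": "*AliYunDun*", "action": "Allow"}
ALERT_AGENT_RESTART = {"process_path": "/usr/bin/pkill",
                       "command_line": "pkill -f AliYunDun"}   # whitelisted
ALERT_OTHER = {"process_path": "/usr/bin/pkill",
               "command_line": "pkill -f sshd"}                # still blocked

if __name__ == "__main__":
    for alert in (ALERT_AGENT_RESTART, ALERT_OTHER):
        print(alert["command_line"], "->", "allow" if rule_allows(PKILL_RULE, alert) else "block")
```

Because the Process Path pattern is anchored, */pkill matches /usr/bin/pkill but not /usr/bin/pkill2; keep whitelist patterns as narrow as the alert allows so the rule does not silence unrelated detections.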