This topic provides answers to some frequently asked questions about features of Security Center. The features include anti-ransomware, antivirus, web tamper proofing, and application whitelist.

How do I purchase the anti-ransomware capacity?

If you use the Basic edition of Security Center, you can go to the Security Center buy page to upgrade Security Center to the Anti-virus, Advanced, Enterprise, or Ultimate edition, and purchase the anti-ransomware capacity. You can also purchase the Value-added Plan edition and purchase the anti-ransomware capacity. For more information, see Enable anti-ransomware.

If you use the Anti-virus, Advanced, Enterprise, or Ultimate edition, you can change the specifications and purchase a specific amount of anti-ransomware capacity. For more information, see Upgrade and downgrade Security Center. After you purchase the anti-ransomware capacity and grant Security Center the permissions to use your cloud resources, the anti-ransomware feature is automatically enabled.

What is the anti-ransomware feature? Why must I pay for the anti-ransomware feature?

The anti-ransomware feature is a new feature of Security Center, which provides a general anti-ransomware solution. You must purchase the storage that is used to store backup data.

If you use the Anti-virus, Advanced, Enterprise, or Ultimate edition, you can change the specifications and purchase a specific amount of anti-ransomware capacity. For more information, see Upgrade and downgrade Security Center. After you purchase the anti-ransomware capacity and grant Security Center the permissions to use your cloud resources, the anti-ransomware feature is automatically enabled.

The general anti-ransomware solution allows you to back up important directories and files on your servers, and to restore files that are encrypted by ransomware, with a few clicks. We recommend that you purchase 50 GB of anti-ransomware capacity for each server, which costs only USD 2.25 per month.

What is the relationship between the anti-ransomware feature and Alibaba Cloud HBR?

The anti-ransomware feature uses the storage capability provided by Alibaba Cloud Hybrid Backup Recovery (HBR). If you have not activated Alibaba Cloud HBR, it is automatically activated after you purchase the anti-ransomware capacity and grant Security Center the permissions to use Alibaba Cloud HBR. You are not charged when you activate Alibaba Cloud HBR.

Is the data backup feature automatically enabled after I purchase the anti-ransomware capacity?

No, the data backup feature is not automatically enabled.

After you purchase the anti-ransomware capacity, you must create and enable an anti-ransomware policy. After you enable the anti-ransomware policy, Security Center backs up server data to protect your servers against ransomware.

How do I view the anti-ransomware capacity that I purchased and the anti-ransomware capacity that is used?

After you enable the anti-ransomware feature, you can view the anti-ransomware capacity that you purchased and the anti-ransomware capacity that is used on the Anti-blackmail page. To go to the page, choose Defense > Anti-ransomware in the left-side navigation pane.

After I enable the anti-ransomware feature, the data backup cache occupies a large amount of disk space. How do I clear the cache?

To accelerate data backup, the anti-ransomware feature caches data during data backup. By default, the data backup cache occupies disk space on your server. If a large amount of disk space is occupied by the cache under the path of C:\Program Files (x86)\Alibaba\Aegis\hbr\cache on Windows servers or /usr/local/aegis/hbr/cache on Linux servers, you can clear the cache. For more information, see Clear backup caches.

After I enable the anti-ransomware feature, the data backup cache occupies a large amount of space of drive C on my server. Can I change the directory in which the data backup cache is stored?

Yes, you can change the directory in which the data backup cache is stored.

You can modify the configuration file of the anti-ransomware agent to change the directory in which the data backup cache is stored. For more information, see Modify backup cache configurations.

What do I do if the anti-ransomware agent consumes excessive server CPU or memory resources?

Earlier versions of the anti-ransomware agent may consume excessive server CPU or memory resources during data backup. The anti-ransomware agent was upgraded on August 19, 2020 to resolve this issue. If you installed the anti-ransomware agent after August 19, 2020, no actions are required. If you installed the anti-ransomware agent on or before August 19, 2020, you must uninstall and reinstall the anti-ransomware agent. To uninstall and reinstall the anti-ransomware agent, perform the following steps:
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Defense > Anti-ransomware.
  3. Find the server on which the issue occurs and click Uninstall in the Actions column. In the message that appears, click OK.

    Then, the status of the anti-ransomware agent changes to Uninstalling. The anti-ransomware agent is uninstalled in about 5 minutes.

  4. After the agent is uninstalled, click Install in the Actions column. In the message that appears, click OK.

    Then, the status of the anti-ransomware agent changes to Installing. The anti-ransomware agent is installed in about 5 minutes.

Note: If the issue persists after you perform the preceding steps, we recommend that you submit a ticket to contact Alibaba Cloud technical support.

What are the differences between the general anti-ransomware solution and the snapshot feature?

The following table describes the differences between the general anti-ransomware solution and the snapshot feature.

| Feature | Data backup | Antivirus capability | Fee |
| --- | --- | --- | --- |
| Snapshot | Provides a one-time backup for the system disk. If you want to restore data, you must restart the system. | The antivirus capability is not provided. | High. The snapshot feature backs up the entire disk. You cannot back up only a specific file. The snapshot feature is charged USD 0.02 per GB per month. For more information, see Snapshots. |
| General anti-ransomware solution | Flexibly backs up files. You can restore a file that is backed up. If you want to restore data, you do not need to restart the system. | The general anti-ransomware solution blocks known ransomware and generates alerts in real time. This solution captures unknown ransomware and allows you to restore data that is encrypted by ransomware with a few clicks. | Low. The general anti-ransomware solution supports file-level protection. You are charged data backup fees based on your actual usage. You do not need to back up the entire disk. For more information, see Billing. |

What do I do if the anti-ransomware capacity that I purchased is insufficient?

If the anti-ransomware capacity that you purchased is insufficient, data backup may fail. You can purchase additional anti-ransomware capacity or release the anti-ransomware capacity.
  • Purchase additional anti-ransomware capacity
    Insufficient anti-ransomware capacity causes backup failures. We recommend that you purchase sufficient anti-ransomware capacity to prevent backup failures. To purchase sufficient anti-ransomware capacity, perform the following operations: Log on to the Security Center console and choose Defense > Anti-ransomware in the left-side navigation pane. On the Anti-blackmail page, click Upgrade below Used Capacity/Total.
    Note: We recommend that you purchase 50 GB of anti-ransomware capacity for each server.
  • Release the anti-ransomware capacity
    • Remove servers

      You can release anti-ransomware capacity by removing servers such as test servers and idle servers from an anti-ransomware policy. For more information, see Manage servers that are added to an anti-ransomware policy.

    • Add directories that you want to protect based on your business requirements

      You can create custom anti-ransomware policies and back up only the directories that you want to protect. This helps reduce the amount of anti-ransomware capacity that is used.

    • Delete backup data

      If you no longer require backup data of a server, you can delete all backup data of the server to release the anti-ransomware capacity. For more information, see the "Delete backup data" section of the Create a restoration task topic.

What do I do if the status of an anti-ransomware policy is abnormal?

If the status of an anti-ransomware policy is abnormal, you cannot back up server data based on the anti-ransomware policy. We recommend that you handle the exception based on the causes that are provided on the Anti-blackmail page. Possible causes and solutions:
  • Insufficient anti-ransomware capacity

    If the capacity used for data backup exceeds the capacity that you purchased, the current backup tasks are suspended and you cannot create restoration tasks. You must purchase sufficient anti-ransomware capacity to continue to use the anti-ransomware feature. For more information, see Upgrade and downgrade Security Center.

  • The Security Center agent is offline

    If the Security Center agent is offline, the status of anti-ransomware policies is abnormal. You must handle the exception based on the causes. For more information, see Troubleshoot why the Security Center agent is offline.

  • Data backup errors

    An invalid directory in a restoration task or insufficient server disk capacity causes data backup failures. In this case, the status of anti-ransomware policies is abnormal. You must recreate a restoration task, specify a valid backup directory, and make sure that the server disk capacity is sufficient. After the new restoration task is completed, the status of anti-ransomware policies changes to normal.

After I purchase the antivirus feature, can the existing features run properly?

Yes, after you purchase the antivirus feature, all existing features run properly.

Security Center provides the antivirus feature to scan for viruses, generate alerts, and perform deep cleaning against persistent viruses, such as ransomware and mining programs. The antivirus feature does not affect the existing features.

If the remaining validity period of Security Center is three years, can I purchase web tamper proofing for one year?

No, the validity period of web tamper proofing must be the same as the validity period of Security Center.

Can web tamper proofing protect files of all sizes?

Yes, web tamper proofing can protect files of all sizes.

If my server stores more than 3 MB of files, can web tamper proofing protect the excessive files that exceed 3 MB? Can web tamper proofing protect files whose total size is not larger than 3 MB?

Yes, web tamper proofing can protect files of all sizes. Web tamper proofing can protect the files on your servers regardless of whether the total file size is larger than 3 MB.

The message "The protection module initialization failed. Check whether other software has blocked the creation of the service" appears when I enable web tamper proofing. Why?

If the web tamper proofing feature fails to be enabled and the message "The protection module initialization failed. Check whether other software has blocked the creation of the service" appears, the web tamper proofing program is blocked by third-party security software on your server.

We recommend that you add the process of the Security Center agent to the whitelists of the third-party security software on your server. You can also disable the blocking feature of the third-party security software.

What are the requirements for the local backup directory of web tamper proofing?

The local backup directory of web tamper proofing stores the backups of a protected directory. The local backup directory can be empty. You can specify a protected directory that contains the files of your website.

If you want to protect multiple directories of a server, you can restore the backup files in different directories or in the same directory.

What do I do if I receive a message that indicates that a protected directory is invalid?

When you specify a protected directory in Windows, use a backslash (\) instead of a forward slash (/). Example: C:\Program Files\Common Files.

Note: A protected directory cannot contain the following characters:

/;*?""<>|

Why does web tamper proofing remain disabled after I specify a protected directory?

After you specify a protected directory, you must turn on the switch for web tamper proofing and make sure that the Security Center agent runs as expected to enable web tamper proofing.

We recommend that you perform the following steps:
  • Check whether the files that you want to protect are added to the protected directory.
  • After you specify the protected directory, check whether the switch for web tamper proofing is turned on.

    You must turn on the switch for the protected directory before web tamper proofing can take effect.

  • Check whether the Security Center agent runs as expected.
    You can log on to the Security Center console, choose Defense > Tamper Protection, and click the Management tab to view the status of the Security Center agent on a server. If the status is Exception, we recommend that you turn on the switch in the Protection column for the server again. If the status is Offline, we recommend that you reinstall the Security Center agent for the server. For more information, see Install the Security Center agent.
  • Check whether the server has sufficient disk capacity. If the server does not have sufficient disk capacity, clean up the disk at the earliest opportunity.

Can I write files to a protected directory on a server for which web tamper proofing is configured?

No, you cannot write files to a protected directory on a server for which web tamper proofing is configured. After you configure web tamper proofing for a server to specify a protected directory, you cannot write files to the directory.

For more information about how to write files to the protected directory, see After I enable web tamper proofing, what do I do if the website content and images cannot be modified or updated?.

After I specify a protected directory, what do I do if web tamper proofing does not immediately take effect?

After you specify a protected directory, web tamper proofing does not immediately take effect and you can still write files to the directory. To enable web tamper proofing, you must go to the Management tab, turn off Protection for the server where the directory is located, and then turn on Protection again.
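One way to check on a Linux server whether protection is actually in effect for a directory, as described above. This is an added example, not part of the original documentation or of Security Center. The function names, return codes and probe file name are assumptions of this example, and so is treating either a refused write or a probe file that disappears shortly afterwards as "blocked", because the page does not state how a blocked modification appears to the writing process.

```shell
#!/bin/sh
# Added example: probe whether writes to a protected directory are blocked.
# Return codes (convention chosen for this example):
#   0 = write refused, or probe file removed again -> protection in effect
#   1 = probe file was created and persisted       -> protection NOT in effect
#   2 = cannot test (not a directory, or probe name already exists)
probe_protected_dir() {
    dir=$1
    wait_s=${2:-2}          # seconds to wait before checking persistence
    [ -d "$dir" ] || return 2

    # Unique hidden name so that no real site file is ever touched.
    probe="$dir/.wtp-probe-$$-$(date +%s)"
    [ -e "$probe" ] && return 2

    # noclobber (set -C) makes the redirect fail instead of overwriting.
    if ( set -C; : > "$probe" ) 2>/dev/null; then
        sleep "$wait_s"
        if [ -e "$probe" ]; then
            rm -f -- "$probe"   # clean up: the write was allowed
            return 1
        fi
        return 0                # file was reverted after creation
    fi
    return 0                    # write was refused outright
}

# Print one status line per directory given on the command line.
report() {
    for d in "$@"; do
        rc=0
        probe_protected_dir "$d" || rc=$?
        case $rc in
            0) echo "BLOCKED    $d" ;;
            1) echo "WRITABLE   $d (turn Protection off and on again)" ;;
            *) echo "UNTESTABLE $d" ;;
        esac
    done
}

if [ "$#" -gt 0 ]; then
    report "$@"
fi
```

Run it as an account that is not in the web tamper proofing whitelist, because writes by whitelisted processes are allowed and would be reported as WRITABLE.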


I do not receive alert notifications after I log on to my server over SSH and modify the files that are protected by web tamper proofing. Why?

If you log on to your server for which web tamper proofing is enabled by using Secure Shell (SSH) and modify a file in the protected directory of the server, alerts are not generated on the Tamper Protection page to remind you of the modification. The following list describes the possible causes:
  • Protection is turned off.
  • You modified the settings of the protected directory on a server for which Protection is turned on, and after the modification you did not turn on Protection again to enable web tamper proofing.
  • The protected file is added to the whitelist of web tamper proofing.

    Files in the whitelist are trusted. Therefore, web tamper proofing does not block or generate alerts for modifications on the files. For more information, see Add blocked processes to a whitelist.

  • The kernel version of your server is not supported by web tamper proofing.

    If an attempt is made to modify the files in the protected directory, web tamper proofing blocks the modification and does not generate alerts.

    Note: After you modify a file in your server and save the modification, you can view that the modification was blocked by web tamper proofing in the handled alert list of the Tamper Protection page. You can log on to your server and view that the modification on the file does not take effect.

After I enable web tamper proofing, what do I do if the website content and images cannot be modified or updated?

You can use one of the following two methods to resolve this issue:
  • Disable web tamper proofing and update the website content. After the update is complete, enable web tamper proofing. For more information about how to enable web tamper proofing, see Enable the web tamper proofing feature.
  • Exclude website paths that you want to modify from the protected directory.
Note: Web tamper proofing allows you to add Linux and Windows processes to a whitelist. This ensures that protected files are updated in real time. For more information, see Add blocked processes to a whitelist.

What do I do if I receive an email or text message that notifies me of a webshell detected on my server?

If you receive an email or text message that notifies you of a webshell detected on your server, your server has been attacked and a webshell file has been implanted into the server. The attacker may manipulate the data on your website or database. You can quarantine the webshell file in Security Center. We recommend that you locate and fix the vulnerability. Otherwise, the attacker may exploit the vulnerability.

My Security Center runs the Enterprise edition. Can I use the container firewall feature?

No, you cannot use the container firewall feature. Only Security Center Ultimate supports this feature. If you do not use the Ultimate edition, you must upgrade Security Center to the Ultimate edition before you can use this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that each edition supports, see Features.

Do I need to pay for the container firewall feature?

No, you do not need to pay for the container firewall feature. After you purchase the Ultimate edition of Security Center, you can use the container firewall feature free of charge.

After I upgrade my Security Center to the Ultimate edition, does Security Center protect only containers?

No, the Ultimate edition of Security Center can protect both containers and ECS instances.