Create an anti-ransomware policy

Background information

You can use the anti-ransomware feature of Security Center to create anti-ransomware policies for your server. The server can be an Elastic Compute Service (ECS) instance, a server that is not deployed on Alibaba Cloud, a server that is deployed in the classic network, or a server that is deployed in a virtual private cloud (VPC). After you create an anti-ransomware policy, Security Center automatically backs up data in protected directories on your server. If your server is attacked by ransomware, you can restore data based on the backups. This prevents negative impacts on your business.

The anti-ransomware agent that is installed on your server is used to back up data. You can back up data only if the agent is running properly. After you create an anti-ransomware policy, we recommend that you monitor the status of the anti-ransomware agent and handle the exceptions on the agent in a timely manner. For more information, see View the status of the anti-ransomware agent.

Limits

Limits on anti-ransomware for servers:

You must use the Anti-virus, Advanced, Enterprise, Ultimate, or Value-added Plan edition of Security Center and purchase a specific amount of anti-ransomware capacity before you can create anti-ransomware policies. If you want to create anti-ransomware policies but Security Center runs the Basic edition, you must upgrade Security Center to the Anti-virus, Advanced, Enterprise, Ultimate, or Value-added Plan edition and purchase a specific amount of anti-ransomware capacity.
The operating system version of your server must be supported by anti-ransomware for servers. If the operating system version is not supported, the data of your server cannot be backed up. For more information about supported operating system versions, see Operating systems and versions supported by anti-ransomware for servers.

Version description

The version of the anti-ransomware agent is upgraded to V2.0 or later. You can no longer modify the existing V1.0 anti-ransomware policies based on which the V1.X.X anti-ransomware agent is installed. After the agent upgrade, you can create only V2.0 anti-ransomware policies.

The following table describes the differences between a V1.0 anti-ransomware policy and a V2.0 anti-ransomware policy.


Item	V1.0 anti-ransomware policy	V2.0 anti-ransomware policy
Custom directories to be excluded	Not supported.	Supported.
VSS
Classic network
Compatibility with Hybrid Backup Recovery (HBR)
Backup method	Multiple data backup tasks can be run at a time, which may cause high CPU utilization.	Multiple data backup tasks can be run in sequence.

Upgrade V1.0 anti-ransomware policies with a few clicks

You can upgrade a V1.0 anti-ransomware policy to a V2.0 anti-ransomware policy with a few clicks. To upgrade a V1.0 anti-ransomware policy, you can click Upgrade in the Actions column on the Server extortion virus protection tab of the General Anti-ransomware Solutions page. During the policy upgrade, the version of the anti-ransomware agent that is installed based on the anti-ransomware policy is automatically upgraded to V2.X.X. Upgrade the anti-ransomware agent

Note

The upgrade of the anti-ransomware agent does not affect backup data. After the upgrade, your data backup tasks run as expected. If the upgrade fails, the version of the anti-ransomware agent is automatically rolled back to V1.X.X, and data backup tasks are not affected.
For some servers, the installed anti-ransomware agent cannot be upgraded with a few clicks. In this case, we recommend that you remove the server on which the anti-ransomware agent fails to be upgraded from the anti-ransomware policy, and click Upgrade in the Actions column for the anti-ransomware policy to upgrade the policy. After the anti-ransomware policy is upgraded, reapply the anti-ransomware policy to the server that you remove. Then, the V2.X.X anti-ransomware agent is automatically installed on the server.

Data backup

You can incrementally back up data to protect your server against ransomware. If this is the first time that you back up all data in protected directories based on an anti-ransomware policy, a large number of CPU and memory resources are consumed. To avoid impacts on your services, we recommend that you back up data during off-peak hours. In subsequent backups, Security Center backs up only files that are newly added, modified, or deleted. This reduces server resource consumption and prevents excessive consumption of the anti-ransomware capacity.

Security Center starts a specific number of data backup tasks based on the versions of anti-ransomware policies and the directories that you want to back up.


Directory to back up	V1.0 anti-ransomware policy	V2.0 anti-ransomware policy
All directories	For a Linux server, Security Center generates only one data backup task. For a Windows server, Security Center generates one data backup task for each data disk. If your Windows server has two data disks, Security Center generates two data backup tasks. The two tasks start at the same time. Compared with a Linux server, the Windows server consumes more CPU and memory resources during backup. Notice We recommend that you schedule the data backup tasks based on the CPU utilization and memory usage of your Windows server.	For a server, Security Center generates only one data backup task. For multiple servers, Security Center generates multiple data backup tasks and starts the tasks in sequence. This consumes less CPU and memory resources and does not affect your services.
Specific directories	Security Center starts one data backup task for each directory that is specified in an anti-ransomware policy. Security Center allows multiple data backup tasks to run at the same time. The tasks may consume a large number of CPU and memory resources. Notice We recommend that you specify an appropriate number of directories in the anti-ransomware policy based on your business requirements.

You can select Recommendation Policy to use the recommended anti-ransomware policy. You can also select Custom policy to create a custom anti-ransomware policy. To create an anti-ransomware policy based on which the V2.X.X anti-ransomware agent is installed, perform the following steps:

Log on to the Security Center console.
In the left-side navigation pane, choose Defense > Anti-ransomware.
On the General Anti-ransomware Solutions page, click the Server extortion virus protection tab.
On the Server extortion virus protection tab, click Create Policies.

In the Create Policies panel, configure the parameters.

The following table describes the parameters.


Parameter	Description
Policy Name	The name of the anti-ransomware policy.
Server Type	The type of the server to which you want to apply the anti-ransomware policy.
Select Assets	The assets that you want to protect. You can select an asset, an asset group, or multiple assets from asset groups. To select the assets that you want to protect, perform the following operations: In the Asset Group section, select an asset group. Then, all assets in the group are selected. You can clear assets that do not require protection in the Assets section. In the Assets section, enter the name of an asset in the search box to search for the asset. Fuzzy match is supported. Note If you want to apply the anti-ransomware policy to ECS instances, you can select ECS instances that reside in different regions. If you want to apply the anti-ransomware policy to the servers that are not deployed on Alibaba Cloud, you must select the servers that reside in the same region. To make sure that the anti-ransomware capacity is effectively utilized, you can add a server to only one policy.
Protection Policies	The anti-ransomware policy that you want to configure. Valid values: Recommendation Policy If you select Recommendation Policy, the default values of the following parameters are used: Protected Directories: All directories Directory to Exclude: Excluded Exclude specified directories: directories that are excluded from the policy Protected File Types: All File Types Start Time: a point in time within the range of 00:00 to 03:00 Backup policy execution interval: One Day Backup data retention period: 7 Days The bandwidth limit of the backup network: 0 MByte/s Note The value 0 indicates that no limits are imposed on the bandwidth. VSS (Windows): Yes Note The VSS feature is available only if you create the anti-ransomware policy for Windows servers. After you enable the feature, the number of backup failures due to running processes is significantly reduced. We recommend that you enable the VSS feature. After you enable the feature, the data of disks that are in the exFAT and FAT32 formats cannot be backed up. Custom policy If you select Custom policy, you must configure parameters based on your business requirements. The parameters include Protected Directories, Protected File Types, Start Time, Backup policy execution interval, Backup data retention period, and The bandwidth limit of the backup network.
Protected Directories	The directories that you want to back up. Valid values: Specified directory: Security Center backs up only specified directories of the specified servers. Enter the addresses of the specified directories for Protect directory address. You can enter up to 20 addresses. All directories: Security Center backs up all directories of the specified servers. You must set Directory to Exclude to Not Exclude. Note If you set Protected Directories to All directories, we recommend that you set Directory to Exclude to Not Excluded. This prevents system conflicts.
Directory to Exclude	Specifies whether to exclude system directories. If you set this parameter to Excluded, the system directories that are automatically specified for Exclude specified directories are excluded. You can also add or remove system directories based on your business requirements. Note System directories that are automatically excluded from the anti-ransomware policy for Windows and Linux servers are in update. You can view the system directories that are automatically excluded to the right of the Exclude specified directories parameter.
Protected File Types	The type of the files that you want to protect. Valid values: All File Types: Security Center protects all files. Specify file type: Security Center protects files only of the selected file type. Valid values: Document Compressed Database Audio and video Script code Notice If you set Protected File Types to Specify file type, you must select a file type from the drop-down list that appears. You can select multiple file types. Security Center protects only the files of the selected file types.
Start Time	The time at which you want to start a data backup task. Notice If this is the first time that you back up all data in protected directories based on an anti-ransomware policy, a large number of CPU and memory resources are consumed. To avoid impacts on your services, we recommend that you back up data during off-peak hours.
Backup policy execution interval	The time interval between two data backup tasks. Default value: One Day. Valid values: Half a day One Day 3 days Seven Days
Backup data retention period	The retention period of backup data. Default value: 7 Days. Notice The backup data is stored only within the specified retention period. We recommend that you specify the retention period based on your business requirements. Valid values: Permanent Custom Note You can specify a retention period. Valid values: 1 to 65535. Unit: days.
The bandwidth limit of the backup network	The maximum bandwidth that can be consumed by a data backup task. Valid values: 1 to unlimited. Unit: MB/s. Notice If you create the anti-ransomware policy for an ECS instance, only internal network bandwidth is consumed. We recommend that you specify an appropriate bandwidth threshold based on the bandwidth of your server. This prevents the backup tasks from using an excessive amount of bandwidth and ensures service stability.

Click Ok.
After the anti-ransomware policy is created, the policy is enabled by default, and Security Center installs the anti-ransomware agent on your server. Then, Security Center backs up data in the protected directories of your server based on the backup settings that you configure in the anti-ransomware policy.

What to do next

View the status of the anti-ransomware agent
After the anti-ransomware policy is created, you must check the status of the anti-ransomware agent that is installed on the servers protected by the anti-ransomware policy and make sure that the anti-ransomware agent is in the Client online state. To check the status of the anti-ransomware agent, go to the Server extortion virus protection tab of the Anti-blackmail page, find the anti-ransomware policy, and then click the icon next to the policy name. In the list of servers that are protected by the anti-ransomware policy, view the agent status in the Status column. Security Center can back up data for the servers only if the anti-ransomware agent is in the Client online state.

If the status of the anti-ransomware agent is Not Installed, failed, or Exception, data backup fails. You must identify the cause of the exception to the anti-ransomware agent and handle the exception.

Note If the status of the anti-ransomware agent is Exception, errors may occur during data backup or data restoration. If errors occur during data restoration, data backup tasks are not affected. You can handle the exception as prompted.
You can use one of the following methods to handle the exception:
- Follow the instructions on the Anti-blackmail page.
- To contact Alibaba Cloud security engineers, submit a ticket.
Manually install the anti-ransomware agent
After the anti-ransomware policy is created, Security Center automatically installs the anti-ransomware agent on your server. If your server is not started or is configured with specific firewall policies, Security Center may fail to install the anti-ransomware agent on the server. If the anti-ransomware agent fails to be installed, you must identify the cause and resolve the issue. Then, install the anti-ransomware agent on the server. For more information about how to manually install the anti-ransomware agent, see Manage servers that are added to an anti-ransomware policy.
Uninstall the anti-ransomware agent
If the status of the anti-ransomware agent that is installed on the server in the anti-ransomware policy is Exception or failed, you can click Uninstall in the Actions column for the server to uninstall the anti-ransomware agent. Then, reinstall the anti-ransomware agent on the server.

Note If you uninstall the anti-ransomware agent within the period specified by the Backup data retention period parameter, Security Center does not delete the data that the anti-ransomware agent backs up. If you uninstall the anti-ransomware agent in the time that is not within the period specified by the Backup data retention period parameter, Security Center deletes the backup data of the server.
Delete the anti-ransomware agent
If a server no longer requires the anti-ransomware policy, you can delete the anti-ransomware agent from the server. If you delete the anti-ransomware agent from the server, the server is deleted from the list of servers that use the anti-ransomware policy, and the backup data of the server is deleted. After the backup data on the server is deleted, Security Center releases the anti-ransomware capacity. The anti-ransomware capacity is updated within 24 to 72 hours after the release. We recommend that you do not run out of the anti-ransomware capacity. If the anti-ransomware capacity is used up, data backup tasks stop, and a full backup is performed. This significantly increases the resource usage of the server.

Notice If the anti-ransomware agent is deleted from your server, the backup data on your server is also deleted. Deleted backup data cannot be recovered. Proceed with caution.

Security Center:Create an anti-ransomware policy

Prerequisites