Functions and features - Security Center - Alibaba Cloud Documentation Center

Pricing


Billable item		Basic	Anti-virus	Advanced	Enterprise	Ultimate	Value-added Plan
Basic fees		Free	USD 1 per core per month	USD 9.5 per server per month	USD 23.5 per server per month	USD 23.5 per server per month + USD 1 per core per month	Free
Fees of value-added features	Web Tamper Protection	Not supported	USD 142.6 per server per month	USD 142.6 per server per month	USD 142.6 per server per month	USD 142.6 per server per month	USD 142.6 per server per month
	Anti-ransomware	Not supported	USD 0.045 per GB per month	USD 0.045 per GB per month	USD 0.045 per GB per month	USD 0.045 per GB per month	USD 0.045 per GB per month
	Log Analysis	Not supported	Not supported	USD 72.9 per TB per month	USD 72.9 per TB per month	USD 72.9 per TB per month	Not supported
	Container image scan	Not supported	Not supported	USD 0.3 per image	USD 0.3 per image	USD 0.3 per image	USD 0.3 per image
	Cloud honeypot	Not supported	USD 333.33 per honeypot per month	USD 333.33 per honeypot per month	USD 333.33 per honeypot per month	USD 333.33 per honeypot per month	USD 333.33 per honeypot per month
Subscription period		Unlimited	Monthly subscription supported	Monthly subscription supported	Monthly subscription supported	Monthly subscription supported	Monthly subscription supported

Note The following symbols are used in the tables in this topic:

: indicates that the feature is not supported by the edition.
: indicates that the feature is supported by the edition.
Value-added: indicates a value-added feature. If you want to use a value-added feature, you must enable the feature when you purchase or upgrade Security Center.
Application required: indicates that the feature is available only after you apply for the feature and obtain the approval from Security Center.

Container security

Notice Security Center can perform security checks for the clusters or instances of the following Alibaba Cloud services. Security Center can also perform security checks for the clusters or instances of data centers and Tencent Kubernetes Engine (TKE).

Container Service for Kubernetes: Security Center performs security checks for all Kubernetes clusters that are created by using templates.
Container Registry: Security Center performs security checks for Container Registry Enterprise Edition instances and self-managed Harbor image repositories. Security Center cannot perform security checks for Container Registry Personal Edition instances.


Feature	Description	Advanced	Enterprise	Ultimate	References
Threat detection during container runtime	Security Center detects threats to Container Service for Kubernetes in real time. The threats include viruses and malicious programs in containers or on hosts, intrusion into containers, and container escapes. Security Center also generates alerts for these threats and warnings for high-risk operations.				Use the runtime security feature to monitor ACK clusters and configure alerts
Threat detection during container runtime	Security Center detects the following threats for containers during container runtime and generates alerts for detected threats: Malicious image startups Security Center dynamically monitors open image sources, such as Docker Hub, and generates alerts if an image that contains webshells or mining programs is installed on your server. Viruses and malicious programs Security Center detects viruses, trojans, mining programs, malicious scripts, and webshells in containers. Intrusion into containers Security Center detects intrusions into containers from attackers who exploit application-layer vulnerabilities, unauthorized operations in containers, and application-to-application spread of malicious scripts in containers. Container escapes Security Center detects container escapes caused by improper container configurations, Docker vulnerabilities, or operating system vulnerabilities. High-risk operations Security Center detects sensitive host directories mounted to containers, Docker API leaks, Kubernetes API leaks, and containers started based on suspicious privilege escalation. This minimizes the risk of attackers exploiting these vulnerabilities.				View and handle alerts
Threat detection on Kubernetes containers	Security Center monitors the status of running containers in a Kubernetes cluster. This allows you to detect security risks and attacker intrusions at the earliest opportunity. Security Center detects the following items: Suspicious instruction execution on a Kubernetes API server Mounting of suspicious directories to a pod Transfer of Kubernetes service accounts from one application to another Startup of a pod based on a malicious image				Use threat detection on Kubernetes containers
Image signature	Security Center signs trusted container images and verifies the signatures to ensure that only trusted images are deployed. This prevents unauthorized container images from being started and improves asset security. Only Kubernetes clusters that are deployed in the China (Hong Kong) region support the image signature feature.				Use the container signature feature
Container image scan	Security Center detects the following image baseline risks, image vulnerabilities, and malicious image samples: Image system vulnerabilities Security Center detects image system vulnerabilities to ensure that your images are secure and reliable. Image application vulnerabilities Security Center scans container-related middleware to detect image application vulnerabilities and provides suggestions on vulnerability fixes. This ensures that images run in a secure environment. Image baseline risks Security Center scans your containers to detect image baseline risks and provides suggestions on how to handle the risks. Malicious image samples Security Center detects malicious image samples in your containers. This allows you to view the container risks and reinforces the security of your containers. Note Only image system vulnerabilities can be fixed with a few clicks. Security Center detects image application vulnerabilities, image baseline risks, and malicious image samples. However, you are not allowed to fix the detected risks with a few clicks. If image application vulnerabilities, malicious image samples, or image baseline risks are detected in container images, we recommend that you follow the suggestions on vulnerability fixes provided by Security Center to reinforce image security. You can also use the paths of the malicious samples to manually reinforce image protection.	Value-added	Value-added	Value-added	Overview of the container image scan feature
Container configuration security	Security Center performs security checks on the baseline configurations of containers. It also generates alerts for the detected risks. Security Center detects the following items: Alibaba Cloud Standard - Docker security baseline check Security Center checks the baseline against the Alibaba Cloud standard of best practices for Docker. This check covers different dimensions, such as security audit, service configurations, and file permissions. If risks are detected, Security Center generates alerts at the earliest opportunity. Alibaba Cloud Standard - Kubernetes-Master security baseline check Security Center checks the baseline against the Alibaba Cloud standard of best practices for Kubernetes Master. Alibaba Cloud Standard - Kubernetes-Node security baseline check Security Center checks the baseline against the Alibaba Cloud standard of best practices for Kubernetes Node.				Overview
Management of container-related assets	Security Center displays the statistics and risk status of all container-related assets.				View security information about containers
Container network topology	The feature of container network topology allows you to perform security-related operations on your assets such as clusters, containers, images, and applications, in a visualized manner. The feature also displays the network topology of your containers. This feature enables you to manage your containers in a more efficient manner. You can use container network topology to obtain the up-to-date security information and network connections of your assets.				Container network topology
Proactive defense for containers	Security Center provides the feature of proactive defense for containers. The feature allows you to detect risks on an image when you use the image to create resources in a cluster. The feature also allows you to create a container defense policy for a cluster. If an image hits the container defense policy, Security Center handles the image that is started in the cluster based on the action of the policy. The action can be Block, Alert, or Allow. This ensures that the image does not affect your business.				Overview of proactive defense for containers

Secure Score


Feature	Description	Basic	Anti-virus	Advanced	Enterprise	Ultimate	References
Secure score	Security Center displays a security score on the Overview tab. The security score is calculated based on the security status of your assets. A higher score indicates fewer risks in your assets.						Improve the security score of your assets Security score FAQ

Assets page


Feature	Description	References
Servers	Security Center displays security information about each protected server. The information includes the risk status, group, region, and virtual private cloud (VPC).	View server information
Containers	Security Center displays security information about each protected pod, container, and image. The information includes the risk status.	View security information about containers
Websites	Security Center displays security information about each protected website. The information includes the root domain, subdomains, risk status, and alerts.	View website information
Cloud services	Security Center displays security information about each protected cloud service, such as Server Load Balancer (SLB), NAT Gateway, ApsaraDB RDS, and ApsaraDB for MongoDB. The information includes at-risk services and the type of each service.	View information about cloud services

Asset exposure analysis


Feature	Description	Basic	Anti-virus	Advanced	Enterprise	Ultimate	References
Asset exposure analysis	Security Center automatically analyzes the exposures of your Elastic Compute Service (ECS) instances on the Internet and visualizes the communication links between ECS instances and the Internet. Security Center also displays details about the vulnerabilities in the exposed ECS instances. The asset exposure analysis feature helps you identify abnormal exposures of your assets on the Internet and provides suggestions on vulnerability fixing.						Asset exposure analysis

Virus defense


Feature	Description	Anti-virus	Advanced	Enterprise	Ultimate	References
Virus detection and removal	The security experts of Security Center conduct automated analysis on attack methods based on a large number of persistent virus samples. Then, the security experts release an engine that can detect and remove viruses based on machine learning results. You can use the engine to detect and remove viruses with a few clicks.					Use the antivirus feature
Antivirus	Security Center quarantines common ransomware, DDoS trojans, mining programs and trojans, malicious programs, backdoor programs, and worms.					Use the antivirus feature
Anti-ransomware	Security Center traps ransomware and supports data backup and restoration.	Value-added	Value-added	Value-added	Value-added	Overview

Container firewall


Feature	Description	Basic	Anti-virus	Advanced	Enterprise	Ultimate	References
Container firewall	Security Center provides the container firewall feature. The feature delivers firewall capabilities to protect containers. If attackers exploit vulnerabilities or malicious images to intrude into clusters, the container firewall feature generates alerts or blocks attacks.						Overview of the container firewall feature

Malicious behavior defense


Feature	Description	Basic	Anti-virus	Advanced	Enterprise	Ultimate	References
Malicious behavior defense	Security Center provides the malicious behavior defense feature. You can enable or disable system defense rules, and manage the assets to which each system defense rule is applied based on your business requirements.						Use malicious behavior defense

Vulnerability fixing


Feature	Description	Basic	Anti-virus	Advanced	References
Linux software vulnerabilities	Security Center compares software versions by using the matching engine of Open Vulnerability and Assessment Language (OVAL). If the vulnerabilities that are recorded in the Common Vulnerabilities and Exposures (CVE) database are detected in the current version, Security Center generates alerts. Note The Basic edition supports automatic vulnerability scans. However, this edition does not support vulnerability fixing or quick scan tasks. If you want to manually run quick scan tasks, you must upgrade Security Center to the Anti-virus, Advanced, Enterprise, or Ultimate edition. If you want Security Center to automatically fix detected vulnerabilities, you must upgrade Security Center to the Advanced, Enterprise, or Ultimate edition.				View and handle Linux software vulnerabilities
Linux software vulnerabilities	Vulnerability fixing: Security Center supports the automatic fixing of system vulnerabilities and automatic creation of snapshots. This allows you to undo fixes by using snapshots.				View and handle Linux software vulnerabilities
Windows system vulnerabilities	Security Center obtains Microsoft updates for Windows operating systems, detects high-risk vulnerabilities, and generates alerts for these vulnerabilities. Note The Basic edition supports automatic vulnerability scans. However, this edition does not support vulnerability fixing or quick scan tasks. If you want to manually run quick scan tasks, you must upgrade Security Center to the Anti-virus, Advanced, Enterprise, or Ultimate edition. If you want Security Center to automatically fix detected vulnerabilities, you must upgrade Security Center to the Advanced, Enterprise, or Ultimate edition.				View and handle Windows system vulnerabilities
Windows system vulnerabilities	Vulnerability fixing: Security Center automatically identifies pre-patches that are used to fix vulnerabilities to prevent failures caused by the lack of the required pre-patches. This allows you to fix Windows vulnerabilities with a few clicks. Security Center also generates alerts for vulnerabilities that require a system restart after the vulnerabilities are fixed. This allows you to fix Windows system vulnerabilities in an efficient manner.				View and handle Windows system vulnerabilities
Web-CMS vulnerabilities	Security Center monitors web directories, recognizes common website builders, and checks the vulnerability database to identify vulnerabilities in website builders. Note The Basic edition supports automatic vulnerability scans. However, this edition does not support vulnerability fixing or quick scan tasks. If you want to manually run quick scan tasks, you must upgrade Security Center to the Anti-virus, Advanced, Enterprise, or Ultimate edition. If you want Security Center to automatically fix detected vulnerabilities, you must upgrade Security Center to the Advanced, Enterprise, or Ultimate edition.				View and handle Web-CMS vulnerabilities
Web-CMS vulnerabilities	Vulnerability fixing: Security Center uses patches developed by Alibaba Cloud to replace and modify source code. This allows you to fix vulnerabilities with a few clicks.				View and handle Web-CMS vulnerabilities
Urgent vulnerabilities	Security Center detects urgent vulnerabilities that are unexpectedly released to the public. Security Center does not support automatic fixing of urgent vulnerabilities. You must follow the instructions provided by Security Center to manually fix the vulnerabilities.				View and handle urgent vulnerabilities
Application vulnerabilities	Security Center detects weak passwords for system services and vulnerabilities in system services and applications. Note Only the Enterprise and Ultimate editions support application vulnerability detection.Basic Anti-virus Advanced If you want to detect application vulnerabilities in your assets, you must upgrade Security Center to the Enterprise or Ultimate edition.				View and handle application vulnerabilities
Quick scan	Security Center allows you to manually run quick scan tasks on your assets to detect vulnerabilities in real time. Note Only the Enterprise and Ultimate editions support application vulnerability detection. If you want to run quick scan tasks to detect application vulnerabilities, make sure that you use the Enterprise or Ultimate edition.Basic Anti-virus Advanced For more information about the types of vulnerabilities that can be detected by quick scan tasks in each edition, see Quick scan.	(Only the detection of urgent vulnerabilities is supported by the Basic edition.)	(The detection of application vulnerabilities is not supported by the Anti-virus edition.)	(The detection of application vulnerabilities is not supported by the Advanced edition.)	Scan for vulnerabilities
Display of vulnerabilities that require immediate fixing	Security Center fixes urgent vulnerabilities and lists the vulnerabilities that require immediate fixing. This allows you to identify and fix vulnerabilities that have high priorities.				Overview
YUM and APT source configuration	Turn on or turn off the switch to specify whether to preferentially use YUM or APT sources of Alibaba Cloud to fix vulnerabilities. Note Before you fix a Linux software vulnerability, you must specify a valid YUM or APT source. If you specify an invalid YUM or APT source, the vulnerability may fail to be fixed. After you turn on the switch, Security Center automatically selects a YUM or APT source of Alibaba Cloud. This improves the success rate of vulnerability fixing. We recommend that you turn on the switch for YUM/APT Source Configuration.				Configure vulnerability settings

Baseline checks


Feature	Description	Basic	Anti-virus	Advanced	Enterprise	Ultimate	References
Baseline checks on servers	Security Center dispatches tasks to check server configurations. If configuration risks are detected, Security Center generates alerts. Security Center allows you to specify check items, detection intervals, and servers to customize check policies. Custom check scripts are not supported. Security Center allows you to customize weak password rules. Security Center checks the configurations of your cloud services by using a custom check policy. If weak passwords are detected, Security Center generates alerts. Security Center performs baseline checks on the following items: High-risk exploits Security Center detects vulnerabilities in unauthorized operations in CouchDB or Docker. Containers Security Center detects risks on Docker, Kubernetes Master, and Kubernetes Node. Classified protection compliance Security Center performs security checks against Multi-Level Protection Scheme (MLPS) level 3, MLPS level 2, and Center for Internet Security (CIS) standards. Best security practices Security Center performs security checks on Linux, Windows, and Redis. Weak passwords Security Center detects weak passwords during logons, such as ApsaraDB for MongoDB, FTP, and Linux logons.			(Only the detection of weak passwords is supported by the edition.)			Overview
Baseline risk fixing	Security Center mitigates risks that are detected from the baseline checks of Alibaba Cloud security and classified protection compliance.						View baseline check results and handle baseline risks

Configuration assessment


Feature	Description	Basic	Anti-virus	Advanced	Enterprise	Ultimate	References
Configuration assessment	Security Center detects risks in the configurations of Alibaba Cloud services, such as ECS and ApsaraDB RDS. Security Center detects the following items: ECS Security Center checks whether the port access policies of security groups are excessively loose. SLB Security Center detects unnecessary ports that are accessible over the Internet. This type of port increases attack risks. RDS Security Center checks whether databases are accessible over the Internet and whether an access whitelist is configured. ActionTrail Security Center checks whether auditing of operations logs is enabled. This type of audit facilitates event tracing. MFA Security Center checks whether two-factor authentication is enabled. This type of authentication protects Alibaba Cloud accounts. Other risks Security Center checks whether an SLB whitelist is configured and whether encrypted communications are enabled for ApsaraDB RDS.						Overview

Alerting


Feature	Description	Basic	Anti-virus	Advanced	Enterprise	Ultimate	References
Suspicious processes	Security Center traces intrusion sources based on real attack-defense scenarios in the cloud and creates a process whitelist. If unauthorized processes or intrusion attacks are detected, Security Center generates alerts. Security Center builds approximately 1,000 process patterns for hundreds of processes and compares the processes against these patterns to detect suspicious processes. Security Center detects the following items: Reverse shells Security Center detects suspicious command execution by Bash processes, and arbitrary command execution on servers under remote control. Suspicious command execution in databases Security Center detects suspicious command execution in databases, such as MySQL, PostgreSQL, SQL Server, Redis, and Oracle. Unauthorized operations in application processes Security Center detects unauthorized operations in application processes, such as Java, FTP, Tomcat, Docker container, and Lsass.exe processes. Unauthorized system processes Security Center detects unauthorized system processes, such as PowerShell, SSH, Remote Desktop Protocol (RDP), Server Message Block Daemon (SMBD), and Secure Copy Protocol (SCP) processes. Other suspicious processes Security Center detects activities of other suspicious processes, such as unusual access to Visual Basic Script (VBScript), unusual access to hosts, writing of crontab files, and webshell injection.						Alerts
Webshells	Security Center supports detection of website script files, such as PHP, ASP, and JSP files, based on both servers and networks. Security Center performs the following detection: Server-based detection Security Center monitors network directory changes on servers in real time. Network-based detection Security Center captures webshell files and identifies network protocols to detect webshells.	(The detection of some webshells is supported by the Basic edition.)
Webshells	Security Center also provides webshell removal to quarantine detected webshell files. You can restore files that are quarantined within the last 30 days.
Unusual logons	Security Center provides basic detection services. Security Center detects the following items: Logons from unapproved locations Security Center detects logons from unapproved locations. Security Center automatically records locations where logons to ECS instances are allowed. These locations can also be manually added. If Security Center detects logons from unapproved locations, Security Center generates alerts. Brute-force attacks Security Center detects logons to ECS instances after multiple failed attempts. In this case, the ECS instances may be compromised due to brute-force attacks.
Unusual logons	Security Center provides advanced detection services. Security Center detects the following items: Logons from unapproved IP addresses Security Center detects logons from unapproved IP addresses. Security Center allows you to specify approved IP addresses, such as the IP addresses of bastion hosts and the private networks of companies, from which users are allowed to log on to ECS instances. If Security Center detects logons from unapproved IP addresses, Security Center generates alerts. Logons from unapproved accounts Security Center detects logons from unapproved accounts. Security Center allows you to specify approved accounts, with which users are allowed to log on to ECS instances. If Security Center detects logons from unapproved accounts, Security Center generates alerts. Logons within unapproved time ranges Security Center detects logons within unapproved time ranges. Security Center allows you to specify approved time ranges, such as business hours, during which users are allowed to log on. If Security Center detects logons within unapproved time ranges, Security Center generates alerts.
Tampering of sensitive files	Security Center monitors sensitive directories and files, and generates alerts if suspicious read, write, or delete operations are detected. Security Center detects the following items: Tampering of system files Security Center checks whether Bash and ps commands are replaced or whether hidden and unauthorized processes are running. Removal of core website files Security Center detects malicious removal of core website files after servers are attacked. Trojan insertion Security Center checks whether malicious code is inserted into a website. If malicious code is inserted into a website, trojans are automatically downloaded when users visit the website. Other suspicious activities Security Center checks whether ransomware tampers with the logon pages of Linux and MySQL and inserts emails or Bitcoin wallet addresses.
Malicious processes	Security Center scans processes on a regular basis, monitors process startups, and detects viruses and trojans by using the cloud antivirus mechanism. You can terminate malicious processes and quarantine malicious files with a few clicks in the Security Center console. The virus library that is used for cloud antivirus has the following characteristics: Up-to-date virus data The virus library is deployed, maintained, and updated by Alibaba Cloud in real time. This minimizes the risk of potential losses caused by outdated virus data. Diverse virus samples All types of viruses are covered. Worldwide major antivirus engines are integrated. Sandboxes and machine learning engines developed by Alibaba Cloud are used. Security Center detects the following items: Ransomware Security Center detects file-encrypting ransomware, such as WannaCry and CryptoLocker. Attacks Security Center detects DDoS trojans, malicious scanning trojans, and spam trojans. Mining software Security Center detects software that consumes resources and uses servers for cryptocurrency mining. Zombies Security Center detects command and control (C&C) trojans, malicious C&C connections, and attack tools. Other viruses Security Center detects worms, Mirai, and infectious viruses.
Suspicious network connections	Security Center monitors connections on servers and networks. If suspicious connections are detected, Security Center generates alerts. Security Center detects the following items: Suspicious connections to external IP addresses Security Center detects reverse shells and the Bash shell that establishes suspicious connections to external IP addresses. Attacks Security Center detects maliciously inserted software that is used to launch attacks, such as SYN floods, UDP floods, and ICMP floods. Suspicious communications Security Center detects suspicious webshell communications. Suspicious TCP packets Security Center detects scan activities that are initiated on your server and targets other devices.
Others	Security Center detects the following items: Unusual disconnections of the Security Center agent DDoS attacks
Suspicious accounts	Security Center detects suspicious accounts that attempt to log on to your system based on user behavior analysis.
Intrusion into applications	Security Center detects intrusion into applications, such as SQL Server.
Threats to cloud services	Security Center detects unusual use of cloud services based on user behavior analysis. For example, an attacker uses your AccessKey pair to purchase a large number of ECS instances to mine data.
Precise defense	Security Center automatically quarantines common Internet viruses, such as ransomware, DDoS trojans, mining and trojan programs, malicious programs, webshells, and computer worms. Alibaba Cloud security experts test and verify all the automatically quarantined viruses to minimize false positive rates.
Persistent webshells	Security Center detects persistent webshells on servers. After an attacker gains control over a server, the attacker typically places webshells, such as scripts, processes, and links, to persistently exploit the intrusion. Common persistent webshells include crontab jobs, automatic tasks, and system replacement files.
Threats to web applications	Security Center detects intrusion activities that use web applications.
Malicious scripts	Security Center detects malicious scripts on servers. Malicious scripts are classified into file-based scripts and fileless scripts. After an attacker gains control over a server, the attacker uses scripts for additional attacks. For example, the attacker may insert mining programs and webshells, and add administrator accounts to your system. Languages of malicious scripts include Bash, Python, Perl, PowerShell, Batch, and VBScript.
Threat intelligence	Security Center provides third-party threat intelligence sources.		Value-added	Value-added	Value-added	Value-added
Malicious network behavior	Security Center identifies unusual network behavior based on logs, such as communication content and host behavior logs. Malicious network behavior includes intrusion into hosts over open network services and unusual behavior of cracked hosts.
Archived alerts	Security Center archives alerts 30 days after data is generated and allows you to download the archived alerts. This facilitates event tracing and audit.						None

Attack awareness


Feature	Description	Basic	Anti-virus	Advanced	Enterprise	Ultimate	References
Attack analysis	Security Center displays the details of web attacks and brute-force attacks on your server. Security Center traces the attacker IP addresses and finds the flaws of the attacks.						Attack awareness

Detection of AccessKey pair leaks


Feature	Description	Basic	Anti-virus	Advanced	Enterprise	Ultimate	References
Detection of AccessKey pair leaks	Security Center monitors code hosting platforms such as GitHub to detect AccessKey pair leaks in source code that may be accidentally uploaded by company employees.						Detection of AccessKey pair leaks

Log analysis


Feature	Description	Basic	Anti-virus	Advanced	Enterprise	Ultimate	References
Log analysis	Security Center allows you to retrieve and analyze raw log data. The data includes data related to process startup events, external network connections, system logon events, five tuples, DNS queries, security logs, and alert logs. Note Only users of the Security Center Enterprise and Ultimate editions can view network logs. Users of the Security Center Anti-virus or Advanced edition cannot view network logs. On the Log Analysis page of the Security Center console, users of the Anti-virus or Advanced edition can view only security and host logs.			Value-added	Value-added	Value-added	Log analysis

Investigation of asset fingerprints


Feature	Description	Basic	Anti-virus	Advanced	Enterprise	Ultimate	References
Asset fingerprints	Security Center collects the following server information in real time: Ports Security Center collects and displays port listening information to check open ports. Accounts Security Center collects information about server accounts and granted permissions, and checks privileged accounts to detect privilege escalation activities. Processes Security Center collects and displays process snapshots to check trusted processes and detect untrusted processes. Software Security Center checks software installation information and finds affected assets when high-risk vulnerabilities occur. Scheduled tasks Security Center collects information about scheduled tasks of your assets. Middleware Security Center collects information about middleware of your assets.						Overview

Operation


Feature	Description	References
Security reports	Security Center allows you to customize security reports. After you enable this feature, Security Center sends daily emails that have security statistics to the specified recipients.	Create a security report
Playbook	Security Center allows you to manage tasks. You can run tasks to enable automatic fixing of vulnerabilities in multiple assets at a time.	None
Multi-account control	Security Center allows you to manage multiple Alibaba Cloud accounts and resource accounts in an enterprise. You can monitor the security status of accounts in a resource directory.	Use the multi-account control feature

Application marketplace


Feature	Description	Basic	Anti-virus	Advanced	Enterprise	Ultimate	References
Web tamper proofing	Security Center monitors website directories and restores maliciously modified files or directories by using backups. Security Center protects websites from malicious modification, trojans, hidden links, and insertion of violence or pornography content. Security Center allows you to add trusted Windows and Linux processes to whitelists. After a process is added to a whitelist, Security Center no longer blocks the process.		Value-added	Value-added	Value-added	Value-added	Web tamper proofing
Configuration check of security groups	Security Center detects weak rules in ECS security groups and provides solutions. This allows you to use the security group feature in a more secure and efficient manner.						Security group checks

Settings page


Feature	Description	References
Settings page	Proactive Defense - Anti-Virus This feature automatically quarantines common network viruses, such as common ransomware, DDoS trojans, mining programs, trojans, malicious programs, webshells, and computer worms.	Use proactive defense
	Proactive Defense - Anti-ransomware (Bait Capture) This feature uses bait to capture the new types of ransomware and analyzes the patterns of the new types of ransomware to protect your assets.
	Proactive Defense - Webshell Protection This feature automatically intercepts abnormal connections that are initiated by attackers based on known webshells and quarantines related files.
	Proactive Defense - Behavior prevention This feature intercepts the abnormal network behavior between your servers and disclosed malicious access sources, which reinforces the security of your servers.
	Proactive Defense - Active defense experience optimization If your server unexpectedly shuts down or the defense capability is unavailable, Security Center collects server data by using the kdump service for protection analysis. This enhances the protection capability of Security Center on an ongoing basis.
	Webshell detection Security Center periodically scans web directories to detect webshells and trojans on your servers.	Use the webshell detection feature
	Kubernetes threat detection Security Center monitors the status of running containers in a Kubernetes cluster. This allows you to detect security risks and attacker intrusions at the earliest opportunity.	Use threat detection on Kubernetes containers
	Adaptive threat detection If a high-risk intrusion is detected on your server after the adaptive threat detection feature is enabled, the Security Center agent on your server automatically runs in Safeguard Mode For Major Activities mode. This mode helps detect intrusions in a faster and more comprehensive manner.	Use adaptive threat detection
	Automatic alert correlation analysis After you enable this feature, Security Center automatically aggregates multiple alerts that are generated for the same IP address, the same service, or the same user into one alert. This makes alert handling more efficient.	Enable automatic alert correlation analysis
	Security control Security control allows you to configure the IP address whitelist. Requests initiated from IP addresses in the whitelist are directly forwarded to destination servers. This prevents normal network traffic from being blocked.	Use the security control feature
	Access control Resource Access Management (RAM) allows you to create and manage RAM users, such as individuals, system administrators, and application administrators. You can manage RAM user permissions to control access to Alibaba Cloud resources.	Use RAM
	Protection modes Security Center provides multiple modes to protect your server in different scenarios. You can configure the following protection modes to protect your server: Basic Protection Mode. All editions support this mode. High-security Prevention Mode. Only the Anti-virus, Advanced, Enterprise, and Ultimate editions support this mode. Safeguard Mode for Major Activities. Only the Enterprise and Ultimate editions support this mode.	Manage protection modes
	Client protection After you enable the client protection feature, Security Center automatically intercepts unauthorized agent uninstallation. This feature prevents the agent from being uninstalled by attackers or terminated by other software.	Use the client protection feature
Notifications	Security Center allows you to customize alert notifications. For example, you can specify notification methods and alert severities. Security Center sends the alert notifications by using text messages, emails, internal messages, and DingTalk chatbots. You can configure notifications for the following items: Vulnerabilities Baseline risks Alerts Information about AccessKey pair leaks Configuration risks of Alibaba Cloud services Intelligence of urgent vulnerabilities Tampered web pages Note If you want to use DingTalk chatbots to send alert notifications, make sure that Security Center runs the Enterprise edition.	Notifications
Installation and uninstallation of the Security Center agent	Security Center allows you to install and uninstall the Security Center agent.	Install and uninstall the Security Center agent

Threat detection limits

When Security Center detects risks, it sends security alerts to you without delay. You can manage security alerts, scan for vulnerabilities, analyze attacks, and perform configuration assessment in the Security Center console. Security Center can also analyze alerts and automatically trace attacks. This reinforces the security of your assets. To protect your assets against attacks, we recommend that you regularly install the latest security patches on your server, and use other security services along with Security Center, such as Cloud Firewall and Web Application Firewall (WAF).

Note Due to the evolution of attacks and viruses, and the variation of workload environments, security breaches may occur. We recommend that you use the alerting, vulnerability detection, baseline check, and configuration assessment features provided by Security Center to protect your assets against attacks.