Security Center's anti-ransomware feature backs up your server data to Cloud Backup. If ransomware encrypts or steals your data, restore it from a backup to minimize downtime and data loss.
Prerequisites
Before you begin, make sure that you have:
Purchased anti-ransomware capacity and authorized your account — see Enable anti-ransomware
Installed the Security Center agent on the server — see Install the Security Center agent
How it works
When you create an anti-ransomware policy, Security Center installs the anti-ransomware agent on the protected servers and starts backing up data to Cloud Backup.
First backup: A full backup of all protected directories. This consumes significant CPU and memory resources, so schedule it during off-peak hours.
Subsequent backups: Incremental — only files that are newly created, modified, or deleted since the last backup. This reduces resource usage and anti-ransomware capacity consumption.
The number of backup jobs per policy depends on the policy version and the directories configured. See Version description of the anti-ransomware agent for details.
Create an anti-ransomware policy
Before creating a policy, verify that your server's operating system is supported. If the OS version is not supported, data cannot be backed up. See Operating systems and versions supported by anti-ransomware for servers.
Log on to the Security Center console. In the top navigation bar, select the region of the asset: China or Outside China.
In the left-side navigation pane, choose Protection Configuration > Host Protection > Anti-ransomware.
On the Anti-ransomware for Servers tab, click Create Anti-ransomware Policy.
In the Create Anti-ransomware Policy panel, configure the basic parameters.
Elastic Compute Service (ECS) instances can span different regions in a single policy. Servers not deployed on Alibaba Cloud must all be in the same region. A server can belong to only one anti-ransomware policy.
| Parameter | Description |
|---|---|
| Policy name | Name of the anti-ransomware policy |
| Server type | Type of server to protect |
| Backup route | Communication method for backup. Required only when Server type is Server Not Deployed on Alibaba Cloud. Internet: may incur bandwidth charges. Internal network: requires connectivity via virtual private clouds (VPCs), Express Connect circuits, or Cloud Enterprise Network (CEN) instances. |
| Region | The region where the server resides, or any region with an available anti-ransomware endpoint. Required only when Server type is Server Not Deployed on Alibaba Cloud. Make sure the server can reach the anti-ransomware endpoint in the selected region. See Anti-ransomware endpoints. |
| Select asset | Assets to protect. Select an asset, an asset group, or multiple assets across groups. In the Asset group section, select a group to include all assets in it, then clear assets that don't need protection in the Assets section. To find a specific asset, enter its name in the search box (fuzzy match is supported). |
Under Protection policies, select Recommended policy or Custom policy, then click OK.
Recommended policy
The recommended policy uses built-in defaults and cannot be modified:
| Setting | Default value |
|---|---|
| Directory to protect | All directories |
| Directory to exclude | Default excluded directories |
| Non-local mount path | Excluded (Object Storage Service (OSS) objects and NAS file systems) |
| File type to protect | All file types |
| First backup starts at | Between 00:00 and 03:00 |
| Periodic backup interval | One day |
| Backup data retention period | 7 days |
| Maximum backup bandwidth | 0 MB/s for Alibaba Cloud servers (no limit); 5 MB/s for servers not deployed on Alibaba Cloud |
Custom policy
Configure the following parameters to match your requirements:
| Parameter | Description |
|---|---|
| Directory to protect | Specific directory: back up only specified directories. Enter up to 20 directory paths (for example, C:\Program Files (x86)\ on Windows or /usr/bin/ on Linux). Backup jobs run in sequence per path, which limits peak resource usage. All directories: back up the entire server. |
| Directory to exclude | Directories to skip. Security Center pre-fills common exclusions; add or remove as needed. |
| Non-local mount path | Select whether to exclude non-local mount paths such as OSS or NAS mounts. |
| File type to protect | All file types: protect all files. Specific file types: protect only selected types (for example, Document, Picture). Multiple types can be selected. |
| First backup starts at | Time to start the first backup job. Schedule during off-peak hours to avoid impacting services during the initial full backup. |
| Periodic backup interval | Interval between backup jobs. Default: one day. |
| Backup data retention period | How long backup data is kept. Default: 7 days. Permanent: retained until Security Center expires, the policy is deleted, or the server is removed from the policy. Custom: 1 to 65,535 days. Set based on your recovery requirements — data outside the retention period is deleted automatically. |
| Maximum backup bandwidth | Maximum bandwidth for backup jobs, in MB/s (0 to unlimited). 0 MB/s means no limit for Alibaba Cloud servers. For servers not deployed on Alibaba Cloud, the default is 5 MB/s. Limit bandwidth if backup jobs affect service performance. |
After the policy is created, it is enabled immediately. Security Center installs the anti-ransomware agent on the protected servers and starts backing up data according to the policy schedule.
Monitor the anti-ransomware agent status and address any exceptions promptly. An abnormal agent status causes backup and recovery jobs to fail. See View the status of the anti-ransomware agent.
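A pre-flight check of a planned set of policies against the limits this section states: one policy per server, a single region for servers not deployed on Alibaba Cloud, up to 20 directory paths, and 1 to 65,535 retention days. This is an added example, not Security Center code; the dictionary layout, the `server_type` values and the `recovery_window_days` parameter are assumptions for illustration.

```python
# Added example: the plan layout and field names below are assumptions,
# not a Security Center API. Limits are the ones stated on this page.
from collections import Counter

MAX_PATHS = 20                  # "Enter up to 20 directory paths"
RETENTION_RANGE = (1, 65535)    # custom retention period, in days

def check_policies(policies, recovery_window_days):
    """Return (policy_name, problem) tuples; an empty list means no findings."""
    findings = []
    # A server can belong to only one anti-ransomware policy.
    seen = Counter(s["id"] for p in policies for s in p["servers"])
    for p in policies:
        name = p["name"]
        for s in p["servers"]:
            if seen[s["id"]] > 1:
                findings.append((name, f"server {s['id']} is in more than one policy"))
        # Servers not deployed on Alibaba Cloud must all be in the same region.
        if p["server_type"] == "non-alibaba":
            regions = {s["region"] for s in p["servers"]}
            if len(regions) > 1:
                findings.append((name, f"non-Alibaba servers span regions {sorted(regions)}"))
        paths = p.get("protect_paths")       # None means "All directories"
        if paths is not None and not 1 <= len(paths) <= MAX_PATHS:
            findings.append((name, f"{len(paths)} protected paths (limit {MAX_PATHS})"))
        ret = p["retention_days"]            # None means "Permanent"
        if ret is not None:
            if not RETENTION_RANGE[0] <= ret <= RETENTION_RANGE[1]:
                findings.append((name, f"retention {ret} days outside 1-65535"))
            elif ret < recovery_window_days:  # oldest restore point you need, in days
                findings.append((name, f"retention {ret} days shorter than the "
                                       f"{recovery_window_days}-day recovery window"))
    return findings

# Constructed sample plan (server ids and region names are placeholders).
SAMPLE = [
    {"name": "ecs-prod", "server_type": "ecs", "retention_days": 7, "protect_paths": None,
     "servers": [{"id": "ecs-1", "region": "region-a"}, {"id": "ecs-2", "region": "region-b"}]},
    {"name": "idc-db", "server_type": "non-alibaba", "retention_days": 30,
     "protect_paths": ["/var/lib/mysql/"],
     "servers": [{"id": "idc-1", "region": "region-a"}, {"id": "idc-2", "region": "region-b"}]},
    {"name": "idc-files", "server_type": "non-alibaba", "retention_days": 70000,
     "protect_paths": [f"/data/share{i}/" for i in range(21)],
     "servers": [{"id": "idc-1", "region": "region-a"}]},
]

if __name__ == "__main__":
    for policy, problem in check_policies(SAMPLE, recovery_window_days=14):
        print(f"{policy}: {problem}")
```

The ECS policy spanning two regions produces no region finding, as the page allows; its only finding is that the 7-day retention is shorter than the assumed 14-day recovery window.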
Reconfigure policies after replacing a server's operating system
After replacing the operating system on a protected server, the configured protected directories remain unchanged. This can cause high resource usage or backup failures because the directories may not match the new OS.
After an OS replacement:
If the existing policy still meets the protection requirements: remove the server from the policy and re-add it.
If the existing policy no longer meets the requirements: modify the policy, or remove the server and create a new policy for it.
Manage the anti-ransomware agent
Version description of the anti-ransomware agent
New policies are created as V2.0. Existing V1.0 policies cannot be modified, but can be upgraded.
| Item | V1.0 anti-ransomware policy | V2.0 anti-ransomware policy |
|---|---|---|
| Custom directories to exclude | Not supported | Supported |
| Classic network | — | — |
| Compatibility with Cloud Backup | — | — |
| Backup method | Multiple backup jobs run simultaneously — may cause high CPU utilization | Multiple backup jobs run in sequence — lower resource usage |
How backup jobs are scheduled by version and directory type:
| Directory to back up | V1.0 policy | V2.0 policy |
|---|---|---|
| All directories | Linux: one backup job. Windows: one backup job per data disk — two disks run simultaneously, consuming more CPU and memory. Schedule carefully based on CPU utilization and memory usage. | One backup job per server; multiple servers run in sequence. Lower resource usage with no service impact. |
| Specific directories | One backup job per directory path; jobs run simultaneously and may consume significant CPU and memory. Specify only the directories your business requires. | (same as V1.0 for specific directories) |
Upgrade V1.0 policies to V2.0
Upgrade a V1.0 policy by clicking Upgrade in the Actions column of the policy list. The anti-ransomware agent is automatically upgraded to V2.X.X during the policy upgrade.

The upgrade does not affect existing backup data — backup jobs continue running after the upgrade. If the upgrade fails, the agent automatically rolls back to V1.X.X and backup jobs are not interrupted. If a specific server's agent cannot be upgraded automatically: remove that server from the policy, click Upgrade for the policy, then re-add the server. The V2.X.X agent is installed automatically when the server is re-added.
View the status of the anti-ransomware agent
After creating a policy, check that the agent status for each protected server is Online. Security Center can only back up data when the agent is online.
To check agent status: on the Anti-ransomware for Servers tab, find the policy and click the icon next to the policy name. The expanded server list shows the status in the Agent status column.
To verify that backups are running: find a server and click the number in the Recoverable versions column. In the Recoverable data versions panel, the Version name column lists available backup versions. The Version column shows when each backup started.
If the status is Exception, backup jobs are failing. Exceptions may also affect data restoration, but restoration errors do not impact backup jobs. Identify and resolve the cause — see Troubleshoot the issues that cause the abnormal status of the anti-ransomware agent and backup tasks.
Agent status and recommended actions
Use this table to determine the right action based on current agent status:
| Agent status | Meaning | Recommended action |
|---|---|---|
| Online | Agent is running normally; backups proceed on schedule | No action required. Verify backups by checking the Recoverable versions column. |
| Exception | Agent has encountered an error; backup jobs are failing | Identify and resolve the root cause. See Troubleshoot abnormal agent status. If the agent cannot recover, uninstall and reinstall it. |
Manually install the anti-ransomware agent
After you create a policy, Security Center installs the anti-ransomware agent automatically. If the server is offline or has restrictive firewall rules, the installation may fail.
If automatic installation fails, diagnose the cause, resolve it, then install the agent manually. See Manage servers that are added to an anti-ransomware policy.

Uninstall the anti-ransomware agent
If the agent on a protected server is abnormal, uninstall it and then reinstall it.
To uninstall: click Uninstall in the Actions column for the server.
If you uninstall within the configured retention period, backup data is preserved.
If you uninstall after the retention period has passed, backup data is deleted.

Delete the anti-ransomware agent
Delete the agent to remove a server from anti-ransomware protection entirely.
Deleting the agent permanently deletes all backup data for that server. Deleted backup data cannot be restored. Proceed with caution.
After deletion, the server is removed from the policy's protected server list, and the occupied anti-ransomware capacity is released. Capacity is updated within 24 to 72 hours after release.
If anti-ransomware capacity runs out, backup jobs stop and Security Center performs a full backup when capacity is restored — significantly increasing server resource usage. Avoid letting capacity run out.
