Security Center provides various features, such as Malicious Behavior Defense, anti-ransomware, and webshell protection. You can enable the features to protect your server. This topic describes the features that you can enable on the Host Protection Settings tab. This topic also describes how to enable the features.

Proactive Defense

Overview

Proactive defense automatically intercepts common viruses, malicious network connections, and webshell connections. Proactive defense also allows you to use bait to capture ransomware. The following table describes the features of proactive defense.
Feature: Malicious Behavior Defense
Supported edition: Anti-virus, Advanced, Enterprise, and Ultimate
Description: The Malicious Behavior Defense feature automatically detects and removes common network viruses, such as ransomware, DDoS trojans, mining programs, trojans, malicious programs, webshells, and computer worms.

After you purchase Security Center Anti-virus or a higher edition, Security Center automatically enables the Malicious Behavior Defense feature for all your servers.

The following list describes the differences between the capabilities of the editions:
  • Security Center Anti-virus can automatically block common viruses, such as trojans and mining programs.
  • Security Center Advanced, Enterprise, and Ultimate provide more comprehensive defense capabilities. These editions can intercept common attack techniques described in the ATT&CK framework, intercept large-scale intrusion events that target common services and applications, block the encryption behavior of common ransomware, and support custom rules to protect hosts. For more information about custom defense rules, see Malicious behavior defense.
Note A computer virus is a type of malicious program that writes malicious code into normal program files so that the code runs whenever those programs run. As a result, a large number of normal programs become infected and are detected as virus hosts. Because infected programs can include system processes, quarantining them can terminate system processes unexpectedly and destabilize the system. For this reason, Security Center does not automatically quarantine computer viruses. You must handle the viruses manually.

Feature: Anti-ransomware (Bait Capture)
Supported edition: Advanced, Enterprise, and Ultimate
Description: This feature uses bait files to capture new types of ransomware and analyzes the behavior patterns of the captured ransomware to protect your servers.

The bait files that Security Center places on your servers are used only to capture new types of ransomware; they do not interrupt your services. On the Alerts page, you can select Precision defense for Alert Type to view quarantined ransomware.

Feature: Webshell Protection
Supported edition: Enterprise and Ultimate
Description: After you enable this feature, Security Center automatically intercepts suspicious connections that are initiated by known webshells and quarantines the related files. You can view the related alerts and quarantined files on the Alerts page. For more information, see View and handle alert events and Quarantine.
Note After you purchase the Enterprise or Ultimate edition of Security Center, Security Center automatically enables the webshell protection feature for all your servers.

Feature: Behavior prevention
Supported edition: Enterprise and Ultimate
Description: After you enable this feature, Security Center intercepts abnormal network traffic between your servers and known malicious access sources. This reinforces the security of your servers.

Feature: Active defense experience optimization
Supported edition: Enterprise and Ultimate
Description: After you enable this feature, Security Center collects kdump data from your servers for protection analysis when a server unexpectedly shuts down or the defense capability becomes unavailable. The data is used to continuously improve the protection capabilities of Security Center.

Note If all features in the Proactive Defense section are disabled, Security Center only generates alerts when it detects viruses and does not block them. You must log on to the Security Center console and handle the alerts manually. We recommend that you enable the features in the Proactive Defense section to reinforce the security of your servers. For more information about how to handle alerts, see View and handle alert events.
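How bait capture works in principle, as an added illustration that is not Security Center's own implementation: decoy files with known content are planted beside real data, and any process that encrypts, renames, or deletes a decoy trips the canary. The decoy names, their contents, and the toy encryptor used to trigger the canary are all constructed for this example.

```python
"""Bait-file (honeyfile) ransomware canary.

Added example for illustration; it is not Security Center's implementation of
Anti-ransomware (Bait Capture). Decoy files with known content are planted
beside real data; a process that encrypts, renames or deletes a decoy trips
the canary. Decoy names, contents and the toy encryptor are all constructed.
"""
import hashlib
import os
import tempfile

# Constructed decoy names. Ransomware usually walks directories in sorted
# order, so names that sort first are touched early and trip the canary fast.
BAIT_NAMES = ["!!_backup_keys.docx", "000_finance_2023.xlsx", "__passwords.txt"]
BAIT_CONTENT = b"canary-file do-not-modify " * 64


def plant_baits(directory):
    """Write the decoys and return a {path: sha256} baseline."""
    baseline = {}
    for name in BAIT_NAMES:
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(BAIT_CONTENT)
        baseline[path] = hashlib.sha256(BAIT_CONTENT).hexdigest()
    return baseline


def check_baits(baseline):
    """Return [(path, reason)] for every decoy that no longer matches."""
    tripped = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            tripped.append((path, "missing"))   # deleted or renamed (e.g. .locked)
            continue
        with open(path, "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() != digest:
            tripped.append((path, "modified"))  # overwritten in place
    return tripped


def toy_encryptor(directory, rename=True, key=0x5A):
    """Constructed stand-in for ransomware: XOR every regular file.

    rename=True writes <name>.locked and deletes the original (the common
    pattern); rename=False overwrites the file in place.
    """
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or name.endswith(".locked"):
            continue
        with open(path, "rb") as f:
            data = bytes(b ^ key for b in f.read())
        target = path + ".locked" if rename else path
        with open(target, "wb") as f:
            f.write(data)
        if rename:
            os.remove(path)


def run_scenario(rename):
    """Plant decoys next to a real file, run the encryptor, return the trips."""
    workdir = tempfile.mkdtemp(prefix="bait-demo-")
    with open(os.path.join(workdir, "report.txt"), "wb") as f:
        f.write(b"real user data")
    baseline = plant_baits(workdir)
    assert check_baits(baseline) == []      # quiet before any tampering
    toy_encryptor(workdir, rename=rename)
    return check_baits(baseline)


if __name__ == "__main__":
    for rename in (True, False):
        for path, reason in run_scenario(rename):
            print(f"ALERT decoy {os.path.basename(path)} {reason}")
```

A real deployment would poll or watch the decoys continuously and, on a trip, suspend the writing process and record it for analysis. The decoys also need to be excluded from backup, indexing, and cleanup jobs so that legitimate activity does not trip them.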

Enable the features of proactive defense

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
  2. In the left-side navigation pane, choose System Configuration > Feature Settings.
  3. On the Host Protection Settings tab of the Settings tab, turn on Malicious Behavior Defense, Anti-ransomware (Bait Capture), Webshell Protection, and Behavior prevention in the Proactive Defense section.
    After you turn on all switches in the Proactive Defense section, Security Center enables the following features for your servers: Malicious Behavior Defense, anti-ransomware, webshell protection, and defense against access to malicious sources.
  4. Click Manage for Malicious Behavior Defense, Anti-ransomware (Bait Capture), Webshell Protection, or Behavior prevention to configure the scope of detection.
  5. In the Proactive Defense - Malicious Behavior Defense, Proactive Defense - Anti-ransomware (Bait Capture), Proactive Defense - Webshell Protection, or Proactive Defense - Behavior prevention panel, specify the servers for which you want to enable detection.
  6. Click Determine.
    After you turn on Malicious Behavior Defense, Anti-ransomware (Bait Capture), Webshell Protection, and Behavior prevention in the Proactive Defense section, Security Center automatically blocks the programs and processes that are related to the detected viruses and intercepts suspicious connections.
  7. Optional: Select Active defense experience optimization.
    After you select Active defense experience optimization, Security Center collects diagnostic data from your servers when the agent encounters an exception, such as an unexpected shutdown. We recommend that you select Active defense experience optimization to reinforce the security of your servers.

What to do next

On the Alerts page, filter alerts by Handled and click Precision defense below Alert Type to view the viruses quarantined by proactive defense.
Note False positives or quarantine failures may occur after you enable the Malicious Behavior Defense, Anti-ransomware (Bait Capture), and Webshell Protection features.
  • If some files are quarantined due to false positives, you can restore the quarantined files in the Quarantine panel. For more information, see Quarantine.
  • If Security Center fails to quarantine a file, you can quarantine the file manually on the Alerts page. For more information, see View and handle alert events.

Webshell Detection

The feature of webshell detection and removal uses engines developed by Alibaba Cloud to scan for common webshell files, supports scheduled scan tasks, provides real-time protection, and allows you to quarantine webshell files with a few clicks. The feature scans servers and web directories for webshells and trojans at regular intervals. Security Center runs webshell detection tasks and generates alerts only after webshell detection and removal is enabled.
  • Security Center scans all web directories on a server once a day in the early morning. If a file in a web directory changes, Security Center immediately scans the file for webshells.
  • You can specify the assets on which Security Center scans for webshells.
  • You can quarantine, restore, or ignore the detected trojan files.
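The kind of check behind "scan web directories for webshells", together with the quarantine and restore workflow used to handle hits and false positives, as an added example that is not Security Center's detection engine or console code. The signature list, the sample web root, and the quarantine layout are constructed and deliberately small; a production engine uses far more patterns plus behavioral analysis.

```python
"""Webshell scan with quarantine and restore.

Added example, not Security Center's own engine: it shows what a signature
scan over a web directory looks like and how quarantine/restore of a hit can
be done without losing the file. Signatures and sample files are constructed.
"""
import hashlib
import json
import os
import re
import shutil
import tempfile

# Constructed signature list: (name, regex applied to raw file bytes).
SIGNATURES = [
    ("php-eval-request", re.compile(rb"\beval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b")),
    ("php-encoded-eval", re.compile(rb"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(")),
    ("php-exec-request", re.compile(rb"\b(?:system|passthru|shell_exec|exec)\s*\(\s*\$_(?:POST|GET|REQUEST)\b")),
    ("jsp-runtime-exec", re.compile(rb"Runtime\.getRuntime\(\)\.exec\s*\(\s*request\.getParameter")),
]
WEB_EXTENSIONS = (".php", ".phtml", ".jsp", ".jspx", ".asp", ".aspx")


def scan_directory(web_root):
    """Return {path: [signature names]} for every script file that matches."""
    hits = {}
    for dirpath, _, files in os.walk(web_root):
        for name in files:
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            matched = [sig for sig, rx in SIGNATURES if rx.search(data)]
            if matched:
                hits[path] = matched
    return hits


def quarantine(path, quarantine_dir):
    """Move a file into quarantine, keyed by content hash, and record its origin."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    dest = os.path.join(quarantine_dir, digest)   # identical files share one slot
    shutil.move(path, dest)
    with open(dest + ".json", "w") as f:
        json.dump({"original_path": path, "sha256": digest}, f)
    return dest


def restore(dest):
    """Undo a quarantine (false-positive handling): move the file back."""
    with open(dest + ".json") as f:
        meta = json.load(f)
    os.makedirs(os.path.dirname(meta["original_path"]), exist_ok=True)
    shutil.move(dest, meta["original_path"])
    os.remove(dest + ".json")
    return meta["original_path"]


# Constructed sample web root: two benign pages and three webshells.
SAMPLE_FILES = {
    "index.php": b"<?php echo 'hello'; include 'lib.php'; ?>",
    "lib.php": b"<?php function f($x){ return strlen($x); } ?>",
    "uploads/c.php": b"<?php @eval($_POST['x']); ?>",
    "uploads/img.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
    "admin/s.jsp": b"<% Runtime.getRuntime().exec(request.getParameter(\"cmd\")); %>",
}


def demo():
    """Build the sample tree, scan it, quarantine hits, restore one, rescan."""
    root = tempfile.mkdtemp(prefix="webroot-")
    qdir = tempfile.mkdtemp(prefix="quarantine-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    hits = scan_directory(root)
    quarantined = {p: quarantine(p, qdir) for p in hits}
    # Treat img.php as a false positive and put it back where it was.
    restored = restore(quarantined[os.path.join(root, "uploads/img.php")])
    remaining = scan_directory(root)
    return {
        "hit_names": sorted(os.path.relpath(p, root) for p in hits),
        "restored": os.path.relpath(restored, root),
        "remaining": sorted(os.path.relpath(p, root) for p in remaining),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Quarantining by moving rather than deleting is what makes the restore path in the next section possible; the JSON sidecar is the only record of where a file came from, so it must be written before the hit is reported.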

Limits

Only the Enterprise and Ultimate editions of Security Center support this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

Enable webshell detection and removal for servers

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
  2. In the left-side navigation pane, choose System Configuration > Feature Settings.
  3. On the Host Protection Settings tab of the Settings tab, click Manage in the Webshell Detection section.
  4. In the Configure Servers for Webshell Detection panel, select the servers for which you want to enable webshell detection and removal and click Determine.

What to do next

After you enable webshell detection and removal for your servers, you can view the alerts whose type is WebShell on the Alerts page. Until you handle an alert, the detected webshell remains on the server and can still be used by an attacker. We recommend that you handle the alerts at the earliest opportunity. For more information, see View and handle alert events.

Dynamic adaptive threat detection capability

Adaptive threat detection escalates protection in response to a high-risk intrusion. If a high-risk intrusion is detected on a server after the feature is enabled, the Security Center agent on that server automatically switches to the Safeguard Mode For Major Activities mode, which enables all protection rules and security engines and detects intrusions more comprehensively.

The feature is disabled by default, and you must enable it manually. After the switch, Security Center protects the server at the high level for seven days and generates alerts for all suspicious intrusions and potential threats. For more information about this mode, see Protection Mode.
Note If you manually configure a protection mode for the Security Center agent during the 7-day protection period, the agent runs in the configured mode. After the 7-day protection period ends, the adaptive threat detection feature does not change the protection mode that you configured.

Limits

Only the Enterprise and Ultimate editions of Security Center support this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

Enable adaptive threat detection

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
  2. In the left-side navigation pane, choose System Configuration > Feature Settings.
  3. If you have not authorized Security Center to access your cloud resources, click Authorize Now in the Dynamic adaptive threat detection capability section of the Host Protection Settings tab on the General tab.
    This way, Security Center is authorized to access your cloud resources. After the authorization is successful, Resource Access Management (RAM) automatically creates a RAM role named AliyunServiceRoleForSas. Security Center uses this RAM role to access cloud resources of your services and protect the resources. For more information, see Service-linked roles for Security Center.
  4. Turn on Dynamic and adaptive threat detection.

Protection Mode

The Security Center agent is a local plug-in provided by Security Center. Before you can use Security Center to protect your servers, you must install the Security Center agent on your servers. Security Center provides multiple protection modes. This allows the Security Center agent to run in different modes to meet security requirements in different scenarios. For more information about the Security Center agent, see Overview of the Security Center agent.

Supported protection modes

The Security Center agent consumes a small amount of resources on your server while it runs. The protection mode of the agent determines the maximum CPU and memory that the agent may consume, and therefore how many detection engines and rules it can run. Select the protection mode that matches the importance of the workloads on a server. The following table describes the protection modes supported by the Security Center agent.

Protection mode: Basic Protection Mode
Maximum resource consumption:
  • Maximum memory usage: 200 MB
  • Maximum CPU utilization: 10% per core
Supported edition: All editions
Scenario: This mode is suitable for all service scenarios. In this mode, the Security Center agent consumes a small amount of resources and does not affect your workloads.
Note By default, the basic protection mode is enabled for newly purchased Elastic Compute Service (ECS) instances.

Protection mode: High-security Prevention Mode
Maximum resource consumption:
  • Maximum memory usage: 300 MB
  • Maximum CPU utilization: 30% per core
Supported edition: Anti-virus, Advanced, Enterprise, and Ultimate
Scenario: This mode is suitable for scenarios in which important workloads need to be protected. In this mode, the Security Center agent can identify more types of potential attacks and threats by using the big data analytics engine, machine learning engine, and deep learning engine.

Protection mode: Safeguard Mode For Major Activities
Maximum resource consumption:
  • Maximum memory usage: 500 MB
  • Maximum CPU utilization: 60% for all cores
Supported edition: Enterprise and Ultimate
Scenario: This mode is suitable for major events. In this mode, the Security Center agent enables all protection rules and security engines and enhances its ability to detect potential threats based on intelligent rules. Security Center generates alerts for all potential attacks and threats.

Note If the resources consumed by the Security Center agent exceed the upper limit of the selected mode, the agent stops running, which leaves the server without agent-based protection until the agent restarts. After the consumed resources drop below the upper limit, the agent automatically restarts. The upper limits for each mode are listed under Maximum resource consumption in the preceding table.

Configure a protection mode

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
  2. In the left-side navigation pane, choose System Configuration > Feature Settings.
  3. On the Host Protection Settings tab of the Settings tab, click Manage for High-security Prevention Mode or Safeguard Mode For Major Activities in the Protection Mode section.
  4. In the High-security Prevention Mode or Safeguard Mode For Major Activities panel, select the servers for which you want to enable the High-security Prevention Mode or Safeguard Mode For Major Activities mode and click Determine.
    Note You can enable only one of the High-security Prevention Mode and Safeguard Mode For Major Activities modes for a server. For example, the protection mode of a server is High-security Prevention Mode. If you enable the Safeguard Mode For Major Activities mode for the server, the protection mode of the server changes to Safeguard Mode For Major Activities.
  5. Optional: In the Safeguard Mode For Major Activities section, select a percentage from the CPU Threshold drop-down list to specify the CPU utilization threshold.
    The Safeguard Mode For Major Activities mode allows you to specify the CPU utilization threshold. A higher threshold allows the agent to use more CPU and therefore supports more thorough detection. You can set CPU Threshold to a value that ranges from 5% to 60%. The default value is 5%.
    Note In the Safeguard Mode For Major Activities mode, more types of threats can be detected and more alerts are triggered. As a result, the false positive rate may increase. We recommend that you pay attention to the alerts and handle them at the earliest opportunity.