How to install the Security Center agent - Security Center

The Security Center agent is a lightweight security proxy you deploy on your servers. Once installed, it collects security data in real time, reports findings to the Security Center service over an encrypted channel, and executes security commands such as vulnerability scans and baseline checks. The agent is the foundation for centralized risk management and threat response across all your servers, whether they run in the cloud or on-premises.

How it works

The agent runs the following workflow after installation:

Registration — The agent downloads automatically and registers with the Security Center service using a unique installation key.
Data collection — The agent collects processes, network connections, and logon behaviors in real time.
Data reporting — Collected data is sent to the service over a Transport Layer Security (TLS) encrypted channel. The agent adapts to proxy environments automatically.
Command execution — The agent receives and runs security commands from the service, such as vulnerability scans and baseline checks, and reports results.
Heartbeat — The agent sends periodic heartbeat signals so the console can display your servers' real-time protection status.

Prerequisites

Before you begin, confirm the following:

Supported operating system — The target server runs a supported OS. See Supported operating systems.
Account ownership — The server belongs to your current Alibaba Cloud account. Cross-account installation is not supported.
Administrator or root permissions — You must run the installation command as an account with administrator (Windows) or root (Linux) permissions.
No previous agent installed — If an older agent is present, uninstall it first and delete any remaining files from the installation directory:
- Linux: /usr/local/aegis
- Windows (32-bit): C:\Program Files\Alibaba\aegis
- Windows (64-bit): C:\Program Files (x86)\Alibaba\aegis

To protect resources that belong to other Alibaba Cloud accounts, use the multi-account management feature.

Installation notes:

Each server takes about 5 minutes to install.
Installation does not require a server restart and does not interrupt running workloads.
During high-payload tasks such as scans, CPU and memory usage of the agent may temporarily increase.

Check which servers need the agent:

Log on to the Security Center consoleSecurity Center consoleSecurity Center consoleSecurity Center consoleSecurity Center console.
In the left navigation pane, choose System Settings > Feature Settings. In the upper-left corner, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
On the Agent > Agent Not Installed tab, view the list of servers without the agent.

Choose an installation method

Method	When to use	Key advantage
One-click installation	Running Alibaba Cloud ECS instances in a supported region, using VPC, with Cloud Assistant installed	No server login required
General installation	Any server with internet access, including ECS and non-Alibaba Cloud servers	Works with all major operating systems
Batch installation using an image	Creating multiple servers at scale with the agent pre-installed	Create the image once; reuse across deployments
Installation in restricted or complex network environments	Servers without direct internet access, or requiring a proxy or leased line	Adapts to proxy and leased-line network topologies

One-click installation

Use this method if your ECS instance meets all of the following conditions:

The instance is in the Running state and has the Cloud Assistant client installed.
If Cloud Assistant is not installed, install it first. See Cloud Assistant.
The network type is VPC.

The instance is in one of the following regions:

Category	Regions
Asia-Pacific	China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Japan (Tokyo)
Europe and Americas	Germany (Frankfurt), UK (London), US (Silicon Valley), US (Virginia)
Middle East and India	UAE (Dubai)

Third-party security software is disabled or uninstalled.
After the Security Center agent is installed, you can re-enable or reinstall third-party security software.

Steps:

Log on to the Security Center consoleSecurity Center consoleSecurity Center consoleSecurity Center consoleSecurity Center console.
In the left navigation pane, choose System Settings > Feature Settings. In the upper-left corner, select China or Outside China.
On the Agent > Agent Not Installed tab, find the target server and click Install Agent in the Actions column.
To install the agent on multiple servers at once, select them and click Install.

General installation

Use this method for any server with internet access.

Steps:

Log on to the Security Center consoleSecurity Center consoleSecurity Center consoleSecurity Center consoleSecurity Center console.
In the left navigation pane, choose System Settings > Feature Settings. In the upper-left corner, select Chinese Mainland or Outside Chinese Mainland.

On the Agent > Installation Command tab, copy the installation command for your server's operating system. Choose one of the following command types: To create a custom installation command, click Create Installation Command and configure the following parameters:

Default installation command — Requires no extra configuration. Servers are assigned to the Ungrouped group. Use this for a quick setup when you don't need to assign the server to a specific group immediately.
Custom installation command — Lets you set the server group, command expiration time, and access method at install time. Use this to automate asset categorization during deployment.

The command includes a unique installation key — the value after -k.

Parameter	Description
Expiration Time	The command expiration date. After this date, the command is invalid and the agent cannot be installed using it.
Service Provider	The service provider (SP) of the server.
Default Group	The server group to assign the server to. See Manage server groups.
OS	The operating system of the target server.
Create Image System	Select No for general installation.
Access Method	Select Public Endpoint to communicate directly through the server's public IP address.

Log on to the server and run the installation command:
- Windows — Run the command in Command Prompt (CMD) or PowerShell.
- Linux — Run the command in the server's command-line interface.

Batch installation using an image

Use this method when you need to create servers at scale with the agent pre-installed. The process installs agent files on a template server without activating them, captures an image, and then uses that image to create new instances.

Important

Do not restart the template server after running the image installation command. A restart activates the agent and generates a fixed agent ID that will conflict across all instances created from the image.

Step 1: Prepare the template server and generate the installation command

Prepare a clean server with no third-party security software installed.
Log on to the Security Center consoleSecurity Center consoleSecurity Center consoleSecurity Center consoleSecurity Center console.
In the left navigation pane, choose System Settings > Feature Settings. In the upper-left corner, select Chinese Mainland or Outside Chinese Mainland.
On the Agent > Installation Command tab, click Create Installation Command and set the following parameters:
- Create Image System: Select Yes. This is the most critical step.
- OS: Select the OS that matches your template server.
- Other parameters (such as Default Group): Configure as needed.

Step 2: Run the installation command on the template server

Log on to the template server with administrator permissions.
Run the image installation command. The script downloads agent files to the installation directory but does not start any service processes.
After the script completes, immediately shut down the template server. Do not restart it.

Step 3: Create and use the image

Warning

Do not restart the template server when creating the image.
Before reusing the same template server to create additional images, uninstall the old agent, delete remaining files, and generate a new installation command. Reusing the same command causes agent ID conflicts across instances.

Create a custom OS image from the powered-off template server. See Create a custom image.
Use the image to create new server instances. See Create an ECS instance from a custom image.
When each new instance starts for the first time, the agent automatically initializes, generates a unique agent ID, and connects to Security Center.

Installation in restricted or complex network environments

Use this method for servers without direct internet access. Security Center supports two access options:

Access via proxy — For servers that cannot reach the internet directly.
Access from outside the Chinese mainland over a third-party leased line: For scenarios where you connect to an Alibaba Cloud region over a third-party leased line and need to specify the region-specific domain name for Security Center.
Access via a leased line (outside China) — For servers connecting to an Alibaba Cloud region over a non-Alibaba Cloud leased line.

Important

The server must be able to reach Security Center service endpoints through the specified method (internet, proxy, leased line, or VPN).
This installation method does not support 32-bit Linux operating systems.

Access via proxy

Deploy and configure a proxy cluster. See Access via proxy.
Log on to the Security Center consoleSecurity Center consoleSecurity Center consoleSecurity Center consoleSecurity Center console.
In the left navigation pane, choose System Settings > Feature Settings. In the upper-left corner, select Chinese Mainland or Outside Chinese Mainland.
On the Agent > Installation Command tab, click Create Installation Command and configure the following parameters:
- Access Method: Select Self-managed Proxy Cluster and choose the proxy cluster you created.
- Create Image System: Select No (for proxy-only installation). If you also need image-based deployment, see Batch installation using an image.
- OS: Select the operating system of the target server.
- Other parameters (such as Default Group): Configure as needed.
Run the generated command on the target server. The agent communicates with Security Center through the specified proxy.

Access via a leased line (outside China)

This method applies to servers that are not hosted on Alibaba Cloud and are located outside China, connecting to an Alibaba Cloud region over a non-Alibaba Cloud leased line.

Step 1: Find your region's domain names

Important

Make sure the region-specific Security Center domain names are accessible from your server before running the installation command.

Region	Domain names
Malaysia (Kuala Lumpur)	`jsrv-ap-southeast-3.aegis.aliyuncs.com` / `update-ap-southeast-3.aegis.aliyuncs.com`
Philippines (Manila)	`jsrv-ap-southeast-6.aegis.aliyuncs.com` / `update-ap-southeast-6.aegis.aliyuncs.com`
South Korea (Seoul)	`jsrv-ap-northeast-2.aegis.aliyuncs.com` / `update-ap-northeast-2.aegis.aliyuncs.com`
Thailand (Bangkok)	`jsrv-ap-southeast-7.aegis.aliyuncs.com` / `update-ap-southeast-7.aegis.aliyuncs.com`
SAU (Riyadh - Partner Region)	`jsrv-me-central-1.aegis.aliyuncs.com` / `update-me-central-1.aegis.aliyuncs.com`
Indonesia (Jakarta)	`jsrv-ap-southeast-5.aegis.aliyuncs.com` / `update-ap-southeast-5.aegis.aliyuncs.com`
UK (London)	`jsrv-eu-west-1.aegis.aliyuncs.com` / `update-eu-west-1.aegis.aliyuncs.com`
Germany (Frankfurt)	`jsrv-eu-central-1.aegis.aliyuncs.com` / `update-eu-central-1.aegis.aliyuncs.com`
Japan (Tokyo)	`jsrv-ap-northeast-1.aegis.aliyuncs.com` / `update-ap-northeast-1.aegis.aliyuncs.com`
US (Silicon Valley)	`jsrv-us-west-1.aegis.aliyuncs.com` / `update-us-west-1.aegis.aliyuncs.com`
US (Virginia)	`jsrv-us-east-1.aegis.aliyuncs.com` / `update-us-east-1.aegis.aliyuncs.com`

Step 2: Get your installation key

In the default installation command generated in the console, the value after -k is your installation key.

Step 3: Run the installation command

The commands below use the following placeholders. Replace each one before running:

Placeholder	Description
`<JSRV_DOMAIN>`	The `jsrv-*` domain name for your region (from the table above)
`<UPDATE_DOMAIN>`	The `update-*` domain name for your region (from the table above)
`<YOUR_INSTALL_KEY>`	Your installation key (the value after `-k` in the console command)

Malaysia (Kuala Lumpur)

Linux:

wget "https://aegis.alicdn.com/download/install/2.0/linux/AliAqsInstall.sh" && chmod +x AliAqsInstall.sh && ./AliAqsInstall.sh  "-j=jsrv-ap-southeast-3.aegis.aliyuncs.com|jsrv-ap-southeast-1-internet.aegis.aliyuncs.com" "-u=update-ap-southeast-3.aegis.aliyuncs.com|aegis.alicdn.com|update-ap-southeast-1-internet.aegis.aliyuncs.com" -k=<YOUR_INSTALL_KEY>

Windows:

powershell -executionpolicy bypass -c "(New-Object Net.WebClient).DownloadFile('http://aegis.alicdn.com/download/install/2.0/windows/AliAqsInstall.exe', $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath('.\AliAqsInstall.exe'))"; "./AliAqsInstall.exe '-j=jsrv-ap-southeast-3.aegis.aliyuncs.com|jsrv-ap-southeast-1-internet.aegis.aliyuncs.com' '-u=update-ap-southeast-3.aegis.aliyuncs.com|aegis.alicdn.com|update-ap-southeast-1-internet.aegis.aliyuncs.com' -k=<YOUR_INSTALL_KEY>"

Other regions

Replace <JSRV_DOMAIN> with the domain name starting with jsrv for your region, and <UPDATE_DOMAIN> with the domain name starting with update.

Linux:

wget "https://aegis.alicdn.com/download/install/2.0/linux/AliAqsInstall.sh" && chmod +x AliAqsInstall.sh && ./AliAqsInstall.sh  "-j=<JSRV_DOMAIN>|jsrv-ap-southeast-1-internet.aegis.aliyuncs.com" "-u=<UPDATE_DOMAIN>|aegis.alicdn.com|update-ap-southeast-1-internet.aegis.aliyuncs.com" -k=<YOUR_INSTALL_KEY>

Windows:

powershell -executionpolicy bypass -c "(New-Object Net.WebClient).DownloadFile('http://aegis.alicdn.com/download/install/2.0/windows/AliAqsInstall.exe', $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath('.\AliAqsInstall.exe'))"; "./AliAqsInstall.exe '-j=<JSRV_DOMAIN>|jsrv-ap-southeast-1-internet.aegis.aliyuncs.com' '-u=<UPDATE_DOMAIN>|aegis.alicdn.com|update-ap-southeast-1-internet.aegis.aliyuncs.com' -k=<YOUR_INSTALL_KEY>"

Verify the installation

After installation, the system downloads the agent files and starts the required processes. Use one of the following methods to confirm the installation succeeded.

Method	Best for
Verify in the console	Quick overview across all servers without logging in to each one. Has a ~5-minute latency.
Verify on the server	Immediate, real-time confirmation. Run commands directly on the server.

Verify in the console

On the Host page of the Security Center console, check the Agent column:Log on to the Security Center console.Log on to the Security Center console.

For an Alibaba Cloud server: the icon changes from to .
For a non-Alibaba Cloud server: the server appears in the list and the icon changes from to .

Important

The console syncs asset information every minute. For non-Alibaba Cloud servers, the sync may take longer after installation. If the server does not appear on the Host page, click Synchronize Assets to trigger a manual sync. See Synchronize asset information.

Verify on the server

Step 1: Check agent processes

Confirm that the three core processes — AliYunDun, AliYunDunMonitor, and AliYunDunUpdate — are running. See Security Center agent processes for details.

Linux

# Check core processes. All three must appear.
ps -ef | grep -E 'AliYunDun|YunDunMonitor|YunDunUpdate'

# Check service status. The status should be active (running).
systemctl status aegis

Expected output:

root        5472       1  0 Sep10 ?        00:00:18 /usr/local/aegis/aegis_update/AliYunDunUpdate
root        5524       1  0 Sep10 ?        00:01:34 /usr/local/aegis/aegis_client/aegis_12_61/AliYunDun
root        5546       1  0 Sep10 ?        00:03:13 /usr/local/aegis/aegis_client/aegis_12_61/AliYunDunMonitor

● aegis.service - LSB: Aegis service
   Loaded: loaded (/etc/rc.d/init.d/aegis; generated)
   Active: active (running) since Mon 2023-10-30 10:00:00 CST; 1 day 2h ago

Windows

Method 1: Open Task Manager and look for AliYunDun, AliYunDunMonitor, and AliYunDunUpdate in the process list.

Method 2: Run the following commands in PowerShell:

# Check core processes.
Get-Process | Where-Object {$_.Name -match '^(AliYunDun|AliYunDunMonitor|AliYunDunUpdate)$'}

# Check service status. The status should be Running.
Get-Service | Where-Object {$_.Name -match 'Aegis|AliYunDun'}

Expected output:

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    380      26    15948      19656     615.75   6072   0 AliYunDun
    599      31    47576      37356     968.73   2488   0 AliYunDunMonitor
    257      14     8072      11336     232.03   2904   0 AliYunDunUpdate

Status   Name               DisplayName
------   ----               -----------
Running  Alibaba Securit... Alibaba Security Aegis Detect Service
Running  Alibaba Securit... Alibaba Security Aegis Update Service

Step 2: Check network connectivity

Run the following telnet commands to confirm the server can reach Security Center service endpoints on port 443 or 80.

The server must reach both a jsrv and an update domain. The jsrv domain delivers instructions (vulnerability scans, virus detection). The update domain downloads and updates agent plugins.

telnet jsrv.aegis.aliyun.com 443
telnet jsrv2.aegis.aliyun.com 443
telnet jsrv3.aegis.aliyun.com 443
telnet update.aegis.aliyun.com 443
telnet update2.aegis.aliyun.com 443
telnet update3.aegis.aliyun.com 443

A successful connection displays output similar to:

Trying 106.11.x.x...
Connected to jsrv.aegis.aliyun.com.
Escape character is '^]'.

A failed connection displays Connection refused or Connection timed out. If any connection fails, see Check network connectivity in the troubleshooting section.

Troubleshooting

Installation command fails

Permission denied when running the script

Run the installation command as an account with administrator or root permissions.

Self-protection is running

Symptom: Reinstalling the Security Center client fails after a virus is removed. The error indicates the self-protection feature must be disabled first.

Solution: Restart the server to disable the self-protection process, then reinstall the client.

Important

Restarting a production server carries risk. Evaluate the impact before proceeding.

Symptom: Reinstalling the Security Center agent fails after a virus is removed. An error message indicates that self-protection is running and prompts you to uninstall or disable it on the Security Center console first.

Resolution: Restart the server. This action disables the self-protection process, which allows you to install the agent.

Important

Assess the potential risks before you proceed.

Agent is offline

If the agent status shows Offline in the console, the agent cannot communicate with the Security Center service. Work through the following checks in order.

Check agent processes

Confirm that AliYunDun and AliYunDunUpdate are running.

Linux: ps -ef | grep AliYunDun
Windows: Open Task Manager and check the Details or Services tab.

If processes are not running, restart them manually:

Linux:

# Stop the processes.
killall AliYunDun
killall AliYunDunUpdate

# Start the latest version. In /usr/local/aegis/aegis_client, find the aegis_10_xx folder
# with the highest version number (for example, aegis_10_75 over aegis_10_73).
/usr/local/aegis/aegis_client/aegis_10_xx/AliYunDun

Windows:

In the Services panel, right-click Alibaba Security Aegis Detect Service and Alibaba Security Aegis Update Service and select Restart.

Check network connectivity

Confirm your firewall or security group allows outbound traffic to jsrv.aegis.aliyun.com and update.aegis.aliyun.com. If the server cannot reach these endpoints, the agent goes offline.

Fix DNS issues:

If DNS is not resolving correctly, restart the server or check whether the DNS service is healthy.

Fix firewall rules (iptables example):

# Allow access to the control service.
iptables -A OUTPUT -p tcp -d jsrv.aegis.aliyun.com --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -d jsrv.aegis.aliyun.com --dport 80 -j ACCEPT

# Allow access to the update service.
iptables -A OUTPUT -p tcp -d update.aegis.aliyun.com --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -d update.aegis.aliyun.com --dport 80 -j ACCEPT

If you use Alibaba Cloud Firewall, see Create an outbound access control policy.

Fix Alibaba Cloud security group rules:

Add outbound rules to allow traffic to the following CIDR blocks on ports 80 and 443. See Manage security groups for steps.

Allow outbound traffic for 100.100.0.0/16, 106.11.0.0/16, and 100.103.0.0/16. Example configuration for 100.100.0.0/16:

Direction: Outbound

Authorization policy: Allow

Protocol type: TCP

Port range: 80/443

Authorization object: 100.100.0.0/16

Check system resources

If the server has insufficient CPU, memory, or disk space, the agent cannot start.

CPU/Memory: Use top (Linux) or Task Manager (Windows).
Disk space: Use df -h (Linux) or check This PC (Windows).

If the AliYunDun process itself is consuming excessive resources, contact technical support and provide the relevant logs. If other business processes are the cause, optimize those applications or upgrade the server.

To free disk space, delete unnecessary files.

Check for duplicate agent IDs

This issue typically occurs when multiple server instances are created from the same image without generating a new installation command. The uuid field in the following configuration file will be identical across affected servers:

Linux: /usr/local/aegis/aegis_client.conf
Windows (32-bit): C:\Program Files\Alibaba\aegis\aegis_client.conf
Windows (64-bit): C:\Program Files (x86)\Alibaba\aegis\aegis_client.conf

To fix this, uninstall the agent on the template server, delete remaining files, and generate a new installation command before creating additional images.

Check for software conflicts

Other HIDS, EDR, or antivirus software may conflict with the Security Center agent. Disable or uninstall conflicting software, then reinstall the agent.

Analyze agent logs

Check the agent logs for specific error messages:

Linux: /usr/local/aegis/log/aegis.log
Windows (32-bit): C:\Program Files\Alibaba\aegis\log\aegis.log
Windows (64-bit): C:\Program Files (x86)\Alibaba\aegis\log\aegis.log

If you cannot resolve the error from the logs, contact technical support with the complete log files.

Run the agent troubleshooting feature

For persistent or unidentified issues, use the built-in Agent Troubleshooting feature to run a comprehensive check.

In the left navigation pane, choose Assets > Host.
On the Server tab, select the server to diagnose. In the More Operations menu, click Agent Troubleshooting.
Configure the check and click Start Check:
- Issue Type: Overall Check (Unknown Issues)
- Mode: Enhancement Mode
Enhancement Mode collects network, process, and log data and reports it to Security Center for analysis. The check takes about 5 minutes.
After the check completes, view results in the Agent Task Management panel in the upper-right corner of the Host page.
Follow the solution provided in the Result column.
Important
If no solution is shown, click Download Diagnostic Logs and submit the exported logs along with your Alibaba Cloud account ID to Security Center technical support.

FAQ

How do I uninstall the agent?

Security Center supports one-click uninstallation from the console and manual uninstallation. See Uninstall the Security Center agent.

Can I restart the template server when creating an image?

No. After running the image installation command, shut down the server immediately before creating the image. Restarting activates the agent and generates a fixed agent ID on the template. All instances created from that image will have the same agent ID and fail to report data due to conflicts.

Which group is the server added to after installation?

Servers installed with the default command are assigned to Ungrouped. To assign a server to a specific group at install time, use a custom installation command and set the Default Group parameter. You can also change a server's group on the Host Assets page after installation. See Manage server groups.

Why doesn't my server appear in the "Not Installed" list?

The most likely reasons:

The agent is already installed on the server.
The server was recently created and its asset information hasn't synced yet. Wait a few minutes or click Sync Now.
The server belongs to a different Alibaba Cloud account or a region not currently selected.

What's next

Manage server groups
Security Center agent processes
Uninstall the Security Center agentLog on to the Security Center console.Log on to the Security Center console.Log on to the Security Center console.
Use the Agent Troubleshooting feature