Malicious behavior defense is a network security feature that identifies, blocks, and responds to various malicious activities. This topic describes how to use the malicious behavior defense feature to protect your hosts from attacks and threats.
Scenarios
The malicious behavior defense feature supports system defense rules and custom defense rules. The following table describes the scenarios for each type of rule.
Custom defense rules have a higher priority than system defense rules.
Rule type | Description
System defense rule | There are two main types of protection rules: Network Threat Prevention and Process Protection.
Custom defense rule | To allow or specifically block certain behaviors, you can use the Custom Defense Rule feature to create custom, fine-grained rules for your business scenarios. For more examples of scenario-based configurations, see Best practices for custom malicious behavior defense rules.
Manage system defense rules
The Pro edition supports process defense. Users of the Enterprise and Ultimate editions can enable all system defense rules.
Log on to the Security Center console. In the top-left corner of the console, select the region where your assets are located: China or Outside China.
In the navigation pane on the left, select .
On the Malicious Behavior Defense tab, on the System Defense Rule subtab, find the system defense rule that you want to manage.
Enable or disable a rule
If a system defense rule is not suitable for your business scenario and affects the security score of your assets, you can disable the rule.
Important: After you disable a system defense rule, Security Center no longer detects or reports the corresponding security risks. Alert events related to the rule are no longer displayed in the alert list on the Alerts page. Proceed with caution.
Select one or more rules.
Click Enable or Disable below the rule list.
Manage hosts
Important: After you remove an asset from a rule, the asset is no longer protected by the system defense rule. Proceed with caution.
Select the system defense rule that you want to manage and click Manage Host in the Actions column.
In the Host Management panel, add or delete the assets that are protected by the rule, and then click OK.
Custom defense rules
If Security Center generates false positive alerts for your normal business operations, you can create a custom defense rule to add the behavior to a whitelist. For example, you can add behavior related to command lines and process hashes to a whitelist to prevent false positive alerts.
Log on to the Security Center console. In the upper-left corner of the console, select the region where the assets that you want to protect are located: China or Outside China.
In the navigation pane on the left, select .
On the Malicious Behavior Defense tab, on the Custom Defense Rule subtab, click Create Rule.
In the New Rule panel, select a Rule Type, configure the relevant parameters, set an Action for the rule, and then click Next.
The parameters that you must configure vary based on the rule type that you select. You can add the following types of rules to a whitelist:
Process hash
Command line
Process network
File read/write
Registry operation
Dynamic-link library loading
File rename
For more information about configuration examples, see Best practices for custom defense rules for malicious behavior defense.
In the server list in the New Rule panel, select the assets to which you want to apply the rule, and then click Finish.
A new custom rule is enabled by default. You can edit the rule and manage the servers on which the rule takes effect.
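The page does not describe how Security Center evaluates rules internally. The following Python script is an added illustration, not Security Center's own code: it models a small rule engine in which custom rules are evaluated before system rules (as stated above) and shows the process hash, command line, process network and file read/write rule types applied to a constructed process event. The rule names, event fields, sample executable bytes and the `/etc/cron.d/` system rule are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Event:
    """A constructed process event; the field names are assumptions for this example."""
    host: str
    image_bytes: bytes            # executable content, hashed for process-hash rules
    command_line: str
    dest_port: Optional[int] = None
    file_path: Optional[str] = None

@dataclass
class Rule:
    name: str
    rule_type: str                # "process_hash", "command_line", "process_network", "file_rw"
    match: str                    # digest, command-line substring, port, or path prefix
    action: str                   # "allow" (whitelist) or "block"
    hosts: set = field(default_factory=set)   # empty set = rule applies to every host
    enabled: bool = True

def process_hash(image_bytes: bytes) -> str:
    """SHA-256 of the executable image; the digest a process-hash rule matches on."""
    return hashlib.sha256(image_bytes).hexdigest()

def rule_matches(rule: Rule, event: Event) -> bool:
    """Return True when an enabled rule scoped to this host matches the event."""
    if not rule.enabled:
        return False
    if rule.hosts and event.host not in rule.hosts:
        return False
    if rule.rule_type == "process_hash":
        return process_hash(event.image_bytes) == rule.match
    if rule.rule_type == "command_line":
        return rule.match in event.command_line
    if rule.rule_type == "process_network":
        return event.dest_port is not None and str(event.dest_port) == rule.match
    if rule.rule_type == "file_rw":
        return event.file_path is not None and event.file_path.startswith(rule.match)
    return False

def evaluate(event: Event, custom_rules: List[Rule],
             system_rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Return (action, rule_name). Custom rules take priority; first match wins in each list."""
    for rule in custom_rules:
        if rule_matches(rule, event):
            return rule.action, rule.name
    for rule in system_rules:
        if rule_matches(rule, event):
            return rule.action, rule.name
    return "allow", None            # no rule matched: nothing is blocked or reported

# Constructed sample data: a backup agent that legitimately writes a cron file.
BACKUP_AGENT = b"constructed backup agent executable bytes"

SYSTEM_RULES = [
    Rule("Suspicious cron file write (constructed)", "file_rw", "/etc/cron.d/", "block"),
]

# Whitelist the agent by process hash, but only on the host where it is deployed.
CUSTOM_RULES = [
    Rule("Allow backup agent on host-a", "process_hash",
         process_hash(BACKUP_AGENT), "allow", hosts={"host-a"}),
]

def demo() -> List[Tuple[str, Optional[str]]]:
    """Evaluate the same write on the whitelisted host and on another host."""
    on_host_a = Event("host-a", BACKUP_AGENT, "/opt/backup/agent --install",
                      file_path="/etc/cron.d/backup")
    on_host_b = Event("host-b", BACKUP_AGENT, "/opt/backup/agent --install",
                      file_path="/etc/cron.d/backup")
    return [evaluate(on_host_a, CUSTOM_RULES, SYSTEM_RULES),
            evaluate(on_host_b, CUSTOM_RULES, SYSTEM_RULES)]

if __name__ == "__main__":
    for action, name in demo():
        print(action, name)
```

Scoping the whitelist rule to `host-a` mirrors the server list in the New Rule panel: the same hash on `host-b` still falls through to the system rule and is blocked, which is the behaviour you want when a false positive is specific to one deployment.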
View and handle security alert events
Security Center generates security alerts and blocks basic attacks based on the configured rules. The generated alerts and the methods to handle them vary based on the rule type.
Process defense
Security Center generates "Precise Defense" alerts based on Process Protection rules. You can perform the following steps to view and handle these alerts.
Log on to the Security Center console. In the upper-left corner of the console, select the region where your asset is located: China or Outside China.
In the navigation pane on the left, select .
Note: If you have enabled CTDR, in the navigation pane on the left, select .
On the Alert page, select the CWPP tab, and click the number under Precise Defense.

In the list of alert events, view the events that are generated for automatically blocked risks. If an alert event is a false positive, click Details in the Actions column to handle the event as described in the following steps.
The following example shows how to handle a false positive alert event for Suspicious worm script behavior.
In the alert details panel, obtain and record the following information to handle the alert event:
Record the name of the system defense rule that detected and reported the alert event. In this example, the name is Malicious Damage To Client Processes.
Record the ATT&CK phase of the alert event. In this example, the phase is Impact.
Record the names and IP addresses of the assets that are affected by the alert event.

In the navigation pane on the left, select .
In the list of system defense rules, find the rule that triggered the alert event.
You can enter Suspicious worm script behavior in the search box to find the system defense rule.
You can also click Impact in the Attack Stage menu on the left to find the system defense rule.
In the system defense rule list, locate the rule named Suspicious Worm Script Behavior and manage the rule.
If this system defense rule is not suitable for your business scenario and you no longer want Security Center to report the security alert events that it detects, you can click the icon in the Switch column to disable the rule.
Important: If you disable a system defense rule, Security Center will no longer detect or report security risks associated with the rule to the alert list on the Alerts page. Proceed with caution.
If you want to handle only this false positive security alert event, you can click Manage Host in the Actions column and remove the affected asset from the list of assets protected by the system rule.
You can also locate and handle the false positive security alert on the Alerts page. For more information, see Analyze and handle security alerts.
Important: If you want to handle only the current alert event but want the rule to continue protecting the asset, you can add the asset back to the rule's list of protected assets on the Malicious Behavior Defense page.
Network defense
Security Center uses Network Threat Prevention rules to automatically block and handle basic network attacks. Data about the attacks is displayed on the Security Alerts > Network Defense Alert page. For more information, see Network Threat Prevention Alerts (formerly Attack Analysis).
For newly purchased cloud products, attack analysis information is not available until Security Center synchronizes network attack data. This process takes about 3 hours.
Defensive alerts indicate that Security Center has automatically blocked an attack. You do not need to take any action.
Log on to the Security Center console. In the top-left corner of the console, select the region where the assets that you want to protect are located: China or Outside China.
In the navigation pane on the left, select .
Note: If you have enabled CTDR, in the navigation pane on the left, select .
On the Alert page, select the CWPP tab, and click the number under Network Defense Alert to view the relevant information.
