All Products
Search
Document Center

Security Center:Processes of the Security Center agent

Last Updated:Sep 06, 2024

After you install the Security Center agent on a server, the agent runs processes such as AliYunDun and AliYunDunMonitor on the server to deliver protection capabilities such as information collection and threat detection. You can view the process status to check whether the protection capabilities are in effect. This topic describes the processes and files of the Security Center agent.

Processes

On a Linux server, the root user is used to run the processes of the Security Center agent. On a Windows server, the SYSTEM user is used. The following table describes the files in the installation directory of the Security Center agent and the related processes.

Important
  • To prevent exceptions on the Security Center agent, we recommend that you do not delete the files or processes listed in the following table from your server.

  • Before you can delete a file, you must disable the client protection feature. If the client protection feature is enabled, you cannot uninstall the Security Center agent or delete the files of the agent. For more information about how to disable the client protection feature, see Client Protection.

  • A resident process is a process that is always running on a server after the Security Center agent is installed on the server. Security Center can protect the server only after all resident processes are started. A non-resident process is a process that is started only in specific scenarios or for a specific feature.

File

Related process

Resident process

Download time of the file

Path to the file

aegis_client

AliYunDun: used to establish a connection with Security Center.

Yes

After you install the Security Center agent on your server, the aegis_client file is downloaded to the server.

After you enable the client protection feature, the AliSecGuard file is downloaded to your server. For more information about the client protection feature, see Client Protection.

  • 32-bit Windows: C:\Program Files\Alibaba\aegis

  • 64-bit Windows: C:\Program Files (x86)\Alibaba\aegis

  • Linux: /usr/local/aegis

AliYunDunMonitor: used to monitor and check the security of a server.

Yes

aegis_update

AliYunDunUpdate: used to regularly check whether the Security Center agent needs to be updated.

Yes

After you install the Security Center agent on your server, the aegis_update file is downloaded to the server.

AliDetect

AliDetect: used to dynamically detect threats such as mining viruses, trojans, and webshells.

Yes (You can view the process only if you use Security Center Enterprise or Ultimate.)

After you purchase Security Center Enterprise or Ultimate and install the Security Center agent on your server, the AliDetect file is downloaded to the server.

AliNet

AliNet: used to protect a server against network attacks.

No

After you turn on Malicious Network Behavior Prevention, the AliNet file is downloaded to your server. For more information about malicious network behavior prevention, see Proactive Defense.

AliWebGuard

AliWebGuard: used to implement web tamper proofing and core file monitoring.

No

After you enable web tamper proofing or core file monitoring for your server, the AliWebGuard file is downloaded to your server.

AliHips

AliHips: used to protect a server against viruses and trojans.

No

After you turn on Malicious Host Behavior Prevention, Anti-ransomware (Bait Capture), or Webshell Prevention on the Feature Settings page, the AliHips file is downloaded to your server.

PythonLoader

AliSecureCheckAdvanced: used to implement features such as baseline check, vulnerability detection, vulnerability fixing, and asset fingerprint collection.

No (This process is started only after specific checks are performed.)

After you perform baseline checks or vulnerability detection on your server, the PythonLoader file is downloaded to your server.

PythonLoaderTem

globalcfg

None.

N/A

After you install the Security Center agent on your server, the globalcfg file is downloaded to your server.

View processes

  • Linux server: Run the ps -ef | grep aegis command to view the processes of the Security Center agent.

    image.png

  • Windows server: Open Task Manager and view the processes of the Security Center agent.

    image.png

Status of processes and files

Process status

Security Center checks the status of the AliYunDun process to determine whether the Security Center agent is online. In the following scenarios, Security Center determines that the Security Center agent is offline and changes the status of the agent from 已防护图标.png (online) to 未防护图标.png (offline). You can view the status of the Security Center agent that is installed on your server on the Host page.

  • Security Center detects that the communication with the Security Center agent is abnormal. For example, network exceptions occur, the AliYunDun process of the Security Center agent is unexpectedly terminated, or the Security Center agent is uninstalled.

  • Security Center does not receive information such as logon information and collected data from the Security Center agent within 10 hours.

Feature status

Specific features such as malicious network behavior prevention and malicious host behavior prevention can be enabled only after the required processes are started. For example, when you turn on the switch for Malicious Network Behavior Prevention for a server, the AliNet file is automatically downloaded to the server, and the AliNet process is started. This way, the malicious network behavior prevention feature is enabled. You can view the status of protection features on the details page of a server. The following table describes the mappings between features and processes.

image.png

Feature

Supported edition

Related process

Description

Client protection

All editions

AliYunDun

Intercepts all malicious behavior that attempts to uninstall the Security Center agent but is not performed in the Security Center console and the behavior that attempts to modify the files of the Security Center agent.

Webshell prevention

Enterprise and Ultimate

AliHips

Intercepts suspicious connection requests that are initiated by known webshells.

Malicious host behavior prevention

Anti-virus, Advanced, Enterprise, and Ultimate

Intercepts, detects, and removes common viruses.

Anti-ransomware

Anti-virus, Advanced, Enterprise, and Ultimate

Uses bait to capture the new types of ransomware and analyzes the patterns of the new types of ransomware. If risks are caused by the new types of ransomware, the system automatically blocks the ransomware.

Malicious network behavior prevention

Enterprise and Ultimate

AliNet

Intercepts the abnormal network behavior between your server and disclosed malicious access sources.