Processes and files of the Security Center agent - Security Center

After you install the Security Center agent on a server, the agent runs processes such as AliYunDun and AliYunDunMonitor on the server to deliver protection capabilities such as information collection and threat detection. You can view the process status to check whether the protection capabilities are in effect. This topic describes the processes and files of the Security Center agent.

Processes

On a Linux server, the root user is used to run the processes of the Security Center agent. On a Windows server, the SYSTEM user is used. The following table describes the files in the installation directory of the Security Center agent and the related processes.

Important

To prevent exceptions on the Security Center agent, we recommend that you do not delete the files or processes listed in the following table from your server.
A resident process is a process that is always running on a server after the Security Center agent is installed on the server. Security Center can protect the server only after all resident processes are started. A non-resident process is a process that is started only in specific scenarios or for a specific feature.
Before you can delete a file, you must disable the client protection feature. If the client protection feature is enabled, you cannot uninstall the Security Center agent or delete the files of the agent. For more information about how to disable the client protection feature, see Agent protection.

File	Related process	Resident process	Download time	Path to the file
`aegis_client`	`AliYunDun`: used to establish a connection with Security Center. `AliYunDunMonitor`: used to monitor and check the security of a server.	Yes	After you install the Security Center agent on your server, the `aegis_client` file is downloaded to the server. After you enable the client protection feature, the `AliSecGuard` file is downloaded to your server. For more information about the client protection feature, see Agent protection.	32-bit Windows: C:\Program Files\Alibaba\aegis 64-bit Windows: C:\Program Files (x86)\Alibaba\aegis Linux: /usr/local/aegis
`aegis_update`	`AliYunDunUpdate`: used to regularly check whether the Security Center agent needs to be updated.	Yes	After you install the Security Center agent on your server, the `aegis_update` file is downloaded to the server.
`AliSecCheck`	`AliSecCheck`: used to dynamically detect threats such as mining viruses, trojans, and webshells. It offers features like baseline checks, vulnerability scanning and fixing, and asset fingerprint collection. Note In version aegis_12_3x and later, Security Center consolidates the AliSecureCheckAdvanced and AliDetect processes into the AliSecCheck process. In versions prior to aegis_12_3x, AliSecureCheckAdvanced and AliDetect are separate processes.	No (Basic, Anti-virus, and Advanced)	The `AliSecCheck` file is downloaded to the server after the check is completed.
`AliSecCheckTmp`


`AliSecCheck` (Detect plug-in)		Yes (Enterprise and Ultimate)	If you use the Enterprise or Ultimate edition of Security Center, after you install the Security Center agent on your server, you can download the `Detect` plug-in to the `plugin` directory.
`AliWebGuard`	`AliWebGuard`: used to implement web tamper proofing and core file monitoring.	No	After you enable web tamper proofing or core file monitoring for your server, the `AliWebGuard` file is downloaded to your server.
`AliNet`	`AliNet`: used to protect against network attacks on your server.	No	After you enable Malicious Network Behavior Prevention, the `AliNet` file is downloaded to your server.
`AliHips`	`AliHips`: used to protect a server against viruses and trojans.	No	On the Feature Settings page, after enabling switches such as Malicious Host Behavior Prevention, Anti-ransomware (Bait Capture), or Webshell Prevention, the `AliHips` file is downloaded to the server.
`globalcfg`	None.	N/A	After you install the Security Center agent on your server, the `globalcfg` file is downloaded to your server.
`hbrclient`	`hbrclient`: used to perform tasks such as data backup, data recovery, fault monitoring, and task scheduling. `ids`: used to perform tasks such as generating security reports, detecting anomalies, and conducting real-time monitoring.	No	The anti-ransomware feature for servers will initiate `hbrclient` and `ids` processes.
`dbackup3-agent`	`dbackup3-agent`: the proxy process for database backup used to perform tasks such as initial backups, incremental backups, backup restoration, scheduling and management, logging, and monitoring.	No	The anti-ransomware feature for servers will initiate `dbackup3-agent` process.

View processes

Linux server: Run the ps -ef | grep aegis command to view the processes of the Security Center agent.
Windows server: Open Task Manager and view the processes of the Security Center agent.

Status of processes and files

Process status

Security Center checks the status of the AliYunDun process to determine whether the Security Center agent is online. In the following scenarios, Security Center determines that the Security Center agent is offline and changes the status of the agent from 已防护图标.png (online) to 未防护图标.png (offline). You can view the status of the Security Center agent that is installed on your server on the Host page.

Security Center detects that the communication with the Security Center agent is abnormal. For example, network exceptions occur, the AliYunDun process of the Security Center agent is unexpectedly terminated, or the Security Center agent is uninstalled.
Security Center does not receive information such as logon information and collected data from the Security Center agent within 10 hours.

Feature status

Specific features such as malicious network behavior prevention and malicious host behavior prevention can be enabled only after the required processes are started. For example, when you turn on the switch for Malicious Network Behavior Prevention for a server, the AliNet file is automatically downloaded to the server, and the AliNet process is started. This way, the malicious network behavior prevention feature is enabled. You can view the status of protection features on the details page of a server. The following table describes the mappings between features and processes.

Feature	Supported edition	Related process	Description
Client protection	All editions	`AliYunDun`	Intercepts all malicious behavior that attempts to uninstall the Security Center agent but is not performed in the Security Center console and the behavior that attempts to modify the files of the Security Center agent.
Webshell prevention	Enterprise and Ultimate	`AliHips`	Intercepts suspicious connection requests that are initiated by known webshells.
Malicious host behavior prevention	Anti-virus, Advanced, Enterprise, and Ultimate		Intercepts, detects, and removes common viruses.
Anti-ransomware	Anti-virus, Advanced, Enterprise, and Ultimate		Uses bait to capture the new types of ransomware and analyzes the patterns of the new types of ransomware. If risks are caused by the new types of ransomware, the system automatically blocks the ransomware.
Malicious network behavior prevention	Advanced, Enterprise, and Ultimate	`AliNet`	Intercepts the abnormal network behavior between your server and disclosed malicious access sources.