After you install the Security Center agent on a server, the agent runs processes such as AliYunDun and AliYunDunMonitor on the server to deliver protection capabilities such as information collection and threat detection. You can view the process status to check whether the protection capabilities are in effect. This topic describes the processes and files of the Security Center agent.
Processes
On a Linux server, the root user is used to run the processes of the Security Center agent. On a Windows server, the SYSTEM user is used. The following table describes the files in the installation directory of the Security Center agent and the related processes.
To prevent exceptions on the Security Center agent, we recommend that you do not delete the files or processes listed in the following table from your server.
Before you can delete a file, you must disable the client protection feature. If the client protection feature is enabled, you cannot uninstall the Security Center agent or delete the files of the agent. For more information about how to disable the client protection feature, see Client Protection.
A resident process is a process that is always running on a server after the Security Center agent is installed on the server. Security Center can protect the server only after all resident processes are started. A non-resident process is a process that is started only in specific scenarios or for a specific feature.
File | Related process | Resident process | Download time of the file | Path to the file |
|
| Yes | After you install the Security Center agent on your server, the |
|
| Yes | |||
|
| Yes | After you install the Security Center agent on your server, the | |
|
| Yes (You can view the process only if you use Security Center Enterprise or Ultimate.) | After you purchase Security Center Enterprise or Ultimate and install the Security Center agent on your server, the | |
| None. | N/A | After you enable the client protection feature, the | |
|
| No | After you turn on Malicious Network Behavior Prevention, the | |
|
| No | After you enable web tamper proofing for your server, the | |
|
| No | After you turn on Malicious Host Behavior Prevention, Anti-ransomware (Bait Capture), or Webshell Protection on the Feature Settings page, the | |
|
| No (This process is started only after specific checks are performed.) | After you perform baseline checks or vulnerability detection on your server, the | |
| ||||
| None. | N/A | After you install the Security Center agent on your server, the |
View processes
Linux server: Run the
ps -ef | grep aegiscommand to view the processes of the Security Center agent.
Windows server: Open Task Manager and view the processes of the Security Center agent.
Status of processes and files
Process status
Security Center checks the status of the AliYunDun process to determine whether the Security Center agent is online. In the following scenarios, Security Center determines that the Security Center agent is offline and changes the status of the agent from 
(online) to 
(offline). You can view the status of the Security Center agent that is installed on your server on the Host page.
Security Center detects that the communication with the Security Center agent is abnormal. For example, network exceptions occur, the
AliYunDunprocess of the Security Center agent is unexpectedly terminated, or the Security Center agent is uninstalled.Security Center does not receive information such as logon information and collected data from the Security Center agent within 10 hours.
Feature status
Specific features such as malicious network behavior prevention and malicious host behavior prevention can be enabled only after the required processes are started. For example, when you turn on the switch for Malicious Network Behavior Prevention for a server, the AliNet file is automatically downloaded to the server, and the AliNet process is started. This way, the malicious network behavior prevention feature is enabled. You can view the status of protection features on the details page of a server. The following table describes the mappings between features and processes.
Feature | Related process | Description |
Client protection |
| Intercepts all malicious behavior that attempts to uninstall the Security Center agent but is not performed in the Security Center console and the behavior that attempts to modify the files of the Security Center agent. |
Webshell prevention |
| Intercepts suspicious connection requests that are initiated by known webshells. Only the Enterprise and Ultimate editions of Security Center support this feature. |
Malicious host behavior prevention | Intercepts, detects, and removes common viruses. Only the Anti-virus edition or higher supports this feature. | |
Anti-ransomware | Uses bait to capture new types of ransomware and analyzes patterns for the new types of ransomware. Only the Advanced edition or higher supports this feature. Note This feature is supported only on Windows servers. | |
Malicious network behavior prevention |
| Intercepts the abnormal network behavior between your server and disclosed malicious access sources. Only the Enterprise and Ultimate editions of Security Center support this feature. |