After you install the Security Center agent on a server, the agent runs processes such as AliYunDun and AliYunDunMonitor on the server to deliver protection capabilities such as information collection and threat detection. You can view the process status to check whether the protection capabilities are in effect. This topic describes the processes and files of the Security Center agent.
Processes
On a Linux server, the root
user is used to run the processes of the Security Center agent. On a Windows server, the SYSTEM
user is used. The following table describes the files in the installation directory of the Security Center agent and the related processes.
To prevent exceptions on the Security Center agent, we recommend that you do not delete the files or processes listed in the following table from your server.
Before you can delete a file, you must disable the client protection feature. If the client protection feature is enabled, you cannot uninstall the Security Center agent or delete the files of the agent. For more information about how to disable the client protection feature, see Client Protection.
A resident process is a process that is always running on a server after the Security Center agent is installed on the server. Security Center can protect the server only after all resident processes are started. A non-resident process is a process that is started only in specific scenarios or for a specific feature.
File | Related process | Resident process | Download time of the file | Path to the file |
|
| Yes | After you install the Security Center agent on your server, the After you enable the client protection feature, the |
|
| Yes | |||
|
| Yes | After you install the Security Center agent on your server, the | |
|
| Yes (You can view the process only if you use Security Center Enterprise or Ultimate.) | After you purchase Security Center Enterprise or Ultimate and install the Security Center agent on your server, the | |
|
| No | After you turn on Malicious Network Behavior Prevention, the | |
|
| No | After you enable web tamper proofing or core file monitoring for your server, the | |
|
| No | After you turn on Malicious Host Behavior Prevention, Anti-ransomware (Bait Capture), or Webshell Prevention on the Feature Settings page, the | |
|
| No (This process is started only after specific checks are performed.) | After you perform baseline checks or vulnerability detection on your server, the | |
| ||||
| None. | N/A | After you install the Security Center agent on your server, the |
View processes
Linux server: Run the
ps -ef | grep aegis
command to view the processes of the Security Center agent.Windows server: Open Task Manager and view the processes of the Security Center agent.
Status of processes and files
Process status
Security Center checks the status of the AliYunDun
process to determine whether the Security Center agent is online. In the following scenarios, Security Center determines that the Security Center agent is offline and changes the status of the agent from (online) to (offline). You can view the status of the Security Center agent that is installed on your server on the Host page.
Security Center detects that the communication with the Security Center agent is abnormal. For example, network exceptions occur, the
AliYunDun
process of the Security Center agent is unexpectedly terminated, or the Security Center agent is uninstalled.Security Center does not receive information such as logon information and collected data from the Security Center agent within 10 hours.
Feature status
Specific features such as malicious network behavior prevention and malicious host behavior prevention can be enabled only after the required processes are started. For example, when you turn on the switch for Malicious Network Behavior Prevention for a server, the AliNet
file is automatically downloaded to the server, and the AliNet
process is started. This way, the malicious network behavior prevention feature is enabled. You can view the status of protection features on the details page of a server. The following table describes the mappings between features and processes.
Feature | Supported edition | Related process | Description |
Client protection | All editions |
| Intercepts all malicious behavior that attempts to uninstall the Security Center agent but is not performed in the Security Center console and the behavior that attempts to modify the files of the Security Center agent. |
Webshell prevention | Enterprise and Ultimate |
| Intercepts suspicious connection requests that are initiated by known webshells. |
Malicious host behavior prevention | Anti-virus, Advanced, Enterprise, and Ultimate | Intercepts, detects, and removes common viruses. | |
Anti-ransomware | Anti-virus, Advanced, Enterprise, and Ultimate | Uses bait to capture the new types of ransomware and analyzes the patterns of the new types of ransomware. If risks are caused by the new types of ransomware, the system automatically blocks the ransomware. | |
Malicious network behavior prevention | Enterprise and Ultimate |
| Intercepts the abnormal network behavior between your server and disclosed malicious access sources. |