The agentless detection feature lets you assess security risks on Elastic Compute Service (ECS) instances without installing the Security Center agent. This feature scans server images in an isolated environment to detect vulnerabilities, malware, configuration baselines, and sensitive files. This process identifies potential security risks with almost no impact on server performance.
Scope
Supported asset types:
In regions in Chinese Mainland: You can scan only Alibaba Cloud ECS instances, disk snapshots, and custom images.
In regions Outside Chinese Mainland: You can scan Alibaba Cloud ECS instances, disk snapshots, custom images, and AWS EC2 instances.
Region restrictions: This feature is available only in the following regions:
China (Qingdao), China (Beijing), and China (Zhangjiakou)
China (Hangzhou) and China (Shanghai)
China (Shenzhen)
China (Chengdu)
China (Hong Kong), Singapore, US (Virginia), and Indonesia (Jakarta)
Storage and disk restrictions:
Encrypted system disks or data disks cannot be scanned.
Data disks that use Logical Volume Management (LVM), RAID arrays, or the ReFS file system cannot be scanned.
Operating system compatibility:
For the FreeBSD operating system, baseline checks, malware detection, and sensitive file detection are not supported.
For a detailed list of operating systems that support vulnerability scans, see Supported operating systems for vulnerability scans.
How it works
Agentless detection uses offline analysis of images. This process has a minimal impact on the performance of the target server.
Create image (for host detection tasks only): Based on the task configuration, the system creates a full-machine image of the disks of the target ECS instance.
Share and mount: The system shares the created snapshot or image with a dedicated analysis cluster in Security Center.
Isolated scan: In an isolated and dedicated environment, the analysis engine mounts the snapshot or image file system and performs a security scan. This process does not consume computing resources of the target server.
Generate report and clean up: After the scan is complete, the system generates a risk report and automatically deletes the temporarily created image based on the configured policy to save storage costs.
Common use cases
Zero-impact risk assessment: Perform non-intrusive risk assessments on core production systems that cannot have agents installed or tolerate any performance impact, ensuring business continuity.
Unified security detection for all platform assets: Cover all asset types, including legacy and proprietary systems, to quickly gain a complete view of your security posture across your entire multi-platform environment.
Comprehensive risk visibility: Detect multi-dimensional risks such as vulnerabilities, malicious files, configuration baselines, and sensitive information in a single scan to gain global security visibility.
Asset compliance and security review: Conduct security reviews on Custom Images and server snapshots before instance creation or service launch to ensure that the production environment meets security and compliance standards.
Procedure
Activate the service
Activate the service
Log on to the Security Center console. In the top navigation bar, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
In the navigation pane on the left, choose . On the page that appears, click Activate Now and agree to the terms of service.
Important: Agentless detection uses a pay-as-you-go billing method.
Complete service authorization (first-time users only)
The first time you use this feature, the system prompts you to authorize a service-linked role. Follow the on-screen instructions and click Authorize Now.
Note: After the authorization is successful, Security Center automatically creates the AliyunServiceRoleForSas service-linked role. For more information about AliyunServiceRoleForSas, see Service-linked role for Security Center.
Create and run a detection task
Create a detection task
Agentless detection supports two types of detection tasks: immediate and periodic.
Immediate detection task
This task is used for one-time security scans of specific assets.
Host detection
On the tab, in the Risk Detection section, click Detect Now.
In the Detect Now panel, configure the parameters as described below and click OK.
Scan Scope: We recommend that you select data disks. The more complete the data source, the more accurate the detection results for vulnerabilities and alerts.
Image Retention Duration:
The value can range from 1 to 365 days.
Creating images incurs charges. The longer the images are stored, the higher the charges.
Important: If you select Retain Only At-risk Image, the system automatically deletes risk-free images after the scan is complete.
After you create the task, Security Center automatically creates an image and performs the scan and subsequent operations. For more information, see Automatic creation of images.
Note: The time required to complete the task is proportional to the amount of server data to be scanned. Please wait for the task to finish.
Custom image detection
On the tab, in the Risk Detection section, click Detect Now.
In the Detect Now panel, select the target image and click OK.
Note: If you cannot find the image that you want to scan in the detection task panel, go to the page. Click Synchronize Assets. After the synchronization is complete, repeat this step.
Periodic detection task
This task is used for regular and automated security inspections of asset groups.
Navigate to the configuration page
On the Agentless Detection page, click Scan Configuration in the upper-right corner.
Configure the detection scope
On the Security Check Scope tab, configure the parameters as described below and click Save.
Baseline Check Scope: You can click Manage to view and configure the supported baseline detection scope on the Baseline Check Configuration page.
Sensitive File: You can click Manage to view and configure check items on the Sensitive File Scan Settings page.
Important: If you select Default Scan for New Check Items, the system automatically scans for new check items when they are updated.
Configure the detection policy
On the Automatic Detection Policy tab, configure the parameters as described below and click Save.
Check Host: Configure the scan object, scan cycle, scan assets, scan scope, and image retention period. For more information about the configuration, see Host detection.
Custom Image Check: If you enable Incremental Check, the system performs automated incremental scans on unscanned custom images.
Important: Incremental detection requires you to enable Data Delivery of ActionTrail. On the tab, turn on the Data Delivery of ActionTrail switch. For more information, see Feature settings.
Automatic creation of images
When a Server Check task is run, the system uses the AliyunServiceRoleForSas service-linked role to complete the following automated operations:
Create an image: The system automatically creates a temporary server snapshot with a name that starts with SAS_Agentless.
Secure sharing: The system shares the image with the official Security Center service account for scanning and analysis.
Automatic cleanup: After the scan is complete, the system automatically deletes the image and revokes the sharing relationship.
The image is used only for security scans. No fees are charged for the sharing process.
You can find a record of AliyunServiceRoleForSas creating an image in the Event Query of the ActionTrail console.
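The lifecycle above (create, share, delete, all performed by AliyunServiceRoleForSas) is auditable from ActionTrail. The following is an added example, not Security Center's own tooling, that reconciles ActionTrail-style event records against that lifecycle: it flags SAS_Agentless images created by any principal other than the service-linked role, and images that were never deleted within the configured retention period. The event records are constructed; their field layout (eventName, eventTime, userIdentity.userName, requestParameters, responseElements) is a simplification of ActionTrail's format, and the event names CreateImage, ModifyImageSharePermission and DeleteImage are the ECS API names assumed here.

```python
from datetime import datetime, timedelta, timezone

EXPECTED_ROLE = "AliyunServiceRoleForSas"   # service-linked role named on the page
IMAGE_PREFIX = "SAS_Agentless"              # name prefix of the temporary images

# Constructed sample events (not real trail data); layout mimics ActionTrail but is simplified.
EVENTS = [
    {"eventName": "CreateImage", "eventTime": "2024-05-01T02:00:00Z",
     "userIdentity": {"userName": EXPECTED_ROLE},
     "requestParameters": {"ImageName": "SAS_Agentless_i-aaa"},
     "responseElements": {"ImageId": "m-0001"}},
    {"eventName": "ModifyImageSharePermission", "eventTime": "2024-05-01T02:05:00Z",
     "userIdentity": {"userName": EXPECTED_ROLE},
     "requestParameters": {"ImageId": "m-0001"}},
    {"eventName": "DeleteImage", "eventTime": "2024-05-01T04:00:00Z",
     "userIdentity": {"userName": EXPECTED_ROLE},
     "requestParameters": {"ImageId": "m-0001"}},
    # Created by the role but never deleted: should be caught as overdue.
    {"eventName": "CreateImage", "eventTime": "2024-05-02T02:00:00Z",
     "userIdentity": {"userName": EXPECTED_ROLE},
     "requestParameters": {"ImageName": "SAS_Agentless_i-bbb"},
     "responseElements": {"ImageId": "m-0002"}},
    # Uses the SAS_Agentless prefix but was created by a human account: unexpected creator.
    {"eventName": "CreateImage", "eventTime": "2024-05-03T09:00:00Z",
     "userIdentity": {"userName": "ops-admin"},
     "requestParameters": {"ImageName": "SAS_Agentless_i-ccc"},
     "responseElements": {"ImageId": "m-0003"}},
    # Unrelated image; ignored because it does not carry the prefix.
    {"eventName": "CreateImage", "eventTime": "2024-05-03T10:00:00Z",
     "userIdentity": {"userName": "ops-admin"},
     "requestParameters": {"ImageName": "golden-web-2024"},
     "responseElements": {"ImageId": "m-0004"}},
]


def parse_time(value):
    """ActionTrail timestamps are UTC in ISO 8601 form with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_image_lifecycle(events, retention_days, now):
    """Track every SAS_Agentless image from creation to deletion and report anomalies."""
    images = {}  # image id -> {"name", "creator", "created", "deleted"}
    for event in sorted(events, key=lambda e: e["eventTime"]):
        params = event.get("requestParameters", {})
        if event["eventName"] == "CreateImage" and params.get("ImageName", "").startswith(IMAGE_PREFIX):
            images[event["responseElements"]["ImageId"]] = {
                "name": params["ImageName"],
                "creator": event["userIdentity"]["userName"],
                "created": parse_time(event["eventTime"]),
                "deleted": None,
            }
        elif event["eventName"] == "DeleteImage" and params.get("ImageId") in images:
            images[params["ImageId"]]["deleted"] = parse_time(event["eventTime"])

    report = {"cleaned_up": [], "overdue": [], "unexpected_creator": []}
    for rec in images.values():
        if rec["creator"] != EXPECTED_ROLE:
            report["unexpected_creator"].append(rec["name"])
        if rec["deleted"] is not None:
            report["cleaned_up"].append(rec["name"])
        elif now - rec["created"] > timedelta(days=retention_days):
            report["overdue"].append(rec["name"])
    return report


if __name__ == "__main__":
    # Retention of 3 days, evaluated on 2024-05-10 (both values constructed for the example).
    print(audit_image_lifecycle(EVENTS, 3, parse_time("2024-05-10T00:00:00Z")))
```

Run this over an export of the ActionTrail Event Query for your account with the retention you configured for the task; anything under overdue is storage you are paying for, and anything under unexpected_creator is an image that did not come from the scan workflow and deserves a look.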

Manage detection tasks
View task progress
The time required for a scan task is proportional to the amount of server data. You can view the task progress in the console.
On the Agentless Detection page, click Task Management in the upper-right corner.
In the Task Management panel that appears, select the appropriate tab based on the detection type.
You can view the Progress and Status of the task in the list.
To view task details, such as to confirm whether a server has been scanned, click Details in the Actions column of the target task.
Troubleshoot failed tasks
If a task has an abnormal status, you can view the failure reason on the Task Details page and refer to the following table for solutions.
Failure message | Reason | Solution |
--- | --- | --- |
The current region is not supported | The specified region is not supported. | Refer to Scope to confirm whether the region of the ECS instance is supported. |
Failed to connect to the disk | A temporary error occurred when the system was mounting the snapshot disk. | Click Retry in the Actions column of the task. The system will try again. |
Failed to create the image | The number of ECS images has reached the quota limit. | You can increase the image quota in the ECS console or delete historical images that are no longer in use. |
Task processing timed out | The task did not complete within the specified time because the amount of data to be scanned was too large or the system was busy. | You can split the task into multiple subtasks based on the detection scope and run them again. |
Download detection reports (optional)
In the Task Management panel, select the appropriate tab based on the detection type.
Download the report for the entire task:
Click Download Report in the Actions column of the target task.
Download the report for a single server:
Click Details or View in the Actions column of the target task.
In the Task Details panel, click Download Report in the Actions column.
Analyze and handle risks
After a task is successfully completed, you can view and handle the detected security risks on the Agentless Detection page.
If the same server is scanned multiple times, the page displays only the results of the most recent scan. Previous results are overwritten.
View risk details
On the Agentless Detection page, go to the tab for the relevant detection policy, such as Server Check. Then, go to the tab for the target risk type, such as Vul Risk. In the list, find the target risk item and click View or Details in its Actions column to view specific information.
Handle risk alerts
Vulnerability risks
How to handle: Find the vulnerability that you want to handle and click Add to Whitelist in the Actions column.
Warning: Agentless detection does not support vulnerability fixing.
Supported action: Add to whitelist.
Important: This action adds the specified vulnerability to the whitelist. You will no longer receive alerts for the vulnerability. Proceed with caution.
After you add a vulnerability to the whitelist, the system automatically synchronizes this setting to the tab. You can view the added whitelist rules on the corresponding tab.
Baseline checks
How to handle: In the list of check items, find the item that you want to handle and click Add to Whitelist in the Actions column.
Supported action: Add to whitelist.
Important: After you add a check item to the whitelist, this check is no longer performed on new servers. Proceed with caution.
After you add a check item to the whitelist, the system automatically synchronizes this setting to the tab. You can view the added whitelist rules on the corresponding tab.
Malicious samples
How to handle: In the alert list, find the alert that you want to handle and click Change Status or Handle in the Actions column.
Supported actions:
Add to Whitelist: If you confirm that the file is not malicious, you can add the alert to the whitelist based on the whitelist rules and their scope.
Important: If you add an alert to the whitelist, any future occurrences of the same alert are automatically moved to the processed list, and you no longer receive notifications. Proceed with caution.
You can handle identical alerts in batches. The supported actions vary based on the alert type. For more information, see the console.
After you add an alert to the whitelist, the system automatically synchronizes this setting to the tab. You can view the added whitelist rules on the corresponding tab.
Manually Handled: After you manually resolve the risk that caused the alert, you can mark the alert as Manually Handled.
Mark as False Positive: You can mark this alert as a false positive. Security Center uses your feedback to continuously optimize its scanning capabilities.
Ignore: This action ignores only the current alert. If the same issue is detected again, a new alert is generated.
Sensitive files
How to handle:
In the sensitive file alert list, find the alert that you want to handle and click Details in the Actions column to view a detailed description and hardening suggestions.
In the risk list of the details panel, click Handle in the Actions column. In the dialog box that appears, select how to handle the alert and click OK.
Supported actions:
Add to Whitelist: If you confirm that the file is not malicious, you can add the alert to the whitelist based on the following rules:
Important: If you add an alert to the whitelist, any future occurrences of the same alert are automatically moved to the processed list, and you no longer receive notifications. Proceed with caution.
You can configure multiple rules. All rules have an AND relationship. This means that all conditions must be met for the alert to be whitelisted.
After you add an alert to the whitelist, the system automatically synchronizes this setting to the tab. You can view the added whitelist rules on the corresponding tab.
MD5: For the wildcard character, you can select only equals and then enter the MD5 hash of the file.
Path: For the wildcard character, you can select contains, prefix, or suffix and then enter the specific path.
Manually Handled: After you manually resolve the risk that caused the alert, you can mark the alert as Manually Handled.
Mark as False Positive: You can mark this alert as a false positive. Security Center uses your feedback to continuously optimize its scanning capabilities.
Ignore: This action ignores only the current alert. If the same issue is detected again, a new alert is generated.
Advanced configuration
Set detection whitelists
Whitelist rules that you set when you analyze and handle risks are also automatically synchronized to whitelist management, where you can modify or delete them.
On the Agentless Detection page, click Scan Settings and go to the Manage Whitelist tab.
Based on the risk type, click Create Rule on the corresponding tab.
Configure the whitelist rule as described below.
Important: The following whitelist configurations apply to all assets.
Vulnerability whitelist
Vulnerability Type: Only Linux Software Vulnerability, Windows System Vulnerability, and Application Vulnerability are supported.
Vulnerability Name: The system retrieves the latest vulnerability data based on the selected Vulnerability Type.
Malicious sample whitelist
Alert Name: The default value is ALL, which means the whitelist rule applies to all types of alerts. This cannot be modified.
Whitelist Field: The default value is fileMd5, which means the MD5 hash of the file is whitelisted. This cannot be modified.
Wildcard Character: You can select only equals.
Rule Content: Enter the MD5 hash of the file.
Baseline whitelist
Check Item Type: Specify the baseline check items that you do not want to scan.
Check Item: The check items that are pulled depend on the selected Check Item Type.
Sensitive file whitelist
Check Item for Sensitive Files: Specify the items that you do not want to scan.
Configure Whitelist Conditions:
Note: You can configure multiple rules. All rules have an AND relationship. This means that all conditions must be met for the alert to be whitelisted.
MD5: For the wildcard character, you can select only equals and then enter the MD5 hash of the file.
Path: For the wildcard character, you can select contains, prefix, or suffix and then enter the specific path.
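The sensitive-file whitelist semantics described here and under Analyze and handle risks (MD5 with equals only; Path with contains, prefix or suffix; all conditions ANDed) are small enough to model exactly. The following is an added example, not Security Center's own code, that validates a rule against those constraints and applies it to constructed sensitive-file alerts, so you can dry-run a rule and see which alerts it would suppress before committing it in the console. The alert dictionaries, the sample file contents and the case-insensitive MD5 comparison are this example's assumptions.

```python
from dataclasses import dataclass
import hashlib

# Field/operator pairs the console offers, as described on the page.
ALLOWED_OPERATORS = {
    "MD5": {"equals"},
    "Path": {"contains", "prefix", "suffix"},
}


@dataclass(frozen=True)
class Condition:
    field: str      # "MD5" or "Path"
    operator: str   # the Wildcard Character setting for that field
    value: str      # the Rule Content: an MD5 hex digest or a path fragment


def validate_rule(rule):
    """Reject rules that use a field/operator pair the console does not allow."""
    if not rule:
        raise ValueError("a whitelist rule needs at least one condition")
    for cond in rule:
        allowed = ALLOWED_OPERATORS.get(cond.field)
        if allowed is None:
            raise ValueError(f"unsupported field {cond.field!r}")
        if cond.operator not in allowed:
            raise ValueError(f"operator {cond.operator!r} is not allowed for {cond.field}")
    return True


def condition_matches(cond, alert):
    """Evaluate a single condition against one alert."""
    if cond.field == "MD5":
        # Hex digests are compared case-insensitively (example's choice).
        return alert["md5"].lower() == cond.value.lower()
    path = alert["path"]
    if cond.operator == "contains":
        return cond.value in path
    if cond.operator == "prefix":
        return path.startswith(cond.value)
    return path.endswith(cond.value)  # suffix


def is_whitelisted(rule, alert):
    """All conditions in a rule must hold (AND relationship)."""
    validate_rule(rule)
    return all(condition_matches(c, alert) for c in rule)


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


# Constructed sample alerts; the file contents are placeholders, not real secrets.
SAMPLE_ENV = b"DB_PASSWORD=example-only\n"
ALERTS = [
    {"path": "/home/app/.env", "md5": md5_hex(SAMPLE_ENV)},
    {"path": "/var/www/html/config/.env", "md5": md5_hex(SAMPLE_ENV)},
    {"path": "/root/.ssh/id_rsa", "md5": md5_hex(b"")},
]


def suppressed_paths(rule, alerts=ALERTS):
    """Return the paths of the alerts that the rule would move to the processed list."""
    return [a["path"] for a in alerts if is_whitelisted(rule, a)]


if __name__ == "__main__":
    # Whitelist one known-benign .env file only when both its location and its hash match.
    rule = [Condition("Path", "prefix", "/var/www/"),
            Condition("MD5", "equals", md5_hex(SAMPLE_ENV))]
    print(suppressed_paths(rule))
```

Pairing a Path condition with an MD5 condition, as in the usage above, is the narrowest form a rule can take: a copy of the same file elsewhere, or a modified file at the same path, is still reported. A suffix-only rule such as `.env` would suppress every matching file on every asset, which is the breadth the Important note warns about.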
Connect and detect multicloud assets
Agentless detection supports connecting to Amazon Web Services (AWS) in regions Outside Chinese Mainland. To connect, perform the following steps:
Prepare AWS access credentials
In your AWS account, create an IAM user with programmatic access and obtain the Access Key ID and Secret Access Key. Ensure that this user has permissions to access and create EC2 snapshots.
Important: To use the Agentless Detection feature, you must create a custom IAM policy with specific permissions for Security Center in your AWS account. For more information, see Create a custom policy for agentless detection.
Configure the connection solution
In the upper-left corner of the console, select the Outside Chinese Mainland region. On the Server Check tab, in the Add Multi-cloud Asset section, click Access below the icon.
On the Add Assets Outside Cloud page, on the Create Sub-account tab, configure the parameters as described below and click Next.
Solution: Manual Configuration.
Permission Description: Select Agentless Detection.
Submit credential information
On the Submit AccessKey Pair tab, accurately enter the credential information that you created in your AWS account and click Next.
RAM User SecretID and RAM User SecretKey: Enter the AWS RAM user API key information that you obtained in Step 1.
Provisioning Region: Select an available region. The system uses the selected region to verify asset accessibility and retrieve the corresponding cloud resource data.
Domain: Configure this parameter based on the selected provisioning region. For AWS China regions, select China. For all other regions, select International.
Policy configuration
On the Policy Configuration tab, configure the parameters as described below.
Select region: Select the regions of the AWS assets that you want to provision.
Note: The asset data is automatically stored in the data center that corresponds to the region selected in the upper-left corner of the Security Center console.
Chinese Mainland: Data centers located in the Chinese mainland.
Outside Chinese Mainland: The data center is in Singapore.
Region Management: Select this option. When selected, assets in new regions for this AWS account are automatically synchronized and do not need to be added manually.
AK Service Status Check: You can set the interval at which Security Center automatically checks the validity of the API key for the AWS account, or select "Shutdown" to disable the check.
Click OK.
After you complete the permission verification and policy configuration, you can create agentless detection tasks for your AWS EC2 instances.
Apply in production
Performance impact: The agentless detection scanning process does not consume resources of the target server.
Cost control: The fees for agentless detection consist of a scan fee and an image storage fee. To control costs, we recommend that you select Retain Only At-risk Image when you set the Image Retention Duration for a task. You should also periodically clean up snapshots that are no longer needed.
Quotas and limitations
Disk specifications: A single disk can be up to 1 TiB. A maximum of 20,000,000 files can be scanned per disk. Files that exceed this limit are not scanned.
Server limits: A maximum of 15 disks can be scanned per server. Disks that exceed this limit are not scanned.
Result retention: Detection task results are retained for only 30 days and are automatically cleared after this period. If the same asset is scanned multiple times, the system retains only the results of the most recent scan.
Repair capability: This feature supports only detection and alerting. It does not provide automatic repair capabilities. You must handle risk items based on the instructions on the risk details page.
Compressed file limits: Only JAR files are supported for compressed file scans. Only the first layer is decompressed for scanning.
File system limits: ext2, ext3, ext4, XFS, and NTFS are supported. For NTFS, check items that rely on file permission information are not supported.
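The scope restrictions (encrypted disks, LVM, RAID, ReFS, FreeBSD) and the quotas above determine, before any task is created, which disks of a server will actually be scanned and which check items will be silently missing. The following is an added example, not part of the product, that encodes those rules as a pre-flight check over a constructed server inventory. The inventory layout (os, disks with id, fs, size_bytes, encrypted, layout, file_count) is this example's own; the assumption that the 15-disk limit is applied after ineligible disks are removed is also the example's, as the page does not say in which order the limits apply.

```python
SUPPORTED_FS = {"ext2", "ext3", "ext4", "xfs", "ntfs"}   # from File system limits
UNSUPPORTED_LAYOUTS = {"lvm", "raid"}                     # from Storage and disk restrictions
MAX_DISK_BYTES = 1 << 40                                  # 1 TiB per disk
MAX_DISKS_PER_SERVER = 15
MAX_FILES_PER_DISK = 20_000_000
GIB = 1 << 30


def disk_skip_reason(disk):
    """Return None if the disk can be scanned, otherwise the reason it will be skipped."""
    if disk.get("encrypted"):
        return "encrypted disks cannot be scanned"
    if disk.get("layout", "plain").lower() in UNSUPPORTED_LAYOUTS:
        return f"{disk['layout'].upper()} data disks cannot be scanned"
    fs = disk["fs"].lower()
    if fs == "refs":
        return "ReFS data disks cannot be scanned"
    if fs not in SUPPORTED_FS:
        return f"file system {disk['fs']} is not supported"
    if disk["size_bytes"] > MAX_DISK_BYTES:
        return "disk is larger than 1 TiB"
    return None


def plan_scan(server):
    """Split a server's disks into scannable and skipped, with coverage warnings."""
    plan = {"scan": [], "skipped": {}, "warnings": []}
    if server["os"].lower() == "freebsd":
        plan["warnings"].append(
            "FreeBSD: baseline checks, malware detection and sensitive file detection are not supported")
    for disk in server["disks"]:
        reason = disk_skip_reason(disk)
        if reason is not None:
            plan["skipped"][disk["id"]] = reason
            continue
        # Assumption: the per-server cap counts only disks that passed the checks above.
        if len(plan["scan"]) >= MAX_DISKS_PER_SERVER:
            plan["skipped"][disk["id"]] = "exceeds the limit of 15 scanned disks per server"
            continue
        plan["scan"].append(disk["id"])
        if disk["fs"].lower() == "ntfs":
            plan["warnings"].append(
                f"{disk['id']}: NTFS, check items that rely on file permissions are not evaluated")
        if disk.get("file_count", 0) > MAX_FILES_PER_DISK:
            plan["warnings"].append(
                f"{disk['id']}: only the first {MAX_FILES_PER_DISK:,} files are scanned")
    return plan


# Constructed sample inventory covering each restriction once.
SAMPLE_SERVER = {
    "os": "CentOS",
    "disks": [
        {"id": "d-sys",   "fs": "ext4", "size_bytes": 40 * GIB},
        {"id": "d-data1", "fs": "xfs",  "size_bytes": 500 * GIB, "file_count": 25_000_000},
        {"id": "d-data2", "fs": "ext4", "size_bytes": 100 * GIB, "encrypted": True},
        {"id": "d-data3", "fs": "xfs",  "size_bytes": 100 * GIB, "layout": "lvm"},
        {"id": "d-data4", "fs": "NTFS", "size_bytes": 200 * GIB},
        {"id": "d-data5", "fs": "ext4", "size_bytes": 2 * 1024 * GIB},
        {"id": "d-data6", "fs": "ReFS", "size_bytes": 100 * GIB},
    ],
}


def many_disk_server(count):
    """Constructed server with `count` plain ext4 disks, to exercise the 15-disk cap."""
    return {"os": "Ubuntu",
            "disks": [{"id": f"d-{n:02d}", "fs": "ext4", "size_bytes": 50 * GIB} for n in range(count)]}


if __name__ == "__main__":
    plan = plan_scan(SAMPLE_SERVER)
    print("scan:", plan["scan"])
    for disk_id, reason in plan["skipped"].items():
        print("skip:", disk_id, "-", reason)
    for warning in plan["warnings"]:
        print("warn:", warning)
```

Feeding a real inventory through this before creating a task shows where agentless detection leaves blind spots (an encrypted data disk, a LVM volume, an oversized disk) that the task report itself will not list as findings, so those assets can be covered by the agent instead.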
Billing
The fees for using the agentless detection feature are as follows:
Agentless detection scan fee
Billing method: Pay-as-you-go.
Billing cycle: Daily.
Unit price: USD 0.03/GB.
Billable amount: The billable amount is calculated based on the actual data size of the scanned image, not the total disk capacity.
ECS resource usage fee
Important: When you configure a host detection task, we recommend that you select Retain Only At-risk Image. The system automatically deletes risk-free images after the scan to save storage costs. For more information, see Retention period configuration.
Image fees: The detection task creates an image for the server. Fees are charged based on the image usage and duration. These fees are charged by ECS. For more information, see Images.
FAQ
What is the difference between agentless detection and the virus removal feature?
Comparison item | Agentless detection | Virus removal |
--- | --- | --- |
Working mode | Scans offline snapshots, static analysis | Online real-time monitoring and scanning, dynamic + static analysis |
Server status | Can scan servers that are running or stopped | Can only scan servers that are running and have the agent online |
Detection scope | Vulnerabilities, baselines, malicious samples, sensitive files. | Viruses, webshells, intrusions, vulnerabilities, etc. |
Response capability | Supports detection, alerting, and whitelisting. Does not provide repair. | Provides one-click isolation, removal, and repair capabilities. |
Performance impact | None. | Slight (agent consumes a small amount of system resources). |
Billing model | Pay-as-you-go (per GB scanned) | Subscription (Anti-virus Edition or higher) or pay-as-you-go. |
Scan mode | Supports full disk scans. | Supports quick scans and custom directory scans. |
Can agentless detection automatically fix all risks?
No. It supports only operations such as detection, alerting, whitelisting, and ignoring. It does not provide automatic repair capabilities. You must handle risk items based on the instructions on the risk details page.
Note: We recommend that you prioritize handling high-risk vulnerabilities and malware. You can optimize baselines as needed.
How can I use the advanced detection feature for non-Alibaba Cloud servers?
Currently, agentless detection supports connecting to only Alibaba Cloud ECS and AWS EC2 (only in regions Outside Chinese Mainland). For more information, see Connect and detect multicloud assets.
Important: For servers from other cloud providers or in on-premises data centers, we recommend that you install the Security Center agent and purchase the Anti-virus Edition or a higher edition to obtain comprehensive security protection. For more information, see Purchase Security Center and Install the agent.
Why is the asset IP address not displayed for some agentless detection alerts?
The asset IP may be empty during agentless detection for the following reasons:
The instance has been released
When the asset instance that corresponds to an alert is released, Security Center can no longer obtain the IP address of that instance because the instance no longer exists. Therefore, the IP address of the instance cannot be tracked or displayed.
Data cleanup mechanism
Security Center may clean up records of released instances. This makes the related information unavailable.
Appendix
Detection capabilities
The following table lists the main detection items that are supported by agentless detection.
Detection category | Detection scope | Details |
--- | --- | --- |
Vulnerability risks | Linux software vulnerabilities, Windows system vulnerabilities, application vulnerabilities | For supported operating system versions, see Supported operating systems for vulnerability scans. |
Baseline checks | Configuration compliance for operating systems, applications, and databases | Supports scanning hundreds of configuration items. For the check items, go to Scan Configuration in the console. For more information, see Baseline Detection Scope. |
Malicious samples | Malicious scripts, webshells, malware | For more information, see Malicious Samples. |
Sensitive files | Credential information, key files, configuration files | Supports scanning for common sensitive files. For the check items, go to the Scan Configuration page in the console. For more information about the operations, see Sensitive File Check Items. |
Supported operating systems for vulnerability scans
Operating system type | Version |
--- | --- |
Windows Server | |
Red Hat | |
CentOS | |
Ubuntu | |
Debian | |
Alpine | |
Amazon Linux | |
Oracle Linux | |
SUSE Linux Enterprise Server | |
Fedora Linux | |
openSUSE | |
Malicious samples
Malicious sample classification | Description | Supported detection items |
--- | --- | --- |
Malicious script | Detects whether the system functions of an asset have been attacked or tampered with by malicious scripts and displays possible malicious script attacks in the detection results. Malicious scripts are divided into file-based and fileless scripts. After gaining server permissions, attackers use scripts as a vehicle for further attacks. Methods include implanting mining programs, adding system back doors, and adding system accounts. | Supported languages include Shell, Python, Perl, PowerShell, VBScript, BAT, etc. |
Webshell | Checks whether web script files in an asset are malicious and whether they have back door communication or management functions. After implanting a webshell, an attacker can control the server and use it as a back door for further attacks. | Supported languages include PHP, JSP, ASP, ASPX, etc. |
Malware | Checks whether binary files in an asset are malicious and whether they have the ability to damage the asset or maintain persistent control. After implanting malicious binary files, an attacker can control the server for mining, DDoS attacks, or encrypting asset files. Malicious binaries are mainly classified by function, including mining programs, Trojan horses, back door programs, hacking tools, ransomware, and worms. | Contaminated basic software, Suspicious program, Spyware, Trojan horse, Infectious virus, Worm, Exploit, Metamorphic Trojan, Hacking tool, DDoS Trojan, Reverse shell back door, Malicious program, Rootkit, Downloader Trojan, Scanner, Riskware, Proxy tool, Ransomware, Back door program, Mining program |