Security Center:Use the agentless detection feature

Scenarios

• You want to perform comprehensive security checks on the system disk and data disks of an ECS instance.

• You want to perform security checks on an ECS instance that does not have the Security Center agent installed.

Apply for public preview

The agentless detection feature is in public review. If you use the Advanced, Enterprise, or Ultimate edition of Security Center, you can use the feature free of charge. If you use the Basic or Anti-virus edition of Security Center, you must upgrade your Security Center to the Advanced, Enterprise, or Ultimate edition before you can use the feature.

If your Security Center edition supports the feature, you can click Apply now on the Agentless Detection page to use the feature.

Billing

You are not charged for the agentless detection feature. However, you are charged for the custom images that you create when you use the agentless detection feature. For more information, see Images.

Limits

• The feature is supported only for ECS instances that reside in the China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), China (Hong Kong), and Singapore regions. The feature is not supported for ECS instances that reside in other regions or servers that are not deployed on Alibaba Cloud.

• The feature is not supported for ECS instances that run a FreeBSD operating system.

• The feature can check the system disk and data disks of ECS instances but cannot check the data disks that are managed by using Logical Volume Manager (LVM), Redundant Array of Independent Disks (RAID), or Resilient File System (ReFS).

• The feature can only detect vulnerabilities, baseline configuration risks, and malicious files on ECS instances. The feature cannot fix the detected results. For more information about the check items that are supported, see Supported check items.

Step 1: Create a detection task

The agentless detection feature supports immediate detection and periodic detection methods. Immediate detection supports detection of vulnerabilities, baseline risks, and alerts. Periodic detection supports detection of vulnerabilities. You can select a detection method based on your business requirements.

1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Agentless Detection.

3. On the Agentless Detection page, create an immediate detection task or a periodic detection task.

   • Create an immediate detection task

     1. Click Create Detection Task.

     2. In the Create Detection Task panel, select the servers that you want to detect and click Next.

     3. Configure the Scan Scope and Image Saved At parameters. Then, click Next.

        We recommend that you set the Scan Scope parameter to Data Disk. A more complete data source indicates better detection of vulnerabilities and alerts.

        You are charged for images that you create. A longer retention period indicates higher fees for images. For more information, see Images. You can select Retain Only At-risk Snapshots or Images based on your business requirements. If you select Retain Only At-risk Snapshots or Images, an image is immediately released if no risks are detected on the image. This reduces the cost on image storage.

     4. Click Go to Task List to view the progress of the task.

        After you create the task, Security Center automatically creates an image and scans the image. The period of time that is required to complete the scan task varies based on the number of servers on which the scan task is performed.

   • Configure a periodic detection task.

     1. Click Scan Configuration.

     2. In the Scan Configuration panel, specify the scan cycle, asset scope, scan scope, vulnerability check scope, and image retention period.

Step 2: View detection results

The Agentless Detection page displays all risks that are detected on ECS instances. If an ECS instance undergoes multiple checks, only the results of the most recent check are displayed.

On the Agentless Detection page, you can view the detected vulnerabilities, baseline risks, and alerts. Find the required risk item and click View in the Actions column to view the details.

What to do next

View the scan task status

After you create a detection task, click Task management on the Agentless Detection page. In the Task management panel, you can view the status of the task. You can find the required task and click Details in the Operate column to view the details of the task.

If a task fails, you can view the cause of the failure on the task details page and resolve the issue based on the following table.

Configure an alert whitelist

If you confirm that a false positive is reported for a file and you want to prevent unnecessary alerts, you can configure an alert whitelist and add the file to the whitelist. If Security Center detects a file that is added to the whitelist within the asset scope of the whitelist, no alerts are generated.

• The following list describes the methods that can be used to add alerts to a whitelist:

  • Method 1: Add an alert to the whitelist

    On the Alerts tab of the Agentless Detection page, find the required alert and click Add to Whitelist in the Actions column. In the Add to Whitelist dialog box, enter a description and click Determine.

  • Method 2: Add a whitelist rule

    On the Agentless Detection page, click Scan Configuration. In the Scan Configuration panel, click the Alert Whitelist tab.On the tab that appears, click Add rules, configure the following parameters, and then click Determine.

    Parameter	Description
    Event	The default value is All Alerts, which indicates that the whitelist takes effect for all types of alerts and cannot be modified.
    Whitelist Field	The default value is fileMd5, which indicates that the MD5 hash value of the file is added to the whitelist and cannot be modified.
    Wildcard	The value that you can select is Equal To.
    Rule Content	Enter the MD5 hash value of the file.
    Rule Scope	Select the servers on which you want to apply the rule.

  Note

  If you use Method 1, the whitelist takes effect on all assets. If you use Method 2, a whitelist rule takes effect on all or some assets. If you want to add specific files to a whitelist for some assets, you can use only Method 2.

• Edit an alert whitelist rule

  After you add a whitelist rule, you can view and edit the rule in the Scan Configuration panel.

  On the Agentless Detection page, click Scan Configuration. On the Alert Whitelist tab of the Scan Configuration panel, find the required whitelist rule and click Edit in the Actions column.

• Delete a whitelist rule

  On the Agentless Detection page, click Scan Configuration. On the Alert Whitelist tab of the Scan Configuration panel, find the required whitelist rule and click Delete in the Actions column.

Supported check items

Vulnerabilities

Application vulnerabilities and system vulnerabilities can be detected. The vulnerabilities that can be detected on servers vary based on the operating systems of the servers.

• System vulnerabilities: Linux operating system

• Application vulnerabilities: Linux and Windows operating systems

Baseline risks

Alerts