
Security Center: Use the agentless detection feature

Last Updated: Apr 17, 2024

The agentless detection feature uses agentless technology to detect security risks on Elastic Compute Service (ECS) instances. You do not need to install the Security Center agent. The feature supports non-intrusive security checks to detect vulnerabilities, baseline risks, and alerts on ECS instances that are in the shutdown, idle, or heavily loaded state. The feature does not affect the performance of ECS instances. This topic describes how to use the agentless detection feature.

Scenarios

You can perform comprehensive security checks on the system disk and data disks of an ECS instance on which the Security Center agent is not installed.

Billing

  • The agentless detection feature uses the pay-as-you-go billing method, and you are charged based on the amount of data that is scanned. A bill is generated on the day after the feature scans data. For more information, see Billing overview.

  • If you create a detection task for an ECS instance, the system creates an image for the ECS instance. You are charged for the image based on the size and storage period of the image, and the fees are included in ECS bills. For more information, see Images.

Limits

Item

Description

Server

The agentless detection feature supports only Alibaba Cloud ECS instances.

Region

The agentless detection feature is supported in the following regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Shenzhen), China (Zhangjiakou), China (Hong Kong), Singapore, and US (Virginia).

Operating system

The agentless detection feature does not support the FreeBSD operating system.

Encrypted disk

The agentless detection feature cannot check encrypted system disks or data disks.

Disk

  • The agentless detection feature can check a system disk or data disk that is up to 1 TiB in size. If the size of a disk exceeds 1 TiB, the feature does not check the disk.

  • The agentless detection feature can check up to 20,000,000 files in a system disk or data disk. The feature does not check excess files.

File system

  • The agentless detection feature can check compressed files, specifically JAR files. The feature decompresses only the top-level directory of a JAR file for checking.

  • The agentless detection feature supports the following file systems: ext2, ext3, ext4, XFS, and NTFS. The feature cannot check the items that are related to file permissions in the NTFS file system.

  • The agentless detection feature cannot check data disks that are managed by using Logical Volume Manager (LVM), Redundant Array of Independent Disks (RAID), or Resilient File System (ReFS).

Detection task

  • The agentless detection feature can check up to 15 disks on an ECS instance. The disks are system disks and data disks. The feature does not check excess disks.

  • You can run only one detection task at a time.

Risk handling

The agentless detection feature can detect but cannot fix vulnerabilities, baseline risks, malicious files, and sensitive files. If risks are detected, you must manually handle the risks based on the information provided on the risk details page.

Retention period of check results

  • If an ECS instance undergoes multiple checks, only the results of the most recent check are displayed.

  • The check results of ECS instances are stored for up to 30 days. Risk data that is older than 30 days, counted from the date of the most recent check, is automatically deleted.
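The limits above decide which disks a detection task silently leaves out, so it is worth knowing an instance's blind spots before reading its results as complete. The following added example (not Alibaba Cloud code) encodes the stated limits as a pre-check over a disk inventory: encrypted disks, disks above 1 TiB, LVM/RAID/ReFS volumes and FreeBSD guests are skipped, only ext2/ext3/ext4/XFS/NTFS are supported, at most 15 disks per instance and 20,000,000 files per disk are checked, and NTFS file-permission items are not evaluated. The Disk/Instance inventory format is hypothetical and the sample inventory is constructed.

```python
"""Coverage pre-check for an ECS instance before an agentless detection task.

Added example; this is not Alibaba Cloud code. The Disk/Instance inventory
format is hypothetical and SAMPLE_INSTANCE is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_DISK_GIB = 1024            # 1 TiB expressed in GiB
MAX_FILES_PER_DISK = 20_000_000
MAX_DISKS_PER_INSTANCE = 15
SUPPORTED_FS = {"ext2", "ext3", "ext4", "xfs", "ntfs"}
UNSUPPORTED_VOLUME_MANAGERS = {"lvm", "raid"}


@dataclass
class Disk:
    name: str
    size_gib: int
    fs: str
    encrypted: bool = False
    volume_manager: Optional[str] = None   # "lvm", "raid" or None
    file_count: Optional[int] = None       # None when unknown


@dataclass
class Instance:
    instance_id: str
    os_family: str                         # "linux", "windows" or "freebsd"
    disks: List[Disk]


def coverage_report(inst: Instance) -> Dict:
    """Return which disks the scan will cover, which it will skip and why,
    and warnings about partial coverage of disks that are scanned."""
    report: Dict = {"instance": inst.instance_id, "scanned": [],
                    "skipped": {}, "warnings": []}
    if inst.os_family.lower() == "freebsd":
        # FreeBSD guests are outside the feature's operating-system support.
        report["warnings"].append("FreeBSD guest: agentless detection is not supported")
        for d in inst.disks:
            report["skipped"][d.name] = "unsupported operating system"
        return report
    for d in inst.disks:
        fs = d.fs.lower()
        vm = (d.volume_manager or "").lower()
        if d.encrypted:
            report["skipped"][d.name] = "encrypted disk"
        elif d.size_gib > MAX_DISK_GIB:
            report["skipped"][d.name] = f"disk larger than 1 TiB ({d.size_gib} GiB)"
        elif vm in UNSUPPORTED_VOLUME_MANAGERS:
            report["skipped"][d.name] = f"{vm.upper()}-managed volume"
        elif fs == "refs":
            report["skipped"][d.name] = "ReFS file system"
        elif fs not in SUPPORTED_FS:
            report["skipped"][d.name] = f"unsupported file system {d.fs}"
        else:
            report["scanned"].append(d.name)
            if fs == "ntfs":
                report["warnings"].append(
                    f"{d.name}: NTFS file-permission check items are not evaluated")
            if d.file_count is not None and d.file_count > MAX_FILES_PER_DISK:
                excess = d.file_count - MAX_FILES_PER_DISK
                report["warnings"].append(
                    f"{d.name}: {excess} files beyond the 20,000,000 limit are not checked")
    if len(inst.disks) > MAX_DISKS_PER_INSTANCE:
        report["warnings"].append(
            f"{len(inst.disks)} disks attached; only {MAX_DISKS_PER_INSTANCE} per instance are checked")
    return report


# Constructed sample inventory (not a real instance).
SAMPLE_INSTANCE = Instance(
    instance_id="i-example0001",
    os_family="linux",
    disks=[
        Disk("system", 40, "ext4", file_count=350_000),
        Disk("data-1", 2048, "xfs"),                        # over 1 TiB
        Disk("data-2", 500, "ext4", encrypted=True),        # encrypted
        Disk("data-3", 200, "ext4", volume_manager="lvm"),  # LVM-managed
        Disk("data-4", 100, "ntfs", file_count=25_000_000), # scanned, partially
    ],
)

if __name__ == "__main__":
    for key, value in coverage_report(SAMPLE_INSTANCE).items():
        print(f"{key}: {value}")
```

For the constructed inventory, only the system disk and data-4 are scanned, and data-4 carries two warnings; a disk that is skipped for any reason has to be covered by another control, such as the agent-based scan.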

Step 1: Purchase the agentless detection feature by using the pay-as-you-go billing method and complete authorization

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. You can select China or Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Agentless Detection.

  3. On the Agentless Detection page, click Activate Now.

  4. In the dialog box that appears, read and select I have read and agree to Security Center (Pay-as-you-go) Terms of Service. Then, click Activate Now.

  5. If the AliyunServiceRoleForSas service-linked role is not created, click Authorize Now and complete authorization as prompted.

    After the authorization is complete, Security Center automatically creates the AliyunServiceRoleForSas service-linked role. For more information about the AliyunServiceRoleForSas service-linked role, see Service-linked roles for Security Center.

Step 2: Create a detection task

After you create a detection task for your ECS instance, the system creates an image of the ECS instance. Then, the system scans data in the image to check whether risks such as vulnerabilities, alerts, baseline risks, and sensitive files exist on the ECS instance.

Create an immediate detection task

  1. On the Agentless Detection page, click Create Detection Task.

  2. In the Create Detection Task panel, select the ECS instance that you want to check and click Next.

  3. Configure the Scan Scope and Snapshot/Image Storage Time parameters. Then, click Next.

    We recommend that you set the Scan Scope parameter to Data Disk. A complete data source improves detection results, such as the detection of vulnerabilities and alerts.

    You are charged for images that are created. A longer retention period of the images leads to higher fees. You can select Retain Only At-risk Snapshots or Images based on your business requirements. If you select Retain Only At-risk Snapshots or Images, a created image is immediately released if no risks are detected. Only at-risk images are retained. This reduces storage costs.

  4. Click Go to Task List to view the progress of the task.

    After you create the task, Security Center automatically creates an image and then scans data in the image. The time that is required to complete the task increases with the number of ECS instances that need to be checked.

Create a periodic detection task

  1. In the upper-right corner of the Agentless Detection page, click Scan Configuration.

  2. In the Scan Configuration panel, configure the Scan Object, Scan cycle, Scan Assets, Scope, Baseline Check Scope, Vulnerability Detection Scope, and Snapshot/Image Storage Time parameters. You can also select or clear Retain Only At-risk Snapshots or Images.

  3. Click Save.

Automatically created image

After you create a detection task, the system automatically creates an image for your ECS instance. The image name starts with SAS_Agentless_. After the image is created, the image is automatically shared with the Security Center service account whose ID is 182*********0517. In this way, Security Center can perform security scans on data from your ECS instance.

The sharing process does not generate fees. Security Center uses the shared image only for security scanning. When the image is deleted or automatically released, the sharing is also canceled.
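Because every task creates an image that is shared outside your account and billed until it is released, the SAS_Agentless_ images deserve a periodic audit: an image older than the configured storage time means a release did not happen and fees keep accruing, and an image shared with any account other than the Security Center service account is a sharing anomaly. The following added example (not Security Center or Alibaba Cloud code) performs that audit over JSON of the shape returned by the ECS DescribeImages and DescribeImageSharePermission API operations; the field layout and the CreationTime format are assumptions, the payloads are constructed, and the service account ID is a placeholder because the page masks it.

```python
"""Audit the images that agentless detection creates (names start with SAS_Agentless_).

Added example; this is not Security Center or Alibaba Cloud code. The field
layout (Images.Image[], ImageId, ImageName, CreationTime,
Accounts.Account[].AliyunId), the CreationTime format and the sample payloads
are assumptions or constructed data.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

IMAGE_PREFIX = "SAS_Agentless_"
EXPECTED_SHARE_ACCOUNT = "<SECURITY_CENTER_ACCOUNT_ID>"   # placeholder; the page masks the real ID
MAX_AGE_DAYS = 7                  # your own expectation for Snapshot/Image Storage Time; adjust
TIME_FORMAT = "%Y-%m-%dT%H:%MZ"   # assumed CreationTime layout


def agentless_images(describe_images_json: str) -> List[Dict]:
    """Keep only the images that the detection feature created."""
    body = json.loads(describe_images_json)
    return [img for img in body["Images"]["Image"]
            if img["ImageName"].startswith(IMAGE_PREFIX)]


def shared_accounts(share_permission_json: str) -> set:
    """Account IDs an image is currently shared with."""
    body = json.loads(share_permission_json)
    return {a["AliyunId"] for a in body["Accounts"]["Account"]}


def audit_images(images: List[Dict], permissions: Dict[str, str], now: datetime,
                 expected_account: str = EXPECTED_SHARE_ACCOUNT,
                 max_age_days: int = MAX_AGE_DAYS) -> List[Tuple[str, str]]:
    """Flag images that outlived the expected storage time (release did not
    happen, so storage fees keep accruing) and images shared with any account
    other than the Security Center service account."""
    findings = []
    for img in images:
        image_id = img["ImageId"]
        created = datetime.strptime(img["CreationTime"], TIME_FORMAT).replace(tzinfo=timezone.utc)
        age = now - created
        if age > timedelta(days=max_age_days):
            findings.append((image_id, f"image is {age.days} days old, beyond the expected storage time"))
        accounts = shared_accounts(permissions[image_id]) if image_id in permissions else set()
        unexpected = accounts - {expected_account}
        if unexpected:
            findings.append((image_id, f"shared with unexpected account(s): {sorted(unexpected)}"))
    return findings


# Constructed sample payloads.
SAMPLE_DESCRIBE_IMAGES = json.dumps({"Images": {"Image": [
    {"ImageId": "m-example0001", "ImageName": "SAS_Agentless_i-example0001",
     "CreationTime": "2024-04-01T09:30Z"},
    {"ImageId": "m-example0002", "ImageName": "SAS_Agentless_i-example0002",
     "CreationTime": "2024-04-15T09:30Z"},
    {"ImageId": "m-example0003", "ImageName": "golden-web-2024",   # not a scan image
     "CreationTime": "2024-01-01T00:00Z"},
]}})
SAMPLE_SHARE_PERMISSIONS = {
    "m-example0001": json.dumps({"Accounts": {"Account": [
        {"AliyunId": EXPECTED_SHARE_ACCOUNT}]}}),
    "m-example0002": json.dumps({"Accounts": {"Account": [
        {"AliyunId": EXPECTED_SHARE_ACCOUNT}, {"AliyunId": "1111111111111111"}]}}),  # constructed extra account
}
SAMPLE_NOW = datetime(2024, 4, 17, 12, 0, tzinfo=timezone.utc)


def run_sample() -> List[Tuple[str, str]]:
    return audit_images(agentless_images(SAMPLE_DESCRIBE_IMAGES),
                        SAMPLE_SHARE_PERMISSIONS, SAMPLE_NOW)


if __name__ == "__main__":
    for image_id, issue in run_sample():
        print(image_id, "-", issue)
```

On the constructed data the first image is flagged for age and the second for an extra share target, while the non-scan image is ignored. Feed the function the real API responses and the account ID shown on your own Agentless Detection page to run it against an account.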

Step 3: View the progress of the detection task

Before you can view the results of the detection task that you create, make sure that the task is complete. You can view the progress of a detection task to check whether the task is complete.

  1. In the upper-right corner of the Agentless Detection page, click Task Management.

  2. In the Task Management panel, view the progress of the task.

  3. Find the task whose details you want to view and click Details in the Actions column. In the Task Details panel, check whether the name of the ECS instance that you specify in Step 2 is displayed, and view the status of the task on the ECS instance.

    If the task fails, you can view the cause of the failure in the Task Details panel and resolve the issue based on the following table.


    Cause

    Solution

    Current region unsupported

    No fix is available. Check the regions in which the agentless detection feature is supported. For more information, see Limits. This error is returned only if you create the detection task by calling an API operation.

    Disk connection failed

    Click Retry in the Actions column to reconnect to the disk.

    Image creation failed

    Check whether the number of existing images exceeds the upper limit. If the upper limit is exceeded, you can delete some historical images or increase the upper limit. For more information, see View and increase resource quotas.

Step 4: View the detection results

The Agentless Detection page displays all risks that are detected on ECS instances. If an ECS instance undergoes multiple checks, only the results of the most recent check are displayed.

View the details of a risk

  1. On the Agentless Detection page, click the Vulnerability, Baseline Check, Security Alerts, or Sensitive File tab, find a risk whose details you want to view, and then click View or Details in the Actions column.

  2. Handle the risk based on the risk description provided by Security Center.

Download the detection results

You can download a report of detection results by task or ECS instance.

  1. In the upper-right corner of the Agentless Detection page, click Task Management.

  2. Download a report of detection results for a task: In the Task Management panel, find a task and click Download Report.

  3. Download a report of detection results for an ECS instance: In the Task Management panel, find a task that is performed on an ECS instance and click Details in the Actions column. In the Task Details panel, find the ECS instance and click Download Report in the Actions column.

Step 5: (Optional) Configure a whitelist

Configure a vulnerability whitelist

If you confirm that a vulnerability is acceptable or poses only a low risk, you can add it to a vulnerability whitelist so that it is ignored. Starting from the next detection task, if Security Center detects the vulnerability on assets within the scope of the whitelist rule, Security Center no longer displays the vulnerability on the Vulnerability tab. Until that next detection task runs, the vulnerability remains on the Vulnerability tab.

  • Directly add a vulnerability to the whitelist

    On the Vulnerability tab of the Agentless Detection page, find the vulnerability that you want to add to the whitelist and click Add to Whitelist in the Actions column. In the Add to Whitelist dialog box, enter a description and click OK.

    Then, Security Center automatically creates a whitelist rule on the Scan Configuration > Vulnerability Whitelist tab.

  • Create a whitelist rule

    In the upper-right corner of the Agentless Detection page, click Scan Configuration. On the Vulnerability Whitelist tab of the Scan Configuration panel, click Create Rule. In the Add Vulnerability Whitelist Rule panel, configure the Vulnerability Type, Vulnerability Name, Rule Scope, and Remarks parameters. Then, click OK.

Note

If you directly add a vulnerability to the whitelist, the whitelist rule automatically takes effect on all assets. If you create a whitelist rule, you can configure whether the whitelist rule takes effect on all assets or specific assets. If you want to add a vulnerability to the whitelist for specific assets, you must create a vulnerability whitelist rule.

Configure a baseline whitelist

If you confirm that the risks detected by specific baseline check items are low, you can add the check items to a baseline whitelist so that they are ignored. Starting from the next detection task, if Security Center detects baseline risks by using these check items on assets within the scope of the whitelist rule, Security Center no longer displays the check items on the Baseline Check tab. Until that next detection task runs, the check items remain on the Baseline Check tab.

  • Directly add a baseline check item to the whitelist

    On the Baseline tab of the Agentless Detection page, find the baseline check item that you want to add to the whitelist and click Add to Whitelist in the Actions column. In the Add to Whitelist dialog box, enter a description and click OK.

    Then, Security Center automatically creates a whitelist rule on the Scan Configuration > Baseline Whitelist tab.

  • Create a whitelist rule

    In the upper-right corner of the Agentless Detection page, click Scan Configuration. On the Baseline Whitelist tab of the Scan Configuration panel, click Create Rule. In the Create Baseline Whitelist Rule panel, configure the Check Item Type, Check Item, Rule Scope, and Remarks parameters. Then, click OK.

Note

If you directly add a baseline check item to the whitelist, the whitelist rule automatically takes effect on all assets. If you create a whitelist rule, you can configure whether the whitelist rule takes effect on all assets or specific assets. If you want to add a baseline check item to the whitelist for specific assets, you must create a whitelist rule.

Configure an alert whitelist

If you confirm that a false positive is generated for a file and you want to prevent unnecessary alerts, you can configure an alert whitelist and add the file to the whitelist. If Security Center detects the file on the assets on which the whitelist takes effect in the next detection task, no alerts are generated.

  • Directly add a file to the whitelist

    On the Alert tab of the Agentless Detection page, find the alert that you want to add to the whitelist and click Add to Whitelist in the Actions column. In the Add to Whitelist dialog box, enter a description and click OK.

  • Create a whitelist rule

    In the upper-right corner of the Agentless Detection page, click Scan Configuration. On the Alert Whitelist tab of the Scan Configuration panel, click Create Rule. In the Create Rule panel, configure the parameters and click OK.

    Parameter

    Description

    Alert Name

    The default value is All Alerts, which indicates that the whitelist rule takes effect on all types of alerts. You cannot change the value.

    Whitelist Field

    The default value is fileMd5, which indicates that the MD5 hash value of a file is added to the whitelist. You cannot change the value.

    Wildcard Character

    You can select only Equal To.

    Rule Content

    The MD5 hash value of a file.

    Rule Scope

    The assets on which you want to apply the rule.

Note

If you directly add an alert to the whitelist, the whitelist rule automatically takes effect on all assets. If you create a whitelist rule, you can configure whether the whitelist rule takes effect on all assets or specific assets. If you want to add a file to the whitelist for specific assets, you must create a whitelist rule.
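The three whitelist sections above share one rule model: a rule created with Add to Whitelist applies to all assets, a rule created on the Scan Configuration panel applies to all assets or to a chosen scope, an alert rule matches on fileMd5 with the Equal To operator only, and matching items are suppressed from the next detection task onward. The following added example (not Security Center code) models that behaviour so you can predict which findings a set of rules will hide; the rule and finding structures, the instance IDs, the vulnerability and check-item names, and the file content are all constructed.

```python
"""Model of the whitelist semantics described for agentless detection.

Added example; this is not Security Center code. Rule and finding structures,
instance IDs, vulnerability and check-item names and the sample file are
constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class WhitelistRule:
    kind: str                               # "vulnerability", "baseline" or "alert"
    value: str                              # vulnerability name, check item, or file MD5 hex
    scope: Optional[FrozenSet[str]] = None  # None = all assets (what "Add to Whitelist" produces)


@dataclass(frozen=True)
class Finding:
    kind: str
    instance_id: str
    value: str                              # same key space as WhitelistRule.value


def file_md5(data: bytes) -> str:
    """The fileMd5 field the alert whitelist compares against."""
    return hashlib.md5(data).hexdigest()


def is_whitelisted(finding: Finding, rules: List[WhitelistRule]) -> bool:
    for rule in rules:
        if rule.kind != finding.kind:
            continue
        # Equal To is the only operator offered, so compare exact values
        # (hex digests compared case-insensitively, an assumption).
        if rule.value.lower() != finding.value.lower():
            continue
        if rule.scope is None or finding.instance_id in rule.scope:
            return True
    return False


def apply_whitelist(findings: List[Finding],
                    rules: List[WhitelistRule]) -> Tuple[List[Finding], List[Finding]]:
    """Split the findings of a detection task into (visible, suppressed)."""
    visible, suppressed = [], []
    for f in findings:
        (suppressed if is_whitelisted(f, rules) else visible).append(f)
    return visible, suppressed


# Constructed sample data.
SAMPLE_FILE = b"#!/bin/sh\necho 'nightly backup'\n"   # a benign script that was flagged
SAMPLE_MD5 = file_md5(SAMPLE_FILE)
SAMPLE_RULES = [
    WhitelistRule("vulnerability", "EXAMPLE-VULN-0001"),               # direct add: all assets
    WhitelistRule("baseline", "example-check-item", frozenset({"i-example0001"})),
    WhitelistRule("alert", SAMPLE_MD5, frozenset({"i-example0001"})),
]
SAMPLE_FINDINGS = [
    Finding("vulnerability", "i-example0001", "EXAMPLE-VULN-0001"),
    Finding("vulnerability", "i-example0002", "EXAMPLE-VULN-0001"),
    Finding("baseline", "i-example0001", "example-check-item"),
    Finding("baseline", "i-example0002", "example-check-item"),
    Finding("alert", "i-example0001", SAMPLE_MD5),
    Finding("alert", "i-example0002", SAMPLE_MD5),
    # Same script with one line appended: different MD5, so it is alerted again.
    Finding("alert", "i-example0001", file_md5(SAMPLE_FILE + b"# edited\n")),
]

if __name__ == "__main__":
    visible, suppressed = apply_whitelist(SAMPLE_FINDINGS, SAMPLE_RULES)
    print("suppressed:", len(suppressed), "visible:", len(visible))
    for f in visible:
        print("  still shown:", f)
```

Because the alert rule is an exact hash match, any change to a whitelisted file yields a new MD5 and the file is alerted again, which is the behaviour you want from a file whitelist; the scoped rules show why a direct Add to Whitelist, which always applies to all assets, is the wrong choice when only one instance should be exempt.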

Risks that can be detected

Vulnerabilities

The agentless detection feature can detect Linux software vulnerabilities, Windows system vulnerabilities, and application vulnerabilities.

Baseline risks

Baseline category

Baseline check item

CIS Compliance checks

  • CIS CentOS Linux 6 LTS Benchmark

  • CIS CentOS Linux 7 LTS Benchmark

  • CIS Ubuntu Linux 16/18/20 LTS Benchmark

  • CIS Ubuntu Linux 14 LTS Benchmark

  • CIS Debian Linux 8 Benchmark

  • CIS Microsoft Windows Server 2008 R2 Benchmark

  • CIS Microsoft Windows Server 2012 R2 Benchmark

  • CIS Microsoft Windows Server 2016/2019 R2 Benchmark

  • Alibaba Cloud Linux 2/3 CIS Benchmark

  • CIS CentOS Linux 8 LTS Benchmark

  • CIS Microsoft Windows Server 2022 R2 Benchmark

  • CIS Ubuntu Linux 22 LTS Benchmark

  • CIS Ubuntu Rocky 8 Benchmark

MLPS Compliance

  • MLPS Level 3 Compliance Baseline for SUSE 15

  • MLPS Level 3 Compliance Baseline for Windows 2008 R2

  • MLPS Level 3 Compliance Baseline for CentOS Linux 7

  • MLPS Level 3 Compliance Baseline for CentOS Linux 6

  • MLPS Level 3 Compliance Baseline for Windows 2012 R2

  • MLPS Level 3 Compliance Baseline for Ubuntu 16/18/20

  • MLPS Level 3 Compliance Baseline for Debian Linux 8/9/10

  • MLPS Level 3 Compliance Baseline for Windows Server 2016/2019

  • MLPS Level 3 Compliance Baseline for Alibaba Cloud Linux 2

  • MLPS Level 3 Compliance Baseline for Red Hat Linux 7

  • MLPS Level 3 Compliance Baseline for Ubuntu 14

  • MLPS Level 3 Compliance Baseline for SUSE 12

  • MLPS Level 3 Compliance Baseline for SUSE 11

  • MLPS Level 3 Compliance Baseline for SUSE 10

  • MLPS Level 3 Compliance Baseline for Red Hat Linux 6

  • MLPS Level 3 Compliance Baseline for CentOS Linux 8

  • MLPS Level 3 Compliance Baseline for Alibaba Cloud Linux 3

  • MLPS Level 3 Compliance Baseline for Anolis 8

  • MLPS Level 3 Compliance Baseline for Ubuntu 22

  • MLPS Level 2 Compliance Baseline for Windows 2008 R2

  • MLPS Level 2 Compliance Baseline for CentOS Linux 7

  • MLPS Level 2 Compliance Baseline for CentOS Linux 6

  • MLPS Level 2 Compliance Baseline for Windows 2012 R2

  • MLPS Level 2 Compliance Baseline for Ubuntu 16/18

  • MLPS Level 2 Compliance Baseline for Debian Linux 8

  • MLPS Level 2 Compliance Baseline for Windows Server 2016/2019

  • MLPS Level 2 Compliance Baseline for Alibaba Cloud Linux 2

  • MLPS Level 2 Compliance Baseline for Red Hat Linux 7

  • MLPS Level 2 Compliance Baseline for Ubuntu 14

  • MLPS Level 3 Compliance Baseline for UOS

  • MLPS Level 3 Compliance Baseline for Kylin

Best security practices

  • Alibaba Cloud Standard - CentOS Linux 6 Security Baseline Check

  • Alibaba Cloud Standard - CentOS Linux 7/8 Security Baseline Check

  • Alibaba Cloud Standard - Windows Server 2008 R2 Security Baseline Check

  • Alibaba Cloud Standard - Windows 2012 R2 Security Baseline

  • Alibaba Cloud Standard - Ubuntu Security Baseline

  • Alibaba Cloud Standard - Debian Linux 8/9/10/11 Security Baseline

  • Alibaba Cloud Standard - Windows 2016/2019 Security Baseline

  • Alibaba Cloud Standard - Alibaba Cloud Linux 2/3 Benchmark

  • Alibaba Cloud Standard - Red Hat Enterprise Linux 7/8 Security Baseline Check

  • Alibaba Cloud Standard - Red Hat Enterprise Linux 6 Security Baseline Check

  • Alibaba Cloud Standard - Windows 2022 Security Baseline

  • Alibaba Cloud Standard - SUSE Linux 15 Security Baseline Check

  • Alibaba Cloud Standard - Uos Security Baseline Check

  • Alibaba Cloud Standard - Kylin Security Baseline Check

  • Alibaba Cloud Standard - Anolis 7/8 Security Baseline Check

  • Alibaba Cloud Standard - Alma Linux 8 Security Baseline Check

  • Alibaba Cloud Standard - Rocky Linux 8 Security Baseline Check

Alerts

Alert type

Description

Supported check item

Malicious script

Security Center checks whether the system services of your assets are attacked or modified by malicious scripts. The behavior of potential attacks that are based on malicious scripts is included in the detection results.

Malicious scripts are classified into file-based scripts and fileless scripts. After an attacker gains control over a server, the attacker uses scripts for additional attacks. For example, the attacker may insert mining programs and webshells, and add administrator accounts to the system of the server.

Supported programming languages for detection include Shell, Python, Perl, PowerShell, VBScript, and BAT.

WebShell

Security Center checks whether the script files on your assets are malicious and whether webshell communication and management activity exists. After webshells are planted on a server, the attacker can gain control over the server and use scripts for additional attacks.

Supported programming languages for detection include PHP, JSP, ASP, and ASPX.

Malware

Security Center checks whether the binary files on your assets are malicious and whether they can cause damage to or persistent control over the assets. After malicious binary files are planted on a server, the attacker can gain control over the server and then launch attacks such as mining, DDoS attacks, or encryption of asset files. Malicious binary files include mining programs, trojans, webshells, attacker tools, ransomware, and worms.

Supported check items:

  • Tainted basic software

  • Suspicious program

  • Spyware

  • Trojan

  • Infectious virus

  • Worm

  • Exploit

  • Self-mutating trojan

  • Attacker tool

  • DDoS trojan

  • Reverse shell

  • Malicious program

  • Rootkit

  • Trojan downloader

  • Scanner

  • Riskware

  • Proxy

  • Ransomware

  • Webshells

  • Mining program

FAQ

What are the differences between the agentless detection feature and the feature of virus detection and removal?

The following table describes the differences between the features.

Detection scope

  • Agentless detection: The agentless detection feature can detect vulnerabilities, baseline risks, alerts, and sensitive files. The feature cannot handle the detected risks.

  • Virus detection and removal: The feature of virus detection and removal can detect and remove viruses, and efficiently quarantine the source files that are related to the detected viruses.

Detection method

  • Agentless detection: The agentless detection feature scans data in the image that is created for a server and shared with the Security Center service account to check whether risks exist on the server. This does not affect the performance of the server.

  • Virus detection and removal: The feature of virus detection and removal scans data in the system of a server during the runtime of the server to check whether persistent viruses exist on the server.

Enabling method

  • Agentless detection: You must purchase the agentless detection feature by using the pay-as-you-go billing method.

  • Virus detection and removal: You must purchase Security Center Anti-Virus or higher, and install the Security Center agent on your server.
