Security Center generates security alerts when it detects asset intrusions, malware, or abnormal behavior. Responding to these alerts promptly and effectively is vital to service continuity and data security. This topic explains how to use the incident response process to quickly evaluate risks, remediate threats, and harden your systems.
Assess security alerts
Before you respond to a security incident, you must assess the alert to understand its potential impact, analyze the attack, and identify false positives to avoid disrupting normal system operations. The details page of each security alert provides the necessary information for this assessment.
View alert details
Log on to the Security Center console.
In the left-side navigation pane, choose . In the upper-left corner of the console, select your asset's region: Chinese Mainland or Outside Chinese Mainland.
Note: If you have enabled Agentic SOC, the navigation path in the left-side navigation pane changes to .
On the CWPP tab, find the alert and click Details in the Actions column.
Important: You can enable alert notifications on the page. You can then use information from the notifications, such as the alert name, to quickly locate the alert.
The Ultimate Edition lets you filter alerts by asset type. Above the alert list, click All, host, container, K8s, or cloud service to view alerts for the corresponding asset type.
Security Center uses a new large model detection engine to intelligently identify malicious files. To view alerts detected by AI, set the AI Detected filter to Yes. For more information, see View alerts for AI-detected malicious files.
Analyze alert details
You can use the alert description, attack tracing, and sandbox detection results to learn the alert's basis, frequency, and potential causes. This information helps you determine whether the alert is a false positive and decide on a response plan.
Alert description
The alert description highlights the detected abnormal activity, explains potential risks, describes the activity's characteristics and associated threats, and recommends response actions.
Assessment example:
As shown in the preceding figure:
Potential risk: A relevant configuration file was modified to create a logon backdoor.
Recommended response: Confirm with the appropriate business team if this process is normal. If not, terminate the process immediately. Then, investigate the system for other potential threats.
Attack tracing
Security Center offers an automated attack tracing feature. It integrates logs from multiple cloud services, uses big data analytics to generate a visualized attack path, and supports raw log previews. This feature helps you quickly identify the root cause of an intrusion and develop an incident response strategy.
This feature is available only for servers protected by the Enterprise or Ultimate edition of Security Center, or that have the Host Protection or Hosts and Container Protection feature enabled.
Security Center generates the attack path within 10 minutes after a threat is detected. We recommend that you wait at least 10 minutes after an alert is generated before you view the attack tracing information.
The automated attack tracing information for an alert is automatically deleted 3 months after the alert is generated. Review the attack tracing information promptly.
Use cases:
Attack tracing is ideal for incident response and tracing in scenarios such as web intrusions, worm events, ransomware, and active connections to malicious download sources in a cloud environment.
Assessment example:
In the attack tracing section of the details page, check whether the attack chain is complete and valid. The more complete the attack chain, the more urgently you need to handle the alert.
Click a node in the graph and check the details on the left to determine if the attack objective was achieved. For example:
Check endpoint activity: The attacker executed commands on the server, such as whoami or net user.
Check for data exfiltration: Look for abnormal outbound connections (to mining pools or C2 servers) or sensitive file read/upload activities.
Check for persistence artifacts: Look for newly created backdoor accounts, scheduled tasks, or malicious services.
Click a node in the tracing graph and, in the node details section on the left, see if the raw logs are verifiable (for example, WAF interception records, host process creation logs, or network connection logs).
Verifiable: Supporting underlying logs exist, such as WAF interception records or host process logs for malicious command execution. This proves the attack occurred. If the attack was intercepted, you can mark the alert as Handled and no further action is required. If it was not intercepted, you must respond immediately.
Not verifiable: No supporting logs are available. This could be due to log deletion or detection evasion. In this scenario, you must be highly vigilant as it may indicate an advanced attack.
Sandbox detection
Security Center provides a sandbox detection feature. It analyzes static and dynamic file behavior by running files in a secure, isolated environment. This helps you safely execute suspicious applications and detect malicious behavior. When an alert is generated, you can use the sandbox detection results to help you remediate the malicious program.
The sandbox detection feature is available only for some malware alerts. Its availability is indicated on the alert details page.
In the security alert list, find the target security alert and click Details in the Actions column.
In the Sandbox section, view the sandbox detection results.
Assessment example:
Behavior Tag: These tags label the file's characteristics and highlight its high-risk operations. Red tags indicate the most critical intrusive behaviors.
ATT&CK Matrix: Displays the process flow during the sandbox detection run and highlights high-risk operations performed by the file. Red highlighting indicates the most critical intrusive behaviors.
Security alert remediation
If you determine that an alert is for legitimate activity or requires no action, you can Ignore the alert or Add to Whitelist.
For persistent virus threats or recurring security alerts, handle the alert in the console and then perform security hardening. For more information, see Security Hardening and Attack Prevention.
Type | Alert |
malware | mining program |
malware | DDoS trojan |
malware | trojan program |
malware | malicious program |
malware | exploit program |
malware | suspicious PowerShell command |
malware | backdoor program |
malware | reverse shell backdoor |
malware | file-infecting virus |
unusual logon | logon from a malicious IP address |
unusual logon | successful brute-force cracking on ECS |
unusual logon | logon to ECS with an unusual account |
unusual logon | logon to ECS from an unusual location |
unusual logon | logon with a backdoor account |
website backdoor | backdoor (webshell) file detected |
website backdoor | log/image file containing webshell code |
website backdoor | backdoor file for web trojan or hotlinking detected |
website backdoor | arbitrary file write backdoor detected |
abnormal process behavior | Java application executes abnormal commands |
abnormal process behavior | suspicious process path |
abnormal process behavior | network proxy forwarding behavior |
abnormal process behavior | suspicious PowerShell command |
abnormal process behavior | persistent backdoor creation behavior |
abnormal process behavior | SSH backdoor |
abnormal process behavior | suspicious encoded command |
abnormal process behavior | suspicious command execution |
malicious script | malicious script execution |
precision defense | evasion of security software |
cloud product threat detection | RAM sub-account logon from an unusual location |
cloud product threat detection | hacking tool exploits AccessKey |
cloud product threat detection | abnormal role permission enumeration |
cloud product threat detection | RAM user performs sensitive operations after logging on to the console |
other | Security Center agent unexpectedly goes offline |
Manually handle alerts
If you use the Security Event Response feature to handle an event aggregated from Security Center alerts, Security Center automatically updates the status of the related alerts on the CWPP tab. You do not need to manually update the alert status.
Procedure
Log on to the Security Center console.
In the left-side navigation pane, choose . In the upper-left corner of the console, select the region of the asset: Chinese Mainland or Outside Chinese Mainland.
NoteIf you have enabled Agentic SOC, the navigation path in the left-side navigation pane changes to .
On the Alert page, on the CWPP tab, locate the target alert. In the Actions column, click Handle. Select a handling method and click Handle Now.
Note: Handling methods vary by alert type. The options shown in the console for an alert are the ones available for it.
You can add remarks to specify the handling reason and the operator. This practice improves the traceability of handled alerts.
Handling methods
Handling methods are categorized as follows:
Threat Removal: Removes and blocks known security threats, remediates infections, prevents new attacks, and blocks threat sources to protect your assets.
Alert Suppression: Handles false positives and known or acceptable risks. You can mark an alert as invalid or as not requiring action by whitelisting or ignoring it. You can also control whether to receive notifications for subsequent similar alerts.
Troubleshooting: Troubleshoot and diagnose issues with the Security Center agent.
Threat removal
Virus Detection and Removal
Use cases
Confirmed malicious activity: Use this method when Security Center detects a running malicious process, such as a virus, trojan, or ransomware, and you need to immediately stop it from harming the system.
Incident response: Use this method when you need to quickly contain the spread of a virus or a data leak to prevent the threat from spreading to other instances.
Before you begin
Virus Detection and Removal may cause service interruptions. To avoid business disruptions, inspect the source file before proceeding. Key inspection points include:
Verify file properties: Confirm that the file is a virus by checking its path, signature, and hash value. This helps prevent the accidental deletion of system or business files.
Assess business dependencies: Check whether the file is used by critical services, such as nginx or mysql components.
How it works
Immediately terminate the virus process and move the virus file to the quarantine area. Quarantined files cannot be executed, accessed, or spread.
Warning: Terminating a process can disrupt dependent services, especially if a virus is disguised as a legitimate process.
If the quarantined file is a business file infected with malicious code, such as a core application component, quarantining it may lead to service interruptions.
You can restore a successfully quarantined file within 30 days. After restoration, the file reappears in the security alert list, and Security Center continues to monitor it. For more information, see View and restore quarantined files.
Note: Files not restored within 30 days are permanently deleted.
Next steps
Regularly review the quarantine area to confirm the nature of quarantined files within 30 days. This helps prevent accidental deletion and permanent data loss. For more information, see View and restore quarantined files.
Deep Cleanup
The Deep Cleanup feature is a specialized tool from Security Center experts designed to handle persistent and stubborn viruses.
Use cases
Deep Cleanup is a specialized solution for stubborn and file-infecting viruses. These viruses typically exhibit the following characteristics:
Infects host files: The virus injects itself into system files, application files, or your personal documents, making them part of the virus.
Difficult to eradicate: A standard virus scan may only remove the parent virus but cannot repair the infected files, causing the issue to recur.
Note: If a virus does not fit this description, use the standard Virus Detection and Removal feature.
Before you begin
A Deep Cleanup carries risks of accidental file deletion, service interruption, and data integrity issues. To avoid impacting your business, we recommend that you inspect the source file before you proceed. Key inspection points include:
Verify file properties: Confirm that the file is a virus by checking its path, signature, and hash value. This helps prevent the accidental deletion of system or business files.
Assess business dependencies: Check whether the file is used by critical services, such as nginx or mysql components.
How it works
It cleans up persistent viruses by terminating malicious processes, quarantining malicious files, and removing persistence mechanisms used by viruses and trojans.
The feature can also create a snapshot to back up your data. If the deep cleanup accidentally removes useful data, you can use the snapshot to restore it.
Important: Creating and retaining snapshots incurs fees from the snapshot service. By default, the billing method is pay-as-you-go. You can consult pre-sales support for fee details.
Next steps
Regularly review the quarantine area to confirm the nature of quarantined files within 30 days. This helps prevent accidental deletion and permanent data loss. For more information, see View and restore quarantined files.
Quarantine
Use cases
Use this method when you have confirmed that a file is malicious, such as a backdoor program or a virus, and you need to immediately stop it from running.
How it works
The system moves the suspicious file to a quarantine area. Quarantined files cannot be executed, accessed, or spread.
Warning: If the quarantined file is a business file infected with malicious code, such as a core application component, quarantining it may lead to service interruptions.
You can restore a successfully quarantined file within 30 days. After restoration, the file reappears in the security alert list, and Security Center continues to monitor it. For more information, see View and restore quarantined files.
Note: Files not restored within 30 days are permanently deleted.
Next steps
Regularly review the quarantine area to confirm the nature of quarantined files within 30 days. This helps prevent accidental deletion and permanent data loss. For more information, see View and restore quarantined files.
End Process
Use cases
This method is primarily used to handle alerts related to abnormal process behavior, such as a MySQL process executing an unusual command or a web vulnerability exploit leading to abnormal command execution.
How it works
Security Center attempts to terminate the process. If this fails, terminate the process manually by running kill <process ID> on the server, and then select the Manually Handled option.
Note: You can find the process ID in the More Information section on the alert details page.
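The inspection points listed under Virus Detection and Removal (path, hash, business dependencies) and the process ID lookup above can both be done on the host before you quarantine a file or run kill. The following shell script is an added example and is not code from Security Center. It prints the file's SHA-256 and immutable flag (the chattr +i case described in the FAQ), the package that owns it, the PIDs executing it (the candidates for kill <process ID>), and the PIDs that have it mapped (the services that would break if it were quarantined). It assumes a Linux host with /proc; dpkg, rpm, and lsattr are used only when installed. The file it triages is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from Security Center: triage a flagged file before you
# quarantine it, and find the processes to stop before you run "kill <process ID>".
# Assumes a Linux host with /proc; dpkg, rpm and lsattr are used only if installed.

# SHA-256 of the file, to compare with the hash shown in the alert.
file_sha256() {
    sha256sum "$1" | awk '{ print $1 }'
}

# "immutable" when the chattr +i flag is set (the reason rm fails, see the FAQ),
# "mutable" otherwise, "unknown" if lsattr is missing or the filesystem has no attributes.
immutable_state() {
    command -v lsattr >/dev/null 2>&1 || { echo unknown; return; }
    flags=$(lsattr -d "$1" 2>/dev/null | awk '{ print $1 }')
    case "$flags" in
        "")  echo unknown ;;
        *i*) echo immutable ;;
        *)   echo mutable ;;
    esac
}

# Package that owns the file, if any. A packaged file is more likely an infected
# business component than a dropped payload, so quarantine it with more care.
package_owner() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1" 2>/dev/null | cut -d: -f1
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" 2>/dev/null
    fi
}

# PIDs whose executable is this file: the candidates for "kill <process ID>".
procs_executing() {
    target=$(readlink -f "$1" 2>/dev/null) || return 0
    for p in /proc/[0-9]*; do
        exe=$(readlink -f "$p/exe" 2>/dev/null) || continue
        [ "$exe" = "$target" ] && basename "$p"
    done
    return 0
}

# PIDs that have the file mapped (a library or module loaded by nginx, mysqld, ...):
# these services would break if the file were quarantined.
procs_mapping() {
    target=$(readlink -f "$1" 2>/dev/null) || return 0
    for p in /proc/[0-9]*; do
        grep -qsF " $target" "$p/maps" && basename "$p"
    done
    return 0
}

# One-screen triage report. Returns 1 when the file is already gone, the case the FAQ
# describes where the alert is closed with Ignore or Manually Handled.
triage() {
    f=$1
    [ -e "$f" ] || { echo "$f: not present (already removed or self-deleted)"; return 1; }
    owner=$(package_owner "$f")
    echo "path:      $(readlink -f "$f")"
    echo "sha256:    $(file_sha256 "$f")"
    echo "mtime:     $(stat -c '%y' "$f" 2>/dev/null)"
    echo "immutable: $(immutable_state "$f")"
    echo "package:   ${owner:-none}"
    echo "executing: $(procs_executing "$f" | tr '\n' ' ')"
    echo "mapped by: $(procs_mapping "$f" | tr '\n' ' ')"
}

# Constructed sample file so the script runs offline. On a real host pass the path
# from the alert, for example: triage /tmp/.X11-unix/kworkerds (hypothetical path).
WORK=$(mktemp -d)
printf 'hello\n' > "$WORK/sample.bin"
triage "$WORK/sample.bin"
rm -rf "$WORK"
```

An "immutable" result means a plain rm will fail and chattr -i is needed first; a non-empty "mapped by" list that contains nginx or mysqld worker PIDs is the business dependency the Before you begin sections warn about, and the reason to prefer restoring from a clean package over quarantining a shared library.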
Block
Use cases
This method is often used for IP-based attack scenarios, such as unusual logons and brute-force attacks.
How it works
This action generates a security group defense rule to block access from the malicious IP address.
You can click Details to view the basic information about the generated defense rule, such as Assets, Rule Direction, and Port Range.
Security Center automatically selects a blocking mechanism based on the agent's installation status. The supported mechanisms are:
Security Center: This mechanism uses the Security Center agent to block logon attempts. This agent is used by default if your Security Center edition is Advanced, Enterprise, or Ultimate, and you turn on the Malicious Network Behavior Prevention switch. For more information about how to enable the Malicious Network Behavior Prevention feature, see Proactive defense.
ECS Security Group: When this rule is enabled, a corresponding rule is automatically created in the security group. This rule is automatically deleted when the blocking rule expires or is disabled.
The Rule Validity Period is 6 hours by default and cannot be changed.
You can view the generated blocking rules by navigating to and clicking the Defense Against Brute-force Attacks tab. The rules are listed under System Rules.
Note: If you need to stop the blocking policy early, you can disable the rule on the System Rules page.
Alert suppression
Security Center primarily uses the Add to Whitelist and Ignore methods for alert suppression. For specific alerts, it also supports Do Not Intercept Rule, Defense Without Notification, and Manually Handled.
Add to Whitelist vs. Ignore
Difference | Add to Whitelist | Ignore |
Use case | Permanent exceptions. | Temporary or occasional false positives and known issues. |
Scope of impact | Affects the current alert and, if a whitelist rule is set, every subsequent alert that matches the rule. | Only affects the current alert. It has no impact on subsequent alerts. |
Add to Whitelist
After you add an alert to the whitelist, you will no longer be notified of identical alerts or alerts that match the whitelist rules. Use this option with caution.
Use cases
Use this method when the current alert is a false positive or when you need to add a permanent exception rule. For example, if a suspicious process making unusual outbound TCP connections is part of normal business activity, you can create a whitelist rule to prevent false positives.
Result
For the current alert
The alert status changes to "Handled", and the specific status is Manually Add to Whitelist.
If an identical alert reoccurs, Security Center does not generate a new alert. Instead, it updates the last occurrence time of the existing one.
For subsequent alerts
If you set a specific whitelist rule, any future alert that matches the rule will automatically be moved to the handled list with the status Automatically Add to Whitelist. You will not receive a notification.
Set a specific whitelist rule (Optional)
In the alert handling dialog box, click the Add to Whitelist tab. Click Create Rule to add a new rule, or click the delete icon next to a rule to remove it.
Important: Multiple rules are combined with an OR operator: an alert is whitelisted if it matches any single rule.
Ensure that your rules are precise to avoid an overly broad scope. For example, a rule like "Path contains: /data/" could unintentionally whitelist sensitive subdirectories, increasing security risks.
Each rule has four configuration fields from left to right:
Alert field: You can view the supported alert fields for the current alert in the More Information section on the details page.
Condition type: Supported operators include Matches regex, Greater than, Equals, Less than, and Contains. Details for some rules:
Matches regex: Use a regular expression to precisely match specific patterns. For example, to whitelist all content in the "/data/app/logs/" folder, you can set the rule "Path matches regex: ^/data/app/logs/.*". This rule matches all files and processes in that folder and its subdirectories.
Contains: If you set a rule "Path contains: D:\programs\test\", all events with paths that include this folder will be whitelisted.
Condition value: Supports constants and regular expressions.
Applicable assets:
All assets: The rule applies to all existing and newly added assets.
This Asset Only: The rule applies only to the asset involved in the current alert.
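To see why the warning about overly broad rules matters, the following script is an added example, not Security Center's own rule engine. It evaluates a set of OR-combined whitelist rules against file paths the way the console describes, and compares the rule "Path contains: /data/" with the anchored regex "^/data/app/logs/.*" against a constructed set of paths. It assumes that Matches regex behaves like an extended regular expression (grep -E) and that rules are read from a tab-separated file; both are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the Security Center rule engine: local evaluation of whitelist
# rules, one "operator<TAB>value" per line, OR-combined as in the console.
# Assumption: "regex" is evaluated as an extended regular expression (grep -E).

# Does one rule match the field value? $1 operator, $2 rule value, $3 actual value.
rule_matches() {
    op=$1; want=$2; actual=$3
    case "$op" in
        contains) case "$actual" in *"$want"*) return 0 ;; *) return 1 ;; esac ;;
        equals)   [ "$actual" = "$want" ] ;;
        regex)    printf '%s\n' "$actual" | grep -Eq -e "$want" ;;
        gt)       [ "$actual" -gt "$want" ] 2>/dev/null ;;
        lt)       [ "$actual" -lt "$want" ] 2>/dev/null ;;
        *)        return 1 ;;
    esac
}

# Is the value suppressed by any rule in the file? Rules are OR-combined, so the
# first matching rule wins; that is why one broad rule silences everything.
whitelisted() {
    rulefile=$1; value=$2
    while IFS="$(printf '\t')" read -r rop rwant; do
        [ -n "$rop" ] || continue
        rule_matches "$rop" "$rwant" "$value" && return 0
    done < "$rulefile"
    return 1
}

# Print, for each event path, whether the rule set would suppress the alert.
audit() {
    rulefile=$1; shift
    for path in "$@"; do
        if whitelisted "$rulefile" "$path"; then
            echo "suppressed  $path"
        else
            echo "alert       $path"
        fi
    done
}

# Constructed sample: a broad rule set and a precise one, evaluated against the same
# paths. The id_rsa read and the database dump are findings the broad rule would hide.
WORK=$(mktemp -d)
printf 'contains\t/data/\n' > "$WORK/broad"
printf 'regex\t^/data/app/logs/.*\n' > "$WORK/precise"
EVENTS="/data/app/logs/access.log /data/secret/id_rsa /home/app/data/dump.sql"

echo "== rule: Path contains /data/ =="
audit "$WORK/broad" $EVENTS
echo "== rule: Path matches regex ^/data/app/logs/.* =="
audit "$WORK/precise" $EVENTS
rm -rf "$WORK"
```

The broad rule suppresses all three paths, including a path that merely contains "/data/" in the middle, while the anchored regex suppresses only the log directory. Before saving a rule in the console, run the paths from the last few weeks of alerts through the candidate rule in this way and confirm that nothing you would want to see is on the suppressed side.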
Remove from whitelist
Cancel an automatic whitelist rule
Important: This action affects only future alerts. Alerts that match the rule will no longer be automatically whitelisted.
It does not affect alerts that have already been handled; their status remains unchanged.
Log on to the Security Center console. In the left-side navigation pane, choose .
Note: If you have subscribed to Agentic SOC, choose in the left-side navigation pane.
On the CWPP tab, click Cloud Workload Alert Management in the upper-right corner and select Alert Settings.
On the Alert Settings page, in the Alert Handling Rule section, select Automatically Add to Whitelist as the handling method.
Find the target rule and click Delete in the Actions column to cancel the automatic whitelist rule.
Remove an alert from the whitelist
Important: After you remove an alert from the whitelist, it reappears in the Unhandled alert list, requiring you to evaluate and handle it again.
Log on to the Security Center console. In the left-side navigation pane, choose .
Note: If you have subscribed to Agentic SOC, choose in the left-side navigation pane.
On the CWPP tab, set the Handled or Not filter to Handled.
Find the alert you want to remove from the whitelist and click Remove from Whitelist in the Actions column.
Note: You can also select multiple alerts and click Remove from Whitelist at the bottom of the list to perform a bulk removal.
Ignore
Ignoring an alert is a status management action and does not resolve the underlying security issue.
Use this option only after you have confirmed that the alert is a false positive or a known, accepted risk. This helps avoid overlooking real attacks.
We recommend that you periodically review the list of ignored alerts, for example, weekly or monthly.
Use cases
Confirmed false positive or low priority.
Temporary or known issue: The issue that triggered the alert exists but is a known and accepted risk, or it is a temporary, non-malicious state. Examples include authorized internal penetration testing or unusual behavior during a specific maintenance window. You do not plan to or cannot immediately fix the root cause but need to clear the current alert list.
Test or development environment: In non-production environments, expected and non-critical alerts appear frequently, interfering with normal monitoring. You need to temporarily suppress them.
Result
For the current alert: The alert status changes to "Handled", and the specific status is Ignored.
For subsequent alerts: No impact. Security Center will generate a new alert if a similar incident occurs.
Stop ignoring an alert
Log on to the Security Center console. In the left-side navigation pane, choose .
Note: If you have subscribed to Agentic SOC, choose in the left-side navigation pane.
On the CWPP tab, set the Handled or Not filter to Handled.
Find the alert you want to stop ignoring and click Cancel Ignore in the Actions column.
Note: You can also select multiple alerts and click Cancel Ignore at the bottom of the list to perform a bulk action.
Do Not Intercept Rule
Use cases
This option is currently available only for alerts generated by the Adaptive WebShell Communication Interception rule, which is a System Defense Rule within the Malicious Behavior Defense feature. You can find this feature under .
How it works
The system will stop blocking requests to the corresponding URI and will no longer generate alerts for it.
Defense Without Notification
You will no longer receive separate notifications for subsequent identical alerts. Use this option with caution.
Use cases
This applies to alerts generated by the Malicious Behavior Defense rules (alert type: precision defense), which are found under .
How it works
For the current alert: The alert status changes to "Handled".
For subsequent alerts: When the same defense rule is triggered again, the generated alert event is automatically moved to the handled list, and no notification is sent.
Cancel a Defense Without Notification rule
Log on to the Security Center console. In the left-side navigation pane, choose .
Note: If you have subscribed to Agentic SOC, choose in the left-side navigation pane.
On the CWPP tab, click Cloud Workload Alert Management in the upper-right corner and select Alert Settings.
On the Alert Settings page, in the Alert Handling Rule section, select Defense Without Notification as the handling method.
Find the target rule and click Delete in the Actions column to cancel the rule.
Manually Handled
If you resolved the alert manually, select Manually Handled. The alert's status will change to Manually Handled.
Troubleshooting
Use cases
This method is available only for alerts of the type Security Center Agent is Offline.
How it works
The Security Center agent diagnostic tool will run on the machine to collect agent-related data, such as network, process, and log information, and report it to Security Center for analysis.
This check consumes CPU and memory. Assess the potential impact before running it.
Select a problem mode:
Standard Mode: Collects and reports agent-related log data to Security Center for analysis.
Enhancement Mode: Collects and reports agent-related network, process, and log data to Security Center for analysis.
After you click Handle Now, a diagnostic task is generated. You can view the task progress and results by navigating to and clicking Agent Task Management in the upper-right corner. For more information, see Agent troubleshooting.
Note: If a solution is provided in the Result column, follow the recommended steps.
If no solution is provided in the Result column, click Download Diagnostic Logs in the Actions column. Provide the exported diagnostic log and your Alibaba Cloud account ID (AliUid) to the relevant personnel for further analysis.
Tutorials for handling common virus alerts
Security hardening and attack prevention
Upgrade Security Center: The Enterprise and Ultimate editions support automatic virus quarantine (automatic trojan scan) to provide precise defense and support more security check items.
Tighten access controls: Open only necessary service ports, such as 80 and 443. Configure strict IP address whitelists for management ports, such as 22 and 3389, and database ports, such as 3306.
Note: For Alibaba Cloud ECS servers, see Manage security groups.
Set complex server passwords: Set complex passwords for your servers and applications that contain uppercase letters, lowercase letters, digits, and special characters.
Upgrade software: Promptly update your application software to the latest official version. Avoid using old versions that are no longer maintained or have known security vulnerabilities.
Create regular backups: Create a regular automatic snapshot policy for important data and system disks.
Note: For Alibaba Cloud ECS servers, see Create an automatic snapshot policy.
Fix vulnerabilities in a timely manner: Regularly use the Vulnerability Fixing feature of Security Center to patch important system and application vulnerabilities.
Reset the server's operating system (use with caution).
If a virus has deeply infiltrated the system and is associated with underlying system components, we strongly recommend that you back up important data and then reset the server's operating system. The procedure is as follows:
Create a snapshot to back up important data on the server. For more information, see Create a snapshot for a disk.
Reinitialize the server's operating system. For more information, see Re-initialize a system disk.
Use the snapshot to create a cloud disk. For more information, see Create a disk from a snapshot.
Attach the cloud disk to the server after reinstalling the operating system. For more information, see Attach a data disk.
FAQ
Alert handling issues
What should I do if a handled alert recurs?
Recurrent infections can be caused by:
Weak password: Your SSH, RDP, or database password is too simple.
Unpatched vulnerabilities: High-risk vulnerabilities exist in applications such as Redis, XXL-JOB, or WebLogic.
Latent backdoors: The initial cleanup was incomplete and left a hidden backdoor.
Data contamination: You restored a backup or snapshot that contained a virus.
Solution:
Perform security hardening as described in Security hardening and attack prevention.
After removing the virus, back up your data and then restart the server.
Warning: Restarting a server causes a brief service disruption. During this time, websites and applications that depend on the server will be inaccessible, which may affect user experience or business continuity. We recommend that you perform this action during off-peak hours.
Some applications deployed on a server may not be configured to start automatically or may depend on specific environment variables. These applications often require a manual restart. For example, certain versions of message queues require a manual restart. Evaluate your restart plan in advance.
If the issue persists after a restart, back up your data and then reset the server's operating system.
Why can't I delete a virus file (such as a trojan or mining program)?
The file and its parent directory have the immutable attribute set. Run chattr -i on the file and its parent directory to remove the attribute, and then delete them.
I received a DDoS trojan alert. Why does the alert persist even after I manually deleted the file?
The file was not completely removed. To resolve this issue, perform the following steps:
If you are using the Free edition of Security Center, you can start a 7-day free trial of the Enterprise or Ultimate edition. Alternatively, see Purchase Security Center to upgrade to the Antivirus or Enterprise edition.
After the upgrade, go to the security alert handling page, find the DDoS trojan alert, click Handle, and select Antivirus. The system automatically terminates the trojan process and quarantines the file. For more information, see Antivirus.
How do I whitelist precise defense alerts?
Alerts generated by the precise defense feature rely on a defense plug-in and are automatically blocked. You must manually add these alerts to a whitelist in the Host Rule Management section.
Go to the Security Center console > Protection Settings > Host Protection > Host Rule Management. In the upper-left corner of the page, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
On the Malicious Behavior Defense tab, select the Custom Defense Rule sub-tab and click Create Rule. The following types are supported for whitelisting:
Process Hash
Command Line
Process Network
File Read/Write
Registry Operation
Dynamic-link Library Loading
File Rename
Console feature issues
What should I do if an alert reports a nonexistent file?
This can happen if the virus was removed by another method or if the virus cleaned up its own traces. To clear this alert, click Ignore or Manually Handled in the alert list.
I received a security alert, but I cannot find the related data in the console. What should I do?
Check your current Security Center edition. The Free edition has limited functionality. We recommend that you see Purchase Security Center to upgrade to the Antivirus or Enterprise edition.
Use the Antivirus feature to scan for and handle threats.
How do I handle multiple alerts in bulk?
Security Center currently supports bulk actions such as whitelisting, ignoring, removing from a whitelist, and undoing an ignore action.
In the left-side navigation pane, choose . In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland. In the security alert list, select the alerts you want to handle.
In the lower-left corner, click Ignore Once, Add to Whitelist, Remove from Whitelist, or Cancel Ignore.
Why is the Handle button for a security alert grayed out?
Check your current Security Center edition. The Free edition does not support handling security alerts. You can start a 7-day free trial or upgrade to the Antivirus or Enterprise edition. For more information, see Purchase Security Center.
Different editions support different types of security alerts. For more information, see security alert types.