Security Center:Analyze and handle security alerts

Last Updated:Sep 16, 2025

To secure your assets, you should promptly view and handle security alerts detected by Security Center. This topic describes how to analyze and handle these alerts.

Analyze security alerts

Before you handle a security event, you must assess the impact of the alert, analyze the attack, and identify false positives. This process helps prevent disruptions to your system. You can go to the alert details page to obtain information that helps you assess the situation.

Go to the alert details page

  1. Log on to the Security Center console. In the top navigation bar, select the region where your asset is deployed: China or Outside China.

  2. In the navigation pane on the left, choose Detection and Response > Security Alerts.

    Note

    If you have activated Cloud Threat Detection and Response (CTDR), the navigation path in the navigation pane on the left changes to CTDR > Alert.

  3. On the CWPP tab, find the target alert and click Actions in the Details column.

    Important
    • You can enable alert notifications in System Settings > Notification Settings. This lets you quickly find a target alert based on the information in the notification, such as the alert name.

    • The Ultimate Edition supports filtering alerts by asset type. Above the alert list, you can click All, Host, Container, K8s, or Cloud Product to view alerts for the corresponding asset type.

Understand alert details

You can use the alert source tracing, Alert Description, and Cloud Sandbox Check features to understand the basis for the alert, its occurrence count, and its possible causes. This information helps you determine whether the alert is a false positive and decide on an appropriate solution.

Alert description

The alert description explains the detected abnormality, potential risks, and associated threats. It also provides handling suggestions.

Example assessment:

(Figure: example alert description; image not reproduced here.) As shown in the figure:

Potential risk: The relevant configuration file was modified to create a logon back door.

Recommended action: Confirm with the relevant business department whether this process is part of normal business operations. If not, prioritize terminating the process and then investigate the system for other threats.

Alert source tracing

Security Center provides an automated attack source tracing feature. It integrates logs from multiple cloud products and uses data analytics to generate a visual intrusion event chain diagram. It also supports raw data previews. This feature helps you quickly identify the cause of an intrusion and develop an emergency response policy.

Note
  • This feature is available only for servers that are protected by the Enterprise or Ultimate Edition.

  • An automated attack source tracing chain is generated 10 minutes after a threat is detected. You can view this information 10 minutes after the alert is generated.

  • The automated attack source tracing information for a security alert is automatically purged three months after the alert is triggered. We recommend that you view this information promptly.

Scenarios:

Attack source tracing is suitable for emergency response and source tracing in cloud environments for scenarios such as web intrusions, worm events, ransomware, and active connections to malicious download sources.

Example assessment:

  • In the source tracing area of the details page, check whether the attack chain is complete and valid. The more complete the attack chain, the more urgently you need to handle the alert.

    How to determine whether an event chain is valid?

    • Invalid chain: The source tracing result shows only single-point scanning or probing behavior, such as an isolated port scan or an unsuccessful vulnerability exploit attempt. It does not trigger subsequent actions, such as establishing a connection, executing a command, or downloading a malicious file.

    • Valid chain: The source tracing graph shows a clear intrusion path, for example: Vulnerability exploit → Web shell write → Intranet probing → Malicious file download → Lateral movement.

  • Click a node in the source tracing graph. In the node details area on the left, check whether the attack target was reached. For example:

    • Check endpoint behavior: The attacker executed commands on the server, such as whoami and net user.

    • Check for data breaches: There are abnormal outbound connections, such as connections to a miner pool or C2 server, or sensitive files were read or uploaded.

    • Check for persistence traces: A back door account, scheduled task, or malicious service was created.

  • Click a node in the source tracing graph. In the node details area on the left, check whether the raw logs are verifiable, such as WAF block records, host process creation logs, or network connection logs.

    • Verifiable: Underlying logs exist to support the evidence, such as WAF block records or host process logs for executing malicious commands. This proves that the attack actually occurred. If the attack was blocked, you can mark the alert as "Handled" and do not need to take further action. If it was not blocked, handle it as soon as possible.

    • Not verifiable: No supporting logs exist. This could be because the logs were deleted or the detection was bypassed. Be highly vigilant in this scenario because it may be a sign of an advanced attack.
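
The three checks above (is the chain valid, did the attack reach its target, are the nodes backed by raw logs) can be written down as a small triage routine. The following is an added example, not code from the page or from Security Center; the stage names, the ChainNode shape and the sample chains are assumptions constructed for illustration, and the verdict strings are likewise invented labels for the four outcomes the text describes.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Stage vocabulary (assumed; the page names these stages in prose, not as identifiers).
# Single-point scanning or probing that, on its own, makes a chain "invalid":
PROBE_STAGES = {"port_scan", "vuln_exploit_attempt"}
# Stages that show the attacker got past probing and make a chain "valid":
POST_PROBE_STAGES = {
    "connection", "webshell_write", "command_execution", "intranet_probe",
    "malicious_download", "lateral_movement", "persistence",
}


@dataclass
class ChainNode:
    stage: str
    # References to raw logs backing this node (constructed strings such as
    # "waf:block#17" or "host:process#42"); an empty list means nothing verifiable.
    raw_logs: List[str] = field(default_factory=list)
    # True when a control (for example the WAF) blocked this step.
    blocked: bool = False


def chain_is_valid(chain: List[ChainNode]) -> bool:
    """A chain is valid when at least one step goes beyond scanning or probing."""
    for node in chain:
        if node.stage not in PROBE_STAGES | POST_PROBE_STAGES:
            raise ValueError(f"unknown stage: {node.stage}")
    return any(node.stage in POST_PROBE_STAGES for node in chain)


def chain_is_verifiable(chain: List[ChainNode]) -> bool:
    """Every node must be backed by at least one raw log record."""
    return bool(chain) and all(node.raw_logs for node in chain)


def attack_blocked(chain: List[ChainNode]) -> bool:
    """The attack counts as blocked only if every post-probe step was blocked."""
    post = [node for node in chain if node.stage in POST_PROBE_STAGES]
    return bool(post) and all(node.blocked for node in post)


def completeness(chain: List[ChainNode]) -> int:
    """Number of distinct post-probe stages reached: more stages, more urgency."""
    return len({node.stage for node in chain if node.stage in POST_PROBE_STAGES})


def triage(chain: List[ChainNode]) -> Dict[str, object]:
    valid = chain_is_valid(chain)
    verifiable = chain_is_verifiable(chain)
    blocked = attack_blocked(chain)
    if not valid:
        verdict = "low_urgency_probe_only"
    elif not verifiable:
        verdict = "escalate_unverifiable"   # logs missing: possible deletion or bypass
    elif blocked:
        verdict = "blocked_mark_handled"
    else:
        verdict = "handle_now"
    return {"valid": valid, "verifiable": verifiable, "blocked": blocked,
            "completeness": completeness(chain), "verdict": verdict}


# Constructed sample chains (not data from the page).
PROBE_ONLY = [
    ChainNode("port_scan", ["vpc_flow#1"]),
    ChainNode("vuln_exploit_attempt", ["waf:block#1"], blocked=True),
]
BLOCKED_CHAIN = [
    ChainNode("vuln_exploit_attempt", ["waf#2"]),
    ChainNode("webshell_write", ["waf:block#3"], blocked=True),
]
FULL_CHAIN = [
    ChainNode("vuln_exploit_attempt", ["waf#4"]),
    ChainNode("webshell_write", ["host:file#5"]),
    ChainNode("intranet_probe", ["host:net#6"]),
    ChainNode("malicious_download", ["host:process#7"]),
    ChainNode("lateral_movement", ["host:ssh#8"]),
]
UNVERIFIABLE_CHAIN = [
    ChainNode("vuln_exploit_attempt", ["waf#9"]),
    ChainNode("webshell_write", ["host:file#10"]),
    ChainNode("malicious_download", []),   # no supporting log for this node
]

if __name__ == "__main__":
    for name, chain in [("probe only", PROBE_ONLY), ("blocked", BLOCKED_CHAIN),
                        ("full", FULL_CHAIN), ("unverifiable", UNVERIFIABLE_CHAIN)]:
        print(name, triage(chain))
```

The order of the checks matters: an unverifiable node on a probe-only chain is not escalated, because the page's "be highly vigilant" guidance applies to chains that show a real intrusion path, while a valid chain with a missing log is escalated before any "blocked" conclusion is drawn.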

Sandbox detection

Security Center provides a sandbox detection feature. It runs suspicious files in a secure, isolated environment and analyzes their static and dynamic behavioral data to detect malicious behavior without exposing your production systems. If security alerts are generated, you can handle malicious programs based on the sandbox detection results.

Note

Not all malware alerts support the sandbox detection feature. The page indicates which alerts are supported.

  1. In the security alert list, find the alert that you want to manage and click Details in the Actions column.

  2. In the Sandbox section, view the sandbox detection results.

Example assessment:


  • Behavior Tag: This section tags the features of malicious files and highlights the high-risk operations they perform. Red indicates the intrusion behaviors that require the most attention.

  • ATT&CK Matrix: This section shows the runtime process flow of the sandbox detection and highlights the high-risk operations performed by the malicious file. Red indicates the intrusion behaviors that require the most attention.

Quick guide for handling alerts

Important
  • If you verify the alert information and determine that it is normal behavior or does not need to be handled, you can choose to ignore or add the alert to a whitelist.

  • If you encounter a persistent virus threat or the same alert repeatedly, handle it in the console and then perform security hardening by following the instructions in Security hardening and attack prevention.

The following list shows, for each alert type, the alert names and the recommended action:

Malware

  • Mining program, DDoS Trojan, Trojan program, Malicious program, Exploit program, Suspicious PowerShell command, Back door program, Reverse shell back door → Virus scan

  • Infectious virus → Deep scan

Abnormal Logon

  • Malicious IP logon, Successful brute-force attack on ECS, Logon from an uncommon account to ECS, Logon from an uncommon location to ECS, Back door account logon → Block

Web shell

  • Web shell file detected, Log/image file containing web shell code, Trojan or hotlinking back door file detected, Arbitrary file write back door detected → Quarantine

Abnormal process behavior

  • Abnormal command execution in Java application, Suspicious process path, Network proxy forwarding behavior, Suspicious PowerShell command, Persistence back door creation behavior, SSH back door, Suspicious encoded command, Suspicious command execution → End process

Malicious script

  • Malicious script code execution → End process

Precise Defense

  • Anti-security software → Deep scan

Cloud product threat detection

  • RAM user logon from an uncommon location → (1) Change the account password or restrict user access by IP address through RAM. (2) Change the alert status to Manually Handled.

  • Hacking tool using an AccessKey → (1) Delete or disable the AccessKey of the RAM user. (2) Change the alert status to Manually Handled.

  • Abnormal role permission traversal behavior; RAM user logs on to the console and performs sensitive operations → (1) Log on to the Resource Access Management (RAM) console as a RAM administrator and modify the RAM user permissions. (2) Change the alert status to Manually Handled.

Other

  • Security Center agent is abnormally offline → Troubleshooting

Methods for handling security alerts

Important

If you handle an event that is aggregated from Security Center alerts using the security event handling feature, Security Center automatically updates the status of the related alerts on the CWPP tab. You do not need to manually update the alert status.

Procedure

  1. Log on to the Security Center console. In the top navigation bar, select the region where your asset is deployed: China or Outside China.

  2. In the navigation pane on the left, choose Detection and Response > Alert.

    Note

    If you have activated CTDR, the navigation path in the navigation pane on the left changes to CTDR > Alert.

  3. On the Alert page, on the CWPP tab, find the target alert. In the Actions column, click Handle, select a handling method for the alert, and then click Handle Now.

    Note
    • The handling methods vary based on the alert type. The methods that are displayed on the console page prevail.

    • You can add remarks as needed. The remarks can include the reason for handling the alert and the name of the operator. This helps you manage handled alerts.

The handling methods are described as follows:

Virus Detection and Removal

Common scenarios

  • Confirm malicious activity: This method is used when Security Center detects a malicious process, such as a virus, trojan, or ransomware, and you need to immediately stop it from damaging the system.

  • Emergency response: This method is used when you need to quickly contain the spread of a virus or the risk of a data breach to prevent the threat from spreading to other servers.

Pre-check

A virus scan may cause service interruptions. To prevent disruptions to normal business operations, check the source file before you handle the alert. Common checks include the following:

  • Verify file properties: Confirm whether the file is a virus by checking its file path, signature, and hash value. This helps prevent you from accidentally terminating system or business files.

  • Assess business dependencies: Check whether the file is called by critical services, such as nginx or mysql related components.

Description

  • Immediately terminate the virus process and move the virus file to the quarantine area. Quarantined files cannot be executed, accessed, or spread.

    Warning
    • Ending a process may cause services that depend on it to become abnormal. For example, this can happen if the virus is disguised as a legitimate process.

    • If the quarantined file is a business file into which malicious code is injected, such as a core application component, quarantining the file may cause a service interruption.

  • A successfully quarantined file can be restored with one click within 30 days. The restored file reappears in the security alert list, and Security Center continues to monitor it. For more information about how to restore files, see View and restore quarantined files.

    Note

    Files that are not restored within 30 days are automatically purged and cannot be recovered.

Follow-up actions

Review the quarantine area on a regular basis. Confirm the nature of the files within 30 days to avoid being unable to recover them after they are accidentally deleted. For more information about how to view files in the quarantine area, see View and restore quarantined files.

Deep Cleanup

Deep Cleanup is a specialized scanning feature developed by the Security Center security expert team for persistent and stubborn viruses.

Common scenarios

A deep scan is a specialized solution for stubborn and infectious viruses. These viruses have the following characteristics:

  • Infecting host files: The virus injects itself into system files, application files, or your personal documents, which makes them part of the virus.

  • Difficult to eradicate: A normal virus scan may only delete the parent virus but fail to repair infected files, causing the problem to recur.

Note

If you are not dealing with this type of virus, use the regular Virus scan feature first.

Pre-check

A Deep Cleanup may pose risks such as accidental file deletion, service interruption, and data integrity issues. To prevent disruptions to normal business operations, check the source file before you handle the alert. Common checks include the following:

  • Verify file properties: Confirm whether the file is a virus by checking its file path, signature, and hash value. This helps prevent you from accidentally terminating system or business files.

  • Assess business dependencies: Check whether the file is called by critical services, such as nginx or mysql related components.

Description

  • It cleans up stubborn viruses by terminating malicious virus processes, quarantining malicious files, and clearing the persistence mechanisms of virus trojans.

  • It also provides a snapshot creation feature. You can create snapshots to back up data so that if useful data is accidentally cleared during a deep scan, you can restore it from the snapshot.

    Important

    Creating and retaining snapshots incurs fees. The fees are charged by the snapshot service. The default billing method is pay-as-you-go. For more information about the fees, contact pre-sales support.

Follow-up actions

Review the quarantine area on a regular basis. Confirm the nature of the files within 30 days to avoid being unable to recover them after they are accidentally deleted. For more information about how to view files in the quarantine area, see View and restore quarantined files.

Quarantine

Common scenarios

This method is used when you confirm that a file is a malicious file, such as a back door program or virus, and you need to immediately stop it from running.

Description

  • The system moves the suspicious file to the quarantine area. Quarantined files cannot be executed, accessed, or spread.

    Warning

    If the quarantined file is a business file into which malicious code is injected, such as a core application component, quarantining the file may cause a service interruption.

  • A successfully quarantined file can be restored with one click within 30 days. The restored file reappears in the security alert list, and Security Center continues to monitor it. For more information about how to restore files, see View and restore quarantined files.

    Note

    Files that are not restored within 30 days are automatically purged and cannot be recovered.

Follow-up actions

Review the quarantine area on a regular basis. Confirm the nature of the files within 30 days to avoid being unable to recover them after they are accidentally deleted. For more information about how to view files in the quarantine area, see View and restore quarantined files.

End Process

Common scenarios

This method is primarily used to handle alerts related to abnormal process behavior, such as MySQL executing abnormal commands or a web vulnerability exploit leading to abnormal command execution.

Description

Security Center attempts to end the process. If it fails, you can try to manually terminate the process with the kill [process ID] command, and then select the Manually Handled option.

Note

You can find the process ID on the alert details page under More Information.

Add to Whitelist

Warning

After you add an alert to the whitelist, you will no longer be notified of the same alert or alerts that match the whitelist rule. Use this option with caution.

Common scenarios

The current alert is a false positive, or you need to add a permanent exception rule. For example, if a suspicious process with abnormal outbound TCP packets is actually a normal business interaction, or if suspicious scanning behavior is actually normal network detection, you need to set a whitelist rule to avoid such false positives.

Result description

For the current alert:

  • This alert is marked as "Handled", and the alert status changes to Manually Add to Whitelist.

  • When the same alert occurs again, no new alert data is generated, but the latest occurrence time of this alert is updated.

    What is the same alert?

    The same alert refers to a security threat with highly consistent characteristics. For example:

    • Virus-type alerts: Same asset + same virus file path + same virus file MD5.

    • Abnormal logon: Same asset + same logon IP address.

For subsequent alerts:

If a specific whitelist rule is set, when an alert that matches the custom whitelist rule occurs again, the alert is automatically moved to the handled list with the status Automatically Add to Whitelist, and no alert notification is sent.

Set a specific whitelist rule (optional)

In the alert handling dialog box, click the Add to Whitelist tab. Click Create Rule to add a new rule. Click image to delete a rule.

Important
  • You can set multiple rules. The relationship between multiple rules is "AND", which means the rule takes effect only when all conditions are met.

  • Ensure precision when you configure rules to avoid an overly broad scope. For example, setting "Path contains: /data/" might mistakenly whitelist other sensitive subdirectories and increase security risks.

  • We recommend that you combine multiple conditions to set a rule, such as "Path contains: /app/" AND "Process name: test.exe", to achieve more refined whitelist management.

Each rule has four configuration boxes from left to right, as described below:

  1. Alert information field: On the details page, under More Information, you can see which alert information fields are supported for the current alert.

  2. Condition type: Supports operations such as regular expression matching, greater than, equal to, less than, and contains. Some rules are described as follows:

    • Regular expression: You can use regular expressions to accurately match specific patterns. For example, to whitelist all content in the "/data/app/logs/" folder, you can set the rule "Path matches regex: ^/data/app/logs/.*". This matches all files or processes in that folder and its subdirectories.

    • Contains keyword: Set a rule "Path contains: D:\programs\test\". All events whose path contains this folder are whitelisted.

  3. Condition value: Supports constants and regular expressions.

  4. Applicable assets:

    • All assets: Takes effect for new assets and all existing assets.

    • Only for the current asset: Takes effect only for the asset that is involved in the current alert.
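
The whitelist semantics described in this section (rule rows ANDed together, condition types such as contains and regex, scope limited to all assets or the current asset) and the "same alert" identity used to collapse repeats can be modelled in a few dozen lines. The following is an added example, not code from the page or from Security Center; the Alert, Condition and WhitelistRule types, the field names (path, md5, process_name, login_ip) and the sample alerts are constructed assumptions, and treating whitelist rules created from different alerts as independent (any one matching is enough) is an interpretation of the text, not something the page states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Alert:
    alert_type: str         # e.g. "virus", "abnormal_logon", "abnormal_process"
    asset: str              # asset identifier (constructed, e.g. "i-host1")
    fields: Dict[str, str]  # the alert's "More Information" fields
    occurred_at: int        # occurrence time (constructed, seconds)


def same_alert_key(alert: Alert) -> Tuple:
    """Identity of an alert, following the page's examples of 'the same alert'."""
    f = alert.fields
    if alert.alert_type == "virus":
        return ("virus", alert.asset, f.get("path"), f.get("md5"))
    if alert.alert_type == "abnormal_logon":
        return ("abnormal_logon", alert.asset, f.get("login_ip"))
    # Assumption for types the page does not spell out: asset plus every field.
    return (alert.alert_type, alert.asset, tuple(sorted(f.items())))


def merge_occurrences(alerts: List[Alert]) -> Dict[Tuple, int]:
    """Repeats of the same alert create no new record; only the latest time is kept."""
    latest: Dict[Tuple, int] = {}
    for a in alerts:
        k = same_alert_key(a)
        latest[k] = max(latest.get(k, a.occurred_at), a.occurred_at)
    return latest


@dataclass(frozen=True)
class Condition:
    """One rule row in the dialog: alert information field, condition type, value."""
    field: str
    op: str       # "contains", "regex", "eq", "gt", "lt"
    value: str


@dataclass(frozen=True)
class WhitelistRule:
    """All rows of one whitelist rule; the rows are ANDed, as the page states."""
    conditions: Tuple[Condition, ...]
    scope_asset: Optional[str] = None   # None = all assets; else only that asset


def condition_matches(cond: Condition, alert: Alert) -> bool:
    actual = alert.fields.get(cond.field)
    if actual is None:
        return False
    if cond.op == "contains":
        return cond.value in actual
    if cond.op == "regex":
        return re.search(cond.value, actual) is not None
    if cond.op == "eq":
        return actual == cond.value
    if cond.op in ("gt", "lt"):
        try:
            a, b = float(actual), float(cond.value)
        except ValueError:
            return False
        return a > b if cond.op == "gt" else a < b
    raise ValueError(f"unsupported condition type: {cond.op}")


def rule_matches(rule: WhitelistRule, alert: Alert) -> bool:
    if rule.scope_asset is not None and rule.scope_asset != alert.asset:
        return False
    return all(condition_matches(c, alert) for c in rule.conditions)


def apply_whitelist(alerts: List[Alert], rules: List[WhitelistRule]) -> List[bool]:
    """True where an alert would be auto-whitelisted by any rule (assumed: rules
    created from different alerts act independently of each other)."""
    return [any(rule_matches(r, a) for r in rules) for a in alerts]


# Constructed sample alerts and rules (not from the page).
SAMPLE_ALERTS = [
    Alert("virus", "i-host1", {"path": "/data/app/logs/rotate.sh", "md5": "md5-a", "process_name": "bash"}, 100),
    Alert("virus", "i-host1", {"path": "/data/app/logs/rotate.sh", "md5": "md5-a", "process_name": "bash"}, 200),
    Alert("virus", "i-host1", {"path": "/data/secret/dump.sh", "md5": "md5-b", "process_name": "bash"}, 150),
    Alert("abnormal_process", "i-host2", {"path": "/app/bin/test.exe", "process_name": "test.exe"}, 300),
]
# Over-broad: "Path contains: /data/" also silences the /data/secret alert.
BROAD_RULE = WhitelistRule((Condition("path", "contains", "/data/"),))
# Precise: only the logs folder and its subdirectories.
REGEX_RULE = WhitelistRule((Condition("path", "regex", r"^/data/app/logs/.*"),))
# Combined rows, applied only to the current asset.
COMBINED_RULE = WhitelistRule(
    (Condition("path", "contains", "/app/"), Condition("process_name", "eq", "test.exe")),
    scope_asset="i-host2",
)

if __name__ == "__main__":
    for name, rule in [("broad", BROAD_RULE), ("regex", REGEX_RULE), ("combined", COMBINED_RULE)]:
        print(name, apply_whitelist(SAMPLE_ALERTS, [rule]))
```

Running it shows the caveat from the Important box: BROAD_RULE whitelists the /data/secret alert as well, REGEX_RULE does not, and COMBINED_RULE matches only the alert where both the path and the process name agree on the scoped asset.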

Difference between Add to Whitelist and Ignore

  • Scenario

    • Add to Whitelist: Permanent exception issues.

    • Ignore: Suitable for temporary, occasional false positives or known issues.

  • Scope of impact

    • Add to Whitelist: Applies when a file with the same MD5 as the current alert appears in the same file path on the same host asset. If other whitelist rules are set, subsequent alerts that match the whitelist rules are also not notified.

    • Ignore: Only handles the current alert and has no effect on subsequent alerts.

How to remove an item from the whitelist?

Cancel an automatic whitelist rule

Important
  • This action affects only subsequently generated alerts. Alerts that match the whitelist rule are no longer automatically whitelisted.

  • This has no effect on already handled alerts. The alert status remains unchanged.

  1. Log on to the Security Center console. In the navigation pane on the left, choose Detection and Response > Alert.

    Note

    If you have purchased CTDR, in the navigation pane on the left, choose Cloud Threat Detection and Response > Alert.

  2. In the upper-right corner of the CWPP tab, click Cloud Workload Alert Management and select Alert Settings.

  3. On the Alert Settings page, in the Alert Handling Rule section, set Handling Method to Automatically Add to Whitelist.

  4. Find the target rule and click Delete in the Actions column to cancel the automatic whitelist rule.

Cancel whitelisting for an alert

Important

After you cancel the whitelisting, the alert reappears in the Unhandled alert list. You must re-evaluate and handle the alert.

  1. Log on to the Security Center console. In the navigation pane on the left, choose Detection and Response > Alert.

    Note

    If you have purchased CTDR, in the navigation pane on the left, choose Cloud Threat Detection and Response > Alert.

  2. On the CWPP tab, set the Handled or Not filter to Handled.

  3. Find the alert data that you want to remove from the whitelist and click the Remove from Whitelist button in the Actions column to cancel the whitelisting for the current alert.

    Note

    You can also select multiple alert data items and click the Remove from Whitelist button at the bottom of the list to perform a batch cancellation.


Ignore

Important
  • "Ignore" is only a status management operation. It does not resolve the underlying security problem that triggered the alert.

  • Use this option only after you fully confirm that the alert is a false positive or a known and accepted risk to avoid masking real attacks.

  • We recommend that you periodically review the list of "Ignored" alerts, for example, on a weekly or monthly basis.

Common scenarios

  • Confirmed as a false positive or low priority.

  • Temporary/Known issue: The issue to which the alert points exists but is a known and accepted risk, or it is a temporary, non-malicious state, such as an authorized internal penetration test or abnormal behavior during a specific maintenance window. You do not intend or are unable to fix the root cause immediately but need to clear the current alert list.

  • Test or debug environment: In a non-production environment, such as a development or testing environment, expected and non-security-affecting alerts frequently appear. These alerts interfere with normal monitoring and need to be temporarily silenced.

Result description

For the current alert: This alert is marked as "Handled", and the alert status changes to Ignored.

For subsequent alerts: This operation has no effect. Security Center will generate a new alert if the same type of event occurs again.

How to cancel ignoring an alert?

  1. Log on to the Security Center console. In the navigation pane on the left, choose Detection and Response > Alert.

    Note

    If you have purchased CTDR, in the navigation pane on the left, choose Cloud Threat Detection and Response > Alert.

  2. On the CWPP tab, set the Handled or Not filter to Handled.

  3. Find the alert data that you want to stop ignoring and click the Cancel Ignore button in the Actions column to cancel the ignore status for the current alert.

    Note

    You can also select multiple alert data items and click the Cancel Ignore button at the bottom of the list to perform a batch cancellation.

Block

Common scenarios

This method is primarily used for IP-based attack scenarios, such as abnormal logons and brute-force attacks.

Description

  • A security group defense rule is generated to block access from the malicious IP address.

    • You can click Show Details to view the basic information of the generated defense rule, such as Assets, Rule Direction, and Port Range.

    • Security Center automatically selects a blocking mechanism based on the client installation status. The supported blocking mechanisms are as follows:

      • Security Center: This interception mechanism uses the AliNet plug-in. If you use the Advanced, Enterprise, or Ultimate edition of Security Center and enable the Malicious Network Behavior Prevention feature, Security Center automatically uses the AliNet plug-in to block logons. For more information about how to enable the Malicious Network Behavior Prevention feature, see Proactive Defense.

      • ECS Security Group: When you enable a system rule, a security group rule is automatically created. If the system rule expires or is disabled, the security group rule is automatically deleted.

  • The Rule Validity Period is the effective time of the blocking rule. The default validity period is 6 hours and cannot be changed.

  • The generated blocking rule can be viewed in Protection Configuration > Host Protection > Host-specific Rule Management on the Defense Against Brute-force Attacks tab under System Rules.

    Note

    To terminate the blocking policy early, you can turn off the enable switch in the system rules.

Do Not Intercept Rule

Scenario

This method currently supports only handling alerts that are generated by the Adaptive WebShell Communication Block rule. You can find the rule in Protection Configuration > Host Protection > Host-specific Rule Management under Malicious Behavior Defense > System Defense Rule.

Description

The system does not block requests to the corresponding URI and no longer generates alerts.

Defense Without Notification

Warning

You will not be separately notified of subsequent identical alerts. Use this option with caution.

Scenario

This method is used for alerts that are generated by rules in Protection Configuration > Host Protection > Host-specific Rule Management under Malicious Behavior Defense. The alert type is Precise Defense.

Description

Current alert: This alert is marked as "Handled".

Subsequent alerts: When the same defense rule is hit again, the generated alert event is automatically moved to the handled list, and no alert notification is sent.

How to cancel the Defense Without Notification rule?

  1. Log on to the Security Center console. In the navigation pane on the left, choose Detection and Response > Alert.

    Note

    If you have purchased CTDR, in the navigation pane on the left, choose Cloud Threat Detection and Response > Alert.

  2. In the upper-right corner of the CWPP tab, click Cloud Workload Alert Management and select Alert Settings.

  3. On the Alert Settings page, in the Alert Handling Rule section, set Handling Method to Defense Without Notification.

  4. Find the target rule and click Delete in the Actions column to cancel the Defense Without Notification rule.

Troubleshooting

Scenario

This method only supports handling the Security Center agent is abnormally offline alert.

Description

The client diagnostic program of Security Center collects data related to the client on the local machine, such as network, process, and log data, and reports the data to Security Center for analysis.

Important

This check consumes a certain amount of CPU and memory resources. Use this feature only after careful evaluation.

  • Select a diagnostic mode:

    • Standard Mode

      This mode collects client-related log data and reports the data to Security Center for analysis.

    • Enhancement Mode

      This mode collects client-related data, such as network, process, and log data, and reports the data to Security Center for analysis.

  • After you click Handle Now, a diagnostic task is generated. You can view the diagnostic task result and progress in Assets > Host in the upper-right corner under Agent Task Management. For more information, see Client troubleshooting.

    Note
    • If a solution is provided in the Result column, follow the recommended solution.

    • If no solution is provided in the Result column, click Download Diagnostic Log in the Actions column. Provide the exported diagnostic log and your Alibaba Cloud account ID to technical support for further analysis.

Manually Handled

If you have manually handled the alert, select Manually Handled. The status of the current alert is updated to Manually Handled.

Tutorials on how to handle common virus alerts

Security hardening and attack prevention

  • Upgrade Security Center

    The Enterprise and Ultimate editions support automatic virus isolation to provide accurate defense. These editions support defense against common ransomware, DDoS Trojans, mining programs, trojans, malicious programs, backdoors, and worms. They also support more security check items.

  • Configure security groups for servers

    The following are common security group configurations. If you use Alibaba Cloud ECS instances, see Manage security groups.

    • Allow only specified IP addresses to log on to your server using Remote Desktop Protocol (RDP) on port 3389 or SSH on port 22. This prevents hackers from scanning for or launching brute-force attacks on the management ports of your server.

    • In the security group, allow access only to required service ports, such as 80 and 443. Do not allow access to other ports.

    • For database ports, such as 1433, 3306, and 6379, allow access only from specified IP addresses. We recommend that you do not expose these ports to the internet.

  • Set complex server passwords

    Create complex passwords that contain uppercase letters, lowercase letters, digits, and special characters. The passwords must be at least eight characters in length.

  • Upgrade software

    Regularly upgrade applications to the latest versions. Do not use outdated software.

  • Create disk snapshots

    Create snapshots for important servers periodically. If data is lost, deleted by mistake, or tampered with by hackers in an event such as a ransomware attack, you can use the snapshots to restore your data. If you use Alibaba Cloud ECS instances, see Create an automatic snapshot policy.

  • Fix vulnerabilities promptly

    Use the vulnerability fixing feature of Security Center to fix high-risk system and application vulnerabilities promptly. Note: Before you fix a vulnerability, create a snapshot backup.

  • Reset the server system (use with caution).

    If a virus deeply infects the system and is associated with underlying system components, we strongly recommend that you back up important data and then reset the server system. Follow these steps:

    1. Create a snapshot to back up important data on the server. For more information, see Create a snapshot.

    2. Initialize the operating system of the server. For more information, see Reinitialize a system disk.

    3. Create a disk from the snapshot. For more information, see Create a data disk from a snapshot.

    4. Attach the disk to the server on which the operating system was reinstalled. For more information, see Attach a data disk.
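
The security group recommendations in the list above (management ports 22 and 3389 only from specified addresses, only required service ports such as 80 and 443 open, database ports 1433, 3306 and 6379 never exposed to the internet) can be checked mechanically against a set of inbound rules. The following is an added example, not code from the page or from Alibaba Cloud; the IngressRule shape is a constructed simplification rather than the ECS API's rule format, the sample rules and address ranges are constructed, and auditing only TCP rules is an assumption made to keep the check short.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Port groups named on the page.
MANAGEMENT_PORTS = {22, 3389}          # SSH, RDP: only from specified addresses
DATABASE_PORTS = {1433, 3306, 6379}    # only from specified addresses, never internet-wide
PUBLIC_SERVICE_PORTS = {80, 443}       # the ports a web service actually needs


@dataclass
class IngressRule:
    """One inbound security group rule (constructed shape, not the ECS API's)."""
    source_cidr: str
    port_from: int
    port_to: int
    protocol: str = "tcp"


def _is_internet_wide(cidr: str) -> bool:
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _within(cidr: str, allowed: List[str]) -> bool:
    """True if every address in cidr lies inside one of the allowed ranges."""
    src = ipaddress.ip_network(cidr, strict=False)
    for a in allowed:
        net = ipaddress.ip_network(a, strict=False)
        if net.version == src.version and src.subnet_of(net):
            return True
    return False


def audit_security_group(rules: List[IngressRule], admin_cidrs: List[str],
                         db_client_cidrs: List[str]) -> List[Dict[str, str]]:
    """Return one finding per violation of the page's three recommendations."""
    findings = []
    for r in rules:
        if r.protocol.lower() not in ("tcp", "all"):
            continue  # assumption: only TCP rules are audited here
        span = set(range(r.port_from, r.port_to + 1))
        for port in sorted(span & MANAGEMENT_PORTS):
            if not _within(r.source_cidr, admin_cidrs):
                findings.append({"severity": "high", "port": str(port), "source": r.source_cidr,
                                 "reason": "management port reachable from a non-admin source"})
        for port in sorted(span & DATABASE_PORTS):
            if _is_internet_wide(r.source_cidr):
                findings.append({"severity": "high", "port": str(port), "source": r.source_cidr,
                                 "reason": "database port exposed to the internet"})
            elif not _within(r.source_cidr, db_client_cidrs):
                findings.append({"severity": "medium", "port": str(port), "source": r.source_cidr,
                                 "reason": "database port open to an unlisted source"})
        other = span - MANAGEMENT_PORTS - DATABASE_PORTS - PUBLIC_SERVICE_PORTS
        if other and _is_internet_wide(r.source_cidr):
            findings.append({"severity": "medium", "port": f"{min(other)}-{max(other)}",
                             "source": r.source_cidr,
                             "reason": "port not required by the service is open to the internet"})
    return findings


# Constructed sample rules and address ranges (not from the page).
SAMPLE_RULES = [
    IngressRule("0.0.0.0/0", 80, 80),
    IngressRule("0.0.0.0/0", 443, 443),
    IngressRule("203.0.113.0/24", 22, 22),      # SSH from the admin range only: fine
    IngressRule("0.0.0.0/0", 3389, 3389),       # RDP open to everyone
    IngressRule("0.0.0.0/0", 3306, 3306),       # MySQL open to everyone
    IngressRule("10.0.0.0/8", 6379, 6379),      # Redis from a wider range than listed
    IngressRule("0.0.0.0/0", 8000, 8999),       # ports the service does not need
]
ADMIN_CIDRS = ["203.0.113.0/24"]
DB_CLIENT_CIDRS = ["10.0.1.0/24"]

if __name__ == "__main__":
    for f in audit_security_group(SAMPLE_RULES, ADMIN_CIDRS, DB_CLIENT_CIDRS):
        print(f["severity"], f["port"], f["source"], f["reason"])
```

A rule like 0.0.0.0/0 on port range 1-65535 produces one high finding per management and database port plus a single medium finding for the rest of the range, which is the output a reviewer wants to see rather than one line per port.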

FAQ

What should I do if an alert recurs after being handled (repeatedly infected with the same virus)?

The issue may recur after processing for the following reasons:

  • Weak password: The SSH, RDP, or database password is too simple.

  • Unpatched vulnerabilities: Applications such as Redis, XXL-JOB, and WebLogic have high-risk vulnerabilities.

  • Latent back door: The initial cleanup was not thorough and left a hidden back door.

  • Data contamination: A backup or snapshot that contains the virus was restored.

Solutions:

  • Perform security hardening by following the instructions in Security hardening and attack prevention.

  • After you handle the virus, back up data and then restart the server and applications.

    Warning
    • Restarting the server causes a brief service interruption. During this time, websites, applications, and other services that run on the server are inaccessible. This may affect user experience or business process continuity. Perform this operation during off-peak hours.

    • Some applications that are deployed on the server do not have an automatic startup mechanism or depend on specific environment variables. They usually need to be manually restarted. Otherwise, the application service becomes unavailable. For example, this applies to specific versions of message queues. Evaluate the restart plan in advance.

  • If the issue persists after the restart, back up the data and then reset the server system.

    How do I reset the server system?

    1. Create a snapshot to back up important data on the server. For more information, see Create a snapshot.

    2. Initialize the operating system of the server. For more information, see Reinitialize a system disk.

    3. Create a disk from the snapshot. For more information, see Create a data disk from a snapshot.

    4. Attach the disk to the server on which the operating system was reinstalled. For more information, see Attach a data disk.

What should I do if an alert shows that a file does not exist?

This may occur because the virus was removed by another method or it cleared its own traces. You can click Ignore or Manually Handled in the alert list to clear this alert.

I received a security alert, but there is no related data in the console. Why?

  1. Check your current Security Center edition. The Free Edition has limited features. We recommend that you refer to Purchase Security Center and upgrade to the Pro or Enterprise Edition.

  2. Use its virus scan feature to scan and handle the alert.

Why can't I delete a virus file (trojan, mining)?

The file and its parent directory have been set with the immutable (i) attribute. You must use the chattr -i command to remove the attribute from the file and its parent directory before you can delete the file.
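
Before running chattr -i blindly, it helps to read the attributes with lsattr and confirm which of the file and its parent directory actually carry a deletion-blocking attribute. The following is an added example, not code from the page or from Security Center; the lsattr output is constructed, and treating the append-only (a) attribute as a second deletion blocker alongside the immutable (i) attribute goes beyond the page, which mentions only i.

```python
import shlex
from pathlib import PurePosixPath
from typing import Dict, List

# Attributes that make unlink fail with "Operation not permitted": i (immutable)
# on the file or its directory, and a (append-only) likewise. The page names only i;
# including a is this example's generalization.
DELETE_BLOCKING_FLAGS = {"i", "a"}


def parse_lsattr(output: str) -> Dict[str, str]:
    """Parse lsattr output ('<flags> <path>' per line) into {path: flags}."""
    attrs: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.rstrip()
        if not line or line.startswith("lsattr:"):   # skip error lines (e.g. unsupported fs)
            continue
        flags, sep, path = line.partition(" ")
        if sep:
            attrs[path] = flags
    return attrs


def blocking_flags(attrs: Dict[str, str], path: str) -> List[str]:
    """Deletion-blocking attributes set on path, sorted for stable command output."""
    return sorted(DELETE_BLOCKING_FLAGS & set(attrs.get(path, "")))


def removal_plan(lsattr_output: str, target: str) -> List[str]:
    """Commands to run, in order, before the file can go: clear blocking attributes
    on the parent directory and on the file (the page's advice), then remove it."""
    attrs = parse_lsattr(lsattr_output)
    parent = str(PurePosixPath(target).parent)
    cmds: List[str] = []
    for path in (parent, target):
        flags = blocking_flags(attrs, path)
        if flags:
            cmds.append(f"chattr -{''.join(flags)} {shlex.quote(path)}")
    cmds.append(f"rm -f {shlex.quote(target)}")
    return cmds


# Constructed output of: lsattr -d /var/tmp /var/tmp/.hidden /var/tmp/.hidden/suspicious.bin
SAMPLE_LSATTR = """\
--------------e------- /var/tmp
----ia--------e------- /var/tmp/.hidden
----i---------e------- /var/tmp/.hidden/suspicious.bin
"""

if __name__ == "__main__":
    for cmd in removal_plan(SAMPLE_LSATTR, "/var/tmp/.hidden/suspicious.bin"):
        print(cmd)
```

The plan clears both attributes on the directory and the immutable attribute on the file, and leaves /var/tmp alone because nothing on it blocks deletion; feeding it real lsattr -d output for the alert's file path and its parent gives the exact commands to run as root.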

My server has a DDoS trojan alert. I have manually deleted the file, but the alert persists. Why?

The file was not completely deleted. You can use the following solution:

  1. If you are using the Free Edition of Security Center, you can activate a 7-day free trial of the Enterprise or Ultimate Edition. You can also refer to Purchase Security Center and upgrade to the Pro or Enterprise Edition.

  2. After the activation, go to the security alert handling interface, find the DDoS Trojan alert, click the Handle button, and select Virus scan. The system automatically ends the trojan process and quarantines the file. For more information, see Virus scan.

How do I handle multiple alerts (batch handle alerts)?

Currently, Security Center supports batch handling of security alerts only for the following actions: whitelisting, ignoring, removing from whitelist, and canceling ignore.

  1. In the navigation pane on the left, choose Detection and Response > Security Alerts. In the security alert list, select the check box on the left of each alert that you want to handle.

  2. Click the Ignore Once, Add to Whitelist, Remove from Whitelist, or Cancel Ignore button.

Why is the security alert handle button grayed out?

Check your current Security Center edition. The Free Edition does not support handling security alerts. You can activate a 7-day free trial or upgrade to the Pro, Enterprise, or Ultimate Edition. For more information, see Purchase Security Center. The types of security alerts that are supported by each edition vary. For more information, see Security alert types.

References

  • You can enable features such as malicious host behavior defense and web shell connection defense to automatically block viruses on hosts. For more information, see Host protection settings.

  • You can enable the container K8s threat detection and container escape prevention switches to enable detection for Container Cluster Anomaly and Container Escape type alerts. For more information, see Container protection settings.

  • For more information about how to manage web directories in your assets and set alert whitelist rules, see Alert settings.