File tamper-proofing monitors file system activity in real time, intercepts unauthorized operations such as writes and deletes by non-authorized processes, and records all events for audit. This ensures the integrity of critical files on your servers.
Prerequisites
Before you begin, ensure that you have:
Operating system and kernel: Server OS and kernel version within the supported range of the Security Center agent (AliWebGuard). For details, see Supported operating systems and kernel versions.
Security Center agent: The Security Center agent installed on all servers to be protected. For instructions, see Install the Security Center agent.
How it works
File tamper-proofing monitors file system events — read, write, delete, rename, and permission changes — in real time. The agent analyzes these events and takes action based on the rules you configure.
Rule priority: When a file operation matches multiple rules, the system applies them in a fixed order: Allow > Block > Alert. Once a higher-priority rule matches, lower-priority rules are skipped.
Kernel compatibility:
Supported kernels: Full support for all modes (alert, block, allow), with precise identification of process, path, and operation.
Unsupported kernels: Functionality may be limited on older or custom kernels. For details, see Quotas and limits.
Rule activation: A rule takes effect when a file operation on a monitored server matches all conditions configured in that rule.
Procedure
Step 1: Activate the service and bind server quota
Choose the billing mode that matches your needs and follow the corresponding activation steps.
Subscription
Activate the service
Access the Security Center console - Mitigation Settings - Host Protection - Web Tamper Protection. In the upper-left corner of the page, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.
Click Buy Now. You are redirected to the Security Center purchase page. In the File Tamper-Proofing section, select Yes.
Set the quota: To use Block or Alert rules, specify the Quantity. You bind quota to servers after purchase.
Note: Unused quota expires at the end of each month and does not carry over. Purchase only the quota you need for your protected servers.
Click Buy Now and complete payment.
Pay-as-you-go
Activate the service
Access the Security Center console - Mitigation Settings - Host Protection - Web Tamper Protection. In the upper-left corner of the page, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.
Click Activate Pay-as-you-go. Review the Pay-As-You-Go User Agreement, and then click Activate Now.
Step 2: Configure protection rules
Protection rules define the scope and action for file tamper-proofing. Create alert, block, or allow rules and combine them for comprehensive coverage.
Procedure
On the File Tamper-Proofing page, click Create Rule.
In the Create Rule panel, configure the parameters and click OK.
Rule Name: An identifier for the rule.
Handling Method: The action to take when the rule matches.
Alert: Records the event and generates an alert without blocking the operation.
Block: Actively blocks unauthorized file modifications from non-authorized processes.
Allow: Permits the operation without recording events or generating alerts. Use to exclude legitimate processes from monitoring.
Alert Level: The severity level for alerts. Available only when Handling Method is Alert or Block.
Urgent: High-risk events requiring immediate attention.
Suspicious: Potential security risks that warrant investigation.
Notice: Low-risk events for administrator reference.
OS Type: The OS type to monitor. Options: Linux, Windows.
Status: Whether to enable the rule immediately. Enabled rules typically take effect within 5 minutes. A maximum of 100 rules can be enabled at the same time.
Protection Path: The file or directory path to monitor.
Single file: enter the full path, for example /etc/passwd.
All files in a directory: use the wildcard *. Example: /var/www/html/* protects all files in that directory, including subdirectories.
Enter each path on a separate line. Maximum 100 paths per rule; each path must be 1 to 128 characters.
File Type: The file types to protect (optional). Select from common web file types or enter custom types.
If no file type is specified, all types in the protection path are monitored.
Maximum 64 file types per rule, each up to 15 characters.
File types match only the last extension segment. For example, to match backup.tar.gz, specify gz; specifying tar.gz does not match. To match the .tar.gz suffix, add /protected/path/*.tar.gz as a protection path instead.
File Operation: The operations to monitor.
Read: Monitors file read operations.
Write: Monitors file content modifications.
Delete: Monitors file deletion.
Rename: Monitors file rename operations.
Change Permissions: Monitors file permission modifications. Not supported on Windows.
Process Path: The process path to monitor.
Single process: enter the full path, for example /usr/bin/bash.
All processes: use *.
All processes in a directory: use a wildcard, for example /etc/*.
Enter each path on a separate line. Maximum 100 paths per rule, each 1 to 128 characters.
Exclude Users: OS users to exclude from monitoring (optional). Not supported on Windows.
Operations by excluded users do not trigger alerts or blocks, even if they match a rule.
Enter each user on a separate line. Maximum 5 users per rule.
Rule Scope: The servers to which the rule applies.
All Assets: Applies to all servers that meet the edition requirements.
By Asset: Select specific servers from the list.
Configuration examples
Combine rules to cover different protection scenarios.
Website file protection
Protect web directory files from unauthorized modifications. Applies to web servers, content management systems, and similar services.
Example: Protect all web page files in /var/www/html/ using block mode.
Rule 1 (block rule): Action Type = Block, Protection Path = /var/www/html/*, File Types = html, php, jsp and similar, File Operations = Write and Delete, Process Path = * (all processes).
Rule 2 (allow rule): Action Type = Allow, Protection Path = /var/www/html/*, Process Path = the path of your deployment process (for example, /usr/bin/rsync), File Operations = Write and Delete.
Core configuration file monitoring
Monitor access to core system configuration files to prevent unauthorized tampering or data theft.
Example: Monitor all access to /etc/passwd.
Rule 1 (alert rule): Action Type = Alert, Alert Level = Urgent, Protection Path = /etc/passwd, File Operations = all operations, Process Path = *.
Rule 2 (allow rule): Action Type = Allow, Protection Path = /etc/passwd, Process Path = /usr/lib/systemd/systemd (legitimate process), File Operations = all operations.
For alert rules, set Process Path to * (all processes). Otherwise, access from processes outside the configured scope is not detected.
Do not use wildcard process paths (* or /dir/*) in allow rules. Allow rules are evaluated before block and alert rules, so a broad allow rule lets any process, including an attacker's, bypass them. Scope each allow rule to the specific binary that legitimately performs the operation, and remember that the exemption covers everything that runs as that binary.
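The rule semantics described above (every condition must match, Allow > Block > Alert priority, * paths covering subdirectories, last-extension file types, excluded users) modelled in Python as an added example. This is not Security Center's agent code: the rule sets are the two configuration examples above plus a constructed alert rule with an excluded user and an over-broad allow rule, the process paths, users and file names in the events are constructed, and fnmatch stands in for the agent's wildcard handling, which the page does not specify in detail.

```python
"""Added example, not Security Center code: a model of the rule semantics this page
describes (Allow > Block > Alert priority, '*' paths, last-extension file types,
excluded users), run over constructed file events and the rule sets above."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
import posixpath

ALLOW, BLOCK, ALERT = "allow", "block", "alert"
PRIORITY = (ALLOW, BLOCK, ALERT)       # evaluation order: the first match wins
ALL_OPS = {"read", "write", "delete", "rename", "chmod"}


@dataclass
class Rule:
    name: str
    action: str                        # allow | block | alert
    paths: list                        # protection paths; "/dir/*" covers subdirectories
    operations: set
    process_paths: list                # "*" = all processes, "/dir/*" = all in a directory
    file_types: set = field(default_factory=set)     # empty = every file type
    exclude_users: set = field(default_factory=set)  # Linux only


@dataclass
class FileEvent:
    path: str
    operation: str
    process: str
    user: str


def file_type(path):
    """Only the last extension segment counts: backup.tar.gz -> 'gz'."""
    return posixpath.splitext(path)[1].lstrip(".")


def matches(rule, ev):
    """A rule fires only when every configured condition matches."""
    if ev.user in rule.exclude_users:
        return False
    if ev.operation not in rule.operations:
        return False
    if rule.file_types and file_type(ev.path) not in rule.file_types:
        return False
    if not any(fnmatchcase(ev.path, p) for p in rule.paths):
        return False
    return any(fnmatchcase(ev.process, p) for p in rule.process_paths)


def evaluate(rules, ev):
    """Return (decision, rule name); decision is 'none' when no rule matches."""
    for action in PRIORITY:
        for rule in rules:
            if rule.action == action and matches(rule, ev):
                return action, rule.name
    return "none", None


# The page's two configuration examples, plus a constructed alert rule with an
# excluded user and an over-broad allow rule of the kind the page warns against.
WEB_RULES = [
    Rule("web-block", BLOCK, ["/var/www/html/*"], {"write", "delete"}, ["*"],
         file_types={"html", "php", "jsp"}),
    Rule("web-allow-deploy", ALLOW, ["/var/www/html/*"], {"write", "delete"},
         ["/usr/bin/rsync"]),
]
PASSWD_RULES = [
    Rule("passwd-alert", ALERT, ["/etc/passwd"], ALL_OPS, ["*"]),
    Rule("passwd-allow-systemd", ALLOW, ["/etc/passwd"], ALL_OPS,
         ["/usr/lib/systemd/systemd"]),
]
NGINX_RULES = [
    Rule("nginx-alert", ALERT, ["/etc/nginx/*"], {"write", "delete", "rename"}, ["*"],
         exclude_users={"deploy"}),
]
BROAD_ALLOW = Rule("allow-everything", ALLOW, ["/etc/passwd"], ALL_OPS, ["*"])


def run_scenarios():
    """Evaluate constructed events against each rule set; returns name -> decision."""
    cases = {
        "webshell_write":     (WEB_RULES, FileEvent("/var/www/html/shop/x.php", "write", "/usr/sbin/php-fpm", "www-data")),
        "rsync_deploy":       (WEB_RULES, FileEvent("/var/www/html/index.html", "write", "/usr/bin/rsync", "deploy")),
        "txt_out_of_scope":   (WEB_RULES, FileEvent("/var/www/html/notes.txt", "write", "/usr/bin/vim", "www-data")),
        "passwd_cat":         (PASSWD_RULES, FileEvent("/etc/passwd", "read", "/usr/bin/cat", "attacker")),
        "passwd_systemd":     (PASSWD_RULES, FileEvent("/etc/passwd", "read", "/usr/lib/systemd/systemd", "root")),
        "nginx_excluded":     (NGINX_RULES, FileEvent("/etc/nginx/nginx.conf", "write", "/usr/bin/vim", "deploy")),
        "nginx_root":         (NGINX_RULES, FileEvent("/etc/nginx/nginx.conf", "write", "/usr/bin/vim", "root")),
        "broad_allow_bypass": (PASSWD_RULES + [BROAD_ALLOW], FileEvent("/etc/passwd", "write", "/tmp/.x/evil", "attacker")),
    }
    return {name: evaluate(rules, ev)[0] for name, (rules, ev) in cases.items()}


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:20s} -> {decision}")
```

The last scenario is the one to watch: adding an allow rule with Process Path * silences the /etc/passwd alert rule completely, because allow rules are evaluated first. The txt_out_of_scope case shows the other side of the file type filter: a write to a file type not listed in the block rule is neither blocked nor recorded.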
Step 3: View and handle alerts
View and manage file tamper-proofing alerts through the Alerts feature in Security Center.
In the navigation pane on the left, select . In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
Note: If the Agentic SOC service is activated, the navigation entry changes to CWPP.
On the CWPP tab, click the number under File Tamper-Proofing Alerts to open the alert list.
In the alert list, click Details in the Actions column to view alert details. Security Center may not capture accurate command-line information in the following situations:
When a Python script accesses a file, the command line cannot be captured.
When a shell built-in command accesses a file, the captured command may differ from the original input. For example, for the command echo "new content" >> /etc/nginx/nginx.conf, the captured behavior may appear as ["-bash"].
The captured command line appears as a JSON array after shell parsing, which may differ from the original user input.
Take action based on the alert details.
Confirmed anomaly:
Handle the file: If safe for your business, manually terminate the related processes and isolate the affected file. If a block rule is already in place, the system handles it automatically and the event status shows Blocked.
Create a rule (optional): Add a Block rule to actively prevent unauthorized file modifications.
Dismiss the alert: Return to the alert list. Click Handle in the Actions column and select Handle.
Normal operation:
Create a rule (optional): Add an Allow rule to exclude the legitimate process and prevent recurring alerts.
Dismiss the alert: Click Handle in the Actions column and select Ignore.
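The command-line capture limits noted in the alert-details step above determine how much an analyst can trust the argv shown in an alert. The following is an added example, not Security Center code, that classifies the captured JSON array so the next investigative step is clear; the sample alerts, their field names and the shell and interpreter name lists are constructed for the example.

```python
"""Added example, not Security Center code: triage the command line captured in a
file tamper-proofing alert. The alerts are constructed to mirror the capture
limits this page describes (login-shell built-ins, Python scripts, shell -c)."""
import json
import posixpath

SHELLS = {"bash", "sh", "zsh", "dash", "ksh"}
INTERPRETERS = {"python", "python2", "python3", "perl", "ruby", "node"}

# Constructed sample alerts; 'cmdline' is the JSON array shown in alert details.
SAMPLE_ALERTS = [
    {"file": "/etc/nginx/nginx.conf", "operation": "write",
     "process": "/usr/bin/bash", "cmdline": '["-bash"]'},
    {"file": "/var/www/html/x.php", "operation": "write",
     "process": "/usr/bin/python3", "cmdline": '["python3"]'},
    {"file": "/etc/passwd", "operation": "write",
     "process": "/usr/bin/bash", "cmdline": '["bash", "-c", "echo x >> /etc/passwd"]'},
    {"file": "/var/www/html/index.html", "operation": "delete",
     "process": "/usr/bin/rm", "cmdline": '["rm", "-f", "/var/www/html/index.html"]'},
]


def triage(alert):
    """Return (quality, command) for one alert.

    quality is one of:
      'full'          argv names the command and the file; act on it directly
      'shell_c'       a shell ran a -c string; the real command is that string
      'shell_builtin' only the shell was captured (built-in or redirection)
      'interpreter'   only the interpreter was captured; the script is unknown
      'empty'         nothing usable was captured
    """
    argv = json.loads(alert["cmdline"])
    if not argv:
        return "empty", ""
    exe = posixpath.basename(argv[0]).lstrip("-")   # "-bash" marks a login shell
    if exe in SHELLS:
        if "-c" in argv[1:-1]:
            return "shell_c", argv[argv.index("-c") + 1]
        return "shell_builtin", " ".join(argv)
    if exe in INTERPRETERS and len(argv) == 1:
        return "interpreter", " ".join(argv)
    return "full", " ".join(argv)


def next_step(quality):
    """What to correlate when the capture is incomplete."""
    return {
        "full": "the captured argv identifies the action; review and handle it",
        "shell_c": "review the -c string; it is the command the shell executed",
        "shell_builtin": "command text not captured; check the user's shell history "
                         "and host audit records around the alert time",
        "interpreter": "script path not captured; check the process's open files "
                       "and the script location on disk",
        "empty": "no command line; pivot on process path, user and file",
    }[quality]


def triage_all(alerts=SAMPLE_ALERTS):
    """Triage every alert; returns (file, quality, command, next step) tuples."""
    out = []
    for a in alerts:
        quality, command = triage(a)
        out.append((a["file"], quality, command, next_step(quality)))
    return out


if __name__ == "__main__":
    for row in triage_all():
        print(row)
```

The first sample is the page's own echo-redirection case: the agent records the write correctly, but argv only says -bash, so the content of the change has to come from the file itself and from other host records, not from the alert.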
Manage rules and quota
View and manage protection rules
On the File Tamper-Proofing page, view the following overview information:
Protected Directories: Total number of configured protection paths across all rules.
Protected Servers: Total number of servers with active protection rules.
Used Quota/Quota: Current usage and purchased quota. Click Quota Management for details.
Edit: Click Edit in the Actions column to modify a rule. Changes take effect within 1 minute and do not affect existing alerts or recorded events.
Delete: Click Delete in the Actions column to remove a rule. Deleted rules become invalid immediately. Evaluate the impact before deleting.
Enable/Disable: Use the toggle in the Status column to activate or deactivate a rule.
Batch operations: Select multiple rules to enable, disable, or delete in bulk. Cross-page select-all is supported.
Upgrade interception quota
In subscription mode, if your quota is zero or insufficient, increase your quota:
On the File Tamper-Proofing page, click By Asset in the upper-right corner.
In the File Tamper-Proofing section, increase the quantity based on the number of servers you need to protect.
Click Buy Now and complete payment.
Cancel quota
In the Used Quota/Quota section, click Quota Management.
In the Quota for File Tamper Proofing dialog, clear the check boxes for the servers to remove in the Select Asset area, then click OK.
Unsubscribe
Subscription mode: On the Overview page, in the Subscription section, click . On the downgrade page, in the File Tamper-Proofing section, select No. For details, see Downgrade.
Note: The actual refund amount is shown on the downgrade page. For information on refund processing, see Refund directions.
Pay-as-you-go mode:
On the Overview page, in the Pay-as-you-go section, turn off the File Tamper-Proofing switch.
On the File Tamper-Proofing page, click Suspended in the Used Quota/Quota section.
Quotas and limits
Quota limit: One quota protects one server.
Rule configuration limits:
Maximum 100 rules enabled at the same time.
Up to 100 protection paths and 100 process paths per rule.
Each protection path must be 1 to 128 characters.
The full path of a protected file or directory cannot exceed 1,000 characters or 500 Chinese characters.
If a protection path is on a directory that the server exports over NFS, modifications made through an NFS client do not pass through the local agent and cannot be blocked.
Other limits:
Excluded users: maximum 5 per rule.
File types: maximum 64 per rule, each up to 15 characters.
System limitations:
Windows does not support monitoring file Change Permissions operations.
Windows does not support Exclude Users rules.
Billing and quota consumption
Billing mode and quota consumption depend on the rule type in use.
Billing modes:
Subscription: Pre-purchase interception quota for a fixed period. Unused quota expires at the end of each month and does not carry over.
Pay-as-you-go: Billed by actual protection duration (in seconds) multiplied by the number of protected servers. The following servers are counted automatically:
Servers with block rules.
Servers with alert rules whose protection edition is below Enterprise Edition or whose protection level is below Host Protection.
Quota consumption:
Block rules: Consumes quota.
Alert rules: Consumes quota if the server protection edition is below Enterprise Edition or the protection level is below Host Protection.
Allow rules: No quota consumption. Free to use.
For more information, see Billing details.
FAQ
What is the relationship between the new File tamper-proofing and the legacy Web tamper-proofing and Core file monitoring?
The new file tamper-proofing feature consolidates the legacy Web tamper-proofing and Core file monitoring modules. It provides a unified rule management interface that supports file interception protection and file access monitoring, simplifying configuration and management.
Note: On the File Tamper-Proofing page, click Old Version in the upper-right corner to switch to the legacy console. The legacy features will be phased out in a future release. For details, see [Upgrade] Security Center [Web Tamper-Proofing] and [Core File Monitoring] Merge and Upgrade.
Action type
  Legacy - Web tamper-proofing: Whitelist/blacklist mode with protection scope set by directory and file type.
  Legacy - Core file monitoring: Rule-based alert/allow mode.
  New - File tamper-proofing: Unified rule management with three action types: alert, block, and allow.
Capabilities
  Legacy - Web tamper-proofing: Identifies abnormal file changes and blocks or alerts on the responsible process.
  Legacy - Core file monitoring: Monitors abnormal file access (read, write, delete) and generates alerts.
  New - File tamper-proofing: Monitors, blocks, or alerts on file read, write, delete, rename, and permission change operations. Supports excluded users (user whitelist) so that file operations by whitelisted users do not trigger alerts or blocks.
Quota consumption
  Legacy - Web tamper-proofing: Requires tamper-proofing quota purchase.
  Legacy - Core file monitoring: Free for Enterprise Edition or Ultimate Edition users. No quota consumption.
  New - File tamper-proofing: Block rules consume quota. Alert rules consume quota if the server protection edition is below Enterprise Edition or the protection level is below Host Protection. Allow rules consume no quota and are free to use.
When both alert and block rules are configured, which takes priority?
When a file operation matches multiple rules, Security Center evaluates them in this order: Allow > Block > Alert. The allow rule is evaluated first. If it does not match, the block rule is evaluated. If the block rule does not match, the alert rule is evaluated.
What is the difference between alert rules and block rules?
Function
  Alert rule: Records events and generates alert notifications without blocking file operations.
  Block rule: Actively blocks unauthorized file operations from non-authorized processes.
Quota consumption
  Alert rule: Consumes quota if the server protection edition is below Enterprise Edition or the protection level is below Host Protection.
  Block rule: Consumes tamper-proofing quota.
Use case
  Alert rule: Monitoring scenarios.
  Block rule: Active defense scenarios.
How long does it take for a rule to take effect after creation?
When a rule is first enabled on a server, it takes up to 5 minutes to take effect.
Modified rules take effect within 1 minute. Modifications do not affect existing alerts or recorded events.