OSS malicious file detection

更新时间:
复制 MD 格式

Use the malicious file detection feature in OSS to scan for threats like webshells, ransomware, and trojans in your buckets. If a malicious file is detected, take immediate action based on the provided recommendations.

Supported threat types

Supported virus types

For the full list of detectable virus types, see Supported virus types in the appendix.

Prerequisites

A RAM user must have the oss:ActivateProduct permission. For more information, see RAM Policy common examples.

Billing

  • This feature is charged based on the number of files scanned. The rate is CNY 10 per 10,000 files.

  • Malicious file detection uses the following API operations: ListBuckets (GetService), GetBucketStat, ListObjectsV2 (GetBucketV2), GetObjectMeta, and GetObject. OSS charges standard request fees for these API calls. For more information, see Request fees.

  • This feature supports only the pay-as-you-go billing method and is billed hourly. Bills are typically generated after the current billing cycle ends. The actual billing time depends on the system.

Limitations

  • Supported regions

    Malicious file detection is available in the following regions: China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Singapore, Indonesia (Jakarta), Thailand (Bangkok), Philippines (Manila), Malaysia (Kuala Lumpur), South Korea (Seoul), Japan (Tokyo), US (Silicon Valley), UK (London), US (Virginia), and Germany (Frankfurt).

  • Detection task completion time

    By default, there is no limit on the number of files that can be scanned in a bucket. Detection tasks are processed asynchronously in a queue. When the queue is not busy, a task scanning hundreds of thousands of files can be completed within 1 hour, and a task scanning millions of files can be completed within 24 hours.

  • Bucket storage class

    Malicious file detection supports only buckets of the Standard and Infrequent Access (IA) storage classes. Buckets of the Archive, Cold Archive, and Deep Cold Archive storage classes do not support this feature.

  • Object storage class

    Malicious file detection scans only objects in the Standard and Infrequent Access (IA) storage classes. Objects of the Archive, Cold Archive, and Deep Cold Archive storage classes are not scanned.

  • Single file size limit

    The maximum size of a single file that can be scanned is 500 MB.

  • Compressed file limits

    Supported compressed file types include .7z, .zip, .tar, .gz, .rar, .ar, .bz2, .xz, and .lzma.

    The maximum decompression depth is 5 layers. A maximum of 1,000 files can be extracted from a single archive, and the total size of the extracted files cannot exceed 1 GB. Files that exceed these limits are not scanned.

OSS console

  1. The first time you scan a bucket for malicious files, you must authorize the AliyunServiceRoleForOssMfd role.

    1. Log on to the OSS console.

    2. In the left-side navigation pane, click Buckets. On the Buckets page, find and click the desired bucket.

    3. In the left-side navigation pane, choose Content Detection > Malicious Object Detection.

    4. On the Malicious Object Detection page, click Enable Now. Follow the on-screen instructions to claim your free trial quota. Usage that exceeds the free trial quota is billed on a pay-as-you-go basis.

    5. On the Malicious Object Detection page, click OK.

      After you grant the permissions, the system automatically creates an access policy named AliyunServiceRolePolicyForOssMfd for the role. This access policy grants permissions to read bucket and object lists, access KMS, and decrypt objects.

  2. Configure a malicious file detection rule.

    Immediate detection

    Full detection

    A full detection provides a comprehensive scan of an OSS bucket to identify security risks and ensure compliance.

    1. In the upper-right corner of the Malicious Object Detection page, click Detect.

    2. In the Detect dialog box, configure File Detection Type and Scan Path.

      • File Detection Type

        You can choose to scan all file types or only specific file types.

      • Scan Path

        To scan all files in the bucket, select Configure For The Entire Bucket. To scan only files that match a specific prefix, select Object Prefix and specify a prefix.

    3. Click OK.

    Incremental detection

    After you run a full detection on a bucket or a path within a bucket, you can run an incremental detection to scan only new or modified files. This saves computing resources and time.

    1. In the upper-right corner of the Malicious Object Detection page, click Incremental Detection.

    2. In the Detect dialog box, configure File Detection Type and Scan Path.

      • File Detection Type

        You can choose to scan all file types or only specific file types.

      • Scan Path

        To scan all files in the bucket, select Configure For The Entire Bucket. To scan only files that match a specific prefix, select Object Prefix and specify a prefix.

    3. Click OK.

    Scheduled detection

    1. In the basic information area of the bucket, click the Dingtalk_20231129131037.jpg icon next to Policy Configuration Status.

    2. In the Create Policy dialog box, configure the following parameters.

      Parameter

      Description

      Policy Name

      Enter a name for the policy.

      Policy Status

      Enable the policy.

      Scan Path

      • Match By Prefix

      • Select this option to scan only files that match a specific prefix. Then, specify a prefix, such as dir.

      • Configure For The Entire Bucket

      • Select this option to scan all files in the bucket.

      Detection Cycle

      Specify a detection cycle. You can select multiple days. For example, run the detection task every Monday and Tuesday.

      File Detection Time

      Specify the start and end time for the detection, accurate to the second.

      File Detection Type

      Select whether to scan all file types or specify file types. If you select specific file types, you must select the types from the drop-down list, such as files with the .7z extension.

    3. Click OK.

  3. View detection results.

    • If no malicious files are found, the details area is empty.

    • If malicious files are found, the details area displays the file name, threat label, file MD5 hash, risk level, first discovery time, and latest scan time for each file.

      test.jpg

  4. Handle malicious files.

    You can click View Details in the Actions column for a malicious file to view its event details. Handle the file promptly based on the recommendations provided in the event details.