Host protection FAQ

更新时间:
复制 MD 格式

This topic lists the frequently asked questions about Security Center host protection features.

FAQ

Anti-ransomware

  • What is the anti-ransomware feature? Why is it charged separately?

    Anti-ransomware protects your servers and databases from ransomware attacks. It supports one-click recovery of encrypted files and one-click backup activation for critical directories. Anti-ransomware uses independent storage resources, which is why it is billed separately from your Security Center edition. For more information, see Anti-ransomware service overview and Enable and purchase the anti-ransomware service.

  • What is the relationship between the Security Center anti-ransomware feature and Alibaba Cloud Cloud Backup?

    Security Center anti-ransomware uses the storage capabilities of Alibaba Cloud Cloud Backup (Cloud Backup). If you have not activated Cloud Backup, it is automatically enabled after you purchase anti-ransomware capacity and complete cloud product authorization. Enabling Cloud Backup does not incur additional charges.

  • Do backups start automatically after purchasing anti-ransomware capacity?

    No. You must first create and enable a protection policy before backups begin. For instructions, see Create and manage anti-ransomware policies and agents.

  • How do I view my purchased anti-ransomware capacity and its usage?

    After activating the anti-ransomware service:

    1. Log on to the Security Center console.

    2. In the navigation pane on the left, select Protection Configuration > Host Protection > Anti-ransomware. In the upper-left corner of the console, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.

    3. On the Anti-ransomware page, view the capacity usage breakdown.

  • How do I clear a large anti-ransomware backup cache that occupies disk space?

    Anti-ransomware uses disk space on your server as a cache to speed up backups. If the cache in C:\Program Files (x86)\Alibaba\Aegis\hbr\cache (Windows) or /usr/local/aegis/hbr/cache (Linux) grows too large, you can clear the cache files. For instructions, see Clear disk space.

  • Can I change the backup cache location if it uses too much C drive space?

    Yes. Modify the configuration file of the anti-ransomware backup client to change the cache location. For instructions, see Modify the backup cache location, status, and system memory usage limit.

  • What should I do if the anti-ransomware client consumes excessive CPU or memory resources?

    Older versions of the anti-ransomware client may cause high CPU or memory usage during backups. This is resolved in version 2.19.6 and later. If your client version is earlier than 2.19.6, update it:

    1. Log on to the Security Center console. In the navigation pane on the left, select Protection Configuration > Host Protection > Anti-ransomware. In the upper-left corner of the console, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.

    2. On the Anti-ransomware for Servers tab, locate the target server. In the Actions column, click Uninstall, and then click OK in the confirmation dialog box.

      The client status changes to Uninstalling Agent. Uninstallation takes about 5 minutes.

    3. After uninstallation completes, click Install in the Actions column, and then click OK in the confirmation dialog box.

      The client status changes to Installing. Installation takes about 5 minutes.

    If the issue persists after updating, see Troubleshoot high disk or memory usage from anti-ransomware backups for troubleshooting.

  • What are the differences between the anti-ransomware solution and snapshot backups?

    The following table compares snapshot backups with the anti-ransomware solution:

    Feature

    Data backup

    Virus defense capabilities

    Cost

    Snapshot

    Backs up the entire system disk at once. Restoring data requires a system reboot.

    No virus defense capabilities.

    Higher cost. Snapshots must back up the entire disk and do not support selecting specific files for backup. Snapshots are charged at CNY 0.12/GB/month. For more information, see Snapshot billing.

    Anti-ransomware solution

    Supports flexible, file-level, multi-version backups. You can restore any backed-up version. Restoring data does not require a system reboot.

    Supports real-time blocking and alerting for known ransomware, uses honeypots to detect unknown ransomware, and allows one-click recovery of encrypted data.

    Lower cost. Anti-ransomware supports file-level protection and charges based on your actual usage. You do not need to pay for backing up the entire disk. For more information, see Billing description.

  • What should I do if the purchased anti-ransomware capacity is insufficient?

    Insufficient capacity causes backup failures. Resolve this by expanding capacity or freeing up existing space.

    • Expand capacity

      Log on to the Security Center console. In the navigation pane on the left, select Protection Configuration > Host Protection > Anti-ransomware. In the upper-left corner of the console, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland. On the Anti-ransomware page, click Upgrade under Used Capacity/Total Capacity to upgrade your capacity.

      Note

      Allocate 50 GB of capacity per server.

    • Free up capacity

  • What should I do if a protection policy is in an abnormal state?

    An abnormal policy cannot back up data. Go to the Anti-ransomware page to identify the cause and follow the on-screen prompts. Common causes include:

    • Insufficient capacity

      If used capacity exceeds the total during a backup, the backup pauses and no new recovery tasks can be created. Purchase additional capacity to continue. See Upgrades and downgrades.

    • Agent offline

      An offline Agent on the server causes the policy to become abnormal. See Troubleshoot Agent offline issues.

    • Backup exception

      An incorrect backup path or insufficient server disk space causes the recovery task to fail. Create a new recovery task with the correct path and ensure sufficient disk space. The policy returns to Normal after the new task completes.

  • Why do .aeqis or .zaegis folders still exist after disabling anti-ransomware?

    These folders are security decoy files deployed by anti-ransomware. They detect and block ransomware when it attempts to access them. Even if you disable the policy in the console, the resident security component managed by the host protection module (AliHips) retains these files. This is normal — no manual deletion is needed, and no additional charges apply.

  • Does the anti-ransomware service guarantee compensation for ransomware infections?

    No. Server infections result from multiple factors and are not directly caused by the host or Security Center. For liability definitions and service guarantees, see Related agreements.

  • Is anti-ransomware protection necessary for internal network servers without public network access?

    Yes. Internal network servers still face ransomware risks through lateral movement, insider mistakes, or supply chain attacks. Anti-ransomware backs up and protects critical directories, improving your overall security posture.

  • How do I confirm whether a server has been targeted by ransomware when no alerts are generated?

    Follow these steps:

    1. Log on to the Security Center console. Check the Detection and Response > Alert or Agentic SOC > Alert page for alerts about malicious processes, ransomware, or abnormal logons.

    2. If no alerts exist, contact a technical engineer to inspect the server for unusual database table entries, file tampering, or abnormal encryption extensions.

    3. If business applications run normally and none of these signs are present, the server has likely not been targeted by ransomware.

    4. Configure a server snapshot policy and perform regular data backups to ensure data security.

File tamper protection

  • Can the validity period of the Security Center edition differ from that of file tamper protection?

    For subscription instances, all feature modules (including file tamper protection) share the same validity period. You cannot separately purchase subscription services with different service cycles.

    Recommended solution: On the Downgrade page, unsubscribe from the File Tamper-Proofing subscription service, and then activate the File Tamper-Proofing pay-as-you-go service. For more information, see File tamper-proofing.

  • How do I fix "Protection module initialization failed. Check if other software is intercepting or controlling service creation."?

    Another security application on your server is likely blocking the Security Center tamper protection program. Add the Security Center Agent process to the allowlist of the other security software, or disable its driver service creation blocking feature.

  • What are the requirements for the file tamper protection local backup directory?

    • Maximum 100 rules enabled at the same time.

    • Up to 100 protection paths and 100 process paths per rule.

    • Each protection path must be 1 to 128 characters.

    • The full path of a protected file or directory cannot exceed 1,000 characters or 500 Chinese characters.

    • If a protection path points to an NFS server process path, file modifications via an NFS client cannot be defended against.

  • Why does configuring a tamper protection directory prompt a path error?

    For Windows, use backslashes (\) instead of forward slashes (/). For example: C:\Program Files\Common Files.

    Note

    The following characters are not allowed in the protection directory path: /;*?""<>|

  • Why does file tamper protection fail after configuring a protection directory?

    After configuring a protection directory, you must also enable the protection switch and ensure the client is running. Check the following:

    • The files you want to protect are within the protection directory.

    • The protection switch is enabled after creating the rule.

    • The client is online:

      1. Log on to the Security Center console. On the Protection Configuration > Host Protection > File Tamper Proofing page, view the service status on the Protection Management tab.

      2. If the status is Abnormal, retry the operation. If the status is Offline, reinstall the Agent. See Install the Agent.

    • The server has sufficient disk space.

  • Can I still write files to a directory after configuring it for protection?

    No. After configuring a directory for tamper protection, you cannot write new files to it.

  • What should I do if tamper protection does not take effect immediately after configuration?

    Protection may not take effect immediately after configuring a directory. In this case, go to the Protection Management list, turn off the Protection Status switch for the affected server, and then turn it back on.

  • Why are no alerts generated when I modify a protected file via SSH, even with tamper protection enabled?

    Possible causes include:

    • The Protection Status switch is not enabled.

    • You modified the protection directory after enabling the Protection Status switch, but did not toggle the switch off and on again after the change.

    • The file is on the allowlist.

      Allowlisted files are considered trusted. Tamper protection does not generate alerts or block modifications for them. See Add to allowlist.

    • The server kernel is not within the supported range.

      When the kernel is supported, tamper protection directly blocks file modifications without generating an alert.

      Note

      After saving the file, return to the File Tamper Proofing page. In the Handled list, you can see that the modification was blocked. Checking the file on the server confirms your changes were not saved.

  • What should I do if I cannot modify website content and images after configuring tamper protection?

    Choose one of the following solutions:

    • Disable tamper protection, update your website content, and re-enable protection. See File tamper-proofing.

    • Exclude the website path from the tamper protection directory.

    Note

    Tamper protection supports adding Linux and Windows server processes to the allowlist for real-time updates to protected website files. See Add to allowlist.

  • Why are file operations still blocked or generating alerts after I disable or modify a tamper protection rule?

    Possible causes include:

    1. Rule activation delay: Rules take up to 5 minutes to take effect after initial configuration and up to 1 minute after modification. Wait for the rule to take effect before testing.

    2. Rule priority conflict: A higher-priority blocking rule exists and has not been overridden.

    3. To allow legitimate processes (such as deployment processes), configure an Allow rule. Allow rules take priority over Block and Alert rules.

  • Why does the number of tamper protection alerts in the console differ from email notifications?

    Check the region setting in the upper-left corner of the Security Center console and ensure it matches the region of the assets in the alert email. After switching to the correct region, you can view the corresponding alert details.

  • Does the absence of tamper protection alerts mean the files are safe?

    If the rule configuration has not changed and no related records exist in the alert list, the files are in a secure state. An alert indicates that an abnormal operation has been detected.

  • Are tamper protection rules automatically generated after a version upgrade?

    No. All tamper protection rules must be manually configured. The system does not automatically generate rules after a version upgrade.

Virus and malware defense

  • What should I do if I receive an SMS or email alert about a webshell on my server?

    A webshell alert means your server has been compromised and a backdoor file has been uploaded. An attacker can manipulate your website or database. Use Security Center to quarantine the backdoor file, then investigate the root cause of the intrusion to prevent the attacker from exploiting the same vulnerability again.

    To investigate specific vulnerabilities, purchase Managed Security Service for expert consultation.

  • Why does Security Center report a cryptocurrency miner but virus scanning does not detect it?

    Possible causes include:

    1. File already deleted: The malicious file may have been cleaned up by other security software, manually deleted, or self-deleted by the malware. Monitor the situation or mark the alert as Manually Handled or Ignore.

    2. In-memory or covert processes: Some malicious processes run only in memory or without persisting to disk. Enable Memory Check during scanning, or use the Deep Cleanup feature.

    3. False positive: Legitimate programs such as PaddleOCR may be flagged. If you confirm no malicious network connections, select Add to Whitelist or Ignore.

    4. Stale alert: Historical alerts may not be automatically cleared after the file is deleted. Trigger Rescan to update the status.

  • What should I do if local antivirus software (such as 360) reports a virus but Security Center does not, or vice versa?

    1. Local antivirus reports a virus but Security Center does not: This may be a false positive from the local software, or Security Center has classified the file as low-risk or allowlisted. Verify the file source. If confirmed as your own application, ignore the alert in Security Center or contact the software vendor.

      Note

      Third-party antivirus software may conflict with the Security Center Agent. Add the Agent directory to the allowlist of the local antivirus software.

    2. Security Center reports a virus but the local file does not exist: The file may have been in the Recycle Bin (such as $Recycle.Bin) and emptied, or deleted by another tool. Run a full disk scan in Security Center Virus Detection and Removal to synchronize the status. If no threats are found, mark the alert as Manually Handled or Ignore.

  • Does virus scanning affect business performance or Java processes?

    1. Resource usage: Virus scanning uses minimal CPU and I/O resources. The impact on normal business operations is minimal.

    2. Processing mechanism: After detecting a virus, scanning generates an alert by default. It does not proactively terminate business processes or delete files unless you manually execute Deep Cleanup or Quarantine.

    3. Recommendation: For high-load business, run scans during off-peak hours or disable Memory Check to reduce resource consumption. The scanning process does not kill processes such as Java unless confirmed malicious and you choose removal.

  • How do I handle an alert about connections to malicious addresses?

    Follow these steps:

    1. Check the Agent: Verify that the Security Center Agent is online. If offline, reinstall or restart it.

    2. Run virus scanning: On the Virus Detection and Removal page, start a manual scan to detect trojans or backdoor files initiating malicious connections.

    3. Network investigation: Check security group rules and network logs for abnormal outbound connections. Block suspicious IP addresses if necessary.

General host protection

  • Does Security Center proactively clean up system files (such as /dev/shm) or provide symlink checking tools?

    No. Security Center does not proactively clean up files in directories such as /dev/shm. Its core capabilities are threat detection and malicious behavior interception — it does not include a system-level file cleanup mechanism.

    Security Center does not provide a tool to quickly check and remove symlinks on Windows systems. Manually check disk space, verify Windows Defender status, or update patches before running a scan.

  • Does disabling Security Center protection affect cloud server operations?

    No. Disabling Security Center protection does not affect normal server operations. Security Center is host protection software — it enhances security but is not required for server performance. If you disable this service, you must harden the server yourself (for example, by using software versions without known vulnerabilities and setting strong passwords).

  • Do the red prompts (pending items or anti-ransomware quota) in the Security Center console affect business operations?

    • Pending items (such as unfixed vulnerabilities and baseline risks): Increase the risk of attacks if left unresolved, but do not affect normal server operations.

    • Anti-ransomware quota usage approaching the limit: May cause new backup failures, affecting data recovery capabilities, but does not affect existing business operations.

    Check the specific alert details and address vulnerabilities or expand the anti-ransomware quota for long-term stability and data security.

  • Does Security Center provide detailed historical update records for the virus library?

    No. Security Center provides only the virus library version update time. Detailed update records are not available.

  • Why does Security Center report an abnormal logon alert but no corresponding record exists in the Windows system log?

    Possible causes include:

    1. Log collection delay or loss: Log transmission may be delayed.

    2. Local log overwritten: The local log may have been overwritten due to size limits (for example, set to 20 MB), making historical records unavailable.

    3. Non-interactive logon: Non-interactive logons (such as those triggered by background services or scheduled tasks) do not appear as typical Event ID 4624 interactive logon events in Event Viewer, but are captured by Security Center.

  • Does Security Center support viewing the specific logon method (password or key) and detailed source of an ECS instance?

    No. Security Center does not support viewing the specific logon method or detailed source tracing. It can only detect abnormal logon behavior.

  • What is the difference between the Security Center memory usage alert and the CloudMonitor remaining memory usage alert?

    Security Center monitors the memory usage rate, whereas CloudMonitor monitors the remaining memory usage rate. The two products use different metrics, which may result in inconsistent alert triggers.

  • What should I do if the self-service unblock request returns "Permission verification failed" or "Unblock not supported"?

    Self-service unblock entry: Self-service unblock page.

    Note the following restrictions:

    • Self-service unblock can be requested only once. If cryptocurrency mining behavior is detected again, the instance will be blocked again and cannot be unblocked through self-service.

    • Fix security risks (such as weak passwords or viruses) as soon as possible, or back up data and reinstall the operating system.

Clients and permissions

What are the differences between the Security Center Agent, Cloud Assistant client, and anti-ransomware client?

These three clients serve different purposes and can coexist on the same ECS instance without conflict:

  • Security Center Agent: The core agent for Security Center. Installed automatically when you enable host protection (such as vulnerability detection, malware scanning, and baseline checks). Provides comprehensive security scanning and protection.

  • Cloud Assistant Client (Aliyun Assist): A general-purpose ECS agent for running scripts and executing commands. Independent of Security Center. Coexists with the Security Center Agent without conflict.

  • Anti-ransomware client: A dedicated backup agent installed when you enable anti-ransomware. Handles data backup and restoration for ransomware protection. Works alongside the Security Center Agent.