Memory-resident malware is a type of malicious program that runs only in memory and is not written to a disk. This allows it to launch stealthy attacks and evade conventional virus detection. Application Protection's Runtime Application Self-Protection (RASP) technology analyzes memory data to detect memory-resident malware in real time. It can also intercept the injection and execution of memory-resident malware. This topic describes how to use the memory-resident malware defense feature.
Prerequisites
Onboard your Java applications to Application Protection and ensure their application instances are authorized. For more information, see Onboard applications to Application Protection.
Detection and interception logic
The memory-resident malware defense feature detects threats such as memory-resident malware, injection attempts, and malicious execution calls within authorized instances of an application group.
Memory-resident malware detection: This engine scans memory for malicious code to find hidden threats and displays memory-resident malware detection alerts in the console. You can activate this engine by enabling the In-memory Webshell switch for an application group.

Memory-resident malware injection: This engine monitors and intercepts memory-resident malware attacks in real time, including their injection and execution behaviors. This engine is activated when the detection types for an application group include In-memory Webshell Injection. If the Protection Mode for the application group is set to Monitoring, the engine only reports alerts without blocking threats. If the Protection Mode is set to Block, the engine actively blocks suspicious calls and generates corresponding alerts. This engine provides two interception methods to defend against attacks that target various middleware.
Interception during the injection process: By monitoring sensitive API functions, RASP can observe attacker behaviors in real time, such as injecting memory-resident malware through expression execution or deserialization. It can block the attack during the injection process, preventing the malware from being injected into the application context.
Interception during execution: If memory-resident malware is successfully injected and attempts to run, RASP uses a combination of deep learning and behavioral recognition to monitor the program's execution. By comparing program behavior against a database of known malicious signatures, this technique can accurately identify and prevent the activation and execution of the malware without disrupting normal business operations. As a result, even if malware is implanted in the system, an attacker cannot use it.
View and handle alerts
By default, Application Protection enables memory-resident malware detection for all application groups. After you onboard an application to Application Protection, you can follow these steps to view and handle memory-resident malware alerts.
Log on to the Security Center console.
In the left-side navigation pane, choose . In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
On the Application Protection page, on the Memory-resident Malware Defense tab, specify the application group and time range that you want to view.
View the In-memory Webshell Alert Trend, In-memory Webshell Distribution, and the list of memory-resident malware alerts.
Alert for In-memory Webshell Detection: These alerts identify static memory-resident malware files detected by the detection engine. The following list describes the handling status of these alerts:
Unhandled: The detection engine has detected the malware file. You must handle the alert manually and promptly.
Automatically handled and blocked: The memory-resident malware injection engine detected the execution of the malware file that triggered the alert and blocked its execution. RASP can defend against this malware with high precision. It also blocks subsequent execution attempts. You can restart the application to remove the malware file from memory.
Unhandled and monitored: The memory-resident malware injection engine detected the execution of the malware file that triggered the alert but did not block the execution. This behavior was determined by the Protection Mode setting of the application group. You can enable the protection feature for the application group with a single click.
The following describes the active and inactive statuses of alerts:
Active: The application instance that triggered the alert is online.
Inactive: The application instance that triggered the alert is offline.
Alert for In-memory Webshell Insertion: These alerts identify events that are detected by the memory-resident malware injection model.
In the Actions column of a target alert, click Details. View the Details and Alert Analysis tabs to determine whether you need to handle the alert.
On the Details tab, if you want to view the source code of the Java program running in memory, turn on the Decompiled Java File switch. If you turn off this switch, Security Center does not display the decompiled code.
The Alert Analysis tab uses a large language model (LLM) to provide an analysis of the code running in memory, including the specific evidence for why the code was identified as memory-resident malware. This helps you more accurately assess whether the detected malware poses a real threat, improving your security judgment and response efficiency.
ImportantYou must turn on the Decompiled Java File switch to view the content on the Alert Analysis tab. The alert analysis feature analyzes the decompiled Java file.

Handle the memory-resident malware alert.
Manually handle the memory-resident malware: Restart the application during off-peak hours to remove the memory-resident malware. Then, set the handling status to Mark as Handled in the console.
Enable protection with a single click: Change the Block to Block for the application group that contains the affected server. After the change, the engine will automatically intercept all future injection or execution attempts of memory-resident malware detected in this application group.
Ignore: If you do not need to handle the alert, set the handling status to Ignore in the console.
Add to whitelist: Go to the Attack Alerts tab. In the Actions column of the target memory-resident malware injection alert, click Handle to add the alert to the whitelist. For more information, see Add an alert to the whitelist.
NoteMemory-resident malware detection alerts cannot be added to a whitelist.
Enable or disable defense
To enable or disable memory-resident malware defense for an application group, follow these steps.
Log on to the Security Center console.
In the left-side navigation pane, choose . In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
On the Application Protection page, click the Application Configurations tab. In the Actions column of the target application group, click Protection Policy.
In the Protection Policy panel, on the Protection Policy tab, select or deselect a protection policy group that includes In-memory Webshell Injection as a detection type.
If you select a protection policy group that includes In-memory Webshell Injection as a detection type, the memory-resident malware injection engine is enabled. If Protection Mode is set to Monitor, the engine only reports alerts and does not block threats. If Protection Mode is set to Block, the engine reports alerts and blocks memory-resident malware injection and execution attempts.

In the Protection Policy panel, on the Detection Policy tab, turn the In-memory Webshell switch on or off, and then click OK.
If you turn on the Memory-resident malware detection switch, memory-resident malware detection is enabled for the application group.
