Assess risks, choose response actions, and complete security hardening when Malicious File Detection identifies threats such as webshells, mining programs, or trojans on ECS instances or in OSS buckets.
Choose a response action
The Malicious File Detection feature offers the following response actions for at-risk files.
|
Actions |
Persistence |
Impact on detections |
Use cases |
|
Add to whitelist |
Permanent |
Files that match a whitelist rule are automatically marked as Added to Whitelist and no longer trigger DingTalk bot notifications. |
Use this for a permanently trusted file that is essential to your business. |
|
Ignore |
One-time |
None. |
Use this for temporary or low-priority alerts, or potential false positives needing further analysis. |
|
Block access |
Permanent |
The file will no longer be scanned. |
Use this for a confirmed malicious file in an OSS bucket that requires immediate isolation. |
|
Manually Handled |
One-time |
None. |
Use this after you resolve the risk outside Security Center, such as deleting the file from the server. |
Investigate and assess risks
-
Log on to Security Center console - Risk Governance - Malicious File Detection, and in the upper-left corner of the page, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
-
Navigate to the file details page.
-
On the At-risk File Overview tab, find the target file and click Details in the Actions column.
-
On the OSS File Check tab:
-
Set the Whether Risk is Detected filter to At Risk. Find the target bucket and click Details in the Actions column.
-
In the At-risk File Details section of the details page, find the target file and click Details in the Actions column.
-
-
-
Assess the business impact.
Review File Path, Associated Process, and First Discovered Time. Assess the impact using these methods:
-
Confirm file ownership: Contact your development or O&M team to verify whether the file is legitimate, a test artifact, or unnecessary.
-
Trace the file's origin: Check the file's directory. For example, if the file is in a WordPress directory, check whether a known vulnerability was exploited to create a backdoor.
-
Review system recommendations: In the Incident Description section of the details page, review the system's analysis and response guidance.
-
Perform response actions
Handle at-risk files from the Security Center console or manually from the server. The following procedure uses the console.
Procedure
-
Open the handling dialog box.
-
On the At-risk File Overview tab, set the status filter to Unhandled. Find the target file and click Handle in the Actions column.
-
On the OSS File Check tab:
-
Set the Whether Risk is Detected filter to At Risk. Find the target bucket and click Details in the Actions column.
-
In the At-risk File Details section of the details page, find the target file and click Handle in the Actions column.
-
-
-
Handle the at-risk file.
-
Configure a Handling Method.
In the Malicious Script Handling dialog box, select a response action based on your risk assessment and configure rules. Detailed response actions.
-
Configure batch processing (optional).
To batch-process similar alerts, select Handle similar alerts simultaneously.
-
On the Same File Content or Same Alert Type tab, click Show to view the details of similar alerts.
-
Review alert details and select which similar alerts to handle together.
-
Same file content: All alerts for files that have the identical SHA256 hash value.
-
Same alert type: All alerts for the same type of risk, such as a webshell, detected by the same engine.
-
-
-
Response actions
Add to Whitelist
-
Set a whitelist rule.
-
On the Add to Whitelist tab, click Create Rule to add a rule.
-
Configure rule details.
ImportantMultiple rules use OR logic — a file is whitelisted if it matches any rule.
Each rule consists of the following four fields:
-
File information field: Match files by File Name, File MD5, SHA256, or the Bucket Name where the file is stored.
-
Condition type: Supported operations include Regular Expression Match, equals, and Contain. Examples:
-
Regular expression example: To match all temporary files that end with
.tmp, set File Information Field to File Name, Condition Type to Regular Expression Match, and Condition Value to.*\.tmp$. -
File name matching: To match all temporary files whose names contain
post, set File Information Field to File Name, Condition Type to Contain, and Condition Value topost.
-
-
Condition value: Supports constants and regular expressions.
-
-
-
How it works:
-
The status of the file is changed to Added to Whitelist.
-
This action creates a whitelist rule on the Policy Configuration page. Manage whitelists.
-
When a file that matches the whitelist rule is detected again, its status is automatically set to Added to Whitelist, and no risk notification is sent from the DingTalk bot.
-
-
Security recommendations:
-
Use exact matches: Use File MD5 or SHA256 matching to avoid whitelisting actual malicious files.
-
Use full path matching: When matching by filename, combine Bucket Name and File Name Match to avoid overly broad rules.
-
Denied Access
This action is available only for OSS files.
-
How it works:
-
The file's status changes to Denied Access, which prevents future detections of identical content.
-
Security Center adds an
mfd_forbiddentag and the following Bucket Policy to the file, which blocks access and related operations.Note-
You can view the tag and policy in the OSS console. Restore access to a blocked file, Object tagging, Bucket Policy.
-
If you have already deleted the file in the OSS console, the tag and policy are not added.
{ "Effect": "Deny", "Action": [ "oss:GetObject" ], "Principal": [ "*" ], "Resource": [ "acs:oss:*:*:${BucketName}/*" ], "Condition": { "StringEquals": { "oss:ExistingObjectTag/mfd_forbidden": [ "true" ] } } } -
-
-
Security recommendation:
This action may interrupt business functions. Before proceeding, confirm that no legitimate services depend on this file.
Ignore
-
How it works:
Marks the alert as "Ignored" without resolving the underlying security issue.
-
Security recommendations:
-
Only ignore confirmed false positives or accepted risks to avoid overlooking real attacks.
-
Review ignored alerts periodically (weekly or monthly).
-
To suppress future alerts of this type, use Add to Whitelist instead.
-
Manually Handled
-
How it works: This action only updates the status of the detected file to Manually Handled. It does not verify the actual security status of the file.
-
Security recommendation: Use this only after resolving the issue by other means, such as deleting the file from the server.
Manage response outcomes
Change a response action
-
Go to Security Center console > Risk Governance > Malicious File Detection, and in the upper-left corner of the page, select the region where the asset that you want to protect is located: Chinese Mainland or Outside Chinese Mainland.
-
Open the modification dialog box.
-
Find the target file.
-
On the At-risk File Overview tab, set the filter to a handled status, such as Added to Whitelist, and then locate the file.
-
On the OSS File Check tab:
-
Set the Whether Risk is Detected filter to At Risk, and then click Details in the Actions column of the target bucket.
-
In the At-risk File Details section, set the filter to a handled status, such as Added to Whitelist, and then locate the file.
-
-
-
Change the file's status.
Click Change Status in the Actions column of the target file.
-
-
Change the response action.
In the dialog box, select a new response action and configure rules. Handle the at-risk file.
ImportantYou can reset the status to Unhandled.
Revert a whitelist or ignore action
-
Method 1: Reset the status
Use Change a response action to set the status to Unhandled.
-
Method 2: Use the Remove from Whitelist and Cancel Ignore actions
-
Find the target file.
-
On the At-risk File Overview tab, set the filter to Added to Whitelist or Ignored, and then locate the file.
-
On the OSS File Check tab:
-
Set the Whether Risk is Detected filter to At Risk, and then click Details in the Actions column of the target bucket.
-
In the At-risk File Details section, set the file status filter to Added to Whitelist or Ignored, and then locate the file.
-
-
-
Revert the file's status.
Select the checkbox next to the target file, and then click Remove from Whitelist or Cancel Ignore at the bottom of the list.
-
Restore access to a blocked file
-
Method 1: Reset the status
Use Change a response action to set the status to Unhandled.
-
Method 2: Handle manually in the OSS console
-
Log on to the OSS console, and then click the name of the target bucket.
-
Remove the tag.
-
In the left-side navigation pane, select Objects. In the Actions column of the target file, click the
icon and select Tags. -
On the Tags tab, delete the
mfd_forbiddentag.
-
-
Delete the authorization policy (use with caution).
WarningThis affects all files with the
mfd_forbiddentag. Do not perform this operation unless necessary.-
In the left-side navigation pane, choose Permission Control > Bucket Policy.
-
On the Bucket Policy page, on the Add by Syntax tab, delete the policy that contains the mfd_forbidden tag condition.
-
-
Manage whitelists
-
Add or modify a rule
-
In the upper-right corner, click Policy Management. On the Whitelists tab, click Add Rule or click Edit in the Actions column of the target rule.
-
Follow Configure rule details to complete the configuration, then click Confirm.
-
-
Delete a rule
In the upper-right corner, click Policy Management. On the Whitelists tab, find the rule you want to delete and click Delete in the Actions column.
ImportantDeleting a rule does not change the status of already-whitelisted files, but new matching files will no longer be auto-whitelisted.