Handle malicious file detection results

更新时间:
复制 MD 格式

Assess risks, choose response actions, and complete security hardening when Malicious File Detection identifies threats such as webshells, mining programs, or trojans on ECS instances or in OSS buckets.

Choose a response action

The Malicious File Detection feature offers the following response actions for at-risk files.

Actions

Persistence

Impact on detections

Use cases

Add to whitelist

Permanent

Files that match a whitelist rule are automatically marked as Added to Whitelist and no longer trigger DingTalk bot notifications.

Use this for a permanently trusted file that is essential to your business.

Ignore

One-time

None.

Use this for temporary or low-priority alerts, or potential false positives needing further analysis.

Block access

Permanent

The file will no longer be scanned.

Use this for a confirmed malicious file in an OSS bucket that requires immediate isolation.

Manually Handled

One-time

None.

Use this after you resolve the risk outside Security Center, such as deleting the file from the server.

Investigate and assess risks

  1. Log on to Security Center console - Risk Governance - Malicious File Detection, and in the upper-left corner of the page, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.

  2. Navigate to the file details page.

    • On the At-risk File Overview tab, find the target file and click Details in the Actions column.

    • On the OSS File Check tab:

      1. Set the Whether Risk is Detected filter to At Risk. Find the target bucket and click Details in the Actions column.

      2. In the At-risk File Details section of the details page, find the target file and click Details in the Actions column.

  3. Assess the business impact.

    Review File Path, Associated Process, and First Discovered Time. Assess the impact using these methods:

    • Confirm file ownership: Contact your development or O&M team to verify whether the file is legitimate, a test artifact, or unnecessary.

    • Trace the file's origin: Check the file's directory. For example, if the file is in a WordPress directory, check whether a known vulnerability was exploited to create a backdoor.

    • Review system recommendations: In the Incident Description section of the details page, review the system's analysis and response guidance.

Perform response actions

Handle at-risk files from the Security Center console or manually from the server. The following procedure uses the console.

Procedure

  1. Open the handling dialog box.

    • On the At-risk File Overview tab, set the status filter to Unhandled. Find the target file and click Handle in the Actions column.

    • On the OSS File Check tab:

      1. Set the Whether Risk is Detected filter to At Risk. Find the target bucket and click Details in the Actions column.

      2. In the At-risk File Details section of the details page, find the target file and click Handle in the Actions column.

  2. Handle the at-risk file.

    1. Configure a Handling Method.

      In the Malicious Script Handling dialog box, select a response action based on your risk assessment and configure rules. Detailed response actions.

    2. Configure batch processing (optional).

      To batch-process similar alerts, select Handle similar alerts simultaneously.

      1. On the Same File Content or Same Alert Type tab, click Show to view the details of similar alerts.

      2. Review alert details and select which similar alerts to handle together.

        1. Same file content: All alerts for files that have the identical SHA256 hash value.

        2. Same alert type: All alerts for the same type of risk, such as a webshell, detected by the same engine.

Response actions

Add to Whitelist

  • Set a whitelist rule.

    1. On the Add to Whitelist tab, click Create Rule to add a rule.

    2. Configure rule details.

      Important

      Multiple rules use OR logic — a file is whitelisted if it matches any rule.

      Each rule consists of the following four fields:

      1. File information field: Match files by File Name, File MD5, SHA256, or the Bucket Name where the file is stored.

      2. Condition type: Supported operations include Regular Expression Match, equals, and Contain. Examples:

        • Regular expression example: To match all temporary files that end with .tmp, set File Information Field to File Name, Condition Type to Regular Expression Match, and Condition Value to .*\.tmp$.

        • File name matching: To match all temporary files whose names contain post, set File Information Field to File Name, Condition Type to Contain, and Condition Value to post.

      3. Condition value: Supports constants and regular expressions.

  • How it works:

    • The status of the file is changed to Added to Whitelist.

    • This action creates a whitelist rule on the Policy Configuration page. Manage whitelists.

    • When a file that matches the whitelist rule is detected again, its status is automatically set to Added to Whitelist, and no risk notification is sent from the DingTalk bot.

  • Security recommendations:

    • Use exact matches: Use File MD5 or SHA256 matching to avoid whitelisting actual malicious files.

    • Use full path matching: When matching by filename, combine Bucket Name and File Name Match to avoid overly broad rules.

Denied Access

Important

This action is available only for OSS files.

  • How it works:

    • The file's status changes to Denied Access, which prevents future detections of identical content.

    • Security Center adds an mfd_forbidden tag and the following Bucket Policy to the file, which blocks access and related operations.

      Note
      {
      		"Effect": "Deny",
      		"Action": [
      			"oss:GetObject"
      		],
      		"Principal": [
      			"*"
      		],
      		"Resource": [
      			"acs:oss:*:*:${BucketName}/*"
      		],
      		"Condition": {
      			"StringEquals": {
              		"oss:ExistingObjectTag/mfd_forbidden": [
      					"true"
      				]
      			}
      		}
      	}
  • Security recommendation:

    This action may interrupt business functions. Before proceeding, confirm that no legitimate services depend on this file.

Ignore

  • How it works:

    Marks the alert as "Ignored" without resolving the underlying security issue.

  • Security recommendations:

    • Only ignore confirmed false positives or accepted risks to avoid overlooking real attacks.

    • Review ignored alerts periodically (weekly or monthly).

    • To suppress future alerts of this type, use Add to Whitelist instead.

Manually Handled

  • How it works: This action only updates the status of the detected file to Manually Handled. It does not verify the actual security status of the file.

  • Security recommendation: Use this only after resolving the issue by other means, such as deleting the file from the server.

Manage response outcomes

Change a response action

  1. Go to Security Center console > Risk Governance > Malicious File Detection, and in the upper-left corner of the page, select the region where the asset that you want to protect is located: Chinese Mainland or Outside Chinese Mainland.

  2. Open the modification dialog box.

    1. Find the target file.

      • On the At-risk File Overview tab, set the filter to a handled status, such as Added to Whitelist, and then locate the file.

      • On the OSS File Check tab:

        1. Set the Whether Risk is Detected filter to At Risk, and then click Details in the Actions column of the target bucket.

        2. In the At-risk File Details section, set the filter to a handled status, such as Added to Whitelist, and then locate the file.

    2. Change the file's status.

      Click Change Status in the Actions column of the target file.

  3. Change the response action.

    In the dialog box, select a new response action and configure rules. Handle the at-risk file.

    Important

    You can reset the status to Unhandled.

Revert a whitelist or ignore action

  • Method 1: Reset the status

    Use Change a response action to set the status to Unhandled.

  • Method 2: Use the Remove from Whitelist and Cancel Ignore actions

    1. Find the target file.

      • On the At-risk File Overview tab, set the filter to Added to Whitelist or Ignored, and then locate the file.

      • On the OSS File Check tab:

        1. Set the Whether Risk is Detected filter to At Risk, and then click Details in the Actions column of the target bucket.

        2. In the At-risk File Details section, set the file status filter to Added to Whitelist or Ignored, and then locate the file.

    2. Revert the file's status.

      Select the checkbox next to the target file, and then click Remove from Whitelist or Cancel Ignore at the bottom of the list.

Restore access to a blocked file

  • Method 1: Reset the status

    Use Change a response action to set the status to Unhandled.

  • Method 2: Handle manually in the OSS console

    1. Log on to the OSS console, and then click the name of the target bucket.

    2. Remove the tag.

      1. In the left-side navigation pane, select Objects. In the Actions column of the target file, click the more icon and select Tags.

      2. On the Tags tab, delete the mfd_forbidden tag.

    3. Delete the authorization policy (use with caution).

      Warning

      This affects all files with the mfd_forbidden tag. Do not perform this operation unless necessary.

      1. In the left-side navigation pane, choose Permission Control > Bucket Policy.

      2. On the Bucket Policy page, on the Add by Syntax tab, delete the policy that contains the mfd_forbidden tag condition.

Manage whitelists

  • Add or modify a rule

    1. In the upper-right corner, click Policy Management. On the Whitelists tab, click Add Rule or click Edit in the Actions column of the target rule.

    2. Follow Configure rule details to complete the configuration, then click Confirm.

  • Delete a rule

    In the upper-right corner, click Policy Management. On the Whitelists tab, find the rule you want to delete and click Delete in the Actions column.

    Important

    Deleting a rule does not change the status of already-whitelisted files, but new matching files will no longer be auto-whitelisted.