Security vulnerabilities are a primary attack vector that can lead to data breaches and business disruptions. Security Center scans your assets for four vulnerability types: Linux software vulnerabilities, Windows system vulnerabilities, application vulnerabilities, and urgent vulnerabilities. Identify and fix risks before an attack occurs.
Vulnerability scanning mechanism
Security Center uses the following two methods for vulnerability detection:
Software composition analysis (SCA) — passive detection: The Security Center agent collects software version and dependency library information from your servers and compares it against a vulnerability database. This process analyzes only software metadata and has no impact on your business systems.
Web scanner — active validation: The web scanner sends proof-of-concept (POC) requests from the internet to your application services, simulating attack behavior to confirm whether a vulnerability exists. This method can detect high-risk vulnerabilities such as remote command execution and SQL injection. All requests are harmless probes and will not cause damage to your systems.
Assets in the Outside Chinese Mainland region that are hosted in the Singapore data center do not currently support the web scanner feature.
Supported editions and scan coverage
Subscription
Edition | Manual scan | Automatic (periodic) scan |
Enterprise, Ultimate | All | |
Advanced | All vulnerability types except Application Vulnerability | |
Basic, Value-added Plan, Anti-virus | Urgent Vulnerability | Linux Software Vulnerability and Windows System Vulnerability |
Pay-as-you-go
Protection level | Manual scan | Automatic (periodic) scan |
Host Protection and Hosts and Container Protection | All | |
Unprotected and Antivirus | Urgent Vulnerability | Linux Software Vulnerability and Windows System Vulnerability |
Configure a network whitelist
To ensure that the web scanner can access your servers and perform active validation (POC), add the Security Center scanning IP range 47.110.180.32/27 (47.110.180.32 to 47.110.180.63) to the whitelists of your security groups and network firewalls.
If you do not add the scanning IP range to your whitelist, the web scanner's POC requests may be blocked. This prevents detection of application and urgent vulnerabilities, or causes requests to be flagged as attacks.
POC validation requests may include the auxiliary domain s0x.cn (used for application and urgent vulnerability detection). If this triggers an alert, ignore it or create a whitelist rule for the domain.
Configure a security group
If your server is an Alibaba Cloud ECS instance, see Manage security groups and add an inbound rule with the following parameters:
Parameter | Value |
Direction | Inbound |
Action | Allow |
Protocol Type | TCP |
Port Range | 1–65535 |
Source | 47.110.180.32/27 |
Configure a firewall whitelist
If your server uses Web Application Firewall (WAF), see Allow specific requests using whitelist rules and add a whitelist rule with the following parameters:
Parameter | Value |
Match Field | IP |
Logic | Belongs to |
Match Content | 47.110.180.32/27 |
Detection Modules to Skip | All |
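The two whitelist tables above both key on the scanner range 47.110.180.32/27. The following script is an added example (not Alibaba Cloud code and not the ECS or WAF API schema) that checks whether a set of inbound security-group rules, modelled in a simplified form constructed for this example, admits every address in that range on every TCP port, and that tells scanner probes apart from other sources when you review firewall or WAF logs. It handles the case where coverage is spread across several rules (split port ranges or smaller CIDRs), which is where a hand check is easy to get wrong.

```python
"""Verify that Security Center's web-scanner range is allowed through a
security-group rule set, and classify observed source IPs.

Added example, not Alibaba Cloud code. `Rule` is a simplified model
constructed for this example, not the ECS security-group API schema.
The CIDR below is the scanning range given in the documentation.
"""
import ipaddress
from dataclasses import dataclass

SCANNER_RANGE = ipaddress.ip_network("47.110.180.32/27")  # from the documentation
LOWEST_PORT, HIGHEST_PORT = 1, 65535


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    action: str      # "allow" or "drop"
    protocol: str    # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    source: str      # source CIDR, e.g. "47.110.180.32/27"


def missing_scanner_addresses(rules):
    """Return the scanner addresses that are NOT allowed on all TCP ports.

    Only inbound allow rules for TCP (or all protocols) count. Coverage may
    be assembled from several rules: for each scanner address, the port
    ranges of every rule whose source contains it are merged and the merged
    span must run contiguously from 1 to 65535.
    """
    candidates = [r for r in rules
                  if r.direction == "inbound" and r.action == "allow"
                  and r.protocol in ("tcp", "all")]
    missing = []
    for addr in SCANNER_RANGE:
        intervals = sorted((r.port_from, r.port_to) for r in candidates
                           if addr in ipaddress.ip_network(r.source))
        covered_to = LOWEST_PORT - 1  # highest port covered contiguously so far
        for lo, hi in intervals:
            if lo > covered_to + 1:   # gap before this interval: stop merging
                break
            covered_to = max(covered_to, hi)
        if covered_to < HIGHEST_PORT:
            missing.append(str(addr))
    return missing


def classify_source(ip_text):
    """Label a source IP seen in a firewall/WAF log line."""
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 4 and addr in SCANNER_RANGE:
        return "security-center-scanner"
    return "other"


if __name__ == "__main__":
    # Constructed rule set: the scanner range is allowed in two port halves.
    rules = [
        Rule("inbound", "allow", "tcp", 1, 1024, "47.110.180.32/27"),
        Rule("inbound", "allow", "tcp", 1025, 65535, "47.110.180.32/27"),
    ]
    print("missing:", missing_scanner_addresses(rules))
    print(classify_source("47.110.180.40"), classify_source("203.0.113.9"))
```

If the returned list is non-empty, the listed addresses can still be blocked, so a POC request from them would be dropped or logged as an attack, which is the failure mode described above.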
Run a vulnerability scan
Security Center provides two scanning methods:
Manual scan: Immediately assess the vulnerability status of your servers on demand.
Automatic (periodic) scan: Set up recurring scan tasks for continuous vulnerability monitoring.
After a scan starts, the system creates a scan task and runs it in the background. You can view scan progress and results in task management.
Manual scan
In the left navigation pane, choose . In the upper-left corner of the console, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.
On the Vulnerabilities page, click Quick Scan (All Servers). In the Vulnerability Scan dialog box, select the vulnerability types to scan, and then click OK.
Note: To scan specific servers instead of all servers, go to the Host page, select the target servers, click Security Check at the bottom of the page, and then select Vulnerabilities in the dialog box.
Automatic (periodic) scan
Automatic scanning uses two scheduling approaches depending on the vulnerability type:
Default cycle (not configurable):
Applies to Linux Software Vulnerability and Windows System Vulnerability.
Default scan frequency:
Subscription:
Advanced, Enterprise, Ultimate — once per day;
Basic, Value-added Plan, Anti-virus — once every two days.
Pay-as-you-go:
Host Protection, Hosts and Container Protection — once per day;
Unprotected, Antivirus — once every two days.
User-defined cycle:
Applies to Application Vulnerability and Urgent Vulnerability.
Available for Subscription (Advanced, Enterprise, Ultimate) and Pay-as-you-go (Host Protection, Hosts and Container Protection).
To configure automatic scanning:
In the left navigation pane, choose . In the upper-left corner of the console, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.
In the Vulnerabilities page, click Vulnerability Settings. Configure the following settings as needed:
Parameter
Description
Vulnerability scan switch
Enables or disables scanning for various vulnerability types (Linux Software Vulnerability, Windows System Vulnerability, Web-CMS Vulnerability, Application Vulnerability, and Urgent Vulnerability). After you enable a scan, you can click Manage to specify the servers to which the scan applies.
YUM/APT Source Configuration
When enabled, Alibaba Cloud official YUM/APT sources take priority for fixing Linux vulnerabilities, which significantly improves the remediation success rate.
Urgent Vulnerability Scan Cycle
Sets the execution frequency for urgent vulnerability scan tasks.
Default scan window:
Chinese Mainland: 00:00:00 to 07:00:00 (UTC+8).
Outside Chinese Mainland: 00:00:00 to 07:00:00 (UTC+7).
Available editions/protection levels:
Subscription: Advanced, Enterprise, and Ultimate.
Pay-as-you-go: Host Protection and Hosts and Container Protection.
Application Vulnerability Scan Cycle
Sets the execution frequency for application vulnerability scan tasks.
Default scan window:
Chinese Mainland: 00:00:00 to 07:00:00 (UTC+8).
Outside Chinese Mainland: a staggered scheduling mechanism runs scans at different times within a 24-hour period.
Available editions/protection levels:
Subscription: Enterprise and Ultimate.
Pay-as-you-go: Host Protection and Hosts and Container Protection.
System Vulnerabilities Scanned At
Sets a specific time for Linux Software Vulnerability and Windows System Vulnerability scan tasks to run.
Retain Invalid Vulnerabilities For
Sets the data cleanup period for stale vulnerabilities.
The system considers vulnerabilities that are not re-detected or handled for an extended period to be stale. Stale vulnerabilities are automatically archived to the "Handled" list. After the period you configured in Retain Invalid Vulnerabilities For expires, the system permanently deletes them to reduce clutter.
Note: If Security Center detects the same type of vulnerability again in the future, a new alert is generated.
Vulnerability Scan Level
Sets the risk levels of vulnerabilities to scan for. The system scans for and reports only the vulnerabilities that match the selected levels.
Vulnerability Whitelist Settings
Add vulnerabilities that you decide not to fix (for example, due to business requirements or acceptable risk) to a whitelist. These vulnerabilities are then ignored in future scans.
Note: After you add a vulnerability whitelist rule, you can manage it (edit or delete) on the Vulnerability Whitelist Settings tab in the Vulnerability Settings panel.
View scan tasks
On the Vulnerabilities page, click Task Management in the upper-right corner.
Click Details in the Actions column for a task to view its impact data, including Affected Servers, Successful Servers, and Failed Servers.
For successfully scanned servers, the Status column shows the scope of detected vulnerabilities. For failed scans, the Status column shows the failure reason.
View and handle vulnerabilities
On the Vulnerabilities page, go to the tab for the target vulnerability type, enter the vulnerability details page, and follow the instructions to fix it. For remediation steps, see Manage vulnerabilities.
Application Vulnerability and Urgent Vulnerability do not support one-click remediation from the console. You must log on to the server and fix them manually based on the remediation suggestions in the vulnerability details.
Service model | Service edition / Protection level | Description |
Subscription | Enterprise and Ultimate | Supports remediation for Linux Software Vulnerability and Windows System Vulnerability. |
Subscription | Advanced | Supports remediation for Linux Software Vulnerability and Windows System Vulnerability. |
Subscription | Basic, Value-added Plan, and Anti-virus | Important: You must purchase the Vulnerability Fix value-added service to use one-click remediation. For purchase instructions, see Purchase Security Center. Supports remediation for Linux Software Vulnerability and Windows System Vulnerability. |
Pay-as-you-go | All protection levels | |
Limitations
Task Management: After a manual scan task is created, you must wait 15 minutes before you can manually click Stop in Task Management.
Scan duration: Scan completion time depends on the number of assets and the complexity of the vulnerabilities. A scan is typically completed within 30 minutes.
FAQ
Scan behavior and results
Why are multiple instances of the same vulnerability reported for a single server?
Application vulnerability detection targets specific running process instances. If a server runs multiple instances of a process with the same vulnerability, such as two identical Tomcat services on different ports, the system reports a separate vulnerability for each instance. If the vulnerable software is installed but its corresponding process is not running, the vulnerability is not detected.
Why do scan results for vulnerabilities like Fastjson sometimes vary?
The detection of such vulnerabilities depends on whether their components, such as JAR packages, are loaded into a "runtime" state during the scan. In a dynamic loading model, the system identifies the vulnerability only when business logic calls the vulnerable component. Therefore, scan results may differ at different times.
Note: To improve detection accuracy for these types of vulnerabilities, we recommend that you run periodic or multiple scans.
Why do vulnerability records for a host remain on the console after its agent goes offline?
When an agent goes offline, its previously detected vulnerability records are retained on the console. However, these records automatically become stale, and you cannot act on them (for example, remediate, verify, or delete them). Vulnerabilities automatically become stale after the following periods:
Linux Software Vulnerability and Windows System Vulnerability: 3 days.
Web-CMS Vulnerability: 7 days.
Application Vulnerability: 30 days.
Urgent Vulnerability: 90 days.
Important: All data is permanently deleted only if the Security Center service expires and is not renewed within 7 days.
Performance impact and security
Do vulnerability scans or POCs for urgent vulnerabilities affect business systems?
Typically, no. The POCs from Security Center send only one or two harmless probe requests and do not perform any attacks or destructive actions. However, in rare cases where an application handles unexpected input poorly, a minimal, unknown risk might exist.
Why can a vulnerability scan trigger an out-of-memory (OOM) error?
The Security Center agent has a default memory limit of 200 MB. If memory usage during a scan exceeds this limit, the system's OOM mechanism terminates the detection process (ALiSecCheck) to conserve resources.
Note: This limit is typically enforced by a control group (cgroup) named aegisRtap0, and the related OOM messages appear in the dmesg logs. This is normal behavior: the Out of Memory (OOM) error results from the cgroup memory limit, not a system-wide memory shortage, and no user intervention is required.
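Because a cgroup-limited kill of ALiSecCheck and a genuine host-wide OOM both show up in dmesg, an operator needs to separate the two before deciding whether anything is wrong. The script below is an added example, not Alibaba Cloud code: it parses OOM-killer messages, attributes each kill to a cgroup limit or to global memory pressure, and counts kills that belong to the aegisRtap0 cgroup or the ALiSecCheck process named above. The sample lines are constructed for this example, and the message wording is assumed to follow the Linux kernel's oom_kill.c output, which varies between kernel versions.

```python
"""Triage OOM-killer messages from dmesg.

Added example, not Alibaba Cloud code. SAMPLE_DMESG is constructed for this
example; the cgroup (aegisRtap0) and process (ALiSecCheck) names are the
ones the documentation mentions. Message formats are assumed to follow the
Linux kernel's mm/oom_kill.c wording (it differs across kernel versions).
"""
import re

SCANNER_CGROUP = "aegisRtap0"
SCANNER_PROCESS = "ALiSecCheck"

# "Memory cgroup out of memory: Killed process <pid> (<name>) ..." = memcg limit
MEMCG_KILL = re.compile(r"Memory cgroup out of memory: Killed process (\d+) \(([^)]+)\)")
# "Out of memory: Killed process <pid> (<name>) ..." = host-wide pressure
GLOBAL_KILL = re.compile(r"Out of memory: Killed process (\d+) \(([^)]+)\)")
# Newer kernels log an "oom-kill:constraint=..." summary before the kill line,
# naming the cgroup whose limit was hit.
MEMCG_PATH = re.compile(r"oom_memcg=([^,]+)")

# Constructed sample: one scan-time kill inside the agent cgroup, then a
# genuine host-wide OOM that killed a Java service.
SAMPLE_DMESG = """\
[12345.678901] ALiSecCheck invoked oom-killer: gfp_mask=0xcc0(GFP_KERNEL), order=0, oom_score_adj=0
[12345.678950] oom-kill:constraint=CONSTRAINT_MEMCG,nodemask=(null),cpuset=/,mems_allowed=0,oom_memcg=/aegisRtap0,task_memcg=/aegisRtap0,task=ALiSecCheck,pid=4242,uid=0
[12345.678990] Memory cgroup out of memory: Killed process 4242 (ALiSecCheck) total-vm:412300kB, anon-rss:204800kB, file-rss:0kB, shmem-rss:0kB
[13000.000001] java invoked oom-killer: gfp_mask=0x6200ca(GFP_HIGHUSER_MOVABLE), order=0, oom_score_adj=0
[13000.000050] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/system.slice/tomcat.service,task=java,pid=1337,uid=1000
[13000.000090] Out of memory: Killed process 1337 (java) total-vm:8123456kB, anon-rss:3900000kB, file-rss:0kB, shmem-rss:0kB
"""


def parse_oom_events(text):
    """Return one dict per kill: pid, task, scope ("cgroup"/"global"), cgroup path."""
    events = []
    pending_cgroup = None  # cgroup named by the summary line preceding a kill
    for line in text.splitlines():
        m = MEMCG_PATH.search(line)
        if m:
            pending_cgroup = m.group(1)
            continue
        if "global_oom" in line:
            pending_cgroup = None
            continue
        m = MEMCG_KILL.search(line)
        if m:
            events.append({"pid": int(m.group(1)), "task": m.group(2),
                           "scope": "cgroup", "cgroup": pending_cgroup})
            pending_cgroup = None
            continue
        m = GLOBAL_KILL.search(line)
        if m:
            events.append({"pid": int(m.group(1)), "task": m.group(2),
                           "scope": "global", "cgroup": None})
            pending_cgroup = None
    return events


def classify(event):
    """Label one kill for the operator."""
    if event["scope"] == "global":
        return "host-oom"                 # real memory shortage: investigate
    cgroup = event["cgroup"] or ""
    if event["task"] == SCANNER_PROCESS or cgroup.endswith(SCANNER_CGROUP):
        return "scanner-cgroup-limit"     # expected during a scan: no action
    return "other-cgroup-limit"           # some other cgroup hit its limit


def triage(text):
    """Summarise a dmesg excerpt: counts per label plus an overall verdict."""
    labels = [classify(e) for e in parse_oom_events(text)]
    return {
        "scanner_cgroup_limit_kills": labels.count("scanner-cgroup-limit"),
        "other_cgroup_limit_kills": labels.count("other-cgroup-limit"),
        "host_oom_kills": labels.count("host-oom"),
        "host_memory_pressure": "host-oom" in labels,
    }


if __name__ == "__main__":
    for event in parse_oom_events(SAMPLE_DMESG):
        print(classify(event), event)
    print(triage(SAMPLE_DMESG))
```

On a real host, feed it `dmesg` output (or the kernel messages from journalctl): a result with only scanner cgroup kills matches the benign situation described in this answer, while any host-oom kill is unrelated to the scan and deserves a look.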
Scan scope and capabilities
What does the vulnerability scan cover?
Scanning covers both the system and application layers:
System layer: Linux Software Vulnerability and Windows System Vulnerability.
Important: Windows System Vulnerability scanning supports only monthly security update patches.
Application layer: Web-CMS Vulnerability, Application Vulnerability, and Urgent Vulnerability.
How do I view the list of vulnerabilities that Security Center can detect?
Log on to the Security Center console.
In the left-side navigation pane, choose Vulnerabilities > Vulnerabilities. In the overview section, find the Disclosed Vulnerabilities card.
Click the total number of vulnerabilities on the card to view a list of all detectable vulnerabilities and their details.
Is detection for specific vulnerabilities like Elasticsearch supported?
Yes. You can view detection results for services like Elasticsearch on the Application Vulnerability page in the console.
Note: This feature is available only for Subscription (Enterprise and Ultimate editions) and Pay-as-you-go (Host Protection and Hosts and Container Protection). If your current edition does not support this feature, upgrade your service.