Updated on 2025-07-08 GMT+08:00

What's New

This topic describes the features of each Host Security Service (HSS) version and the corresponding documentation updates.

July 2025

No.

Feature

Description

Phase

Related Document

1

Added graph engine detection.

Generally, threat behavior detection checks file, process, network, or other information against the threat feature library to identify and block malicious behaviors. However, an attack usually involves multiple steps, so identifying it requires correlating multiple behaviors. For example, a vulnerability exploit attack involves scanning and reconnaissance, system intrusion, malicious file implantation, and subsequent attacks.

Graph engine detection performs comprehensive source tracing analysis based on the threat information provided by multiple modules (including HIPS detection, AI ransomware detection, and antivirus detection). It can associate and comprehensively analyze multiple suspicious process events to identify intrusion behaviors, enhancing defense against vulnerability exploits.

Editions: premium, WTP, and container editions

Commercial use

Configuring Policies

2

Added the cross-account agent installation function.

Added the cross-account agent installation function. You can connect the servers of other accounts to the current account for unified protection and management. In this way, HSS can protect the servers of different accounts.

Editions: all editions

Commercial use

Installing the Agent on Huawei Cloud Servers

3

Added fileless attack detection for servers.

Added fileless attack detection for servers.

  • The following fileless attacks on Linux can be detected:
    • Process injection: Malicious code is injected into running processes.
    • Dynamic library injection process: Malicious code is injected into running processes by hijacking functions in dynamic link libraries.
    • Memory file process: A malicious file is created in RAM by calling memfd_create and executed.
    • VDSO hijacking: Attackers exploit specific vulnerabilities (such as Dirty COW) and overwrite the original VDSO code with malicious code. When the root process invokes the VDSO code, the malicious code is executed and privileges are escalated.
  • The following fileless attacks on Windows can be detected:
    • Attack using Windows tools: Attackers exploit the built-in legitimate tools and functions in the OS to bypass traditional security mechanisms and perform malicious operations.
    • Malicious registry injection: Attackers insert malicious code or scripts into the Windows registry. This code can bypass the common file check mechanism and be automatically executed when the system is started. An alarm will be reported immediately if it is detected.

Editions: professional, enterprise, premium, WTP, and container editions

Commercial use

Server Alarms

Container Alarms

4

Added automatic isolation and removal of web shells.

HSS can automatically isolate and remove web shells.

Editions: professional, enterprise, premium, WTP, and container editions

Commercial use

Server Alarms

Container Alarms

Isolating and Killing Malicious Programs

5

Added AI ransomware protection.

Added AI ransomware prevention. It can monitor all the files on Windows servers; analyze whether multiple files of the same process are created, deleted, modified, or renamed; and determine whether the files are encrypted by ransomware. After detecting suspicious behaviors, HSS uses the graph engine for comprehensive source tracing analysis to identify ransomware attacks and improve the ransomware detection rate.

Editions: premium, WTP, and container editions

Commercial use

Enabling Ransomware Prevention

6

Optimized WTP.

Improved the WTP configuration process. The process is smoother for users, and protection can be enabled for an application on multiple servers at once.

Editions: WTP edition

Commercial use

Enabling Protection

7

Optimized container image security.

Added functions include but are not limited to the following:

  • Image security statistics can be presented in the risk view or image view.
  • Image vulnerabilities can be ignored or added to the whitelist.
  • Image scan tasks can be stopped.
  • Malicious files, software information, file information, baseline check, sensitive information, and software compliance scan results can be exported.
  • More container applications can be scanned. Newly supported applications and middleware include slf4j, jetty, ca-certificates-java, httpcore, javac2, javaee, Apache2, adaptive_server_enterprise, DB2, http_server, Memcached, Nginx, PostgreSQL, plexus-utils, and core.

Editions: container edition

Commercial use

Container Image Security Overview

8

Optimized baseline checks.

  • Configuration check

    You can set the export scope of scan results by selecting the result type (All or Failed) and risk level.

    Editions: enterprise, premium, WTP, and container editions

  • Password complexity policy check

    The reason why a password complexity policy failed the check is provided.

    Editions: all editions

  • Common weak password check
    • The passwords encrypted using the Yescrypt algorithm can be checked.
    • Detected weak passwords are masked before display.

    Editions: all editions

Commercial use

Baseline Inspection

9

Added the CI/CD image security scan function.

The CI/CD image security scan function can be integrated into the CI/CD build pipeline of the Jenkins Pipeline project. It performs security scans in the image build phase; identifies system vulnerabilities, application vulnerabilities, abnormal system configurations, malicious files, and sensitive files in images; and shifts security left to the DevOps phase, helping you eliminate security risks as early as possible and preventing unsafe images from being deployed in the production environment.

Editions: container edition

Commercial use

CI/CD Image Security Scan

10

Added the container escape blocking function.

When a container is running, an attacker may configure high-risk capabilities, exploit incorrect system configurations, or mount host directories to escape the container and gain full control over the host system.

HSS provides container escape prevention policies to detect container escapes at the levels of networks, servers, pods, containers, processes, and system calls. Five types of abnormal runtime behaviors (processes, files, network activities, process capabilities, and system calls) can be detected, reported, and blocked to prevent container escape and protect container runtime.

Editions: container edition

OBT

Configuring a Container Escape Prevention Policy

Container Alarms

11

Optimized the application protection function.

The following application protection functions are supported to meet RASP protection requirements in multiple scenarios:

  • Added web application protection for JDK 11 and JDK 17.
  • Added Tomcat application protection for Windows.
  • Added WebLogic, Netty, and Jetty application protection for Linux.

Editions: premium, WTP, and container editions

OBT

Application Protection

12

Optimized the baseline check function.

The following configuration baselines are added to support compliance baseline checks outside China:

  • General security standards of Linux: MySQL8-universal, HCE1.1-universal, Rocky8-universal, Rocky9-universal, AlmaLinux8-universal, OracleLinux6-universal, OracleLinux7-universal, Ubuntu22-universal, CentOS9-universal, SUSE15-universal, AliLinux2-universal, and AliLinux3-universal.
  • General security standard: Windows_2022-universal.

Editions: premium, WTP, and container editions

Commercial use

Baseline Check

13

Optimized the asset fingerprint function.

  • Asset fingerprints can be manually updated.
  • In the detection results of open ports, you can set Dangerous Port to Yes in the search box of the Open Ports area to filter dangerous ports.
  • More than 80 types of assets can be identified by asset fingerprints. The details are as follows:
    • Web service

      Apache, Nginx, Tomcat, WebLogic, WebSphere, JBoss, WildFly, and Jetty

    • Websites

      Apache, Nginx, and Tomcat

    • Web applications

      WordPress, ThinkPHP, JPress, Jenkins, and Zabbix

    • Web frameworks

      Java framework: Struts, Struts2, Spring, Hibernate, WebWork, Quartz, Velocity, Tapestry, Turbine, Freemarker, Flexive, Stripes, Vaadin, Vert.x, Wicket, ZKoss, Jackson, Fastjson, Shiro, MyBatis, Spring MVC, Jersey, and JFinal.

      PHP framework: Drupal, Phalcon, Webasyst, ThinkCMF, Laravel, KYPHP, CodeIgniter, BEdita, Yii, CakePHP, InitPHP, SpeedPHP, ThinkPHP, Cotonti, MODx, Typo3, CanPHP, OneThink, AgileToolkit, CoreThink, CdvPHP, Flight, and PHPixie.

      Python framework: Django, Flask, Tornado, web.py, and web2py.

      Go framework: Gin, Beego, Fasthttp, Iris, and Echo.

    • Databases

      MySQL, Redis, Oracle, MongoDB, Memcache, PostgreSQL, HBase, DB2, Sybase, Dameng, and KingbaseES.

    • Office software

      Chanjet

Editions: premium, WTP, and container editions

Commercial use

Server Fingerprints

Container Fingerprints

14

Optimized emergency vulnerability detection.

Windows emergency vulnerability detection is supported. Emergency vulnerability detection of Linux supports the Arm architecture.

Editions: professional, premium, WTP, and container editions

Commercial use

Vulnerability Scan

15

Optimized policy management.

The Balanced and Sensitive modes are added. In Balanced mode, the threat detection rate and accuracy are relatively balanced. In Sensitive mode, the threat detection rate is high and the security level is higher.

Policies affected by the protection mode: malicious file detection, web shell detection, HIPS detection, antivirus, and abnormal process behavior policies.

Editions: professional, premium, WTP, and container editions

Commercial use

Policy Management

16

Optimized login security detection.

Brute-force cracking of SQL Server accounts can be automatically blocked.

Editions: professional, premium, WTP, and container editions

Commercial use

Policy Management

17

Added security scanning for third-party image repositories.

HSS can scan third-party image repositories manually or periodically to detect vulnerabilities, baselines, malicious files, software information, file information, sensitive information, software compliance, and basic image information, helping you detect potential security risks in third-party images.

Editions: container edition

Commercial use

Accessing a Third-Party Image Repository

Managing Repository Images

18

Optimized the container cluster protection function.

Added the security and compliance protection policy types. More than 20 protection policies are added, including restricting pods to start privileged containers, restricting the range of host directories that can be mounted to pods, restricting the Proc types that can be mounted to pods, and restricting Linux capabilities configured in pods. The protection policies meet container cluster protection requirements in different scenarios.

Editions: container edition

Commercial use

Container Cluster Protection

September 2024

No.

Feature

Description

Phase

Related Document

1

Added the multi-cloud cluster management function.

HSS supports unified management of third-party cloud clusters and IDC self-built clusters, and provides full-lifecycle security protection for containers.

Editions: container edition

Commercial use

Connecting to Container Assets

2

Added the container audit function.

Container audit monitors and records operations and activities of cluster containers, independent containers, and the SWR image repositories. You can view and analyze their logs on the HSS console.

Editions: container edition

Commercial use

Container Audit Overview

3

Added the monthly operation report.

On the first day of each month, HSS generates a security operations summary report for the previous month. You can review the asset security status and security configurations, analyze the monthly operation report, and harden configurations and improve O&M efficiency accordingly.

Editions: all editions

Commercial use

Checking a Monthly Operation Report

4

Added the dynamic port honeypot function.

The dynamic port honeypot function is a deception trap. It uses a real port as a bait port to induce attackers to access the network. In lateral movement (horizontal penetration) scenarios, the function can effectively detect attackers' scanning, identify compromised servers, and protect the user's real resources.

You can enable the dynamic port honeypot using recommended ports or user-defined ports to deceive compromised servers and reduce the risk of resource intrusion.

Editions: premium, WTP, and container editions

OBT

Dynamic Port Honeypot

5

IPv6 server security protection is supported.

IPv6 server security protection is supported. Multiple security management and defense capabilities are provided, such as asset management, vulnerability management, baseline check, and intrusion detection, meeting customers' security protection requirements in multiple scenarios.

Editions: all editions

Commercial use

HSS Functions

6

Optimized the virus scanning and removal function.

The function supports automatic isolation of virus files.

Editions: professional, enterprise, premium, WTP, and container editions

OBT

Virus Scanning and Removal

7

Optimized emergency vulnerability scanning.

The emergency vulnerability scanning function can scan for the RunC container escape vulnerability.

Editions: professional, enterprise, premium, WTP, and container editions

Commercial use

Vulnerability Scan

8

Optimized vulnerability fixing.

Fixing CCE kernel vulnerabilities may bring inconvenience to your services. When you use HSS to fix system vulnerabilities, batch fixing can automatically filter out CCE kernel vulnerabilities. Fixing a single CCE kernel vulnerability is not supported.

Editions: professional, enterprise, premium, WTP, and container editions

Commercial use

Fixing Vulnerabilities

9

Optimized the container firewall function.

The container firewall function allows you to configure security group policies to protect clusters of the cloud native network 2.0 model.

Editions: container edition

Commercial use

Container Firewall

10

Optimized policy management.

  • The container information module detection policy is added.

    Editions: container edition

  • When all projects are selected for enterprise projects, modifications to a default policy can be applied and saved to other enterprise projects of the same version.

    Editions: professional, enterprise, premium, WTP, and container editions

  • Optimized the configuration items of web shell detection, file protection, login security detection, malicious file detection, abnormal process behavior, root privilege escalation, real-time process, and rootkit detection policies.

    Editions: professional, enterprise, premium, WTP, and container editions

  • Optimized the configuration items of asset discovery, configuration detection, and port scanning detection policies.

    Editions: premium, WTP, and container editions

Commercial use

Configuration Policy

November 2023

No.

Feature

Description

Phase

Related Document

1

Added the virus scanning and removal function.

The function uses the virus detection engine to scan virus files on the server. The scanned file types include executable files, compressed files, script files, documents, images, and audio and video files. You can perform quick scan and full-disk scan on the server as required. You can also customize scan tasks and handle detected virus files in a timely manner to enhance the virus defense capability of the service system.

Editions: professional, enterprise, premium, WTP, and container editions

Commercial use

Virus Scanning and Removal

2

Added the emergency vulnerability scanning function.

The emergency vulnerability scan function checks whether the software and any dependencies running on the server have vulnerabilities through version comparison and POC verification. It reports risky vulnerabilities to the console and provides vulnerability alarms for you.

Editions: professional, enterprise, premium, WTP, and container editions

Commercial use

Vulnerability Management

3

Added the automatic quota binding function.

After purchasing a yearly/monthly quota, you need to bind the quota to a server to enable protection. To prevent resource waste, you can enable the automatic quota binding function. HSS automatically binds quotas to unprotected servers.

Editions: all editions

Commercial use

Automatic Quota Binding

4

Added the automatic agent upgrade function.

The agent edition is continuously updated to improve server protection capabilities. Therefore, you need to periodically upgrade the agent to the latest version. If you cannot manually upgrade the agent in a timely manner, you are advised to enable the automatic agent upgrade function. HSS will automatically upgrade the agent to the latest version.

Editions: all editions

Commercial use

Automatic Agent Upgrade

5

Optimized container image security scanning.

  • Added security scanning of SWR enterprise edition images.
  • Private images and shared images can be scanned for application vulnerabilities.
  • Baseline check reports can be exported for private images and shared images.

Editions: container edition

Commercial use

Container Image

6

Optimized the vulnerability report.

Vulnerability reports can be exported in PDF or HTML format.

Editions: professional, enterprise, premium, WTP, and container editions

Commercial use

Exporting a Vulnerability Report

7

Optimized the alarm notification.

Users are notified of successful automatic isolation and killing of malicious programs, automatic blocking of ransomware, and automatic blocking of WTP.

Editions: professional, enterprise, premium, WTP, and container editions

Commercial use

Enabling Alarm Notifications

8

Optimized the agent installation and configuration.

The same agent installation command is used for the same OS.

Editions: all editions

Commercial use

Installing an Agent

9

Container cluster protection

HSS can check for non-compliant baseline issues, vulnerabilities, and malicious files when a container image is started, and report alarms on or block container startup that has not been authorized or may incur high risks. You can configure container cluster protection policies to block images with vulnerabilities, malicious files, non-compliant baselines, or other threats, hardening cluster security.

Editions: container edition

Commercial use

Enabling Container Cluster Protection

10

Application process control

HSS can control different types of application processes on servers. Suspicious and trusted processes are allowed to run, and alarms are generated for malicious processes.

Editions: premium, WTP, and container editions

Commercial use

Enabling Application Process Control

11

Cluster agent management

To enable protection for all containers in a CCE cluster or an on-premises Kubernetes cluster, you can use the cluster agent management function to install the agent in the cluster. After this function is enabled, you do not need to manually install the agent on new nodes or pods added to the cluster.

Editions: container edition

Commercial use

Installing the Agent in a Cluster

12

Backup before vulnerability fixing

Vulnerability fixing may fail and interrupt services. To avoid this problem, HSS enables you to back up servers before fixing vulnerabilities. If an exception occurs, you can restore servers to ensure service continuity.

Editions: professional, enterprise, premium, WTP, and container editions

Commercial use

Fixing Vulnerabilities

13

Optimized Dashboard page

The quota management, protection overview, and news modules are added to the HSS Dashboard page. You can easily check the quota usage, enabling status of key functions, and the latest vulnerability information. The security score criteria are optimized to help you quickly locate security risks and improve the security score.

Editions: all editions

Commercial use

Dashboard

14

Optimized intrusion detection alarms

  • The intrusion detection capability is enhanced. HIPS can detect intrusions in the Linux system. The following types of server and container alarms are added:
    • Servers: abnormal outbound connection and port forwarding
    • Containers: hacker tool, user password theft, file privilege escalation, port forwarding, and abnormal outbound connection
  • The functions of checking and handling intrusion alarms are optimized:
    • ATT&CK phases, forensics, suggestions, and the handling records of similar alarms are added to alarm details, helping you quickly analyze and handle alarms.
    • You can add alarms to the whitelist and create whitelist rules to improve whitelist rule hits and reduce duplicate alarms.
    • When handling a single alarm or handling alarms in batches, you can select Handle duplicate alarms in batches to improve efficiency.

Editions: professional, enterprise, premium, WTP, and container editions

Commercial use

Handling Server Alarms

Handling Container Alarms

15

Optimized ransomware prevention

Ransomware prevention will be enabled with the HSS premium or higher edition.

Editions: premium, WTP, and container editions

Commercial use

Enabling Ransomware Prevention

July 2023

No.

Feature

Description

Phase

Related Document

1

Server vulnerability management

The vulnerability management page is redesigned. The new functions are as follows:

  • Vulnerability and server views: You can view the servers affected by a vulnerability in the vulnerability view, and view the vulnerabilities on a server in the server view.
  • Vulnerability tags: Category tags are added for vulnerabilities and can be used to filter vulnerabilities.
  • Vulnerability whitelist: After a vulnerability is added to the whitelist, its record displayed in the vulnerability list will be marked as ignored and no alarm will be reported. When a new vulnerability scan task is executed, this vulnerability will not be scanned or displayed.
  • Vulnerability handling history: For vulnerabilities that have been handled, you can check who handled them, when they were handled, and the handling results.
  • Automatic vulnerability scan policy: You can specify the scan schedule, scope, and servers for HSS to automatically scan for vulnerabilities.

Commercial use

2

Intrusion detection

  • Added automatic blocking of reverse shells. To use this function, enable reverse shell detection, automatic blocking, and the automatic isolation and killing of malicious programs.
  • Added the brute-force attack whitelist: To stop HSS from blocking an IP address suspected of brute-force attacks, you can edit the login security detection policy to add the IP address to the whitelist. You can also configure whether to generate alarms for the brute-force attacks launched from whitelisted IP addresses.

Commercial use

3

Container asset fingerprint

Information about accounts, auto-started items, clusters, services, workloads, and container instances can be collected to help you identify insecure container assets.

Commercial use

Viewing Container Asset Fingerprints

4

Container image security

  • Vulnerability reports can be exported for local images.
  • SWR private images support software compliance, basic image information scan, and vulnerability report export.
  • SWR shared images support scans for vulnerabilities, malicious files, and software information, as well as vulnerability report export.

Commercial use

Container Images

5

Container intrusion detection

  • Added Docker and Containerd runtime detection.
  • Alarms can be generated for brute-force attacks, malicious files, ransomware, process privilege escalation, and high-risk command executions in container runtime, helping you detect threats in assets in a timely manner.

Commercial use

Container Alarm Events

6

Container security response

You can isolate, suspend, kill, and restore containers with medium or higher security risks to prevent them from affecting secure containers.

Commercial use

Handling Risk Containers

7

Container firewall

The HSS container firewall controls and intercepts network traffic inside and outside a container cluster to prevent malicious access and attacks.

Commercial use

Container Firewall

June 2023

No.

Feature

Description

Phase

Related Document

1

HSS professional edition

HSS provides the professional edition, where you can isolate and kill Trojans, and can scan for and fix vulnerabilities in a few clicks.

Commercial use

Purchasing an HSS Quota

March 2023

No.

Feature

Description

Phase

Related Document

1

Honeypot file protection for Windows

Honeypot files can be deployed in protected directories and important directories (except for the excluded directories specified by users) to trap possible ransomware. If an unknown ransomware attempts to encrypt a honeypot file, HSS immediately generates an alarm.

Commercial use

Enabling Ransomware Prevention

2

The Windows policy group supports antivirus and host intrusion prevention system (HIPS) detection policies.

You can set antivirus detection policies for Windows servers to report, isolate, and kill viruses. You can also set HIPS detection policies to detect registries, files, and processes; and to report alarms for suspicious operations such as abnormal changes.

Commercial use

Policy Group

3

Trojans, viruses, and worms can trigger HID alarms.

HSS can detect, generate alarms on, and remove Trojans, viruses, and worms that intrude into servers.

Commercial use

Server Alarms

4

The Docker plug-in is added to enhance container security.

To improve container security capabilities, the Docker plug-in must be installed for Docker containers (Linux).

Commercial use

Installing a Plug-in

January 2023

No.

Feature

Description

Phase

Related Document

1

Batch agent installation

The agent can be installed on multiple servers in batches.

Commercial use

Installing Agents in Batches

2

Privileged processes can be configured in the WTP edition.

If WTP is enabled, the content in the protected directories is read-only. To allow certain processes to modify files in the directories, add them to the privileged process list.

Only modifications made by privileged processes can take effect. Modifications made by other processes will be automatically rolled back.

Commercial use

Adding a Privileged Process