Updated on 2026-04-16 GMT+08:00

Policy Management Overview

What Is a Policy Group?

HSS comes in multiple editions, including basic, professional, enterprise, premium, WTP, container, and serverless editions. Except for the basic edition, they each have a default protection policy group. A policy group is a collection of policies. These policies can be applied to servers to centrally manage and configure the sensitivity, rules, and scope of HSS detection and protection.

You can create custom policy groups for HSS premium and container editions. If you have multiple servers protected by the premium or container edition but have different protection requirements for them, you can create custom policy groups for different servers and deploy different policy groups. For details, see Creating a Custom Policy Group.

What Policies Does a Policy Group Contain?

Policy groups vary by edition, as shown in Table 1. You can customize policies for asset management, baseline inspection, and intrusion detection as needed. For details, see Configuring Policies.

Table 1 Policies

Each policy is listed with its description, default status, action, suggestion, supported OS, and supported HSS editions, grouped by function type.

Function type: Asset management

Asset discovery
  Description: Scan and display all software in one place, including software name, path, and major applications, helping you identify abnormal assets.
  Default status: Enabled
  Action: Scan
  Suggestion: You are advised to enable it.
  Supported OS: Linux and Windows
  Supported HSS editions: Enterprise, Premium, WTP, Container, Serverless

Function type: Baseline inspection

Weak password detection
  Description: Detect weak passwords so that you can change them to stronger ones based on HSS scan results and suggestions.
  Default status: Enabled
  Action: Scan
  Suggestion: You are advised to enable it.
  Supported OS: Linux and Windows
  Supported HSS editions: Professional, Enterprise, Premium, WTP, Container

Configuration check
  Description: Detect unsafe Tomcat, Nginx, and SSH login configurations.
  Default status: Enabled
  Action: Scan
  Suggestion: You are advised to enable it.
  Supported OS: Linux and Windows
  Supported HSS editions: Enterprise, Premium, WTP, Container

Container information collection
  Description: Collect information about all containers on a server, including ports and directories, and report alarms for risky information.
  Default status: Enabled
  Action: Scan
  Suggestion: Must be enabled. It is the basic policy for container protection.
  Supported OS: Linux
  Supported HSS editions: Container

Function type: Intrusion detection

Antivirus
  Description: Check server assets and report, isolate, and kill detected viruses. The generated alarms are displayed under Detection & Response > Alarms > Server Alarms > Event Types > Malware. After antivirus is enabled, the resource usage and function availability are as follows:
  Default status: Enabled
  Action: Scan and automatic isolation are supported. The default action is automatic isolation.
  Suggestion: You are advised to enable it together with automatic isolation.
  Supported OS: Linux and Windows
  Supported HSS editions: Professional, Enterprise, Premium, WTP, Container

Cluster intrusion detection
  Description: Detect high-privilege changes, creation of critical information, and virus intrusion in containers. This policy applies only to third-party clusters.
  Default status: Disabled
  Action: Scan
  Suggestion: This policy does not take effect if it is enabled alone. You also need to enable auditing on the API server of the target cluster. For details, see How Do I Enable the API Server Audit for an On-Premises Kubernetes Container?
  Supported OS: Linux
  Supported HSS editions: Container

Container escape
  Description: Check for container escapes and generate alarms. If you do not want to detect container escape for certain containers, add their image, process, and pod names to the whitelist.
  Default status: Disabled
  Action: Scan
  Suggestion: You are advised to enable the policy after configuring the image, process, and pod whitelists.
  Supported OS: Linux
  Supported HSS editions: Container, Serverless

Container anti-escape
  Description: Container escape prevention monitors five types of abnormal runtime behavior (processes, files, network activities, process capabilities, and system calls) on containers and their hosts, reports alarms, and blocks the abnormal behaviors to enhance container security. To use it, configure a container escape prevention policy, select a protected object (a server or container), and enable the policy.
  Default status: Disabled
  Action: Scanning and blocking are supported. The default action is blocking.
  Suggestion: You are advised to enable the policy after configuring the protection scope.
  Supported OS: Linux
  Supported HSS editions: Container

Abnormal container behavior
  Description: Check for programs not in the image (such as Trojans implanted by attackers) that start while a container is running, to defend against unknown attacks. Container infrastructure is immutable, so any program started outside the image is regarded as abnormal. Processes are monitored and alarms are reported in real time.
  After the policy is enabled, HSS learns the behavior of started containers by image. When learning is complete, a baseline library is established and HSS checks the processes started in containers against it. If a process started in a container is not in the baseline library, an alarm is generated. Alarms are classified by whether the software that starts the process is in the image:
    • If the software is known software in the image, an alarm indicating suspicious process startup is reported.
    • If the software is not known software in the image, an alarm indicating dangerous process startup is reported.
  Default status: Disabled
  Action: Scan
  Suggestion: You are advised to enable the policy after configuring the learning duration and whitelist.
  Supported OS: Linux
  Supported HSS editions: Container
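The learn-then-detect flow described for the abnormal container behavior policy, as an added illustration (this is not HSS code). It assumes a per-image list of executables shipped in the image (IMAGE_SOFTWARE), a learning window measured from the first process start seen for that image, and a whitelist; the ProcStart event format and all sample data are constructed for the example.

```python
"""Per-image process baseline: learn during a window, then classify every process
start that is not in the baseline as "suspicious" (known software in the image) or
"dangerous" (not shipped in the image at all). Added example, not HSS code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcStart:
    ts: float        # seconds since monitoring started (assumed event format)
    image: str       # image the container was created from
    container: str   # container name
    exe: str         # absolute path of the executable that started


class ContainerBehaviorMonitor:
    def __init__(self, image_software, learn_seconds, whitelist=()):
        self.image_software = image_software   # image -> executables shipped in the image
        self.learn_seconds = learn_seconds     # configurable learning duration
        self.whitelist = set(whitelist)        # executables that never raise an alarm
        self.learn_start = {}                  # image -> ts of the first observed start
        self.baseline = defaultdict(set)       # image -> executables learned as normal

    def observe(self, ev):
        """Return an alarm tuple for an abnormal start, or None."""
        start = self.learn_start.setdefault(ev.image, ev.ts)
        if ev.ts - start < self.learn_seconds:
            self.baseline[ev.image].add(ev.exe)   # learning phase: record, never alarm
            return None
        if ev.exe in self.baseline[ev.image] or ev.exe in self.whitelist:
            return None
        if ev.exe in self.image_software.get(ev.image, ()):
            severity = "suspicious process startup"   # in the image, but not in the baseline
        else:
            severity = "dangerous process startup"    # not part of the image at all
        return (severity, ev.container, ev.image, ev.exe)


# Constructed sample data (not from any real system).
IMAGE_SOFTWARE = {
    "nginx:1.25": {"/usr/sbin/nginx", "/bin/sh", "/usr/bin/curl", "/bin/cat"},
}
EVENTS = [
    ProcStart(0, "nginx:1.25", "web-0", "/usr/sbin/nginx"),
    ProcStart(30, "nginx:1.25", "web-0", "/bin/sh"),
    ProcStart(45, "nginx:1.25", "web-1", "/usr/sbin/nginx"),
    # the 600 s learning window has elapsed for this image from here on
    ProcStart(900, "nginx:1.25", "web-1", "/usr/sbin/nginx"),   # in baseline
    ProcStart(905, "nginx:1.25", "web-1", "/bin/cat"),          # whitelisted
    ProcStart(910, "nginx:1.25", "web-0", "/usr/bin/curl"),     # in image, not in baseline
    ProcStart(920, "nginx:1.25", "web-0", "/tmp/.x/miner"),     # not in image
]


def run_monitor(events=EVENTS, learn_seconds=600, whitelist=("/bin/cat",)):
    mon = ContainerBehaviorMonitor(IMAGE_SOFTWARE, learn_seconds, whitelist)
    return [a for a in (mon.observe(e) for e in events) if a]


if __name__ == "__main__":
    for alarm in run_monitor():
        print(alarm)
```

Note the failure mode this makes visible: anything that starts during the learning window is silently baselined, so a container that is already compromised when learning begins teaches the monitor that the attacker's binary is normal. That is why the policy should be enabled on known-good containers, with the learning duration and whitelist decided deliberately rather than left open-ended.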

Container information module
  Description: Configure a trusted container whitelist by container name, organization to which the image belongs, and namespace. Whitelisted containers are not checked and generate no alarms.
  Default status: Enabled
  Action: Scan
  Suggestion: You are advised to enable it.
  Supported OS: Linux
  Supported HSS editions: Container, Serverless

Web shell detection
  Description: Scan web directories on servers for web shells.
  Default status: Enabled
  Action: Scan
  Suggestion: You are advised to enable it.
  Supported OS: Linux and Windows
  Supported HSS editions: Professional, Enterprise, Premium, WTP, Container

Container file monitoring
  Description: Detect file access that violates security policies, so that security O&M personnel can check whether attackers are intruding and tampering with sensitive files.
  Default status: Enabled
  Action: Scan
  Suggestion: You are advised to enable the policy after configuring the file monitoring path.
  Supported OS: Linux
  Supported HSS editions: Container

Container process whitelist
  Description: Check for process startups that violate security policies.
  Default status: Disabled
  Action: Scan
  Suggestion: You are advised to enable it.
  Supported OS: Linux
  Supported HSS editions: Container

Suspicious image behaviors
  Description: Configure the image blacklist and whitelist and customize permissions to ignore abnormal behaviors or report alarms.
  Default status: Disabled
  Action: Allow traffic in the user-defined whitelist and block traffic in the user-defined blacklist.
  Suggestion: You are advised to enable the policy after configuring the image blacklist and whitelist.
  Supported OS: Linux
  Supported HSS editions: Container

HIPS detection
  Description: Check registries, files, and processes, and report alarms for operations such as abnormal changes.
  Default status: Enabled
  Action: Scanning and automatic blocking are supported. The default action is scanning.
  Suggestion: You are advised to enable it together with automatic blocking. If automatic blocking is enabled, configure trustworthy processes first.
  Supported OS: Linux and Windows
  Supported HSS editions: Professional, Enterprise, Premium, WTP, Container

File protection
  Description: Check files in the Linux OS, applications, and other components to detect tampering.
  Default status: Enabled
  Action: Scan
  Suggestion: You are advised to enable it.
  Supported OS: Linux and Windows
  Supported HSS editions: Professional, Enterprise, Premium, WTP, Container

Graph engine detection
  Description: Generally, threat behavior detection checks file, process, network, or other information against the threat feature library to identify and block malicious behaviors. But an attack usually involves multiple steps, so identifying it requires correlating multiple behaviors. For example, a vulnerability exploit attack involves scanning and reconnaissance, system intrusion, malicious file implantation, and follow-on attacks.
  Graph engine detection performs source tracing analysis based on the threat information provided by multiple modules (including HIPS detection, AI ransomware detection, and antivirus detection). It correlates and analyzes multiple suspicious process events to identify intrusion behaviors, enhancing defense against vulnerability exploits.
  Default status: Enabled
  Action: Scan
  Suggestion: You are advised to enable it.
  Supported OS: Linux and Windows
  Supported HSS editions: Premium, WTP, Container

Login security check
  Description: HSS can detect brute-force attacks on the following service accounts:
    • Windows: RDP, SQL Server
    • Linux: MySQL, vsftpd, SSH
  The following types of attacks can be detected:
    • Single-IP brute-force attacks: By default, if five or more consecutive incorrect passwords are entered from the same IP address within 30 seconds, or the total number of incorrect passwords entered from the same IP address reaches 15 within 1 hour, HSS generates an alarm for the latest user who entered an incorrect password from that IP address and blocks the IP address (for 12 hours by default) to prevent server intrusions by brute force.
    • Multi-IP brute-force attacks: If HSS detects login attempts from multiple IP addresses and the number of login failures exceeds the preset threshold within the specified time window, an alarm is generated.
  Default status: Enabled
  Action: Scanning and automatic blocking are supported. The default action is automatic blocking.
  Suggestion: You are advised to enable it together with automatic blocking.
  Supported OS: Linux and Windows
  Supported HSS editions: Professional, Enterprise, Premium, WTP, Container
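The single-IP and multi-IP rules described for the login security check, implemented as a sliding-window detector over OpenSSH auth-log lines. This is an added example, not HSS code: the 5-in-30-s, 15-in-1-h and 12-hour-block values come from the page, but the page gives no multi-IP thresholds, so the MULTI_* constants are assumptions, and the sample log lines are constructed.

```python
"""Sliding-window brute-force detector using the thresholds the page gives for the
HSS login security check (added illustration, not HSS code). Single-IP rule from the
page: 5 consecutive failures in 30 s, or 15 failures in 1 h, from one IP -> alarm on
the latest failed user and a 12 h block. The page gives no multi-IP numbers; the
MULTI_* values below are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

CONSEC_FAILS, CONSEC_WINDOW_S = 5, 30                 # from the page
TOTAL_FAILS, TOTAL_WINDOW_S = 15, 3600                # from the page
BLOCK_SECONDS = 12 * 3600                             # from the page (default block)
MULTI_IPS, MULTI_FAILS, MULTI_WINDOW_S = 3, 10, 300   # assumed, not stated on the page

# OpenSSH auth-log line; host name and PID are ignored.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$")


def parse_sshd(line, year=2026):
    """Return (epoch_seconds, failed, user, ip), or None for lines not handled.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").timestamp()
    return ts, m["result"] == "Failed", m["user"], m["ip"]


def _push(window, ts, span):
    """Append ts, then drop entries older than span seconds (sliding window)."""
    window.append(ts)
    while ts - window[0] > span:
        window.popleft()


class BruteForceDetector:
    def __init__(self):
        self.consec = defaultdict(deque)  # ip -> timestamps of the current consecutive-failure run
        self.hourly = defaultdict(deque)  # ip -> failure timestamps within the last hour
        self.recent = deque()             # (ts, ip) for every failure within MULTI_WINDOW_S
        self.blocked = {}                 # ip -> epoch seconds at which its block expires
        self.alarms = []

    def feed(self, line):
        rec = parse_sshd(line)
        if rec is None:
            return None
        ts, failed, user, ip = rec
        if ts < self.blocked.get(ip, 0):
            return None                   # a blocked IP never reaches sshd; nothing to evaluate
        if not failed:
            self.consec[ip].clear()       # a successful login ends the consecutive run
            return None
        _push(self.consec[ip], ts, CONSEC_WINDOW_S)
        _push(self.hourly[ip], ts, TOTAL_WINDOW_S)
        self.recent.append((ts, ip))
        while ts - self.recent[0][0] > MULTI_WINDOW_S:
            self.recent.popleft()
        if len(self.consec[ip]) >= CONSEC_FAILS or len(self.hourly[ip]) >= TOTAL_FAILS:
            alarm = ("single-ip", ip, user)              # names the latest user that failed
            self.blocked[ip] = ts + BLOCK_SECONDS
            self.consec[ip].clear()
            self.hourly[ip].clear()
        else:
            ips = {i for _, i in self.recent}
            if len(ips) < MULTI_IPS or len(self.recent) < MULTI_FAILS:
                return None
            alarm = ("multi-ip", tuple(sorted(ips)), len(self.recent))
            self.recent.clear()                          # one alarm per burst
        self.alarms.append(alarm)
        return alarm


def _line(t, result, user, ip, port):
    return f"{t.strftime('%b %d %H:%M:%S')} web1 sshd[2101]: {result} password for {user} from {ip} port {port} ssh2"


T0 = datetime(2026, 4, 16, 10, 0, 0)
# Constructed sample log: one IP hammering root; a user who succeeds on the 4th try
# (no alarm); then a low-and-slow burst spread over three IPs that never trips the
# single-IP rule but does trip the (assumed) multi-IP rule.
SAMPLE_LINES = (
    [_line(T0 + timedelta(seconds=5 * i), "Failed", u, "203.0.113.5", 51122 + i)
     for i, u in enumerate(["root", "root", "invalid user admin", "root", "invalid user oracle", "root"])]
    + [_line(T0 + timedelta(minutes=2, seconds=10 * i), "Failed", "alice", "198.51.100.7", 40001 + i) for i in range(3)]
    + [_line(T0 + timedelta(minutes=2, seconds=30), "Accepted", "alice", "198.51.100.7", 40004)]
    + [_line(T0 + timedelta(minutes=20, seconds=10 * i), "Failed", "backup", f"192.0.2.{i % 3 + 1}", 50000 + i)
       for i in range(12)]
)


def run_detector(lines=SAMPLE_LINES):
    det = BruteForceDetector()
    for line in lines:
        det.feed(line)
    return det


if __name__ == "__main__":
    for alarm in run_detector().alarms:
        print(alarm)
```

Two design points are worth noting. A success clears only the consecutive-run window, not the hourly count, because an attacker who guesses one account does not reset the evidence of the spray that preceded it. And the multi-IP rule is what catches the third burst, where each address stays under five failures per 30 seconds; a detector with only the per-IP rules is blind to that distribution.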

Malicious file detection
  Description:
    • Reverse shell: monitors user process behavior in real time to detect reverse shells opened over unauthorized connections.
    • Abnormal shell: detects operations on shell files, including moving, copying, and deleting them and modifying their access permissions and hard links.
  Default status: Enabled
  Action: Scan
  Suggestion: You are advised to enable it.
  Supported OS: Linux
  Supported HSS editions: Professional, Enterprise, Premium, WTP, Container

External connection detection
  Description: Detect processes that proactively connect to external networks.
  Default status: Enabled
  Action: Scan
  Suggestion: You are advised to enable it.
  Supported OS: Linux (kernel 5.10 or later)
  Supported HSS editions: Premium, Container

Port scan detection
  Description: Detect scanning or sniffing of specified ports and report alarms.
  Default status: Disabled
  Action: Scan
  Suggestion: After this policy is enabled, packets are captured on the server. Under heavy traffic this adds soft-interrupt load and may affect system performance, so enable it only as needed.
  Supported OS: Linux
  Supported HSS editions: Premium, WTP, Container

Abnormal process behavior
  Description: All running processes on all your servers are monitored. You can create a process whitelist to suppress alarms for trusted processes, and you receive alarms on unauthorized process behavior and intrusions.
  Default status: Enabled
  Action: Scan
  Suggestion: You are advised to enable it.
  Supported OS: Linux
  Supported HSS editions: Professional, Enterprise, Premium, WTP, Container, Serverless

Root privilege escalation
  Description: Detect root privilege escalation through files in the current system.
  Default status: Enabled
  Action: Scan
  Suggestion: You are advised to enable it.
  Supported OS: Linux
  Supported HSS editions: Professional, Enterprise, Premium, WTP, Container, Serverless

Real-time process
  Description: Monitor executed commands in real time and generate alarms when high-risk commands are detected.
  Default status: Enabled
  Action: Scan
  Suggestion: You are advised to enable it.
  Supported OS: Linux and Windows
  Supported HSS editions: Professional, Enterprise, Premium, WTP, Container, Serverless

Rootkit detection
  Description: Scan server assets and report alarms for suspicious kernel modules, files, and folders.
  Default status: Enabled
  Action: Scan
  Suggestion: You are advised to enable it.
  Supported OS: Linux
  Supported HSS editions: Professional, Enterprise, Premium, WTP, Container

Fileless attack detection
  Description: Scan user assets for fileless attacks, including process injection, dynamic library injection, and processes run from memory-only files.
  Default status: Disabled
  Action: Scan
  Suggestion: Enable it to meet special security requirements, for example, during cybersecurity drills or key event assurance.
  Supported OS: Linux
  Supported HSS editions: Premium, WTP, Container

Function type: Self-protection

Windows self-protection
  Description: Prevents malicious programs from uninstalling the agent, tampering with HSS files, or stopping the HSS process.
  NOTE:
    • Self-protection depends on antivirus detection, HIPS detection, and ransomware protection. It takes effect only when more than one of these three functions is enabled.
    • Enabling the self-protection policy has the following impacts:
      • The agent cannot be uninstalled through the control panel of a server. It can be uninstalled through the HSS console.
      • HSS processes cannot be terminated.
      • In the agent installation path C:\Program Files\HostGuard, you can access only the log and data directories (and the upgrade directory, if your agent has been upgraded).
  Default status: Enabled
  Action: Prevent all attempts to uninstall the agent, tamper with HSS files, or stop the HSS process.
  Suggestion: Enable self-protection as needed after you fully understand its impact.
  Supported OS: Windows
  Supported HSS editions: Professional, Enterprise, Premium, WTP

Linux self-protection
  Description: Prevents malicious programs from stopping the HSS process or uninstalling the agent.
  NOTE: Enabling the self-protection policy has the following impacts:
    • The agent cannot be uninstalled using commands, but it can be uninstalled on the HSS console.
    • HSS processes cannot be terminated.
  Default status: Enabled
  Action: Prevent all attempts to stop the HSS process or uninstall the agent.
  Suggestion: Enable self-protection as needed after you fully understand its impact.
  Supported OS: Linux
  Supported HSS editions: Professional, Enterprise, Premium, WTP, Container

Policy Group Protection Modes

Policy groups can detect threats in sensitive or balanced mode to meet the requirements of different scenarios. The two modes apply to the following scenarios:

  • Sensitive mode: applicable to high-security scenarios, such as network protection drills and key event security assurance. It achieves a high threat detection rate.
  • Balanced mode: applicable to routine protection scenarios. Threat detection rate and accuracy are balanced.

Policies affected by the protection mode: malicious file detection, web shell detection, HIPS detection, antivirus, abnormal process behavior, and fileless attack detection. For details about how these policies differ between the two protection modes, see Table 2.

Table 2 Differences between policies in sensitive and balanced modes

Malicious file detection
  Balanced mode: File size: 10 MB. File types: ELF, Python, shell, and web shell.
  Sensitive mode: File size: 50 MB. File types: all.

Web shell detection
  Balanced mode: Suspicious files that match YARA rules are not checked.
  Sensitive mode: All files are checked.

HIPS detection
  Balanced mode: Moderately sensitive.
  Sensitive mode: Highly sensitive. Compared with balanced mode, it is better suited to the special detection rules used in network protection drills and key event assurance.

Antivirus
  Balanced mode: If Protected File Type is set to All, only files with the following file name extensions are checked:
    • Linux: bat, bin, cmd, com, cpl, exe, gadget, inf1, ins, inx, isu, job, jse, js, lnk, msc, msi, msp, mst, paf, pif, ps1, reg, rgs, scr, sct, shb, shs, u3p, vb, vbe, vbs, vbscript, ws, wsf, wsh, doc, dot, wbk, docx, docm, dotm, docb, pdf, wll, wwl, xls, xlt, xlm, xll_, xla_, xla5, xla8, xlsx, xlsm, xltx, xltm, xlsb, xla, xlam, xll, xlw, ppt, pot, pps, ppa, pptx, pptm, potx, potm, ppam, ppsx, ppsm, sldx, sldm, pa, accda, accdb, accde, accdt, accdr, accdu, mda, mde, one, ecf, pub, xps, png, tif, wmf, bmp, gif, jpeg, dwg, ico, pgp, psd, cdr, dxf, emf, eps, jp2, sgi, xpm, dll, sys, rar, zip, 7z, sh, cab, gz, gzip, xz, ace, tar, lzh, lha, bz, bz2, iso, jar, apk, jsp, jspx, php, asp, aspx, ashx, asmx, py, hta, ko
    • Windows: bat, bin, cmd, com, cpl, exe, gadget, inf1, ins, inx, isu, job, jse, js, lnk, msc, msi, msp, mst, paf, pif, ps1, reg, rgs, scr, sct, shb, shs, u3p, vb, vbe, vbs, vbscript, ws, wsf, wsh, doc, dot, wbk, docx, docm, dotm, docb, pdf, wll, wwl, xls, xlt, xlm, xll_, xla_, xla5, xla8, xlsx, xlsm, xltx, xltm, xlsb, xla, xlam, xll, xlw, ppt, pot, pps, ppa, pptx, pptm, potx, potm, ppam, ppsx, ppsm, sldx, sldm, pa, accda, accdb, accde, accdt, accdr, accdu, mda, mde, one, ecf, pub, xps, png, tif, wmf, bmp, gif, jpeg, dwg, ico, pgp, psd, cdr, dxf, emf, eps, jp2, sgi, xpm, dll, sys, rar, zip, 7z, sh, cab, gz, gzip, xz, ace, tar, lzh, lha, bz, bz2, iso, jar, apk, jsp, jspx, php, asp, aspx, ashx, asmx, hta
  Sensitive mode: If Protected File Type is set to All, all types of files are checked.

Abnormal process behavior
  Balanced mode: An alarm is generated only if multiple abnormal process behaviors are detected at the same time.
  Sensitive mode: An alarm is generated immediately when an abnormal process behavior is detected.

Fileless attack detection
  Balanced mode: Parameters such as LD hijacking and Full process detection cannot be configured. Fileless attacks that use dynamic-link library (DLL) injection cannot be detected or blocked.
  Sensitive mode: You can configure LD hijacking and Full process detection, and configure Path trustlist as needed to fine-tune whitelist rules and reduce false positives.