
Functions and Features

Updated at: Sep 23, 2020 GMT+08:00

HSS provides asset management, vulnerability management, intrusion detection, baseline inspection, and web tamper protection (WTP) functions.

Asset Management

Deeply scan the accounts, ports, processes, web directories, software information, and auto-started tasks on your servers. You can manage all your information assets on the Assets page.

Table 1 Asset management

Function: Account information management
Description: Check and manage all accounts on your servers to keep them secure. You can check real-time and historical account information to find suspicious accounts.
  • Real-time account information includes Account ID, server quantity and names, Administrator Rights, User Group, User Directory, and User Startup Shell.
  • The operation history of an account includes the Action, Account ID, Administrator Rights, User Group, User Directory, User Startup Shell, and Time of the action.
Check mode: Real-time check

Function: Open port check
Description: Check open ports on your servers, including risky and unknown ports. You can check Port Type, Servers, Risk Level, Status, Port Description, and the specific Server, Bound IP Address, Status, PID, and Program File of a port.
Check mode: Real-time check

Function: Process check
Description: Check processes on your servers and find abnormal processes. You can check Process Name, Servers, Total Number of Processes, Total Number of File Names, and the specific Server, Process Path, File Permission, User, PID, and startup time of a process.
Check mode: Real-time check

Function: Web directory management
Description: Check and manage directories used by web services on your servers. You can check the File Path, Application Type, Local Port, URL, PID, and Program File.
Check mode: Real-time check

Function: Software information management
Description: Check and manage all software installed on your servers, and identify insecure versions. You can check real-time and historical software information to determine whether the software is risky.
  • Real-time software information includes the Software Name, server quantity and names, and Software Version.
  • The software operation history includes Action, Software Name, Software Version, and Time.
  • You can use the manual detection function to check software information.
Check mode:
  • Automatic check in the early morning every day
  • Manual check

Function: Auto-startup
Description: Check and list auto-started services, scheduled tasks, pre-loaded dynamic libraries, run registry keys, and startup folders. You are notified immediately when abnormal auto-start items are detected, so you can quickly locate Trojans.
Check mode: Real-time check

Vulnerability Management

The vulnerability management function detects vulnerabilities and risks in Linux OSs, Windows OSs, and Web content management systems (Web-CMSs).

Table 2 Vulnerability management

Function: Software vulnerability detection
Description: Check vulnerabilities in Linux and Windows OSs. Check and handle vulnerabilities in your system and in software (such as SSH, OpenSSL, Apache, and MySQL) that you obtained from official sources and have not compiled yourself.
Check mode:
  • Automatic check in the early morning every day
  • Manual check

Function: Web-CMS vulnerability detection
Description: Check and handle vulnerabilities found by scanning web directories and files in your Web-CMS.

Baseline Inspection

The baseline check function detects risky configurations of server systems and key software.

Table 3 Baseline inspection

Function: Password policy check
Description:
  • Check whether your password complexity policy is adequate, and modify it based on the suggestions HSS provides to improve password security.
  • You can use the manual detection function to check password complexity policies.
Check mode:
  • Automatic check in the early morning every day
  • Manual check

Function: Common weak password detection
Description:
  • Check for weak passwords and remind users to change them, so that the passwords cannot be easily guessed.
  • On the Common Weak Password Detection tab, you can view the account name, account type, and usage duration of a weak password.
  • You can use the manual detection function to detect weak passwords on servers.
Check mode:
  • Automatic check in the early morning every day
  • Manual check

Function: Unsafe configuration item check
Description: Check for unsafe Tomcat, Nginx, and SSH login configurations. On the Configure Detection page, you can view the description, matched detection rule, threat level, and status of a configuration.
  • You can handle risky configuration items and ignore trusted items based on the detection rules and detection results.
  • You can use the manual detection function to check key configurations.
Check mode:
  • Automatic check in the early morning every day
  • Manual check

Intrusion Detection

The intrusion detection function identifies and prevents intrusions into servers, discovers risks in real time, detects and kills malicious programs, and identifies web shells and other threats.

Table 4 Intrusion detection

Intrusion: Brute-force attack
How HSS detects it: Detect brute-force attacks on SSH, RDP, FTP, SQL Server, and MySQL accounts.
  • If the number of brute-force attempts from an IP address reaches 5 within 30 seconds, the IP address is blocked. By default, suspicious SSH attackers are blocked for 12 hours; other types of suspicious attackers are blocked for 24 hours.
  • You can check whether an IP address is trustworthy based on its attack type and how many times it has been blocked, and manually unblock the IP addresses you trust.
Check mode: Real-time check

Intrusion: Abnormal login
How HSS detects it: Detect abnormal login behavior, such as remote logins and brute-force attacks.
  • Check and handle remote logins. HSS can show the blocked login IP addresses, and who used them to log in to which servers at what time. If a user logs in from a location that is not one of the common login locations you set, an alarm is triggered.
  • Trigger an alarm if a user logs in by means of a brute-force attack.
Check mode: Real-time check

Intrusion: Malicious program (cloud scan)
How HSS detects it: Check and kill malware, such as viruses, Trojan horses, web shells, worms, mining software, unknown malicious programs, and variants, with just a few clicks. Malware is found and removed through analysis of program characteristics and behaviors, AI image fingerprint algorithms, and cloud scanning and killing. You can manually isolate and kill identified and suspicious malicious programs, and cancel the isolation of and ignore trusted programs.
Check mode: Real-time check

Intrusion: Abnormal process behavior
How HSS detects it: All running processes on all your servers are monitored. You can create a process whitelist to suppress alarms on trusted processes, and receive alarms on unauthorized process behavior and intrusions. The following abnormal process behavior can be detected:
  • Abnormal CPU usage
  • Processes accessing malicious IP addresses
  • Abnormal increase in concurrent process connections
Check mode: Real-time check

Intrusion: Changes made to critical files
How HSS detects it:
  • Check alarms about modifications to key files (such as ls, ps, login, and top).
  • Key file change information includes the paths of the modified files, the last modification time, and the names of the servers storing the configuration files.
Check mode: Real-time check

Intrusion: Web shells
How HSS detects it: Check whether the files (often PHP and JSP files) in your web directories are web shells.
  • Web shell information includes the Trojan file path, status, first discovery time, and last discovery time. You can choose to ignore warnings on trusted files.
  • You can use the manual detection function to detect web shells on servers.
Check mode:
  • Real-time check
  • Manual check

Intrusion: Reverse shell
How HSS detects it: Monitor user process behavior in real time to detect reverse shells caused by invalid connections. Reverse shells can be detected for protocols including TCP, UDP, and ICMP.
Check mode: Real-time check

Intrusion: Abnormal shell
How HSS detects it: Detect actions on abnormal shells, including moving, copying, and deleting shell files, and modifying the access permissions and hard links of the files.
Check mode: Real-time check

Intrusion: High-risk command execution
How HSS detects it: Check executed commands in real time and generate alarms on high-risk commands.
Check mode: Real-time check

Intrusion: Auto-startup check
How HSS detects it: Check and list auto-started services, scheduled tasks, pre-loaded dynamic libraries, run registry keys, and startup folders.
Check mode: Real-time check

Intrusion: Unsafe account
How HSS detects it: Scan accounts on servers and list suspicious accounts in a timely manner. You can check the name, user group, UID/SID, user directory, and startup shell of an account.
Check mode: Real-time check

Intrusion: Privilege escalation
How HSS detects it: Detect privilege escalation for processes and files in the current system. The following abnormal privilege escalation operations can be detected:
  • Root privilege escalation by exploiting SUID program vulnerabilities
  • Root privilege escalation by exploiting kernel vulnerabilities
  • File privilege escalation
Check mode: Real-time check

Intrusion: Rootkit
How HSS detects it: Detect suspicious rootkit installation in a timely manner by checking:
  • File signatures
  • Hidden files, ports, processes, and kernel modules
Check mode: Automatic check every day
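The brute-force rule in Table 4 (5 failed attempts from one IP address within 30 seconds; SSH sources blocked for 12 hours, other services for 24 hours) is easiest to understand as a sliding-window counter with a per-service block duration and an operator-managed allowlist for trusted addresses. The following is an added example run over constructed log lines, not HSS code: the log format, the lowercase service names, the RFC 5737 documentation addresses and the SAMPLE_TRUSTED allowlist are all assumptions made for the illustration.

```python
"""Sliding-window brute-force detector illustrating the Table 4 rule.

Added example, not HSS code. Thresholds are the ones stated on the page:
5 failed attempts from one IP address within 30 seconds trigger a block;
blocked SSH sources stay blocked for 12 hours, other services for 24 hours.
The log format and all addresses below are constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                                   # failed attempts from one IP ...
WINDOW = timedelta(seconds=30)                  # ... within this sliding window
BLOCK_DURATION = {"ssh": timedelta(hours=12)}   # per-service block length
DEFAULT_BLOCK = timedelta(hours=24)             # every other service

# Constructed log lines: "<ISO timestamp> <service> <source IP> <FAIL|OK>".
SAMPLE_LOG = """\
2020-09-23T02:00:00 ssh 203.0.113.7 FAIL
2020-09-23T02:00:01 ssh 203.0.113.7 FAIL
2020-09-23T02:00:02 ssh 203.0.113.7 FAIL
2020-09-23T02:00:03 ssh 203.0.113.7 FAIL
2020-09-23T02:00:04 ssh 203.0.113.7 FAIL
2020-09-23T02:01:00 mysql 198.51.100.9 FAIL
2020-09-23T02:01:10 mysql 198.51.100.9 FAIL
2020-09-23T02:01:20 mysql 198.51.100.9 FAIL
2020-09-23T02:01:30 mysql 198.51.100.9 FAIL
2020-09-23T02:01:40 mysql 198.51.100.9 FAIL
2020-09-23T02:02:00 ssh 203.0.113.7 FAIL
2020-09-23T02:03:00 rdp 192.0.2.5 FAIL
2020-09-23T02:03:01 rdp 192.0.2.5 FAIL
2020-09-23T02:03:02 rdp 192.0.2.5 FAIL
2020-09-23T02:03:03 rdp 192.0.2.5 FAIL
2020-09-23T02:03:04 rdp 192.0.2.5 FAIL
2020-09-23T02:03:05 rdp 192.0.2.5 OK
"""
SAMPLE_TRUSTED = frozenset({"192.0.2.5"})   # constructed operator-trusted address


def parse_line(line):
    """Split one constructed log line into (timestamp, service, ip, failed)."""
    ts, service, ip, outcome = line.split()
    return datetime.fromisoformat(ts), service.lower(), ip, outcome == "FAIL"


class BruteForceDetector:
    def __init__(self, trusted_ips=()):
        self.trusted = set(trusted_ips)
        self.failures = defaultdict(deque)  # (ip, service) -> recent failure times
        self.blocks = {}                    # ip -> (service, expiry time)

    def is_blocked(self, ip, now):
        """True while a block for ip is still in force; expired blocks are dropped."""
        entry = self.blocks.get(ip)
        if entry is None:
            return False
        if now >= entry[1]:
            del self.blocks[ip]
            return False
        return True

    def observe(self, ts, service, ip, failed):
        """Feed one login event. Returns the block expiry time if this event
        triggered a new block, otherwise None."""
        if not failed or ip in self.trusted or self.is_blocked(ip, ts):
            return None
        recent = self.failures[(ip, service)]
        recent.append(ts)
        while ts - recent[0] > WINDOW:      # drop attempts older than the window
            recent.popleft()
        if len(recent) < THRESHOLD:
            return None
        expiry = ts + BLOCK_DURATION.get(service, DEFAULT_BLOCK)
        self.blocks[ip] = (service, expiry)
        recent.clear()
        return expiry

    def unblock(self, ip):
        """Manual unblock for an address the operator has judged trustworthy."""
        return self.blocks.pop(ip, None) is not None


def run_detector(log_text, trusted_ips=SAMPLE_TRUSTED):
    """Replay log lines; return the detector and the list of blocks it raised."""
    det = BruteForceDetector(trusted_ips)
    raised = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, service, ip, failed = parse_line(line)
        expiry = det.observe(ts, service, ip, failed)
        if expiry is not None:
            raised.append((ip, service, expiry.isoformat()))
    return det, raised


if __name__ == "__main__":
    _, blocks = run_detector(SAMPLE_LOG)
    for ip, service, until in blocks:
        print(f"blocked {ip} ({service}) until {until}")
```

On the sample log the SSH source is blocked at its fifth failure and stays blocked until 14:00:04; the MySQL source spreads its five failures over 40 seconds and never fills the 30-second window, so it is only logged; the trusted RDP address is skipped entirely, and a further SSH failure from an already-blocked address does not start a second block. Failures are counted per (address, service) pair, which is why the per-service block duration can be chosen at block time.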

Advanced Protection

Function: Application recognition service (ARS)
Description: Set whitelist policies, and determine whether applications are Trusted, Untrusted, or Unknown. Applications that are not whitelisted are not allowed to run. This function protects your servers from untrusted or malicious applications and reduces unnecessary resource usage.
Check mode: Real-time check

Function: File integrity monitoring (FIM)
Description: Check the files in the Linux OS, applications, and other components to detect tampering.
Check mode: Real-time check

Function: Ransomware prevention
Description: Analyze operations on servers, identify trusted applications, and report alarms on or block untrusted applications, depending on your settings.
Check mode: Real-time check
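The "Changes made to critical files" row in Table 4 and the file integrity monitoring (FIM) row above both rest on the same idea: record a trusted baseline of each watched file and compare the live file against it. The following is an added example of that baseline-and-compare check, not HSS's implementation. It builds its own throwaway directory, so the bin/ls, bin/ps, bin/login, bin/top and bin/sh paths are constructed stand-ins for the critical files the page names, not the real system binaries.

```python
"""Baseline-and-compare file integrity check for watched critical files.

Added example, not HSS code. It records a SHA-256 digest and the permission
bits of each watched file, then reports content changes, permission changes,
missing files and newly appeared files. demo() builds a throwaway tree, so
the "bin/..." names are constructed stand-ins, not real system binaries.
"""
import hashlib
import stat
import tempfile
from pathlib import Path

# Constructed watch list, mirroring the critical files the page mentions.
WATCHED = ["bin/ls", "bin/ps", "bin/login", "bin/top", "bin/sh"]


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, watched=WATCHED):
    """Record digest and permission bits for every watched file that exists."""
    baseline = {}
    for rel in watched:
        p = Path(root, rel)
        if p.is_file():
            baseline[rel] = {"sha256": sha256_file(p),
                             "mode": stat.S_IMODE(p.stat().st_mode)}
    return baseline


def check_integrity(root, baseline, watched=WATCHED):
    """Compare the current state of the watched files against the baseline."""
    report = {"modified": [], "permission_changed": [], "missing": [], "new": []}
    for rel in watched:
        p = Path(root, rel)
        if rel not in baseline:
            if p.is_file():
                report["new"].append(rel)      # appeared after the baseline was taken
            continue
        if not p.is_file():
            report["missing"].append(rel)      # deleted or moved away
            continue
        if sha256_file(p) != baseline[rel]["sha256"]:
            report["modified"].append(rel)     # content replaced or patched
        if stat.S_IMODE(p.stat().st_mode) != baseline[rel]["mode"]:
            report["permission_changed"].append(rel)
    return report


def demo():
    """Build a throwaway tree, take a baseline, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as root:
        bindir = Path(root, "bin")
        bindir.mkdir()
        for name in ("ls", "ps", "login", "top"):
            target = bindir / name
            target.write_text(f"#!/bin/sh\necho original {name}\n")
            target.chmod(0o755)
        baseline = build_baseline(root)

        (bindir / "ls").write_text("#!/bin/sh\necho replaced ls\n")  # content changed
        (bindir / "ps").chmod(0o777)                                 # made world-writable
        (bindir / "top").unlink()                                    # removed
        (bindir / "sh").write_text("#!/bin/sh\n")                    # new, never baselined
        return check_integrity(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files or '-'}")
```

demo() reports bin/ls as modified, bin/ps as permission_changed, bin/top as missing and bin/sh as new, while the untouched bin/login produces nothing. Two design points matter in practice: the baseline has to be kept somewhere the monitored host cannot silently rewrite (off-host, or signed), and a change report is only as good as the watch list, which is why the page's own list starts with the binaries an intruder has the most reason to replace.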

WTP

Web Tamper Protection (WTP) can detect and prevent tampering of files in specified directories, including web pages, documents, and images, and quickly restore them using valid backup files.

Table 5 WTP

Function: Static WTP
Description: Prevents static web page files on website servers from being tampered with.
Check mode: Real-time check

Function: Net disk tampering prevention
Description: Prevents web page files in shared net disks from being tampered with.

Function: Dynamic WTP
Description: Prevents dynamic web page content in website databases from being tampered with.
