Checking and Handling Application Events
If a whitelist policy takes effect on your servers, HSS will check and mark applications as trusted, untrusted, or unknown, and report alarms on or isolate the applications that are not in the whitelist.
You can manually mark alarmed applications as trusted, untrusted, or unknown.
If you determine that a program is malicious, you can manually isolate and kill it. When an application is isolated and killed, it is terminated immediately. To avoid impact on services, check the detection result, and cancel the isolation of, or unignore, any applications misreported as malicious.
The event management list displays untrusted and unknown applications, and the applications that are not in the whitelist policy.
You are advised to check and handle the alarmed applications in a timely manner.
ARS is a trial function in the current version. To use stronger functions, purchase HSS (New).
Checking Application Events
- Log in to the management console.
- In the upper left corner of the page, select a region, click , and choose .
- On the Programs page, click the Events tab, as shown in Figure 1.
Table 1 Application event parameters

| Parameter | Description |
| --- | --- |
| Program Path | Path of an application |
| Marked As | Application status. It can be Trusted, Untrusted, or Unknown. |
| Affected Server & IP | Name and IP address of an affected server |
| Matched Whitelist Policy | Whitelist policy that matches an alarm |
| Reported | Time when an alarm is reported |
| Event Details | Brief description of an alarm event |
| Status | Application event status. Its value can be Handled or Unhandled. |

Handling Application Events
- In the Operation column of an event, click Handle, as shown in Figure 2.
- In the displayed Handle Event dialog box, select an action, as shown in Figure 3.
Table 2 Event handling actions

| Action | Description |
| --- | --- |
| Trust | Marks an application as trusted. The application startup will no longer trigger alarms. |
| Untrust | Marks an application as untrusted. The application startup will trigger alarms. |
| Mark as unknown | Marks an application as unknown. The application startup will trigger alarms. |
| Isolate and kill | If a program is isolated and killed, it will be terminated immediately and no longer able to perform read or write operations. Isolated source files of programs or processes are displayed on the Isolated Files slide-out panel and cannot harm your servers. You can click Isolated Files in the upper right corner to check the files. For details, see Managing Isolated Files. NOTE: When an application is isolated and killed, it is terminated immediately. To avoid impact on services, check the detection result, and cancel the isolation of or unignore misreported malicious files (if any). |
| Don't isolate or kill | Cancels the isolation and killing of an application. NOTE: Exercise caution when performing this operation. If you restore a malicious application, it will harm your servers. |

- Click OK.