
Policy Management Overview

Updated on 2025-02-12 GMT+08:00

What Is a Policy Group?

HSS comes in multiple editions, including basic, professional, enterprise, premium, WTP, and container editions. Except for the basic edition, they each have a default protection policy group. A policy group is a collection of policies. These policies can be applied to servers to centrally manage and configure the sensitivity, rules, and scope of HSS detection and protection.

You can create custom policy groups for HSS premium and container editions. If you have multiple servers protected by the premium or container edition but have different protection requirements for them, you can create custom policy groups for different servers and deploy different policy groups. For details, see Creating a Custom Policy Group.

What Policies Does a Policy Group Contain?

Policy groups vary by edition, as shown in Table 1. You can customize policies for asset management, baseline inspection, and intrusion detection as needed. For details, see Configuring Policies.

Table 1 Policies

Each entry lists the policy's action, supported OS, and default status. Edition support gives the marks from the Professional, Enterprise, Premium, WTP, and Container columns; × means the edition does not support the policy.

Assets

  • Asset discovery
    • Action: Scan and display all software in one place, including software name, path, and major applications, helping you identify abnormal assets.
    • Supported OS: Linux and Windows
    • Default status: Enabled
    • Edition support: × ×

Baseline Inspection

  • Weak password detection
    • Action: Change weak passwords to stronger ones based on HSS scan results and suggestions.
    • Supported OS: Linux and Windows
    • Default status: Enabled
    • Edition support: no × marks
  • Container information collection
    • Action: Collect information about all containers on a server, including ports and directories, and report alarms for risky information.
    • Supported OS: Linux
    • Default status: Enabled
    • Edition support: × × × ×
  • Configuration check
    • Action: Check the unsafe Tomcat, Nginx, and SSH login configurations found by HSS.
    • Supported OS: Linux and Windows
    • Default status: Enabled
    • Edition support: × ×

Intrusions

  • AV detection
    • Action: Check server assets and report, isolate, and kill the detected viruses. The generated alarms are displayed under Detection & Response > Alarms > Server Alarms > Event Types > Malware. After AV detection is enabled, the CPU usage does not exceed 40% of a single vCPU; the actual CPU usage depends on the server status. For details, see How Many CPU and Memory Resources Are Occupied by the Agent When It Performs Scans?
    • Supported OS: Linux and Windows
    • Default status: Enabled
    • Edition support: ×
  • Cluster intrusion detection
    • Action: Detect container high-privilege changes, creation in key information, and virus intrusion.
    • Supported OS: Linux
    • Default status: Disabled
    • Edition support: × × × ×
  • Container escape
    • Action: Check for and generate alarms on container escapes. If you do not want to detect container escape for certain containers, you can set the image, process, and pod name whitelist.
    • Supported OS: Linux
    • Default status: Disabled
    • Edition support: × × × ×
  • Container anti-escape
    • Action: Container escape prevention can monitor five types of abnormal runtime behavior (processes, files, network activities, process capabilities, and system calls) on containers and their hosts, report alarms, and block abnormal behaviors to enhance container security. To use abnormal runtime behavior detection, configure a container escape prevention policy, select a protected object (a server or container), and enable the policy.
    • Supported OS: Linux
    • Default status: Disabled
    • Edition support: × × × ×
  • Container information module
    • Action: You can configure a trusted container whitelist based on the container name, the organization name to which the image belongs, and the namespace. Whitelisted containers are not checked and generate no alarms.
    • Supported OS: Linux
    • Default status: Enabled
    • Edition support: × × × ×
  • Web shell detection
    • Action: Scan web directories on servers for web shells.
    • Supported OS: Linux and Windows
    • Default status: Enabled
    • Edition support: no × marks
  • Container file monitoring
    • Action: Detect file access that violates security policies. Security O&M personnel can check whether hackers are intruding and tampering with sensitive files.
    • Supported OS: Linux
    • Default status: Enabled
    • Edition support: × × × ×
  • Container process whitelist
    • Action: Check for process startups that violate security policies.
    • Supported OS: Linux
    • Default status: Disabled
    • Edition support: × × × ×
  • Suspicious image behaviors
    • Action: Configure the blacklist and whitelist and customize permissions to ignore abnormal behaviors or report alarms.
    • Supported OS: Linux
    • Default status: Disabled
    • Edition support: × × × ×
  • HIPS detection
    • Action: Check registries, files, and processes, and report alarms for operations such as abnormal changes.
    • Supported OS: Linux and Windows
    • Default status: Enabled
    • Edition support: ×
  • File protection
    • Action: Check the files in the Linux OS, applications, and other components to detect tampering.
    • Supported OS: Linux and Windows
    • Default status: Enabled
    • Edition support: no × marks
  • Login security check
    • Action: HSS can detect brute-force attacks on the following service accounts:
      • Windows: RDP, SQL Server
      • Linux: MySQL, vsftpd, SSH
      If the number of brute-force attacks (consecutive incorrect password attempts) reaches 5 within 30 seconds or 15 within 1 hour, HSS blocks the login source IP address. By default, the IP address is blocked for 12 hours to prevent server intrusions caused by brute-force attacks. You can check whether a login IP address is trustworthy based on its attack type and how many times it has been blocked, and manually unblock the IP addresses you trust.
    • Supported OS: Linux and Windows
    • Default status: Enabled
    • Edition support: no × marks
  • Malicious file detection
    • Action:
      • Reverse shell: Monitor user process behaviors in real time to detect reverse shells caused by invalid connections.
      • Abnormal shell: Detect actions on abnormal shells, including moving, copying, and deleting shell files, and modifying the access permissions and hard links of the files.
    • Supported OS: Linux
    • Default status: Enabled
    • Edition support: no × marks
  • External connection detection
    • Action: Detect processes that proactively connect to an external network.
    • Supported OS: Linux (kernel 5.10 or later)
    • Default status: Enabled
    • Edition support: ×
  • Port scan detection
    • Action: Detect scanning or sniffing on specified ports and report alarms.
    • Supported OS: Linux
    • Default status: Disabled
    • Edition support: × ×
  • Abnormal process behaviors
    • Action: All the running processes on all your servers are monitored. You can create a process whitelist to ignore alarms on trusted processes, and receive alarms on unauthorized process behavior and intrusions.
    • Supported OS: Linux
    • Default status: Enabled
    • Edition support: no × marks
  • Root privilege escalation
    • Action: Detect root privilege escalation for files in the current system.
    • Supported OS: Linux
    • Default status: Enabled
    • Edition support: no × marks
  • Real-time process
    • Action: Monitor the executed commands in real time and generate alarms if high-risk commands are detected.
    • Supported OS: Linux and Windows
    • Default status: Enabled
    • Edition support: no × marks
  • Rootkit detection
    • Action: Detect server assets and report alarms for suspicious kernel modules, files, and folders.
    • Supported OS: Linux
    • Default status: Enabled
    • Edition support: no × marks
  • Fileless attack detection
    • Action: Scan for process injection, dynamic library injection, and memory file process behavior in user assets.
    • Supported OS: Linux
    • Default status: Disabled
    • Edition support: no × marks

Self-protection

  • Windows self-protection
    • Action: Prevent malicious programs from uninstalling the agent, tampering with HSS files, or stopping HSS processes.
      NOTE:
      • Self-protection depends on antivirus detection, HIPS detection, and ransomware protection. It takes effect only when more than one of the three functions is enabled.
      • Enabling the self-protection policy has the following impacts:
        • The agent cannot be uninstalled from the control panel of a server, but can be uninstalled on the HSS console.
        • HSS processes cannot be terminated.
        • In the agent installation path C:\Program Files\HostGuard, you can only access the log and data directories (and the upgrade directory, if your agent has been upgraded).
    • Supported OS: Windows
    • Default status: Disabled
    • Edition support: × × ×
  • Linux self-protection
    • Action: Prevent malicious programs from stopping the HSS process and uninstalling the agent.
      NOTE:
      • Enabling the self-protection policy has the following impacts:
        • The agent cannot be uninstalled using commands, but can be uninstalled on the HSS console.
        • HSS processes cannot be terminated.
    • Supported OS: Linux
    • Default status: Disabled
    • Edition support: × ×
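The login security check thresholds in Table 1 (5 consecutive failures within 30 seconds or 15 within 1 hour, 12-hour block, manually trusted addresses exempt) can be modelled as a small sliding-window detector. The following is an added example written for this page, not HSS code; the event feed, IP addresses, and the `BruteForceBlocker` class are constructed assumptions for illustration.

```python
from collections import defaultdict, deque

# Thresholds from the HSS login security check policy described above.
SHORT_WINDOW, SHORT_LIMIT = 30, 5     # 5 failures within 30 seconds
LONG_WINDOW, LONG_LIMIT = 3600, 15    # 15 failures within 1 hour
BLOCK_SECONDS = 12 * 3600             # default block duration: 12 hours

class BruteForceBlocker:
    def __init__(self, trusted_ips=()):
        self.trusted = set(trusted_ips)     # manually trusted IPs are never blocked
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> epoch second when the block expires

    def is_blocked(self, ip, now):
        if now < self.blocked_until.get(ip, 0):
            return True
        self.blocked_until.pop(ip, None)    # expired block: unblock automatically
        return False

    def record(self, ip, now, success):
        """Feed one login attempt; return True if this attempt triggered a block."""
        if success:
            self.failures.pop(ip, None)     # a successful login ends the streak
            return False
        if ip in self.trusted or self.is_blocked(ip, now):
            return False
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > LONG_WINDOW:
            window.popleft()                # keep only the last hour of failures
        recent = sum(1 for t in window if now - t <= SHORT_WINDOW)
        if recent >= SHORT_LIMIT or len(window) >= LONG_LIMIT:
            self.blocked_until[ip] = now + BLOCK_SECONDS
            window.clear()
            return True
        return False

# Constructed sample feed (epoch second, source IP, login succeeded).
SAMPLE_EVENTS = sorted(
    [(t, "203.0.113.10", False) for t in (0, 5, 10, 15, 20)]         # fast burst
    + [(100 + 200 * i, "198.51.100.7", False) for i in range(15)]   # slow series
    + [(50, "192.0.2.1", False), (60, "192.0.2.1", True)]           # one miss, then ok
)

def run_sample(events=SAMPLE_EVENTS):
    blocker, blocked_at = BruteForceBlocker(), {}   # returns {ip: block timestamp}
    for ts, ip, ok in events:
        if blocker.record(ip, ts, ok):
            blocked_at[ip] = ts
    return blocked_at
```

The fast burst trips the 30-second rule on its fifth failure, the spaced-out series trips the 1-hour rule on its fifteenth, and the single failure followed by a successful login is never blocked.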

Policy Group Protection Modes

Policy groups can detect threats in sensitive or balanced mode to meet the requirements of different scenarios. The two modes apply to the following scenarios:

  • Sensitive mode: applicable to high security scenarios, such as network protection drills and key event security assurance. It achieves a high threat detection rate.
  • Balanced mode: applicable to routine protection scenarios. The threat detection rate and accuracy are relatively balanced.

Policies affected by the protection mode: malicious file detection, web shell detection, HIPS detection, antivirus, and abnormal process behavior policies. For details about the differences between these policies in the two protection modes, see Table 2.

Table 2 Differences between policies in sensitive and balanced modes

  • Malicious File Detection
    • Balanced: File size: 10 MB. File types: ELF, Python, shell, and web shell.
    • Sensitive: File size: 50 MB. File types: all.
  • Web Shell Detection
    • Balanced: The suspicious files that match YARA rules are not checked.
    • Sensitive: All files.
  • HIPS Detection
    • Balanced: Moderately sensitive.
    • Sensitive: Highly sensitive. Compared with the balanced mode, it is more suitable for special detection rules in network protection drills and key event assurance.
  • AV Detection
    • Balanced: If Protected File Type is set to All for anti-virus detection, only the files with the following file name extensions are checked:
      • Linux: bat, bin, cmd, com, cpl, exe, gadget, inf1, ins, inx, isu, job, jse, js, lnk, msc, msi, msp, mst, paf, pif, ps1, reg, rgs, scr, sct, shb, shs, u3p, vb, vbe, vbs, vbscript, ws, wsf, wsh, doc, dot, wbk, docx, docm, dotm, docb, pdf, wll, wwl, xls, xlt, xlm, xll_, xla_, xla5, xla8, xlsx, xlsm, xltx, xltm, xlsb, xla, xlam, xll, xlw, ppt, pot, pps, ppa, pptx, pptm, potx, potm, ppam, ppsx, ppsm, sldx, sldm, pa, accda, accdb, accde, accdt, accdr, accdu, mda, mde, one, ecf, pub, xps, png, tif, wmf, bmp, gif, jpeg, dwg, ico, pgp, psd, cdr, dxf, emf, eps, jp2, sgi, xpm, dll, sys, rar, zip, 7z, sh, cab, gz, gzip, xz, ace, tar, lzh, lha, bz, bz2, iso, jar, apk, jsp, jspx, php, asp, aspx, ashx, asmx, py, hta, ko
      • Windows: bat, bin, cmd, com, cpl, exe, gadget, inf1, ins, inx, isu, job, jse, js, lnk, msc, msi, msp, mst, paf, pif, ps1, reg, rgs, scr, sct, shb, shs, u3p, vb, vbe, vbs, vbscript, ws, wsf, wsh, doc, dot, wbk, docx, docm, dotm, docb, pdf, wll, wwl, xls, xlt, xlm, xll_, xla_, xla5, xla8, xlsx, xlsm, xltx, xltm, xlsb, xla, xlam, xll, xlw, ppt, pot, pps, ppa, pptx, pptm, potx, potm, ppam, ppsx, ppsm, sldx, sldm, pa, accda, accdb, accde, accdt, accdr, accdu, mda, mde, one, ecf, pub, xps, png, tif, wmf, bmp, gif, jpeg, dwg, ico, pgp, psd, cdr, dxf, emf, eps, jp2, sgi, xpm, dll, sys, rar, zip, 7z, sh, cab, gz, gzip, xz, ace, tar, lzh, lha, bz, bz2, iso, jar, apk, jsp, jspx, php, asp, aspx, ashx, asmx, hta
    • Sensitive: If Protected File Type is set to All for anti-virus detection, all types of files are checked.
  • Abnormal Process Behaviors
    • Balanced: An alarm is generated only if multiple abnormal process behaviors are detected at the same time.
    • Sensitive: An alarm is generated immediately if an abnormal process behavior is detected.
