Help Center> Host Security Service (New)> User Guide> Prevention> Ransomware Prevention> Viewing and Handling Ransomware Protection Events
Updated on 2024-03-28 GMT+08:00
View PDF

Viewing and Handling Ransomware Protection Events

After ransomware protection is enabled, if a ransomware attack event occurs on the server, the event will be recorded and displayed in the ransomware event list. You can handle the events based on your service requirements.

Prerequisites

You have enabled HSS premium, WTP, or container edition.

Constraints

  • Ransomware backup only supports Huawei Cloud servers.
  • After ransomware protection is enabled, you need to handle ransomware alarms and fix the vulnerabilities in your systems and middleware in a timely manner.

Procedure

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
  3. Choose Prevention > Ransomware Prevention.

    If your servers are managed by enterprise projects, you can select the target enterprise project to view or operate the asset and detection information.

  4. Click the Events tab and check events.
  5. After confirming the severity of an event, click Handle in the Operation column of the target event to handle the event. For details about the processing modes, see Table 1.

    You can also select multiple events and click Batch Handle above the list to handle events in batches.
    Table 1 Alarm handling methods

    Marked As

    Description

    Ignore

    Ignore the current alarm. Any new alarms of the same type will still be reported by HSS.

    Isolate and kill

    If a program is isolated and killed, it will be terminated immediately and no longer able to perform read or write operations. Isolated source files of programs or processes are displayed on the Isolated Files slide-out panel and cannot harm your servers.

    You can click Isolated Files on the upper right corner to check the files. For details, see Managing Isolated Files.

    NOTE:

    When a program is isolated and killed, the process of the program is terminated immediately. To avoid impact on services, check the detection result, and cancel the isolation of or unignore misreported malicious programs (if any).

    Mark as handled

    When manually handle an event, you can add remarks to record the details about the event.

    Add to alarm whitelist

    Add false alarmed items to the login whitelist.

    HSS will no longer report alarm on the whitelisted items. A whitelisted alarm will not trigger alarms.

    You can click Add Rule and configure file paths in alarm masking rules. HSS will not report the alarms matching these rules.

Parent Topic: Ransomware Prevention