Scanning for Viruses

Scenarios

Once a static virus file is started, it may become a malicious process and become a security risk of servers. You are advised to scan for and clear viruses on servers in a timely manner.

HSS supports quick scans, full-disk scans, and custom scans. For details, see Table 1.

**Table 1** Virus scan methods
Method	Description	File Type	Directory Scope
Quick Scan	Quick virus scan tasks can save time and costs. This function scans and removes preset key system files and directories.	Windows Processes (active processes, hidden processes, and Docker processes), kernel modules, installed programs, dynamic library hijacking, services, scheduled tasks, auto-started items, sensitive directories, Office files, images, videos, scripts, and compressed packages Linux Processes (active processes, hidden processes, and Docker processes), kernel modules, installed programs, dynamic library hijacking, services, scheduled tasks, auto-started items, sensitive directories, Office files, images, videos, scripts, and compressed packages	Windows User desktop, downloaded files, and document directories Startup items in the Start menu System directories C:\Windows\System, C:\Windows\System32, C:\Windows\SysWOW64 Temporary directories C:\Users\[Username]\AppData\Local\Temp\, C:\Temp, C:\Windows\Temp Download directories of browsers Google Chrome, Microsoft Edge, and Mozilla Firefox Linux Standard system directories /bin, /sbin, /lib, /lib64, /usr/bin, /usr/sbin, /usr/lib, /usr/lib64, /usr/local/lib, /usr/local/lib64, /usr/local/bin, /usr/local/sbin Other important directories /tmp, /root, /home, /boot, /opt, /data, /var/tmp, /var/run, /var/lib, /dev/shm, /etc, /etc/sysconfig, /usr/local/src, /usr/share, and the root directory Directories of the executable files corresponding to the startup items /etc/rc.d, /etc/init.d
Full-disk Scan	A time-consuming full-disk virus scan can comprehensively check servers for viruses.	Executable: executable files and dynamic link libraries (DLLs), such as .exe, .dll, and .so files Compressed: installation packages or other compressed packages, such as .zip, .rar, and .tar files Script: script files, such as .bat, .py, and .ps1 files Document: document files, such as .txt, .doc, and .pdf files Image: image files, such as .bmp, .jpg, and .gif files Audio & Video: audiovisual files, such as .mp3, .mp4, and .flv files	All directories except network directories. The reasons for not scanning network directories are as follows: Inefficient scan A network directory usually contains a large number of files and may reach hundreds of terabytes, severely slowing down a scan. Network bandwidth consumption Accessing a network directory consumes network bandwidth. A large-scale scan may fully occupy the network bandwidth and affect your workloads. For example, the access speed may slow down and the network latency may increase. You can create a custom scan task to scan network directories.
Custom Scan	You can create a custom virus scan task as needed.	You can scan executable, compressed, script, document, image, or audiovisual files.	User-defined

Constraints

A virus scan uses a lot of memory, CPU, and I/O resources. Perform this operation during off-peak hours. For details about the resource usage, see How Many CPU and Memory Resources Are Occupied by the Agent When It Performs Scans?
The HSS professional edition only supports quick scan and removal.
A full-disk scan does not check network directories.

Quick Scan

Log in to the management console.
In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.
Choose Server Protection > Virus Scan.
Click Quick Scan. The dialog box is displayed.

Set parameters related to the quick scan task as prompted.

**Table 2** Quick scan parameters
Parameter	Description	Example Value
Task Name	HSS automatically generates a task name based on the task creation time (accurate to seconds). You can modify it as needed.	Quick Scan-20250425173536
Select Server	Select the servers where you want to perform a quick scan. You can select and scan servers that meet all the following conditions: The agent is online and meets the following requirements. For details about how to install the agent, see Installing the Agent on Servers. Unlimited scans: Windows agent version ≥ 4.0.20, Linux agent version ≥ 3.2.9 Pay-per-use scans: Windows agent version ≥ 4.0.23, Linux agent version ≥ 3.2.12 The AV detection policy is enabled. For details about how to enable it, see Configuring Policies. The server is not being scanned.	-
Handling Policy	Action to be taken on the detected virus-infected files. Automatic Handling: HSS automatically isolates the detected malicious files. The suspicious files that are not confirmed as viruses are labeled as suspicious and need to be manually checked and handled. CAUTION: In rare cases, files may be incorrectly isolated. In this case, you can restore the isolated files on the Isolated Files page. For details, see Restoring Isolated Files. Manual Handling: Alarms are generated only for detected infected files. You need to manually confirm the files before handling them.	Automatic Handling

Click Scan and start the scan task.

Full-disk Scan

Log in to the management console.
In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.
Choose Server Protection > Virus Scan.
Click Full-disk Scan. The dialog box is displayed.

Set parameters related to the full-disk scan task as prompted.

**Table 3** Full-disk scan parameters
Parameter	Description	Example Value
Task Name	HSS automatically generates a task name based on the task creation time (accurate to seconds). You can modify it as needed.	Full-disk Scan-20250425174038
Select Server	Select the servers where you want to perform a full scan. You can select and scan servers that meet all the following conditions: The agent is online and meets the following requirements. For details about how to install the agent, see Installing the Agent on Servers. Unlimited scans: Windows agent version ≥ 4.0.20, Linux agent version ≥ 3.2.9 Pay-per-use scans: Windows agent version ≥ 4.0.23, Linux agent version ≥ 3.2.12 The AV detection policy is enabled. For details about how to enable it, see Configuring Policies. The server is not being scanned.	-
Handling Policy	Action to be taken on the detected virus-infected files. Automatic Handling: HSS automatically isolates the detected malicious files. The suspicious files that are not confirmed as viruses are labeled as suspicious and need to be manually checked and handled. CAUTION: In rare cases, files may be incorrectly isolated. In this case, you can restore the isolated files on the Isolated Files page. For details, see Restoring Isolated Files. Manual Handling: Alarms are generated only for detected infected files. You need to manually confirm the files before handling them.	Automatic Handling

Click Scan and start the scan task.

Custom Scan

Log in to the management console.
In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.
Choose Server Protection > Virus Scan.
Click Custom Scan.

Set the parameters of the Custom Scan policy as prompted. For details about the parameters, see Custom antivirus policy parameters.

**Table 4** Custom antivirus policy parameters
Parameter	Description	Example Value
Task Name	HSS automatically generates a task name based on the task creation time (accurate to seconds). You can modify it as needed.	Custom Scan-20250425180036
Startup Type	Scan task execution type. Scan Now: Start a scan immediately. Scan Later: Start a scan at the specified time. Periodic Start: Start a scan periodically based on your settings.	Scan Later
Start	If Startup Type is set to Scan Later, configure this parameter to set the start time of the scan. You can set the start time to a time within one month.	2025/04/25 18:10
Schedule	If Startup Type is set to Periodic Start, configure this parameter to set the scan period.	-
File Type	Type of the file to be scanned. Currently, the following types of files can be scanned: Executable: executable files and dynamic link libraries (DLLs), such as .exe, .dll, and .so files Compressed: installation packages or other compressed packages, such as .zip, .rar, and .tar files Script: script files, such as .bat, .py, and .ps1 files Document: document files, such as .txt, .doc, and .pdf files Image: image files, such as .bmp, .jpg, and .gif files Audio & Video: audiovisual files, such as .mp3, .mp4, and .flv files	Select All
(Optional) Directory Settings	Directory where virus-infected files need to be scanned. If this parameter is not set, full scan is performed by default. Full scan does not cover network directories. WARNING: The reasons for not scanning network directories are as follows: Inefficient scan A network directory usually contains a large number of files and may reach hundreds of terabytes, severely slowing down a scan. Network bandwidth consumption Accessing a network directory consumes network bandwidth. A large-scale scan may fully occupy the network bandwidth and affect your workloads. For example, the access speed may slow down and the network latency may increase.	-
(Optional) Exclude Specified Directories	Directories that do not require virus scan.	-
Select Server	Select the servers to be scanned. You can select and scan servers that meet all the following conditions: The agent is online and meets the following requirements: For details about how to install the agent, see Installing the Agent on Servers. Unlimited scans: Windows agent version ≥ 4.0.20, Linux agent version ≥ 3.2.9 Pay-per-use scans: Windows agent version ≥ 4.0.23, Linux agent version ≥ 3.2.12 The AV detection policy is enabled. For details about how to enable it, see Configuring Policies. The task start conditions required by the corresponding policy are met: Policy whose Startup Type is Scan Now: The server is not being scanned. Policy whose Startup Type is Scan Later: No other custom scan policies using the same startup time as the current policy are bound to the server. Policy whose Startup Type is Periodic Start: No other custom policies whose Startup Type is Periodic Start are bound to the server.	-
Handling Policy	Action to be taken on the detected virus-infected files. Automatic Handling: HSS automatically isolates the detected malicious files. The suspicious files that are not confirmed as viruses are labeled as suspicious and need to be manually checked and handled. CAUTION: In rare cases, files may be incorrectly isolated. In this case, you can restore the isolated files on the Isolated Files page. For details, see Restoring Isolated Files. Manual Handling: Alarms are generated only for detected infected files. You need to manually confirm the files before handling them.	Automatic Handling

Click Scan and start the scan task.

Viewing Virus Scan Status

After starting a scan task, you can view its execution status by referring to this section.

On the Virus Scan page, click Scan tasks. The Scan Tasks page is displayed.

Figure 1 Viewing scan tasks
On the Scan Task page, view the task start time, task status, and scan status.
- To view information about specific scan tasks, configure search criteria in the search box above the scan task list.
- To stop an ongoing scan task, click Cancel in the Operation column of the task.
- To retry a failed scan task, click Scan Again in the Operation column of the task.
Figure 2 Scan tasks
Click to view the scan status and number of scanned files of each server.
- Click Cancel in the Operation column of the server to stop scanning the server.
- To retry a failed scan on a server, click Scan Again in the Operation column of the server.

Follow-up Operations

After a virus scan task is complete, you can manually handle the detected virus-infected files based on service requirements. For details, see Viewing and Handling Viruses.

Parent Topic: Virus Scan

Previous topic: Virus Scan Overview

Next topic: Viewing and Handling Viruses