Help Center/ Host Security Service/ What's New

What's New

Updated on 2025/04/03 GMT+08:00
Share

The tables below describe the functions released in each Host Security Service version and corresponding documentation updates. New features will be successively launched in each region.

March 2025

No.

Feature

Description

Phase

Document

1

Added graph engine detection

Generally, threat behavior detection checks file, process, network, or other information against the threat feature library to identify and block malicious behaviors. But to identify an attack, which usually involves multiple steps, we need to correlate multiple behaviors. For example, a vulnerability exploit attack involves scan and reconnaissance, system intrusion, malicious file implant, and subsequent attacks.

Graph engine detection performs comprehensive source tracing analysis based on the threat information provided by multiple modules (including HIPS detection, AI ransomware detection, and antivirus detection). It can associate and comprehensively analyze multiple suspicious process events to identify intrusion behaviors, enhancing defense against vulnerability exploits.

Editions: premium, WTP, and container editions

Commercial use

Configuring Policies

2

Added the cross-account agent installation function

Added the cross-account agent installation function. You can connect the servers of other accounts to the current account for unified protection and management. In this way, HSS can protect the servers of different accounts.

Editions: all editions

Commercial use

Installing the Agent on Huawei Cloud Servers

3

Added fileless attack detection for servers

Added fileless attack detection for servers.

  • The following fileless attacks on Linux can be detected:

    • Process injection: Malicious code is injected into running processes.

    • Dynamic library injection process: Malicious code is injected into running processes by hijacking functions in dynamic link libraries.

    • Memory file process: A malicious file is created in RAM by calling memfd_create and executed.

    • VDSO hijacking: Attackers exploit specific vulnerabilities (such as Dirty COW) and overwrites the original VDSO code with malicious code. When the root process invokes the VDSO code, the malicious code is executed and privileges are escalated.

  • The following fileless attacks on Windows can be detected:

    • Attack using Windows tools: Attackers exploit the built-in legitimate tools and functions in the OS to bypass traditional security mechanisms and perform malicious operations.

    • Malicious registry injection: Attackers insert malicious code or scripts into the Windows registry. This code can bypass the common file check mechanism and be automatically executed when the system is started. An alarm will be reported immediately if it is detected.

Editions: professional, enterprise, premium, WTP, and container editions

Commercial use

Server Alarms

Container Alarms

4

Added automatic isolation and removal of web shells

HSS can automatically isolate and remove of web shells.

Editions: professional, enterprise, premium, WTP, and container editions

Commercial use

Server Alarms

Container Alarms

Isolating and Killing Malicious Programs

5

Added AI ransomware protection

Added AI ransomware prevention. It can monitor all the files on Windows servers; analyze whether multiple files of the same process are created, deleted, modified, or renamed; and determine whether the files are encrypted by ransomware. After detecting suspicious behaviors, HSS uses the graph engine for comprehensive source tracing analysis to identify ransomware attacks and improve the ransomware detection rate.

Editions: premium, WTP, and container editions

Commercial use

Enabling Ransomware Prevention

6

Optimized WTP

Improved the WTP configuration process. Users can operate more smoothly, and can enable protection for an application on multiple servers at once.

Editions: WTP edition

Commercial use

Enabling Protection

7

Optimized container image security

Added functions include but are not limited to the following:

  • Image security statistics can be presented in the risk view or image view.

  • Image vulnerabilities can be ignored or added to the whitelist.

  • Image scan tasks can be stopped.

  • Malicious files, software information, file information, baseline check, sensitive information, and software compliance scan results can be exported.

  • More container applications can be scanned. Newly supported applications and middleware include slf4j, jetty, ca-certificates-java, httpcore, javac2, javaee, Apache2, adaptive_server_enterprise, DB2, http_server, Memcached, Nginx, PostgreSQL, plexus-utils, and core.

Editions: container edition

Commercial use

Container Image Security Overview

8

Optimized baseline checks

  • Configuration check

    You can set the export scope of scan results by selecting the result type (All or Failed) and risk level.

    Editions: enterprise, premium, WTP, and container editions

  • Password complexity policy check

    The reason why a password complexity policy failed the check is provided.

    Editions: all editions

  • Common weak password check

    • The passwords encrypted using the Yescrypt algorithm can be checked.

    • Detected weak passwords are masked before display.

    Editions: all editions

Commercial use

Baseline Inspection

January 2025

No.

Feature

Description

Phase

Document

1

New APIs

Added the following APIs: deleting accounts, querying the multi-account list, adding accounts in batches, querying account organizations, querying agent installation scripts, deleting cluster daemonsets, updating cluster daemonsets, creating CCE integrated protection configurations, and obtaining cluster configurations.

Commercial use

Installation and Configuration

Cluster Management

2

Optimized login security detection

Brute-force cracking of SQL Server accounts can be automatically blocked.

Editions: professional, premium, WTP, and container editions

Commercial use

Policy Management

3

Optimized policy management

The Balanced and Sensitive modes are added. In Balanced mode, the threat detection rate and accuracy are relatively balanced. In Sensitive mode, the threat detection rate is high, and security level is higher.

Policies affected by the protection mode: malicious file detection, web shell detection, HIPS detection, antivirus, and abnormal process behavior policies.

Editions: professional, premium, WTP, and container editions

Commercial use

Policy Management

4

Optimized emergency vulnerability detection

Windows emergency vulnerability detection is supported. Emergency vulnerability detection of Linux supports the Arm architecture.

Editions: professional, premium, WTP, and container editions

Commercial use

Vulnerability Scan

5

Optimized the asset fingerprint function

  • Asset fingerprints can be manually updated.

  • In the detection results of open ports, you can set Dangerous Port to Yes in the search box of the Open Ports area to filter dangerous ports.

  • More than 80 types of assets can be identified by asset fingerprints. The details are as follows:

    • Web services & Websites

      Apache, Nginx, Tomcat, Weblogic, WebSphere, JBoss, Wildfly, and Jetty

    • Websites

      Apache, Nginx, and Tomcat

    • Web applications

      Wordpress, ThinkPHP, JPress, Jenkins, and ZABBIX

    • Web frameworks

      Java framework: Struts, Struts2, Spring, Hibernate, WebWork, Quartz, Velocity, Tapestry, Turbine, Freemarker, Flexive, Stripes, Vaadin, Vert.x, Wicket, ZKoss, Jackson, Fastjson, Shiro, MyBatis, Spring MVC, Jersey and JFinal.

      PHP framework: Drupal, Phalcon, Webasyst, ThinkCMF, Laravel, KYPHP, Codelgniter, BEdita, Yli, CakePHP, InitPHP, SpeedPHP, ThinkPHP, Cotonti, MODx, Typo3, CanPHP, OneThink, AgileToolkit, CoreThink, CdvPHP, Flight and PHPixie.

      Python framework: Django, Flask, Tornado, web.py, and web2py.

      Go framework: Gin, Beego, Fasthttp, Iris, and Echo.

    • Databases

      MySQL, Redis, Oracle, MongoDB, Memcache, PostgreSQL, HBase, DB2, Sybase, Dameng, and KingbaseES.

    • Office software

      Chanjet

Editions: premium, WTP, and container editions

Commercial use

Server Fingerprints

Container Fingerprints

6

Optimized the baseline check function

The following configuration baselines are added to adapt to compliance baseline check outside China:

  • General security standards of Linux: MySQL8-universal, HCE1.1-universal, Rocky8-universal, Rocky9-universal, AlmaLinux8-universal, OracleLinux6-universal, OracleLinux7-universal, Ubuntu22-universal, CentOS9-universal, SUSE15-universal, AliLinux2-universal, and AliLinux3-universal.

  • General security standard: Windows_2022-universal.

Editions: premium, WTP, and container editions.

Commercial use

Baseline Check

7

Optimized the application protection function

The following application protection functions are supported to meet RASP protection requirements in multiple scenarios:

  • Added web application protection for JDK 11 and JDK17.

  • Added Tomcat application protection for Windows.

  • Added Weblogic, Netty, and Jetty application protection for Linux.

Editions: premium, WTP, and container editions

Open beta testing

Application Protection

8

Added container escape blocking function

When a container is running, an attacker may configure high-risk capabilities, exploit incorrect system configurations, or mount host directories to escape the container and gain full control over the host system.

HSS provides container escape prevention policies to detect container escapes at the levels of networks, servers, pods, containers, processes, and system calls. Five types of abnormal runtime behaviors (processes, files, network activities, process capabilities, and system calls) can be detected, reported, and blocked to prevent container escape and protect container runtime.

Editions: container edition

Open beta testing

Configuring Policies

Container Alarms

9

Added CI/CD image security scan function

The CI/CD image security scan function can be integrated into the CI/CD build pipeline of the Jenkins Pipeline project. It can implement security scan in the image build phase; identify system vulnerabilities, application vulnerabilities, abnormal system configurations, malicious files, and sensitive files in images; and shift security left to the DevOps phase, helping you eliminate security risks as early as possible and preventing unsafe images from being deployed in the production environment.

Editions: container edition

Commercial use

CI/CD Image Security Scan

September 2024

No.

Feature

Description

Phase

Document

1

Added security scanning for third-party image repositories

HSS can scan third-party image repositories manually or periodically to detect vulnerabilities, baselines, malicious files, software information, file information, sensitive information, software compliance, and basic image information, helping you detect potential security risks in third-party images.

Editions: container edition

Commercial use

Accessing a Third-Party Image Repository

Managing Repository Images

2

Optimized the container cluster protection function

Added the security and compliance protection policy types. More than 20 protection policies are added, including restricting pods to start privileged containers, restricting the range of host directories that can be mounted to pods, restricting the Proc types that can be mounted to pods, and restricting Linux capabilities configured in pods. The protection policies meet container cluster protection requirements in different scenarios.

Editions: container edition

Commercial use

Container Cluster Protection

July 2024

No.

Feature

Description

Phase

Document

1

Added the API for querying the basic container information list

You can use the API to query the container list and learn about the container status, cluster, and risks.

Commercial use

Querying the Basic Container Information List

2

Added the API for querying the local image list

You can use the API to query the local image list and learn about the basic information and risks of local images.

Commercial use

Querying the Local Image List

June 2024

No.

Feature

Description

Phase

Document

1

Added the multi-cloud cluster management function

HSS supports unified management of third-party cloud clusters and IDC self-built clusters, and provides full-lifecycle security protection for containers.

Editions: container edition

Commercial use

Connecting to Container Assets

2

Added the monthly operation report

On the first day of each month, HSS generates a security operations summary report for last month. You can learn the asset security status and security configurations, analyze monthly operation report, and harden configurations and improve O&M efficiency accordingly.

Editions: all editions

Commercial use

Checking a Monthly Operation Report

3

Added the container audit function

Container audit monitors and records operations and activities of cluster containers, independent containers, and the image repositories of SoftWare Repository for Container (SWR). You can view and analyze their logs on the HSS console.

Editions: container edition

Commercial use

Container Audit Overview

March 2024

No.

Feature

Description

Phase

Document

1

Optimized policy management

  • The container information module detection policy is added.

    Editions: container edition

  • Modify a default policy can be applied to and saved to other enterprise projects of the same version when All projects is selected for Enterprise Project.

    Editions: professional, enterprise, premium, WTP, and container editions

  • Optimized the configuration items of web shell detection, file protection, login security detection, malicious file detection, abnormal process behavior, root privilege escalation, real-time process, and rootkit detection policies.

    Editions: professional, enterprise, premium, WTP, and container editions

  • Optimized the configuration items of asset discovery, configuration detection, and port scanning detection policies.

    Editions: premium, WTP, and container editions

Commercial use

Configuration Policy

2

Added the dynamic port honeypot function

The dynamic port honeypot function is a deception trap. It uses a real port as a bait port to induce attackers to access the network. In the horizontal penetration scenario, the function can effectively detect attackers' scanning, identify faulty servers, and protect real resources of the user.

You can enable the dynamic port honeypot using recommended ports or user-defined ports to deceive compromised servers and reduce the risk of resources intrusion.

Editions: premium, WTP, and container editions

Open beta testing

Dynamic Port Honeypot

3

IPv6 server security protection is supported

IPv6 server security protection is supported. multiple security management and defense capabilities are provided, such as asset management, vulnerability management, baseline check, and intrusion detection, meeting security protection requirements in multiple scenarios of customers.

Editions: all editions

Commercial use

HSS Functions

4

Optimized the container firewall function

The container firewall function allows you to configure security group policies to protect clusters of the cloud native network 2.0 model.

Editions: container edition

Commercial use

Container Firewall

5

Optimized the virus scanning and removal function

The function supports automatic isolation of virus files.

Editions: professional, enterprise, premium, WTP, and container editions

Open beta testing

Virus Scanning and Removal

6

Optimized vulnerability fixing

Fixing CCE kernel vulnerabilities may bring inconvenience to your services. When you use HSS to fix system vulnerabilities, batch fixing can automatically filter out CCE kernel vulnerabilities, vulnerability fixing for a single CCE kernel vulnerability is not supported.

Editions: professional, enterprise, premium, WTP, and container editions

Commercial use

Fixing Vulnerabilities

7

Optimized emergency vulnerability scanning

The emergency vulnerability scanning function can scan RunC container escape vulnerability.

Editions: professional, enterprise, premium, WTP, and container editions

Commercial use

Vulnerability Scan

December 2023

No.

Feature

Description

Phase

Document

1

Added the automatic quota binding function

After purchasing a yearly/monthly quota, you need to bind the quota to a server to enable protection. To prevent resource waste, you can enable the automatic quota binding function. HSS automatically binds quotas to unprotected servers.

Editions: all

Commercial use

Automatic Quota Binding

2

Optimize the agent installation and configuration

Use the same agent installation command for the same OS.

Editions: all

Commercial use

Installing an Agent

3

Optimize the alarm notification

Notify users of successful automatic isolation and killing of malicious programs, automatic blocking of ransomware, and automatic blocking of WTP.

Editions: professional, enterprise, premium, WTP, and container editions

Commercial use

Enabling Alarm Notifications

4

Optimize the vulnerability report

Vulnerability reports can be exported in PDF or HTML format.

Editions: professional, enterprise, premium, WTP, and container editions

Commercial use

Exporting a Vulnerability Report

5

Added the virus scanning and removal function

The function uses the virus detection engine to scan virus files on the server. The scanned file types include executable files, compressed files, script files, documents, images, and audio and video files. You can perform quick scan and full-disk scan on the server as required. You can also customize scan tasks and handle detected virus files in a timely manner to enhance the virus defense capability of the service system.

Editions: professional, enterprise, premium, WTP, and container editions

Open beta testing

Virus Scanning and Removal

6

Added the automatic agent upgrade function

The agent edition is continuously updated to improve server protection capabilities. Therefore, you need to periodically upgrade the agent to the latest version. If you cannot manually upgrade the agent in a timely manner, you are advised to enable the automatic agent upgrade function. HSS will automatically upgrade the agent to the latest version.

Editions: all

Commercial use

Automatic Agent Upgrade

7

Optimized container image security scanning

  • Added security scanning of SWR enterprise edition images.

  • Private images and shared images can be scanned for application vulnerabilities.

  • Private images and shared images can be exported for baseline check reports.

Editions: container edition

Commercial use

Container Image

8

Added the emergency vulnerability scanning function

The emergency vulnerability scan function checks whether the software and any dependencies running on the server have vulnerabilities through version comparison and POC verification. Reports risky vulnerabilities to the console and provides vulnerability alarms for you.

Editions: professional, enterprise, premium, WTP, and container editions

Commercial use

Vulnerability Management

October 2023

No.

Feature

Description

Phase

Document

1

Backup before vulnerability fixing

Vulnerability fixing may fail and interrupt services. To avoid this problem, HSS enables you to back up servers before fixing vulnerabilities. If an exception occurs, you can restore servers to ensure service continuity.

Editions: professional, enterprise, premium, WTP, and container editions

Commercial use

Fixing Vulnerabilities

2

Cluster agent management

To enable protection for all containers in a CCE cluster or an on-premises Kubernetes cluster, you can use the cluster agent management function to install the agent in the cluster. After this function is enabled, you do not need to manually install the agent on new nodes or pods added to the cluster.

Editions: container edition

Commercial use

Installing the Agent in a Cluster

3

Resource monitoring based on Cloud Eye

HSS uses Cloud Eye to perform monitoring over resources and operations, helping you monitor server security and receive alarms and notifications in real time.

Editions: all

Commercial use

Monitoring Security Risks

4

Optimized Dashboard page

The quota management, protection overview, and news modules are added to the HSS Dashboard page. You can easily check the quota usage, enabling status of key functions, and the latest vulnerability information. The security score criteria are optimized to help you quickly locate security risks and improve the security score.

Editions: all

Commercial use

Dashboard

5

Optimized intrusion detection alarms

  • The intrusion detection capability is enhanced. HIPS can detect intrusions in the Linux system. The following types of server and container alarms are added:

    • Servers: abnormal outbound connection and port forwarding

    • Containers: hacker tool, user password theft, file privilege escalation, port forwarding, and abnormal outbound connection

  • The functions of checking and handling intrusion alarms are optimized:

    • ATT&CK phases, forensics, suggestions, and the handling records of similar alarms are added to alarm details, helping you quickly analyze and handle alarms.

    • You can add alarms to the whitelist and create whitelist rules to improve whitelist rule hits to reduce duplicate alarms.

    • When handling a single alarm or handling alarms in batches, you can select Handle duplicate alarms in batches to improve efficiency.

Editions: professional, enterprise, premium, WTP, and container editions

Commercial use

Handling Server Alarms

Handling Container Alarms

6

Container cluster protection

HSS can check for non-compliance baseline issues, vulnerabilities, and malicious files when a container image is started and report alarms on or block container startup that has not been unauthorized or may incur high risks. You can configure container cluster protection policies to block images with vulnerabilities, malicious files, non-compliant baselines, or other threats, hardening cluster security.

Editions: container edition

Commercial use

Enabling Container Cluster Protection

7

Optimized ransomware prevention

Ransomware prevention will be enabled with the HSS premium or higher edition.

Editions: premium, WTP, and container editions

Commercial use

Enabling Ransomware Prevention

8

Application process control

HSS can control different types of application processes on servers. Suspicious and trusted processes are allowed to run, and alarms are generated for malicious processes.

Editions: premium, Web Tamper Protection (WTP), and container editions

Commercial use

Enabling Application Process Control

July 2023

No.

Feature

Description

Phase

Document

1

Container image security

  • Vulnerability reports can be exported for local images.

  • SWR private images support software compliance, basic image information scan, and vulnerability report export.

  • SWR shared images support the scans on vulnerabilities, malicious files, and software information; and vulnerability report export.

Commercial use

Container Images

2

Server vulnerability management

The vulnerability management page is redesigned. The new functions are as follows:

  • Vulnerability and server views: You can view the servers affected by a vulnerability in the vulnerability view; and view the vulnerabilities on a server in the server view.

  • Vulnerability tags: Category tags are added for vulnerabilities and can be used to filter vulnerabilities.

  • Vulnerability whitelist: After a vulnerability is added to the whitelist, its record displayed in the vulnerability list will be marked as ignored and no alarm will be reported. When a new vulnerability scan task is executed, this vulnerability will not be scanned or displayed.

  • Vulnerability handling history: For vulnerabilities that have been handled, you can check who handled them, when then are handled, and the handling results.

  • Automatic vulnerability scan policy: You can specify the scan schedule, scope, and servers for HSS to automatically scan for vulnerabilities.

Commercial use

Viewing Vulnerability Details

Managing the Vulnerability Whitelist

Viewing Vulnerability Handling History

Automatically Scanning for Vulnerabilities

3

Intrusion detection

  • Added automatic blocking of reverse shells. To use this function, enable reverse shell detection, automatic blocking, and the automatic isolation and killing of malicious programs.

  • Added the brute-force attack whitelist: To stop HSS from blocking an IP address suspected of brute-force attacks, you can edit the login security detection policy to add the IP address to the whitelist. You can also configure whether to generate alarms for the brute-force attacks launched from whitelisted IP addresses.

Commercial use

Malicious File Detection

Login Security Check

4

Container intrusion detection

  • Added Docker and Containerd runtime detection.

  • Alarms can be generated for brute-force attacks, malicious files, ransomware, process privilege escalation, and high-risk command executions in container runtime, helping you detect threats in assets in a timely manner.

Commercial use

Container Alarm Events

5

Container asset fingerprint

Information about accounts, auto-started items, clusters, services, workloads, and container instances can be collected to help you identify insecure container assets.

Commercial use

Viewing Container Asset Fingerprints

6

Container security response

You can isolate, suspend, kill, and restore containers with medium or higher security risks to prevent them from affecting secure containers.

Commercial use

Handling Risk Containers

7

Container firewall

The HSS container firewall controls and intercepts network traffic inside and outside a container cluster to prevent malicious access and attacks.

Commercial use

Container Firewall

June 2023

No.

Feature

Description

Phase

Document

1

HSS professional edition

HSS provides the professional edition, where you can isolate and kill Trojans, and can scan for and fix vulnerabilities in a few clicks.

Commercial use

Purchasing an HSS Quota

March 2023

No.

Feature

Description

Phase

Document

1

The Docker plug-in is added to enhance container security.

To improve container security capabilities, the Docker plug-in must be installed for Docker containers (Linux).

Commercial use

Installing a Plug-in

2

Honeypot file protection for Windows

Honeypot files can be deployed in protected directories and important directories (except for the excluded directories specified by users) to trap possible ransomware. If an unknown ransomware attempts to encrypt a honeypot file, HSS immediately generates an alarm.

Commercial use

Enabling Ransomware Prevention

3

The Windows policy group supports antivirus and host intrusion prevention system (HIPS) detection policies.

You can set antivirus detection policies for Windows servers to report, isolate, and kill viruses. You can also set HIPS detection policies to detect registries, files, and processes; and to report alarms for suspicious operations such as abnormal changes.

Commercial use

Policy Group

4

Trojans, viruses, and worms can trigger HID alarms.

HSS can detect, generate alarms on, and remove Trojans, viruses, and worms that intrude servers.

Commercial use

Server Alarms

January 2023

No.

Feature

Description

Phase

Document

1

Privileged processes can be configured in the WTP edition.

If WTP is enabled, the content in the protected directories is read-only. To allow certain processes to modify files in the directories, add them to the privileged process list. Only the modification made by privileged processes can take effect. Modifications made by other processes will be automatically rolled back.

Commercial use

Adding a Privileged Process

2

Batch agent installation

The agent can be installed on multiple servers in batches.

Commercial use

Installing Agents in Batches

November 2022

No.

Feature

Description

Phase

Document

1

Free Scan on Unprotected Servers

Servers that are not protected by HSS are scanned once a week for free. A security report on their vulnerabilities, unsafe passwords, and asset risks will be generated.

Commercial use

Free Scan on Unprotected Servers

2

Manually Performing a Vulnerability Scan

You can manually scan servers for vulnerabilities.

Commercial use

Manually Performing a Vulnerability Scan

September 2022

No.

Feature

Description

Phase

Document

1

Upgrading Your Edition

You can upgrade to a higher edition and enjoy stronger security features.

Commercial use

Upgrading Your Edition

2

Batch Installing Agents

After creating a batch agent installation task, the system will install the agents automatically. You can enable protection for the target servers after the agents are installed successfully.

Commercial use

Batch Installing Agents

July 2022

No.

Feature

Description

Phase

Document

1

Configuring Asset Importance

You can configure the asset importance of a server, and can manage servers by asset importance level.

Commercial use

Configuring Asset Importance

2

Ransomware prevention is supported in Windows

Monitor new files and running processes in real time, control risks in new files, dynamically generate bait files for proactive defense, accurately identify ransomware, and periodically back up servers based on user-defined policies.

Commercial use

Enabling Ransomware Prevention

3

Application Protection

To protect your applications with RASP, you simply need to add probes to them, without having to modify application files.

Commercial use

Viewing Application Protection

June 2022

No.

Feature

Description

Phase

Document

1

Application vulnerability detection

You can check and handle vulnerabilities in applications.

Commercial use

Viewing Details of a Vulnerability

2

Exporting the Baseline Check Report

You can filter and export the baseline check report as required.

Commercial use

Exporting the Baseline Check Report

May 2022

No.

Feature

Description

Phase

Document

1

Asset Details

HSS proactively checks open ports, processes, web directories, and auto-startup entries on your servers Asset Management gives you a better perspective on host asset information and allows you to identify risky server assets in a timely manner. 

Commercial use

Checking Asset Details