Functions and Features

HSS provides asset management, vulnerability management, intrusion detection, baseline inspection, and web tamper protection (WTP) functions.

Asset Management

Deeply scan the accounts, ports, processes, web directories, software information, and auto-started tasks on your servers. You can manage all your information assets on the Assets page.

**Table 1** Asset management
Function	Description	Check Mode
Account information management	Check and manage all accounts on your servers to keep them secure. You can check real-time and historical account information to find suspicious accounts. Real-time account information includes Account ID, server quantity and names, Administrator Rights, User Group, User Directory, and User Startup Shell. The operation history of an account includes the Action, Account ID, Administrator Rights, User Group, User Directory, User Startup Shell, and Time of the action.	Real-time check
Open port check	Check open ports on your servers, including risky and unknown ports. You can check Port Type, Servers, Risk Level, Status, Port Description, and the specific Server, Bound IP Address, Status, PID, and Program File of a port.	Real-time check
Process check	Check processes on your servers and find abnormal processes. You can check Process Name, Servers, Total Number of Processes, Total Number of File Names, and the specific Server, Process Path, File Permission, User, PID, and startup time of a process.	Real-time check
Web directory management	Check and manage directories used by web services on your servers. You can check the File Path, Application Type, Local Port, URL, PID, and Program File.	Real-time check
Software information management	Check and manage all software installed on your servers, and identify insecure versions. You can check real-time and historical software information to determine whether the software is risky. Real-time software information includes the Software Name, server quantity and names, and Software Version. The software operation history includes Action, Software Name, Software Version, and Time. You can use the manual detection function to check software information.	Automatic check in the early morning every day Manual check
Auto-startup	Check and list auto-started services, scheduled tasks, pre-loaded dynamic libraries, run registry keys, and startup folders. You can get notified immediately when abnormal automatic auto-start items are detected and quickly locate Trojans.	Real-time check

Vulnerability Management

The vulnerability management function detects vulnerabilities and risks in Linux OSs, Windows OSs, and Web content management systems (Web-CMSs).

**Table 2** Vulnerability management
Function	Description	Check Mode
Software vulnerability detection	Check vulnerabilities in Linux and Windows OSs. Check and handle vulnerabilities in your system and the software (such as SSH, OpenSSL, Apache, and MySQL) you obtained from official sources and have not compiled.	Automatic check in the early morning every day Manual check
Web-CMS vulnerability detection	Check and handle vulnerabilities found by scanning web directories and files in your Web-CMS.

Baseline Inspection

The baseline check function detects risky configurations of server systems and key software.

**Table 3** Baseline inspection
Function	Description	Check Mode
Password policy check	Check whether your password complexity policy is proper and modify it based on suggestions provided by HSS, improving password security. You can use the manual detection function to check password complexity policies.	Automatic check in the early morning every day Manual check
Common weak password detection	Check for weak passwords and remind users to change them, preventing easy guessing. On the Common Weak Password Detection tab, you can view the account name, account type, and usage duration of a weak password. You can use the manual detection function to detect weak passwords on servers.	Automatic check in the early morning every day Manual check
Unsafe configuration item check	Check for unsafe Tomcat, Nginx, and SSH login configurations. On the Configure Detection page, you can view the description, matched detection rule, threat level, and status of a configuration. You can handle risky configuration items and ignore trusted items based on the detection rules and detection results. You can use the manual detection function to check key configurations.	Automatic check in the early morning every day Manual check

Intrusion Detection

The intrusion detection function identifies and prevents intrusion to servers, discovers risks in real time, detects and kills malicious programs, and identifies web shells and other threats.

**Table 4** Intrusion detection
Intrusion	How HSS Detects It	Check Mode
Brute-force attack	Detect brute-force attacks on SSH, RDP, FTP, SQL Server, and MySQL accounts. If the number of brute-force attacks from an IP address reaches 5 within 30 seconds, the IP address will be blocked. By default, suspicious SSH attackers are blocked for 12 hours. Other types of suspicious attackers are blocked for 24 hours. You can check whether the IP address is trustworthy based on its attack type and how many times it has been blocked. You can manually unblock the IP addresses you trust.	Real-time check
Abnormal login	Detect abnormal login behavior, such as remote login and brute-force attacks. Check and handle remote logins. HSS can check the blocked login IP addresses, and who used them to log in to which servers at what time. If a user's login location is not any common login location you set, an alarm will be triggered. Trigger an alarm if a user logs in by a brute-force attack.	Real-time check
Malicious program (cloud scan)	Check and kill malware, such as viruses, Trojan horses, web shells, worms, mining software, unknown malicious programs, and variants. All this can be done with just a few clicks. The malware is found and removed by analysis on program characteristics and behaviors, AI image fingerprint algorithms, and cloud scanning and killing. HSS can detect only running malicious programs. You can manually isolate and kill identified and suspicious malicious programs, and cancel the isolation of and ignore trusted programs. NOTE: HSS can detect only running malicious programs.	Real-time check
Abnormal process behavior	All the running processes on all your servers are monitored for you. You can create a process whitelist to ignore alarms on trusted processes, and can receive alarms on unauthorized process behavior and intrusions. The following abnormal process behavior can be detected: Abnormal CPU usage Processes accessing malicious IP addresses Abnormal increase in concurrent process connections	Real-time check
Changes made to critical files	Check alarms about modifications on key files (such as ls, ps, login, and top). Key file change information includes the paths of modified files, the last modification time, and names of the servers storing configuration files.	Real-time check
Web shells	Check whether the files (often PHP and JSP files) in your web directories are web shells. Web shell information includes the Trojan file path, status, first discovery time, and last discovery time. You can choose to ignore warning on trusted files. You can use the manual detection function to detect web shells on servers.	Real-time check Manual check
Reverse shell	Monitor user process behaviors in real time to detect reverse shells caused by invalid connections. Reverse shells can be detected for protocols including TCP, UDP, and ICMP.	Real-time check
Abnormal shell	Detect actions on abnormal shells, including moving, copying, and deleting shell files, and modifying the access permissions and hard links of the files.	Real-time check
High-risk command execution	Check executed commands in real time and generate alarms on high-risk commands.	Real-time check
Auto-startup check	Check and list auto-started services, scheduled tasks, pre-loaded dynamic libraries, run registry keys, and startup folders.	Real-time check
Unsafe account	Scan accounts on servers and list suspicious accounts in a timely manner. You can check the name, user group, UID/SID, user directory, and startup shell of an account.	Real-time check
Privilege escalation	Detect privilege escalation for processes and files in the current system. The following abnormal privilege escalation operations can be detected: Root privilege escalation by exploiting SUID program vulnerabilities Root privilege escalation by exploiting kernel vulnerabilities File privilege escalation	Real-time check
Rootkit	Detect suspicious rootkit installation in a timely manner by checking: File signatures Hidden files, ports, processes, and kernel modules	Automatic check every day

Advanced Protection

Function	Description	Check Mode
Application recognition service (ARS)	Set whitelist policies, and determine whether applications are Trusted, Untrusted, or Unknown. The applications that are not whitelisted are not allowed to run. This function protects your servers from untrusted or malicious applications, reducing unnecessary resource usage.	Real-time check
File integrity monitoring (FIM)	Check the files in the Linux OS, applications, and other components to detect tampering.	Real-time check
Ransomware prevention	Analyze operations on servers, identify trusted applications, and report alarms on untrusted applications, depending on your settings.	Real-time check

WTP

Web Tamper Protection (WTP) can detect and prevent tampering of files in specified directories, including web pages, documents, and images, and quickly restore them using valid backup files.

**Table 5** WTP
Function	Description	Check Mode
Static WTP	Prevents static web page files on website servers from being tampered with.	Real-time check
Dynamic WTP	Prevents dynamic web page content in website databases from being tampered with.	Real-time check