Server Alarms
generates alarms on a range of intrusion events, including brute-force attacks, abnormal process behaviors, web shells, abnormal logins, and malicious processes. You can learn all these events on the console, and eliminate security risks in your assets in a timely manner.
Constraints
Servers that are not protected by HSS do not support alarm-related operations.
Supported Alarms and Events
Event Type |
Alarm Name |
Description |
Basic Edition |
Enterprise Edition |
Premium Edition |
WTP Edition |
Supported OS |
Add to Alarm Whitelist |
Isolate and Kill |
---|---|---|---|---|---|---|---|---|---|
Malware |
Unclassified malware |
Malicious programs include Trojans and web shells implanted by hackers to steal your data or control your servers. For example, hackers will probably use your servers as miners or DDoS zombies. This occupies a large number of CPU and network resources, affecting service stability. Check malware, such as web shells, Trojan horses, mining software, worms, and other viruses and variants, and kill them in one click. The malware is found and removed by analysis on program characteristics and behaviors, AI image fingerprint algorithms, and cloud scanning and killing. |
× |
√ |
√ |
√ |
Linux and Windows |
√ |
√ |
Rootkits |
Detect server assets and report alarms for suspicious kernel modules, files, and folders. |
× |
√ |
√ |
√ |
Linux |
√ |
× |
|
Ransomware |
Check for ransomware in web pages, software, emails, and storage media. Ransomware can encrypt and control your data assets, such as documents, emails, databases, source code, images, and compressed files, to leverage victim extortion. |
× |
× |
√ |
√ |
Linux and Windows |
√ |
√ (Partially supported) |
|
Web shells |
Check whether the files (often PHP and JSP files) detected by HSS in your web directories are web shells. You can configure the web shell detection rule in the Web Shell Detection rule on the Policies page. HSS will check for suspicious or remotely executed commands. You need to add a protected directory in policy management. For details, see Web Shell Detection. |
× |
√ |
√ |
√ |
Linux and Windows |
√ |
× |
|
Vulnerability Exploits |
Redis vulnerability exploits |
Detect the modifications made by the Redis process on key directories in real time and report alarms. |
× |
√ |
√ |
√ |
Linux |
√ |
× |
Hadoop vulnerability exploits |
Detect the modifications made by the Hadoop process on key directories in real time and report alarms. |
× |
√ |
√ |
√ |
Linux |
√ |
× |
|
MySQL vulnerability exploits |
Detect the modifications made by the MySQL process on key directories in real time and report alarms. |
× |
√ |
√ |
√ |
Linux |
√ |
× |
|
Abnormal System Behavior |
Reverse shells |
Monitor user process behaviors in real time to detect reverse shells caused by invalid connections. Reverse shells can be detected for protocols including TCP, UDP, and ICMP. You can configure the reverse shell detection rule in the Malicious File Detection rule on the Policies page. HSS will check for suspicious or remotely executed commands. |
× |
√ |
√ |
√ |
Linux |
√ |
× |
File privilege escalations |
Detect file privilege escalation behaviors and generate alarms. |
× |
√ |
√ |
√ |
Linux |
√ |
× |
|
Process privilege escalations |
Detect the privilege escalation operations of the following processes and generate alarms:
|
× |
√ |
√ |
√ |
Linux |
√ |
× |
|
Important file changes |
Monitor important system files (such as ls, ps, login, and top) in real time and generate alarms if these files are modified. For details about the monitored paths, see Monitored Important File Paths. HSS reports all the changes on important files, regardless of whether the changes are performed manually or by processes. |
× |
√ |
√ |
√ |
Linux |
√ |
× |
|
File/Directory changes |
Monitor system files and directories in real time and generate alarms if such files are created, deleted, moved, or if their attributes or content are modified. |
× |
√ |
√ |
√ |
Linux and Windows |
√ |
× |
|
Abnormal process behaviors |
Check the processes on servers, including their IDs, command lines, process paths, and behavior. Send alarms on unauthorized process operations and intrusions. The following abnormal process behavior can be detected:
|
× |
√ |
√ |
√ |
Linux and Windows |
√ |
x (Partially supported) |
|
High-risk command executions |
You can configure what commands will trigger alarms in the High-risk Command Scan rule on the Policies page. HSS checks executed commands in real time and generates alarms if high-risk commands are detected. |
× |
√ |
√ |
√ |
Linux and Windows |
√ |
× |
|
Abnormal shells |
Detect actions on abnormal shells, including moving, copying, and deleting shell files, and modifying the access permissions and hard links of the files. You can configure the abnormal shell detection rule in the Malicious File Detection rule on the Policies page. HSS will check for suspicious or remotely executed commands. |
× |
√ |
√ |
√ |
Linux |
√ |
× |
|
Suspicious crontab tasks |
Check and list auto-started services, scheduled tasks, pre-loaded dynamic libraries, run registry keys, and startup folders. You can get notified immediately when abnormal automatic auto-start items are detected and quickly locate Trojans. |
× |
× |
√ |
√ |
Linux and Windows |
√ |
× |
|
System protection disabling |
Detect the preparations for ransomware encryption: Disable the Windows defender real-time protection function through the registry. Once the function is disabled, an alarm is reported immediately. |
× |
√ |
√ |
√ |
Windows |
√ |
× |
|
Backup deletion |
Detect the preparations for ransomware encryption: Delete backup files or files in the Backup folder. Once backup deletion is detected, an alarm is reported immediately. |
× |
√ |
√ |
√ |
Windows |
√ |
× |
|
Suspicious registry operations |
Detect operations such as disabling the system firewall through the registry and using the ransomware Stop to modify the registry and write specific strings in the registry. An alarm is reported immediately when such operations are detected. |
× |
√ |
√ |
√ |
Windows |
√ |
× |
|
System log deletions |
An alarm is generated when a command or tool is used to clear system logs. |
× |
√ |
√ |
√ |
Windows |
√ |
× |
|
Suspicious command executions |
|
× |
√ |
√ |
√ |
Windows |
√ |
× |
|
Abnormal User Behavior |
Brute-force attacks |
If hackers log in to your servers through brute-force attacks, they can obtain the control permissions of the servers and perform malicious operations, such as steal user data; implant ransomware, miners, or Trojans; encrypt data; or use your servers as zombies to perform DDoS attacks.
Detect brute-force attacks on SSH, RDP, FTP, SQL Server, and MySQL accounts.
|
√ |
√ |
√ |
√ |
Linux and Windows |
√ |
× |
Abnormal logins |
Detect abnormal login behavior, such as remote login and brute-force attacks. If abnormal logins are reported, your servers may have been intruded by hackers. |
√ |
√ |
√ |
√ |
Linux and Windows |
√ |
× |
|
Invalid accounts |
Hackers can probably crack unsafe accounts on your servers and control the servers. HSS checks suspicious hidden accounts and cloned accounts and generates alarms on them. |
× |
√ |
√ |
√ |
Linux and Windows |
√ |
× |
|
Password theft |
Detect the abnormal obtaining of system accounts and password hashes on servers and report alarms. |
× |
√ |
√ |
√ |
Windows |
√ |
× |
|
Abnormal Network Access |
Suspicious download request |
An alarm is generated when a suspicious HTTP request that uses system tools to download programs is detected. |
× |
√ |
√ |
√ |
Windows |
√ |
× |
Suspicious HTTP requests |
An alarm is generated when a suspicious HTTP request that uses a system tool or process to execute a remote hosting script is detected. |
× |
√ |
√ |
√ |
Windows |
√ |
× |
|
Reconnaissance |
Port scan |
Detect scanning or sniffing on specified ports and report alarms. |
× |
× |
√ |
√ |
Linux |
× |
× |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot