Server Alarms
HSS generates alarms on a range of intrusion events, including brute-force attacks, abnormal process behaviors, web shells, abnormal logins, and malicious processes. You can view all these events on the console and eliminate security risks in your assets in a timely manner.
Alarms generated by AV detection and HIPS detection are displayed under different types of events.
- Alarms generated by AV detection are displayed only under Malware events.
- Alarms generated by HIPS detection are displayed in subcategories of all event types.
Constraints
Servers that are not protected by HSS do not support alarm-related operations.
Server Security Alarms
For details about server security alarm types and alarm items, see Table 1. Alarms vary by HSS edition. For details, see Features.
| Alarm Type | Alarm Type Description | Alarm | Alarm Description |
|---|---|---|---|
| Malware | Malicious software includes viruses, worms, Trojans, and web shells implanted by hackers to steal your data or control your servers. For example, hackers may use your servers as miners or DDoS zombies, which consumes large amounts of CPU and network resources and affects service stability. | Unclassified malware | Check for malware, such as web shells, Trojan horses, mining software, worms, and other viruses and variants, and remove them with one click. Malware is found and removed by analyzing program characteristics and behaviors, AI image fingerprint algorithms, and cloud scanning and killing. Supported OSs: Linux and Windows. Isolation and removal: automated or manual |
| | | Viruses | Detect diverse viruses in server assets, report alarms, and isolate and remove virus files. Supported OSs: Linux and Windows. Isolation and removal: automated or manual |
| | | Worms | Detect and kill worms on servers and report alarms. Supported OSs: Linux and Windows. Isolation and removal: automated or manual |
| | | Trojans | Detect and remove Trojans and viruses on servers and report alarms. Supported OSs: Linux and Windows. Isolation and removal: automated or manual |
| | | Botnets | Detect and kill botnets on servers and report alarms. Supported OSs: Linux and Windows. Isolation and removal: automated or manual |
| | | Backdoors | Detect backdoors on servers and report alarms. Supported OSs: Linux and Windows. Isolation and removal: automated or manual |
| | | Rootkits | Scan server assets and report alarms on suspicious kernel modules, files, and folders. Supported OSs: Linux. |
| | | Ransomware | Check for ransomware in web pages, software, emails, and storage media. Ransomware encrypts and controls your data assets, such as documents, emails, databases, source code, images, and compressed files, to extort victims. Supported OSs: Linux and Windows. Isolation and removal: some ransomware can be automatically or manually detected, isolated, and removed. |
| | | Hacker tools | Detect and kill hacker tools on servers and report alarms. Supported OSs: Linux and Windows. Isolation and removal: manual |
| | | Web shells | Check whether the files (often PHP and JSP files) detected by HSS in your web directories are web shells. You can configure the web shell detection rule in the Web Shell Detection rule on the Policies page. HSS checks for suspicious or remotely executed commands. You need to add a protected directory in policy management. For details, see Web Shell Detection. Supported OSs: Linux and Windows. Isolation and removal: manual |
| | | Mining software | Detect, scan, and remove mining software on servers, and report alarms. Supported OSs: Linux and Windows. Isolation and removal: automated or manual |
| Vulnerability Exploits | The exploitation of vulnerabilities in the server system, software, or network to obtain unauthorized access, steal data, or damage the target system. Exploits can be performed remotely or locally. In a remote vulnerability exploit, an attacker connects to the target system through the network and discovers system vulnerabilities to launch attacks. In a local vulnerability exploit, an attacker who already has low access permissions on the target system exploits vulnerabilities to escalate permissions or perform other malicious operations. | Remote code executions | Detect server intrusions that exploit vulnerabilities in real time and report alarms. Supported OSs: Linux and Windows. |
| | | Redis vulnerability exploits | Detect modifications made by the Redis process to key directories in real time and report alarms. Supported OSs: Linux. |
| | | Hadoop vulnerability exploits | Detect modifications made by the Hadoop process to key directories in real time and report alarms. Supported OSs: Linux. |
| | | MySQL vulnerability exploits | Detect modifications made by the MySQL process to key directories in real time and report alarms. Supported OSs: Linux. |
| Abnormal System Behaviors | Abnormal system behaviors occur while servers are running and are usually caused by system faults, malicious attacks, or security vulnerabilities. They may cause data loss or system breakdown. To protect server system and data security, it is important to detect and handle abnormal system behaviors in a timely manner. | Reverse shells | Monitor user process behaviors in real time to detect, report alarms on, and block reverse shells caused by invalid connections. Reverse shells can be detected for the TCP, UDP, and ICMP protocols. You can configure the reverse shell detection rule in the Malicious File Detection rule on the Policies page. HSS checks for suspicious or remotely executed commands. You can also configure automatic blocking of reverse shells in the HIPS Detection rule on the Policies page. Supported OSs: Linux. |
| | | File privilege escalations | Detect file privilege escalation behaviors and generate alarms. Supported OSs: Linux. |
| | | Process privilege escalations | Detect the privilege escalation operations of the following processes and generate alarms: Supported OSs: Linux. |
| | | Important file changes | Monitor important system files (such as ls, ps, login, and top) in real time and generate alarms if these files are modified. For details about the monitored paths, see Monitored Important File Paths. HSS reports all changes to important files, regardless of whether the changes are made manually or by processes. Supported OSs: Linux. |
| | | File/Directory changes | Monitor system files and directories in real time and generate alarms if such files are created, deleted, or moved, or if their attributes or content are modified. Supported OSs: Linux and Windows. |
| | | Abnormal process behaviors | Check the processes on servers, including their IDs, command lines, process paths, and behaviors. Report alarms on unauthorized process operations and intrusions. The following abnormal process behaviors can be detected: Supported OSs: Linux and Windows. Isolation and killing: some abnormal processes can be manually isolated and killed. |
| | | High-risk command executions | You can configure which commands trigger alarms in the High-risk Command Scan rule on the Policies page. HSS checks executed commands in real time and generates alarms if high-risk commands are detected. Supported OSs: Linux and Windows. |
| | | Abnormal shells | Detect actions on abnormal shells, including moving, copying, and deleting shell files, and modifying the access permissions and hard links of the files. You can configure the abnormal shell detection rule in the Malicious File Detection rule on the Policies page. HSS checks for suspicious or remotely executed commands. Supported OSs: Linux. |
| | | Sensitive file access detection | Detect unauthorized access to or modification of sensitive files. Supported OSs: Linux and Windows. |
| | | Suspicious crontab tasks | Check and list auto-started services, scheduled tasks, pre-loaded dynamic libraries, run registry keys, and startup folders. You are notified immediately when abnormal auto-start items are detected, so you can quickly locate Trojans. Supported OSs: Linux and Windows. |
| | | System protection disabling | Detect a common preparation for ransomware encryption: disabling Windows Defender real-time protection through the registry. Once the function is disabled, an alarm is reported immediately. Supported OSs: Windows. |
| | | Backup deletion | Detect operations performed by ransomware before it encrypts your data. Once HSS detects that backup files or files in the Backup folder are deleted, an alarm is reported. Supported OSs: Windows. |
| | | Suspicious registry operations | Detect operations such as disabling the system firewall through the registry, and the registry modifications and specific strings written by the Stop ransomware. An alarm is reported immediately when such operations are detected. Supported OSs: Windows. |
| | | System log deletion | An alarm is generated when a command or tool is used to clear system logs. Supported OSs: Windows. |
| | | Suspicious command executions | Supported OSs: Windows. |
| | | Suspicious process executions | If application process control is enabled, HSS checks for application processes that are not authenticated or authorized by the whitelist policy, and reports an alarm if such a process is detected. For more information, see Application Process Control Overview. Supported OSs: Linux and Windows. |
| | | Suspicious process file access | If application process control is enabled, HSS checks for application processes that access specified directories but are not authenticated or authorized by the whitelist policy, and reports an alarm if such a process is detected. For more information, see Application Process Control Overview. Supported OSs: Linux and Windows. |
| Abnormal User Behaviors | Abnormal or unexpected user behaviors that occur in a specific environment or system, sometimes within a short period of time, such as abnormal logins or unauthorized access. To detect and identify these behaviors, user operations need to be checked and analyzed. | Brute-force attacks | If hackers log in to your servers through brute-force attacks, they can obtain control of the servers and perform malicious operations, such as stealing user data; implanting ransomware, miners, or Trojans; encrypting data; or using your servers as zombies to perform DDoS attacks. Detect brute-force attacks on SSH, RDP, FTP, SQL Server, and MySQL accounts. Supported OSs: Linux and Windows. |
| | | Abnormal logins | Detect abnormal login behavior, such as remote logins and brute-force attacks. If abnormal logins are reported, your servers may have been intruded by hackers. Supported OSs: Linux and Windows. |
| | | Invalid accounts | Hackers may crack unsafe accounts on your servers and take control of them. HSS checks for suspicious hidden accounts and cloned accounts and generates alarms on them. Supported OSs: Linux and Windows. |
| | | User account added | Detect the commands used to create hidden accounts. Hidden accounts cannot be found in the user interaction interface or queried by commands. Supported OSs: Windows. |
| | | Password thefts | Detect abnormal retrieval of the hash values of system accounts and passwords on servers and report alarms. Supported OSs: Windows. |
| Abnormal Network Access | Abnormal network access refers to exceptions that occur during network connection or data transmission and that differ from normal usage. These exceptions include abnormal resource usage, unauthorized access, and abnormal connections. Abnormal network access behaviors on servers may be a prelude to attacks. | Cloud honeypots | An alarm is reported if a connection to the honeypot port of a server is detected. Supported OSs: Linux and Windows. |
| | | Suspicious download requests | An alarm is generated when a suspicious HTTP request that uses system tools to download programs is detected. Supported OSs: Windows. |
| | | Suspicious HTTP requests | An alarm is generated when a suspicious HTTP request that uses a system tool or process to execute a remotely hosted script is detected. Supported OSs: Windows. |
| | | Abnormal outbound connections | Report alarms on suspicious IP addresses that initiate outbound connections. Supported OSs: Linux. |
| | | Port forwarding | Report alarms on port forwarding using suspicious tools. Supported OSs: Linux. |
| Reconnaissance | Reconnaissance is the act of gathering information about a target network before launching an attack. | Port scan | Detect scanning or sniffing on specified ports and report alarms. Supported OSs: Linux. |
| | | Host scan | Detect network scan activities based on server rules (including ICMP, ARP, and nbtscan) and report alarms. Supported OSs: Linux. |
| Fileless Attacks | A fileless attack does not release malicious executable files. Instead, it writes malicious code into the system memory or registry. Because no malicious files are used, such an attack is difficult to detect. Fileless attacks are classified into the following types based on disk file activities: | Process injection | Scan for malicious code injection into running processes and report alarms. Supported OSs: Linux. |
| | | Dynamic library injection | Scan for payloads injected by hijacking functions in dynamic link libraries (DLLs) and report alarms. Supported OSs: Linux. |
| | | Memory file process | Scan for the behavior of creating an anonymous malicious file that exists only in RAM through the memfd_create system call and executing it, and report alarms on such behavior. Supported OSs: Linux. |
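The "Memory file process" alarm above is about executables that exist only in RAM. As an added example that is not part of the HSS documentation or product, the following Python script shows how a defender can spot the same condition on a Linux host: the kernel exposes memfd_create files in /proc as paths starting with /memfd:, so a process whose exe link or executable mappings point there has no on-disk file to scan. The constructed SAMPLE_MAPS content is a hypothetical maps excerpt used for a self-test.

```python
"""Flag processes executing from memfd_create() anonymous files (added example)."""
import os

# The kernel names memfd files "/memfd:<name>", usually followed by " (deleted)",
# in /proc/<pid>/exe and /proc/<pid>/maps. That prefix is the detection key.
MEMFD_PREFIX = "/memfd:"


def is_memfd_path(path: str) -> bool:
    """True if a resolved exe target or maps path refers to a memfd file."""
    return path.startswith(MEMFD_PREFIX)


def executable_memfd_mappings(maps_text: str) -> list:
    """Return memfd-backed regions mapped with execute permission."""
    hits = []
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)  # addr perms offset dev inode [path]
        if len(fields) < 6:
            continue  # anonymous mapping with no path
        perms, path = fields[1], fields[5]
        if "x" in perms and is_memfd_path(path):
            hits.append(path)
    return hits


def scan_proc(proc_root: str = "/proc") -> list:
    """Walk procfs and report PIDs executing from, or mapping, memfd files."""
    findings = []
    try:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:  # no procfs here (non-Linux); nothing to scan
        return findings
    for pid in pids:
        base = os.path.join(proc_root, pid)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "maps")) as f:
                exec_maps = executable_memfd_mappings(f.read())
        except OSError:  # process exited or we lack permission; skip it
            continue
        if is_memfd_path(exe) or exec_maps:
            findings.append({"pid": int(pid), "exe": exe, "memfd_exec_maps": exec_maps})
    return findings


# Constructed sample of /proc/<pid>/maps content for an offline self-test.
SAMPLE_MAPS = (
    "55d0c0000000-55d0c0001000 r-xp 00000000 00:05 123 /memfd:sample (deleted)\n"
    "7f1a00000000-7f1a00020000 r--p 00000000 08:01 456 /usr/lib/libc.so.6\n"
    "7f1a00020000-7f1a00040000 rw-p 00000000 00:00 0\n"
)

if __name__ == "__main__":
    for finding in scan_proc():  # needs root to read other users' exe links
        print(finding)
```

Run it as root so that exe links and maps of all processes are readable; a hit from a process that is not a known legitimate user of memfd (some runtimes and package managers use it) deserves the same triage as the HSS alarm.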