Help Center/ Host Security Service/ User Guide/ Server Protection/ Ransomware Prevention/ Viewing and Handling Ransomware Protection Events
Updated on 2024-10-28 GMT+08:00

Viewing and Handling Ransomware Protection Events

After ransomware protection is enabled, if a ransomware attack event occurs on the server, the event will be recorded and displayed in the ransomware event list. You can handle the events based on your service requirements.

Prerequisites

You have enabled HSS premium, WTP, or container edition.

Constraints

After ransomware protection is enabled, you need to handle ransomware alarms and fix the vulnerabilities in your systems and middleware in a timely manner.

Viewing and Handling Ransomware Prevention Events

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
  3. Choose Server Protection > Ransomware Prevention.

    If your servers are managed by enterprise projects, you can select the target enterprise project to view or operate the asset and detection information.

  4. Click the Events tab and check events.

    To check alarm details, click an alarm name.

    Figure 1 Viewing protection events

  5. After confirming the severity of an event, click Handle in the Operation column of the target event to handle the event.

    You can also select multiple events and click Batch Handle above the list to handle events in batches.

  6. In the Handle Event dialog box, select an action. For details, see Table 1.

    Figure 2 Selecting an action
    Table 1 Alarm handling methods

    Parameter

    Description

    Action

    • Mark as handled

      For a manually handled event, you can add remarks to record the details about the event.

    • Ignore

      Ignore the current alarm. Any new alarms of the same type will still be reported by HSS.

    • Add to Alarm Whitelist

      Add false alarmed items to the login whitelist.

      HSS will no longer report alarm on the whitelisted items. A whitelisted alarm will not trigger alarms.

      After adding an alarm to the alarm whitelist, you can customize a whitelist rule. The custom rule types vary depending on the alarm types, including the file path, process path, process command line, remote IP address, and user name. By default, HSS automatically fills in the rule based on the alarm summary. You can modify the rule as required. If a detected alarm event hit the rule you specified, HSS does not generate an alarm.

    • Isolate and kill

      If a program is isolated and killed, it will be terminated immediately and no longer able to perform read or write operations. Isolated source files of programs or processes are displayed on the Isolated Files slide-out panel and cannot harm your servers.

      You can click Isolated Files on the upper right corner to check the files. For details, see Managing Isolated Files.

      NOTE:

      When a program is isolated and killed, the process of the program is terminated immediately. To avoid impact on services, check the detection result, and cancel the isolation of or unignore misreported malicious programs (if any).

    Batch Handle

    If this option is selected, the same alarms triggered at different time are handled in batches. If no duplicate alarm is displayed after you select it, it indicates no duplicate alarms have been generated.

    Remarks

    You can add remarks for convenient backtracking.

  1. Click OK.