Server Alarms

HSS generates alarms on a range of intrusion events, including brute-force attacks, abnormal process behaviors, web shells, abnormal logins, and malicious processes. You can learn all these events on the console, and eliminate security risks in your assets in a timely manner.

Constraints

Servers that are not protected by HSS do not support alarm-related operations.

Supported Alarms and Events

Event Type

Alarm Name

Description

Enterprise Edition

Premium Edition

WTP Edition

Supported OS

Add to Alarm Whitelist

Manual Isolation and Killing

Automatic Isolation and Killing

Malware

Unclassified malware

Malicious programs include Trojans and web shells implanted by hackers to steal your data or control your servers.

For example, hackers will probably use your servers as miners or DDoS zombies. This occupies a large number of CPU and network resources, affecting service stability.

Check malware, such as web shells, Trojan horses, mining software, worms, and other viruses and variants, and kill them in one-click. The malware is found and removed by analysis on program characteristics and behaviors, AI image fingerprint algorithms, and cloud scanning and killing.

Y

Y

Y

Linux and Windows

Y

Y

Y

Viruses

Detect viruses in server assets, report alarms, and support automatic or manual viruses isolation and killing based on the alarms.

Y

Y

Y

Linux and Windows

Y

Y

Y

Worms

Detect and kill worms on servers and report alarms.

Y

Y

Y

Linux and Windows

Y

Y

Y

Trojans

Detect and remove Trojan and viruses on servers and report alarms.

Y

Y

Y

Linux and Windows

Y

Y

Y

Botnets

Detect and kill botnets on servers and report alarms.

Y

Y

Y

Linux and Windows

Y

Y

Y

Backdoors

Detect backdoors in servers and reports alarms.

Y

Y

Y

Linux and Windows

Y

Y

x

Rootkits

Detect server assets and report alarms for suspicious kernel modules, files, and folders.

Y

Y

Y

Linux

Y

x

x

Ransomware

Check for ransomware in web pages, software, emails, and storage media.

Ransomware can encrypt and control your data assets, such as documents, emails, databases, source code, images, and compressed files, to leverage victim extortion.

x

Y

Y

Linux and Windows

Y

Y (Partially supported)

Y (Partially supported)

Hacker tools

Detect and kill hacker tools on servers and reports alarms.

Y

Y

Y

Linux and Windows

Y

Y

x

Web shells

Check whether the files (often PHP and JSP files) detected by HSS in your web directories are web shells.

You can configure the web shell detection rule in the Web Shell Detection rule on the Policies page. HSS will check for suspicious or remotely executed commands.

You need to add a protected directory in policy management. For details, see Web Shell Detection.

Y

Y

Y

Linux and Windows

Y

Y

Y (If HSS determines a Web shell file is a real threat, the file will be isolated and killed.)

x

Mining

Detect, scan, and remove mining software on servers, and report alarms.

Y

Y

Y

Linux and Windows

Y

Y

Y

Vulnerability Exploits

Remote code execution

Detect and report alarms on server intrusions that exploit vulnerabilities in real time.

Y

Y

Y

Linux and Windows

Y

x

x

Abnormal System Behavior

Reverse shells

Monitor user process behaviors in real time to report alarms on and block reverse shells caused by invalid connections.

Monitor user process behaviors in real time to detect reverse shells caused by invalid connections.

Reverse shells can be detected for protocols including TCP, UDP, and ICMP.

You can configure the reverse shell detection rule in the Malicious File Detection rule on the Policies page. HSS will check for suspicious or remotely executed commands.

You can also configure automatic blocking of reverse shells in the HIPS Detection rule on the Policies page.

Y

Y

Y

Linux

Y

x

x

File privilege escalations

Detect file privilege escalation behaviors and generate alarms.

Y

Y

Y

Linux

Y

x

x

Process privilege escalations

Detect the privilege escalation operations of the following processes and generate alarms:

  • Root privilege escalation by exploiting SUID program vulnerabilities

  • Root privilege escalation by exploiting kernel vulnerabilities

Y

Y

Y

Linux

Y

x

x

Important file changes

Monitor important system files (such as ls, ps, login, and top) in real time and generate alarms if these files are modified. For details about the monitored paths, see Monitored Important File Paths.

HSS reports all the changes on important files, regardless of whether the changes are performed manually or by processes.

Y

Y

Y

Linux

Y

x

x

File/Directory changes

Monitor system files and directories in real time and generate alarms if such files are created, deleted, moved, or if their attributes or content are modified.

Y

Y

Y

Linux and Windows

Y

x

x

Abnormal process behaviors

Check the processes on servers, including their IDs, command lines, process paths, and behavior.

Send alarms on unauthorized process operations and intrusions.

The following abnormal process behavior can be detected:

  • Abnormal CPU usage

  • Processes accessing malicious IP addresses

  • Abnormal increase in concurrent process connections

Y

Y

Y

Linux and Windows

Y

Y (Partially supported)

x

High-risk command executions

You can configure what commands will trigger alarms in the High-risk Command Scan rule on the Policies page.

HSS checks executed commands in real time and generates alarms if high-risk commands are detected.

Y

Y

Y

Linux and Windows

Y

x

x

Abnormal shells

Detect actions on abnormal shells, including moving, copying, and deleting shell files, and modifying the access permissions and hard links of the files.

You can configure the abnormal shell detection rule in the Malicious File Detection rule on the Policies page. HSS will check for suspicious or remotely executed commands.

Y

Y

Y

Linux

Y

x

x

Sensitive file access detection

Detect the unauthorized access to or modifications of sensitive files.

Y

Y

Y

Linux and Windows

Y

x

x

Suspicious crontab tasks

Check and list auto-started services, scheduled tasks, pre-loaded dynamic libraries, run registry keys, and startup folders.

You can get notified immediately when abnormal automatic auto-start items are detected and quickly locate Trojans.

x

Y

Y

Linux and Windows

Y

x

x

System protection disabling

Detect the preparations for ransomware encryption: Disable the Windows defender real-time protection function through the registry. Once the function is disabled, an alarm is reported immediately.

Y

Y

Y

Windows

Y

x

x

Backup deletion

Detect the preparations for ransomware encryption: Delete backup files or files in the Backup folder. Once backup deletion is detected, an alarm is reported immediately.

Y

Y

Y

Windows

Y

x

x

Suspicious registry operations

Detect operations such as disabling the system firewall through the registry and using the ransomware Stop to modify the registry and write specific strings in the registry. An alarm is reported immediately when such operations are detected.

Y

Y

Y

Windows

Y

x

x

System log deletions

An alarm is generated when a command or tool is used to clear system logs.

Y

Y

Y

Windows

Y

x

x

Suspicious command executions

  • Check whether a scheduled task or an automated startup task is created or deleted by running commands or tools.

  • Detect suspicious remote command execution.

Y

Y

Y

Windows

Y

x

x

Suspicious process execution

Detect and report alarms on unauthenticated or unauthorized application processes.

Y

Y

Y

Linux and Windows

Y

x

x

Suspicious process file access

Detect and report alarms on the unauthenticated or unauthorized application processes accessing specific directories.

Y

Y

Y

Linux and Windows

Y

x

x

Abnormal User Behavior

Brute-force attacks

If hackers log in to your servers through brute-force attacks, they can obtain the control permissions of the servers and perform malicious operations, such as steal user data; implant ransomware, miners, or Trojans; encrypt data; or use your servers as zombies to perform DDoS attacks.

Detect brute-force attacks on SSH, RDP, FTP, SQL Server, and MySQL accounts.

  • If the number of brute-force attacks (consecutive incorrect password attempts) from an IP address reaches 5 within 30 seconds, the IP address will be blocked. The default blocking duration is 12 hours.

  • You can check whether the IP address is trustworthy based on its attack type and how many times it has been blocked. You can manually unblock the IP addresses you trust.

Y

Y

Y

Linux and Windows

Y

x

x

Abnormal logins

Detect abnormal login behavior, such as remote login and brute-force attacks. If abnormal logins are reported, your servers may have been intruded by hackers.

  • Check and handle remote logins.

    You can check the blocked login IP addresses, and who used them to log in to which server at what time.

    If a user's login location is not any common login location, an alarm will be triggered.

  • Trigger an alarm if a user logs in to the server by a brute-force attack.

Y

Y

Y

Linux and Windows

Y

x

x

Invalid accounts

Hackers can probably crack unsafe accounts on your servers and control the servers.

HSS checks suspicious hidden accounts and cloned accounts and generates alarms on them.

Y

Y

Y

Linux and Windows

Y

x

x

User account added

Detect the commands used to create hidden accounts. Hidden accounts cannot be found in the user interaction interface or be queried by commands.

Y

Y

Y

Windows

Y

x

x

Password theft

Detect the abnormal obtaining of system accounts and password hashes on servers and report alarms.

Y

Y

Y

Windows

Y

x

x

Abnormal Network Access

Unknown network access

Detect access to ports that are not listened by the server.

Y

Y

Y

Windows

Y

x

x

Abnormal outbound connection

Report alarms on suspicious IP addresses that initiate outbound connections.

Y

Y

Y

Linux

Y

x

x

Port forwarding

Report alarms on port forwarding performed using suspicious tools.

Y

Y

Y

Linux

Y

x

x

Suspicious download request

An alarm is generated when a suspicious HTTP request that uses system tools to download programs is detected.

Y

Y

Y

Windows

Y

x

x

Suspicious HTTP requests

An alarm is generated when a suspicious HTTP request that uses a system tool or process to execute a remote hosting script is detected.

Y

Y

Y

Windows

Y

x

x

Reconnaissance

Port scan

Detect scanning or sniffing on specified ports and report alarms.

x

Y

Y

Linux

x

x

x

Host scan

Detect the network scan activities based on server rules (including ICMP, ARP, and nbtscan) and report alarms.

x

Y

Y

Linux

Y

x

x

Security Alarm Severities

HSS alarm severities indicate alarm impact on service systems. It can be Critical, High, Medium, or Low. For details, see Table 1.

Table 1 Security alarm severities

Alarm Severity

Description

Critical

A critical alarm indicates that the system is severely attacked, which may cause data loss, system breakdown, or long service interruption. For example, such alarms are generated if ransomware encryption behaviors or malicious programs are detected. You are advised to handle the alarms immediately to avoid severe system damage.

High

A high-risk alarm indicates that the system may be under an attack that has not caused serious damage. For example, such alarms are generated if unauthorized login attempts are detected or unsafe commands (for deleting critical system files or modifying system settings) are executed. You are advised to investigate and take measures in a timely manner to prevent attacks from spreading.

Medium

A medium-risk alarm indicates that the system has potential security threats, but there are no obvious signs of being attacked. For example, if abnormal modifications of a file or directory are detected, there may be potential attack paths or configuration errors in the system. You are advised to further analyze and take proper preventive measures to enhance system security.

Low

A low-risk alarm indicates that a minor security threat exists in the system but does not have significant impact on your system. For example, such alarms are generated if port scans are detected, indicating that there may be attackers trying to find system vulnerabilities. These alarms do not require immediate emergency measures. If you have high requirements on asset security, pay attention to the security alarms of this level.

Monitored Important File Paths

Type

Linux

bin

/bin/ls

/bin/ps

/bin/bash

/bin/login

usr

/usr/bin/ls

/usr/bin/ps

/usr/bin/bash

/usr/bin/login

/usr/bin/passwd

/usr/bin/top

/usr/bin/killall

/usr/bin/ssh

/usr/bin/wget

/usr/bin/curl