Virus Scanning

Last updated: 2024-01-23 15:44:44
    The virus scanning feature scans files in the container for viruses and trojans in real time or on schedule.

    Viewing the Risk Trend

    1. Log in to the TCSS console and click Runtime Security > Virus Scanning on the left sidebar.
    2. The Virus Scanning page displays the pending risks, number of affected containers, and trend.
    Pending risks: It displays the trend of pending risks in the last 7 days and the comparison with the previous day. Hover over the trend to display the number of pending risks of a certain day.
    Affected containers: It displays the trend of affected containers in the last 7 days and the comparison with the previous day. Hover over the trend to display the number of affected containers of a certain day.
    

    Setting the Risk Check

    On the Virus Scanning page, the risk check module allows you to set the scheduled check and real-time monitoring.
    Note:
    Real-time monitoring applies to the incremental files in the configured path.
    Scheduled check applies to all files in the configured path.
    

    Setting scheduled check

    1. In the risk check module, click the icon on the right of Scheduled check.
    2. On the Scheduled check settings page, click the switch to enable scheduled check and set the check time, path to check, and scope of check.
    
    Parameter description:
    Scheduled check: Toggle on or off the switch to enable or disable the feature.
    Checked at
        Check cycle: It can be Every day, Every 3 days, or Every 7 days.
        Check start time: Configure when to start the scheduled check task.
        Timeout period: When the time consumed reaches the timeout period, the check task will end. The default value is five hours.
    Path to check
        All paths: Check all file paths in the container.
        Specified paths: Check specified file paths in the container.
    Scope of check
        Nodes: You can select All servers or Specified servers. The latter option allows you to filter servers by server name/IP for scheduled scan.
        Containers: You can select All containers or Specified containers. The latter option allows you to filter containers by container name/ID for scheduled scan.
    3. Click Save settings.

    Setting real-time monitoring

    1. In the risk check module, click the icon on the right of Real-time monitoring.
    2. On the Real-time monitoring settings page, click the switch to enable real-time monitoring and configure parameters.
    
    Parameter description:
    Real-time monitoring: Click the switch to enable or disable the feature.
    Path to check
        All paths: Check all file paths in the container.
        Specified paths: Check specified file paths in the container.
        Select a path: Select Check the following paths or Check all paths except the following as needed. Click the icon to add up to 30 paths.
    3. Click Save settings.

    Setting quick check

    1. In the risk check module, click Quick check.
    2. On the Quick check page, select the path to check and scope of check and set the timeout period.
    
    Parameter description:
    Path to check:
        All paths: Check all file paths in the container.
        Specified paths: Check specified file paths in the container.
    Scope of check:
        Nodes: You can select All servers or Specified servers. The latter option allows you to filter servers by server name/IP for scheduled scan.
        Containers: You can select All containers or Specified containers. The latter option allows you to filter containers by container name/ID for scheduled scan.
    Timeout settings: When the time consumed reaches the timeout period, the check task will end. The default value is five hours.
    3. Click Start check.

    Viewing the last check result

    In the risk check module, click Last check result to view the details.
    
    Check details:
    Overview
        Numbers of suspicious files, containers in risk, and scanned containers if suspicious files are found in the last scan.
        Start time and end time of the last scan task.
    Check details list: Displays the overview of suspicious files found in the last scan and aggregates them by container.
        The fields in the list include the container name/ID, image name/ID, node name/IP, check status, time consumption, number of risks, and operation items.
        You can check again or stop a running task.
        You can search by server name/IP, container name/ID, or image name/ID.
        Click the icon to view the name and path of the suspicious file, the virus name, and the View details button. Click View details to view the details of the suspicious file.

    Viewing the Event List

    On the Virus Scanning page, the event list module displays the virus and trojan check results.

    Filtering events

    In the event list module, filter events using either of the following methods:
    Click the search box and search for virus and trojan events by keyword such as filename, file path, virus name, or container name.
    Click Container status or the icon on the right to search for virus and trojan events by container status or event status.
    

    Viewing details

    In the event list module, click View details to open the drawer on the right, which displays the basic information of the virus file, event details, event description, and process information. The process information is displayed only in the details of events reported by the real-time monitoring feature.
    

    Processing an event

    In the event list module, click Process now, choose to add the event to the allowlist, isolate it (recommended), ignore it, or delete it, and then click OK.
    
    Parameter description:
    Add to allowlist: If you are sure that the file is not malicious and add it to the allowlist, the file will no longer be checked.
    Isolate (recommended): An isolated virus file cannot be launched again by a hacker. This makes it easy for you to locate and remove the virus file.
    Ignore: Only ignore this alert event. If the same event occurs again, an alert will be sent again.
    Delete: The event record will no longer be displayed in the console and cannot be recovered once deleted. Proceed with caution.

    Automatic File Isolation

    TCSS adds the automatic trojan isolation feature, which automatically isolates files found to be in the system blocklist and custom malicious files.

    Automatic file isolation

    TCSS automatically isolates files found to be in the system blocklist. Some malicious files still need to be manually confirmed and isolated. We recommend you check all the security events in the virus scanning list to ensure that all files are processed. You can recover the files isolated by mistake from the list of isolated files.
    1. Log in to the TCSS console and click Runtime Security > Virus Scanning on the left sidebar.
    2. On the Virus Scanning page, click Detection settings in the top-right corner.
    
    3. In the Detection settings pop-up window, click Isolate files automatically.
    4. In the automatic file isolation module, click the switch to enable or disable automatic isolation. You can also isolate and end processes involving malicious files.
    Note:
    Blocked system files: This list is provided by Tencent Cloud security experts. Files in the list are automatically isolated.
    The Auto isolation switch is toggled off by default and can be toggled on as needed. When enabling automatic isolation, you can specify whether to isolate and end processes involving malicious files.
    When automatic isolation is enabled, it takes effect for both the system blocklist and custom blocklist.
    When automatic isolation is disabled, the setting also applies to both the system blocklist and the custom blocklist, and malicious files associated with the alert will not be automatically isolated.
    

    Custom isolated files

    You can customize and view the list of custom isolated files and enable or disable automatic isolation for the files.
    1. Log in to the TCSS console and click Runtime Security > Virus Scanning on the left sidebar.
    2. On the Virus Scanning page, click Detection settings in the top-right corner.
    
    3. In the Detection settings pop-up window, click Isolate files automatically.
    4. In the Custom isolated files module, toggle on or off the Auto isolation switch, view the details, and download the files.
    
    Instructions:
    Toggle on or off the Auto isolation switch to enable or disable the feature.
    Click Details to view the basic information of the malicious file, description, and fix suggestion.
    Click Download to download the malicious file.

    List of isolated files

    In the event list on the Virus Scanning page, when you manually isolate a malicious file and select "Automatically isolate next time", the MD5 value of the file will be recorded in the list of custom isolated files, and the Auto isolation switch will be on. Then, the system will automatically isolate similar files. When the option is deselected, the record will be deleted from the list, and automatic isolation will no longer take effect.
    
    In the event list on the Virus Scanning page, when you manually isolate a malicious file and don't select "Automatically isolate next time", the MD5 value of the file will be recorded in the list of custom isolated files, and the Auto isolation switch will be off.
    Note:
    To make the automatic isolation of custom isolated files effective, you need to toggle on the Auto isolation switch; otherwise, no automatic isolation will be performed even if you have selected "Automatically isolate next time" when processing security events.
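
The switch behaviour described in the Automatic File Isolation sections above, as a small Python model. This is an added example, not Tencent Cloud code or a TCSS API: the class and function names are hypothetical, the sample bytes are constructed, and it assumes that list matching is an exact MD5 comparison and that the switch in the final note is the global one from Detection settings.

```python
import hashlib
from dataclasses import dataclass, field

AUTO = "auto-isolate"
GLOBAL_OFF = "alert only: global Auto isolation switch is off"
ENTRY_OFF = "alert only: per-file Auto isolation switch is off"
UNLISTED = "alert only: file is on neither blocklist"

def md5_hex(data: bytes) -> str:
    # The page says the custom list records the file's MD5 value.
    return hashlib.md5(data).hexdigest()

@dataclass
class IsolationPolicy:
    """Hypothetical model of the documented switches; not a TCSS API."""
    auto_isolation_on: bool = False  # the page: toggled off by default
    system_blocklist: set = field(default_factory=set)  # MD5s (constructed)
    custom_list: dict = field(default_factory=dict)  # MD5 -> per-file switch

    def manual_isolate(self, data: bytes, auto_next_time: bool) -> None:
        # The MD5 is recorded either way; the checkbox sets the per-file switch.
        self.custom_list[md5_hex(data)] = auto_next_time

    def deselect(self, data: bytes) -> None:
        # Deselecting "Automatically isolate next time" deletes the record.
        self.custom_list.pop(md5_hex(data), None)

    def decide(self, data: bytes) -> str:
        # Outcome for a file that a scan has already flagged.
        digest = md5_hex(data)
        if digest not in self.system_blocklist:
            if digest not in self.custom_list:
                return UNLISTED  # still needs manual confirmation
            if not self.custom_list[digest]:
                return ENTRY_OFF
        return AUTO if self.auto_isolation_on else GLOBAL_OFF

def demo() -> list:
    sample = b"constructed sample bytes"  # constructed, not real malware
    other = b"a different constructed file"
    policy = IsolationPolicy()
    policy.manual_isolate(sample, auto_next_time=True)
    results = [policy.decide(sample)]      # listed, but global switch off
    policy.auto_isolation_on = True
    results.append(policy.decide(sample))  # both switches on
    policy.manual_isolate(other, auto_next_time=False)
    results.append(policy.decide(other))   # recorded, per-file switch off
    policy.deselect(sample)
    results.append(policy.decide(sample))  # record deleted
    return results
```

The first result of `demo()` is the case the note warns about: the file was isolated with "Automatically isolate next time" selected, yet nothing is isolated automatically until the global switch is on.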
    