The virus scanning feature scans files in the container for viruses and trojans in real time or on schedule.
Viewing the Risk Trend
1. Log in to the TCSS console and click Runtime Security > Virus Scanning on the left sidebar.
2. The Virus Scanning page displays the pending risks, number of affected containers, and trend.
Pending risks: It displays the trend of pending risks in the last 7 days and the comparison with the previous day. Hover over the trend to display the number of pending risks of a certain day.
Affected containers: It displays the trend of affected containers in the last 7 days and the comparison with the previous day. Hover over the trend to display the number of affected containers of a certain day.
Setting the Risk Check
On the Virus Scanning page, the risk check module allows you to set the scheduled check and real-time monitoring.
Note:
Real-time monitoring applies to the incremental files in the configured path.
Scheduled check applies to all files in the configured path.
Setting scheduled check
1. In the risk check module, click on the right of Scheduled check.
2. On the Scheduled check settings page, click to enable scheduled check and set the check time, path to check, and scope of check.
Parameter description:
Scheduled check: Toggle on or off the switch to enable or disable the feature.
Checked at
Check cycle: It can be Every day, Every 3 days, or Every 7 days.
Check start time: Configure when to start the scheduled check task.
Timeout period: When the time consumed reaches the timeout period, the check task will end. The default value is five hours.
Path to check
All paths: Check all file paths in the container.
Specified paths: Check specified file paths in the container.
Scope of check
Nodes: You can select All servers or Specified servers. The latter option allows you to filter servers by server name/IP for scheduled scan.
Containers: You can select All containers or Specified containers. The latter option allows you to filter containers by container name/ID for scheduled scan.
3. Click Save settings.
Setting real-time monitoring
1. In the risk check module, click on the right of Real-time monitoring.
2. On the Real-time monitoring settings page, click to enable real-time monitoring and configure parameters.
Parameter description:
Real-time monitoring: Click the switch to enable or disable the feature.
Path to check
All paths: Check all file paths in the container.
Specified paths: Check specified file paths in the container.
Select a path: Select Check the following paths or Check all paths except the following as needed. Click to add up to 30 paths.
3. Click Save settings.
Setting quick check
1. In the risk check module, click Quick check.
2. On the Quick check page, select the path to check and scope of check and set the timeout period.
Parameter description:
Path to check:
All paths: Check all file paths in the container.
Specified paths: Check specified file paths in the container.
Scope of check:
Nodes: You can select All servers or Specified servers. The latter option allows you to filter servers by server name/IP for scheduled scan.
Containers: You can select All containers or Specified containers. The latter option allows you to filter containers by container name/ID for scheduled scan.
Timeout settings: When the time consumed reaches the timeout period, the check task will end. The default value is five hours.
3. Click Start check.
Viewing the last check result
In the risk check module, click Last check result to view the details.
Check details:
Overview
Numbers of suspicious files, containers in risk, and scanned containers if suspicious files are found in the last scan.
Start time and end time of the last scan task.
Check details list: Displays the overview of suspicious files found in the last scan and aggregates them by container.
The fields in the list include the container name/ID, image name/ID, node name/IP, check status, time consumption, number of risks, and operation items.
You can check again or stop a running task.
You can search by server name/IP, container name/ID, or image name/ID.
Click to view the name and path of the suspicious file, the virus name, and the View details button. Click View details to view the details of the suspicious file.
Viewing the Event List
On the Virus Scanning page, the event list module displays the virus and trojan check results.
Filtering events
In the event list module, filter events in either of the following methods:
Click the search box and search for virus and trojan events by keyword such as filename, file path, virus name, or container name.
Click Container status or on the right to search for virus and trojan events by container status or event status.
Viewing details
In the event list module, click View details to pop up the drawer on the right, which displays the basic information of the virus file, event details, event description, and process information. The process information is displayed only in the details of events reported by the real-time monitoring feature.
Processing an event
In the event list module, click Process now to add an event to the allowlist or isolate (recommended), ignore, or delete it and then click OK.
Parameter description:
Add to allowlist: If you are sure that the file is not malicious and add it to the allowlist, the file will no longer be checked.
Isolate (recommended): An isolated virus file cannot be launched again by a hacker. This makes it easy for you to locate and remove the virus file.
Ignore: Only ignore this alert event. If the same event occurs again, an alert will be sent again.
Delete: The event record will no longer be displayed in the console and cannot be recovered once deleted. Proceed with caution.
Automatic File Isolation
TCSS adds the automatic trojan isolation feature, which automatically isolates files found to be in the system blocklist and custom malicious files.
Automatic file isolation
TCSS automatically isolates files found to be in the system blocklist. Some malicious files still need to be manually confirmed and isolated. We recommend you check all the security events in the virus scanning list to ensure that all files are processed. You can recover the files isolated by mistake from the list of isolated files.
1. Log in to the TCSS console and click Runtime Security > Virus Scanning on the left sidebar.
2. On the Virus Scanning page, click Detection settings in the top-right corner.
3. In the Detection settings pop-up window, click Isolate files automatically.
4. In the automatic file isolation module, click to enable or disable automatic isolation. You can also isolate and end processes involving malicious files.
Note:
Blocked system files: This list is provided by Tencent Cloud security experts. Files in the list are automatically isolated.
The Auto isolation switch is toggled off by default and can be toggled on as needed. When enabling automatic isolation, you can specify whether to isolate and end processes involving malicious files.
When automatic isolation is enabled, it takes effect for both the system blocklist and custom blocklist.
When automatic isolation is disabled, it takes effect for both the system blocklist and custom blocklist, and malicious files associated with the alert will not be automatically isolated.
Custom isolated files
You can customize and view the list of custom isolated files and enable or disable automatic isolation for the files.
1. Log in to the TCSS console and click Runtime Security > Virus Scanning on the left sidebar.
2. On the Virus Scanning page, click Detection settings in the top-right corner.
3. In the Detection settings pop-up window, click Isolate files automatically.
4. In the Custom isolated files module, toggle on or off the Auto isolation switch, view the details, and download the files.
Instructions:
Toggle on or off the Auto isolation switch to enable or disable the feature.
Click Details to view the basic information of the malicious file, description, and fix suggestion.
Click Download to download the malicious file.
List of isolated files
In the event list on the Virus Scanning page, when you manually isolate a malicious file and select "Automatically isolate next time", the MD5 value of the file will be recorded in the list of custom isolated files, and the Auto isolation switch will be on. Then, the system will automatically isolate similar files. When the option is deselected, the record will be deleted from the list, and automatic isolation will no longer take effect.
In the event list on the Virus Scanning page, when you manually isolate a malicious file and don't select "Automatically isolate next time", the MD5 value of the file will be recorded in the list of custom isolated files, and the Auto isolation switch will be off.
Note:
To make the automatic isolation of custom isolated files effective, you need to toggle on the Auto isolation switch; otherwise, no automatic isolation will be performed even if you have selected "Automatically isolate next time" when processing security events.
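The switch interaction described above, modeled as an added Python example (an illustration, not TCSS code or its API). It assumes the system blocklist is also keyed by MD5 and that both the module-level Auto isolation switch and the per-file switch must be on for a custom entry to be isolated; all names and the sample bytes are constructed.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class DetectionSettings:
    auto_isolation: bool = False   # module-level switch; off by default per the page
    end_processes: bool = False    # optional: also isolate and end related processes
    system_blocklist: set = field(default_factory=set)  # assumed to hold MD5 values
    custom_files: dict = field(default_factory=dict)    # MD5 -> per-file switch

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def record_manual_isolation(settings, data, auto_next_time):
    """Manual isolation from the event list: the MD5 is recorded and the
    per-file switch mirrors the "Automatically isolate next time" checkbox."""
    settings.custom_files[md5_hex(data)] = auto_next_time

def decide(settings, data):
    """Return the modeled action for a newly detected file."""
    digest = md5_hex(data)
    on_system_list = digest in settings.system_blocklist
    per_file_switch = settings.custom_files.get(digest)  # None: not listed
    if not on_system_list and per_file_switch is None:
        return "not-listed"        # normal scanning still decides; no list entry applies
    if not settings.auto_isolation:
        return "alert-only"        # listed, but automatic isolation is disabled
    if on_system_list or per_file_switch:
        return "isolate+end-process" if settings.end_processes else "isolate"
    return "alert-only"            # custom entry recorded with its switch off

def demo():
    sample = b"constructed sample, not real malware"
    s = DetectionSettings()
    record_manual_isolation(s, sample, auto_next_time=True)
    results = [decide(s, sample)]             # module switch still off
    s.auto_isolation = True
    results.append(decide(s, sample))         # both switches on
    results.append(decide(s, sample + b"\n")) # different content, different MD5
    record_manual_isolation(s, sample, auto_next_time=False)
    results.append(decide(s, sample))         # per-file switch off
    return results

if __name__ == "__main__":
    print(demo())
```

An "alert-only" result corresponds to an event that still needs manual processing from the event list.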