When a container initiates an outbound request to a malicious domain name or IP, TCSS will detect such behavior and provide you with real-time alarms. If it is discovered that the container is accessing a malicious domain name/IP, your container may have already been compromised, as the malicious domain name/IP could be a hacker's remote control server, malicious software download source, and mining pool address. You need to promptly troubleshoot as the following:
1. Check the malicious processes and illegal ports within the container, and delete suspicious startup items and scheduled tasks.
2. Troubleshoot the risks existing in the container, such as performing vulnerability scans and Trojan scans.
3. Harden the images used by the container and replace the running containers.
Event List
Event Overview
1. Log in to the TCSS console. In the left sidebar, click Runtime Security > Outbound Malware to enter the event list page by default. 2. In the event overview on the event list page , the number of pending outbound malware events and the affected containers will be reported in real-time based on the security events reported by the system.
Event List
In the event list, the outbound malware events from the last 7 days are displayed by default. To view more events, you can adjust the query duration. The fields displayed in the list are as shown in the table below.
|
Event Type | Malicious Domain Requests |
Request Domain/IP | Domain Details of the Triggered Security Event |
Container Name/ID/Running Status/Isolation | Displays information related to container assets such as name, ID, and running status. If the customer believes that the security event is valid, meaning the container may have been compromised, they can click to isolate the container to prevent the risk from spreading within the private network. |
Image Name/ID | The source mirror of the container that triggered the security event can be viewed by clicking Image ID for details such as image security risks, component information, and build history. |
Host Name/IP | The CVM node where the container that triggered the security event is located. Displays the node's name and private/public IP address information. |
First Occurred | The time when this security event first occurred. |
Last Occurred | The time when this security event most recently occurred. |
Requests | The system aggregates and displays pending security events by container ID, domain name, process path, and process startup user. The aggregation cycle is every day. |
Status | Including pending, processed, ignored, and allowlisted. |
Operation | Click Details to view event details. Details include event details, asset information (such as associated container, image, and host), risk description, solution, requested domain name details, and Layer-3 process information. Click Process to process security events. This includes adding to allowlist, marking as processed, isolating the container, ignoring, and deleting records. |
Viewing Details
In the event list, click Details to enter the event details. This page displays event details, associating assets (such as container, image, and host), risk description, solution, requested domain name details, and Layer-3 process information.
Handling the Events
1. In the event list, click Process to select actions like adding to allowlist, marking as processed, isolating the container, ignoring, and deleting records. Click OK.
2. In the secondary confirmation window, perform the following operations:
Add to allowlist: Enter the allowlist domain name and remarks, and click Confirm. When users add to the allowlist, the system automatically fills in the requested domain name based on the allowlisted source event. If necessary, it can be manually adjusted to the parent domain name. At the same time, you can check Batch Process Similar Events (batch allowlist events triggered by the same domain name). After you have checked and confirmed, the system will batch allowlist security events generated by the same domain name.
Note:
If you confirm that the domain name request is a normal behavior, you can add the domain name to the allowlist allow rules. When the same domain name request appears again, it will be allowed directly without interception/alert. Proceed with caution.
Mark as processed: It is recommended to process the event risk by following the solutions in the event details, and click Confirm. After processing, you can mark the event as processed.
Isolate the container: If you confirm to isolate the container, the system will disable its network communication and mark the event as processed. Proceed with caution. Click Confirm to isolate. After isolation, you can remove the isolation from more operations or the container asset list.
Ignore: Click Confirm to ignore only this alarm event. If the same event occurs again, an alarm will still be triggered.
Delete: Click Delete to delete the selected event record. It will no longer be displayed in the console and cannot be recovered. Proceed with caution.
Allowlist/Blocklist Management
Aside from the system blocklist provided by the TCSS products, customers can also have their custom domain name blocklist and domain name allowlist. The priority of effectiveness is: allowlist > blocklist.
Blocklist: When the container initiates an outbound request to a domain name on the list, the system will determine it as the outbound malware, generating a real-time alarm. You can view it in the event list. Allowlist: When the container initiates an outbound request to a domain name on the allowlist, the system will allow it directly without triggering an alarm.
Blocklist Management
1. Log in to the TCSS console. In the left sidebar, click Runtime Security > Outbound Malware > Blocklist/Allowlist management. 2. On the blocklist tab, click Add to blocklist.
3. In the add to blocklist window, you can batch add multiple custom blocklist domain names. When you enter domain names, wildcard domain names with empty prefixes are supported, e.g., *.tencent.com;
. All subdomain names under a wildcard domain name will trigger alarms.
4. Click Confirm, and the list will generate records based on the entered domain names. If multiple domain names are entered, multiple records will be generated.
Allowlist Management
1. Log in to the TCSS console. In the left sidebar, click Runtime Security > Outbound Malware > Blocklist/Allowlist management. 2. On the allowlist tab, click Add to allowlist.
3. In the add to allowlist window, you can batch add multiple custom allowlist domain names. When you enter domain names, wildcard domain names with empty prefixes are supported, e.g., *.tencent.com;
. All subdomain names under a wildcard domain name will be allowed and will not trigger alarms.
4. Click Confirm, and the list will generate records based on the entered domain names. If multiple domain names are entered, multiple records will be generated.
Was this page helpful?