Malicious File Scan

Last updated: 2024-08-13 16:29:49
    This document describes how to handle Trojan files in the CWPP console.

    Malicious File Detection Settings

    1. Log in to the CWPP console. In the left sidebar, choose Intrusion Detection > File Scanning.
    2. On the malicious file scan page, click Detection settings at the top right. A settings page will pop up on the right side where you can configure the detection mode.
    Note:
    This feature is part of the Pro/Ultimate Edition. You can purchase protection authorization and bind your host to upgrade to the Pro/Ultimate Edition.
    Malicious file detection supports Trojan file detection. Across all machines, up to 5 malicious file security events can be detected for free; beyond this limit, detection stops. You can upgrade to the Pro or Ultimate Edition of CWPP to remove the limit. There are two common types of Trojan file detection:
    Webshell detection: Provides common detection for web site script-based backdoor Trojans, including those written in scripting languages such as ASP, PHP, JSP, and Python.
    Binary detection: Provides detection for binary executable viruses and Trojans, such as DDoS Trojans, remote control software, and mining software on .exe, .dll, and .bin files, and sends alarms to users.
    
    3. On the malicious file detection settings page, you can set scheduled detection, real-time monitoring, and auto isolation.
    Scheduled detection: Click Enable Scheduled Scanning, set the detection mode, cycle, and detection range, then click Save. Regularly scanning hosts for Trojan files improves security.
    
    Detection mode: Includes quick detection mode and full-disk detection mode. Both can detect running processes, critical directories, and driver loading. The duration of full-disk detection depends on the number of files on the server's disks. It is recommended to choose a detection cycle of more than 4 hours to avoid incomplete detections or timeouts.
    Quick detection: For Linux systems, it will detect running processes, critical directories, and driver loading. For Windows, it will scan the C drive.
    Full-disk detection: For Linux systems, it will also detect all system partitions in addition to the quick detection range. For Windows, it will scan the C, D, E, and F drives.
    Abnormal process detection: Performs deep detection of abnormal processes in memory, which may increase resource usage to some extent. Choose with caution.
    Detection period: You can choose a detection cycle of daily, every 3 days, or every 7 days.
    Scope of check: Includes all Pro Edition servers and self-selected servers.
    Real-Time monitoring: Click Enable Real-Time Monitoring, choose the monitoring mode, and then click Save. Web directories and critical system directories are monitored, and Trojan files are scanned for and removed in real time.
    
    Note:
    Monitoring mode is divided into standard and deep modes.
    Standard: Monitors and scans for incremental files under common directories.
    Deep: Monitors and scans for incremental files under all directories.
    Auto isolation: Click Enable auto-isolation > Save to automatically isolate detected malicious files. Some malicious files still require manual confirmation to isolate. It is recommended to check all security events in the malicious file detection list to ensure they are all processed.
    Note:
    If a file is isolated by mistake, recover it from the isolated list. Enabling or disabling automatic isolation may take a few minutes to take effect.
    

    Detection Settings Overview

    1. Log in to the CWPP console. In the left sidebar, choose Intrusion Detection > File Scanning.
    2. On the malicious file scan page, click Scan now to start setting up manual detection mode.
    
    3. On the one-click scan settings page, configure the detection mode, host range, and timeout period. Because a large number of files and directories may need to be scanned, a detection can take a long time. The timeout sets the maximum duration of a single scan; a scan that exceeds it is treated as a scan failure.
    
    4. Click Start Detection and follow the detection settings to perform the detection. You can click View Details to see the detailed detection information.
    
    The detection detail list includes the following field descriptions:
    Affected Server: The target server's IP and name.
    Operating System: The operating system of the target server.
    Detection Status: The status of the target server's detection, including detection completed, under detection, and detection failed. Detection may fail because of a timeout on the target server; in that case, increase the timeout duration and retry. It may also fail because the client is offline; in that case, restart or reinstall the client and retry the detection.
    Pending Risks: The number of risk files detected on the target server that need to be addressed.
    Detection Start Time: The start time of this detection.
    Detection End Time: The end time of the target server's detection.
    Operations:
    Re-detect: If you want to re-detect a target server with a detection status of detection completed, detection stopped, or detection failed, you can click Re-detect.
    Disable detection: If you want to stop detecting a target server with an under detection status, you can click Stop Scan.
    Note:
    The chosen server will no longer be scanned, and potential risks on it will not generate alarm notifications. Proceed with caution.
    View details: If you want to view the detection result details of a target server, you can click View details.

    Viewing the Event List

    1. Log in to the CWPP console. In the left sidebar, choose Intrusion Detection > File Scanning.
    2. On the malicious file scan page, you can view the Trojan file detection status of the currently protected servers.
    
    The event list includes the following fields:
    Server IP/name: The IP and name of the currently detected target server.
    Path: The file path of the target risk file. Use the copy icon to copy the path information, or the download icon to download the target risk file.
    Virus name/Detection engine: The name of the virus affecting the target risk file.
    First detected: When the target risk file was first detected.
    Latest detection time: When the target risk file was most recently detected.
    Processing status: The status of the target risk file. For events in pending status, the file and process information shown comes from the latest detection.
    Operations:
    Isolation: If confirmed malicious, you can isolate a single file or batch choose files for one-click isolation. Upon successful isolation, the original malicious file will be encrypted and isolated. You can later filter Isolated files for recovery.
    Trust: If the file is non-malicious, you can choose the trust operation. Trusted files will no longer be scanned by CWPP. You can manage trusted files by filtering Trusted Files.
    Delete the record: This action only deletes log records, rather than the file. Once it is deleted, the log information cannot be recovered. It is recommended to select Isolate or Trust first, or locate the file in the path and delete it manually.
    Details: If you want to view the detection result details of the target risky file, you can click View Details.

    FAQs

    Why Did the Trojan File Isolation Fail?

    Trojan file isolation usually fails because the Trojan file resists security software. It is recommended to manually delete the alarm file from the server first. If the issue persists, you can submit a ticket to contact us for assistance. You can also try using Tencent PC Manager on Windows systems to remove it.

    Subsequent Steps

    For a Linux intrusion troubleshooting guide, refer to intrusions on Linux.
    For a Windows intrusion troubleshooting guide, refer to intrusions on Windows.