- Release Notes and Announcements
- Product Introduction
- Purchase Guide
- Quick Start
- Operation Guide
- Security Dashboard
- Asset Overview
- Server List
- Asset Fingerprint
- Vulnerability Management
- Baseline Management
- Malicious File Scan
- Unusual Login
- Password Cracking
- Malicious Requests
- High-risk Commands
- Local Privilege Escalation
- Reverse Shell
- Java Webshell
- Critical File Monitor
- Network Attack
- A Ransomware Defense
- Log Analysis
- License Management
- Cloud Access Management
- Hybrid Cloud Installation Guide
- FAQs for Beginners
- Cloud Workload Protection Description
- Practical Tutorial
- Troubleshooting
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Intrusion Detection APIs
- TrustMalwares
- RecoverMalwares
- MisAlarmNonlocalLoginPlaces
- DescribeNonlocalLoginPlaces
- DescribeMalwares
- DescribeBruteAttacks
- DeleteMalwares
- UntrustMalwares
- SeparateMalwares
- UntrustMaliciousRequest
- TrustMaliciousRequest
- ExportMaliciousRequests
- DescribeMaliciousRequests
- DeleteMaliciousRequests
- ModifyLoginWhiteList
- ExportNonlocalLoginPlaces
- ExportMalwares
- ExportBruteAttacks
- DescribeLoginWhiteList
- DeleteLoginWhiteList
- AddLoginWhiteList
- Overview Statistics-Related APIs
- Vulnerability Management-Related APIs
- Setting Center-Related APIs
- Asset Management APIs
- DescribeProcesses
- DescribeProcessTaskStatus
- DescribeProcessStatistics
- DescribeHistoryAccounts
- DescribeComponents
- DescribeComponentStatistics
- DescribeComponentInfo
- DescribeAccounts
- DescribeAccountStatistics
- CreateProcessTask
- EditTags
- DescribeTags
- DescribeTagMachines
- DescribeOpenPortTaskStatus
- DeleteMachineTag
- AddMachineTag
- CreateOpenPortTask
- Other APIs
- DescribeUsualLoginPlaces
- DeleteUsualLoginPlaces
- DeleteNonlocalLoginPlaces
- DeleteMachine
- DeleteBruteAttacks
- CreateUsualLoginPlaces
- CloseProVersion
- DescribeWeeklyReports
- DescribeWeeklyReportVuls
- DescribeWeeklyReportNonlocalLoginPlaces
- DescribeWeeklyReportMalwares
- DescribeWeeklyReportInfo
- DescribeWeeklyReportBruteAttacks
- DescribeOpenPorts
- DescribeOpenPortStatistics
- RenewProVersion
- OpenProVersionPrepaid
- ModifyProVersionRenewFlag
- InquiryPriceOpenProVersionPrepaid
- OpenProVersion
- Data Types
- Error Codes
- FAQs
- Agreements
- Contact Us
- Glossary
- Release Notes and Announcements
- Product Introduction
- Purchase Guide
- Quick Start
- Operation Guide
- Security Dashboard
- Asset Overview
- Server List
- Asset Fingerprint
- Vulnerability Management
- Baseline Management
- Malicious File Scan
- Unusual Login
- Password Cracking
- Malicious Requests
- High-risk Commands
- Local Privilege Escalation
- Reverse Shell
- Java Webshell
- Critical File Monitor
- Network Attack
- A Ransomware Defense
- Log Analysis
- License Management
- Cloud Access Management
- Hybrid Cloud Installation Guide
- FAQs for Beginners
- Cloud Workload Protection Description
- Practical Tutorial
- Troubleshooting
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Intrusion Detection APIs
- TrustMalwares
- RecoverMalwares
- MisAlarmNonlocalLoginPlaces
- DescribeNonlocalLoginPlaces
- DescribeMalwares
- DescribeBruteAttacks
- DeleteMalwares
- UntrustMalwares
- SeparateMalwares
- UntrustMaliciousRequest
- TrustMaliciousRequest
- ExportMaliciousRequests
- DescribeMaliciousRequests
- DeleteMaliciousRequests
- ModifyLoginWhiteList
- ExportNonlocalLoginPlaces
- ExportMalwares
- ExportBruteAttacks
- DescribeLoginWhiteList
- DeleteLoginWhiteList
- AddLoginWhiteList
- Overview Statistics-Related APIs
- Vulnerability Management-Related APIs
- Setting Center-Related APIs
- Asset Management APIs
- DescribeProcesses
- DescribeProcessTaskStatus
- DescribeProcessStatistics
- DescribeHistoryAccounts
- DescribeComponents
- DescribeComponentStatistics
- DescribeComponentInfo
- DescribeAccounts
- DescribeAccountStatistics
- CreateProcessTask
- EditTags
- DescribeTags
- DescribeTagMachines
- DescribeOpenPortTaskStatus
- DeleteMachineTag
- AddMachineTag
- CreateOpenPortTask
- Other APIs
- DescribeUsualLoginPlaces
- DeleteUsualLoginPlaces
- DeleteNonlocalLoginPlaces
- DeleteMachine
- DeleteBruteAttacks
- CreateUsualLoginPlaces
- CloseProVersion
- DescribeWeeklyReports
- DescribeWeeklyReportVuls
- DescribeWeeklyReportNonlocalLoginPlaces
- DescribeWeeklyReportMalwares
- DescribeWeeklyReportInfo
- DescribeWeeklyReportBruteAttacks
- DescribeOpenPorts
- DescribeOpenPortStatistics
- RenewProVersion
- OpenProVersionPrepaid
- ModifyProVersionRenewFlag
- InquiryPriceOpenProVersionPrepaid
- OpenProVersion
- Data Types
- Error Codes
- FAQs
- Agreements
- Contact Us
- Glossary
This document will introduce how to use the Java Webshell feature.
Overview
CWPP supports real-time monitoring, capturing unknown classes present in the memory of Java Web Service processes. It automatically identifies Webshells by using Tencent Cloud's offensive and defensive experiences along with expert knowledge. If a Java Webshell is detected, the system will provide you with real-time alarm notifications.
Prerequisites
The Java Webshell feature falls under the CWPP Ultimate Edition. To use this feature, you can upgrade to Ultimate Edition.
Directions
1. Log in to the CWPP console. In the left sidebar, choose Cyber Defense > Java Webshell to enter the Java Webshell page.
2. Choose Plugin configuration. Plugin configuration is a prerequisite for detecting Java Webshell. You can enable and disable plugins on your Ultimate Edition hosts and observe their specific running status.
Note:
Once the Java Webshell plugin is enabled, CWPP will automatically scan the host for Java Web Service processes and inject detection probes into these services. Therefore, it can monitor in real-time any Java Webshells injected by hackers via vulnerabilities or shells.
Hosts with the Java Webshell plugin deployed will continuously monitor and capture unknown classes existing in the memory of Java Web Service processes. Using Tencent Cloud's offensive and defensive experiences along with expert knowledge, it will automatically identify Webshells. If a Java Webshell is detected, the system will provide you with real-time alarm notifications.
Field Description:
Enable/Disable Plugin: The Java Webshell plugin is disabled by default. Users can manually set the switch, either for a single host or in batches for multiple hosts.
Plugin Status: All normal, has anomalies, and not enabled.
First Enabled: Indicates the first time the plugin was enabled.
Update Time: Indicates the most recent time the plugin was enabled or disabled.
Details: View the running status of the currently injected Java Webshell plugin, including process PID, main class name of process, plugin status (injecting, injection successful, plugin timeout, insertion and exit, and injection failed), and error log.
3. After enabling the Java Webshell plugin, you can choose Alert List to view detected Java Webshell events and perform related handling operations.
Field Description:
Java Webshell Type: Includes filter type, listener type, servlet type, interceptors type, agent type, and others.
Description: Summarize the overview of the Java Webshell.
First Detected: The time when the Java Webshell was first detected.
Last Checked: The last time the Java Webshell was detected.
Status: Pending, processed, and ignored.
Operation:
Click Details to view the details of the Webshell event.
Click View file in the Java Webshell details to see the decompiled Java files of the deployed file. Copying and downloading the decompiled Java files or the original class files are supported.
Click Process to perform operations such as Mark as processed, Ignore it, or Delete the record on the event. You can process the event individually or in batch.
Yes
No
Was this page helpful?