6.11.3

VM Security

Update time: 2025-12-22

aSecurity displays all HCI VMs and their basic and security information for asset management in an easy and unified manner.

aSecurity allows you to deliver security scan tasks to specific VMs and provides virus fixing solutions to fix, trust, recover, untrust, or ignore security events.

aSecurity supports one-click fixing of security events with a full-stack guide covering network isolation and snapshot fallback.

aSecurity features the ransomware recovery capability based on a full-process guide covering emergency isolation and recovery without expert intervention.

aSecurity provides cyber attack protection capability and Layer 7 network protection for business systems within the cloud.

Asset Management

Function Description

The asset management feature automatically obtains the basic and security information of VMs, including risk level, running status, VM name, IP address, operating system, application, VM protection status, and security events.

Precautions

The intervals for reporting basic, security, and application information are 1 minute, 5 minutes, and 4 hours, respectively.

Steps

  1. Go to VM Security and manage platform assets by category.

Ransomware: Display the list of VMs with pending suspected ransomware events.

Protection Compromised: Display the list of compromised VMs. When the security component of a VM is compromised, the security status of the VM is displayed as Protection Compromised.

Security Events Detected: Display the list of VMs with pending security events.

Unprotected: Display the list of unprotected VMs.

Quarantined: View the list of quarantined VMs.

  2. Go to aSecurity > VM Security > all VMs to view the running status and information of all HCI VMs.

Severity levels include Critical, High, Medium, Low, and Secure.

Critical: VMs affected by ransomware attacks or intrusions. Security issues on these VMs must be addressed immediately.

High: VMs affected by high-severity viruses or critical or high-severity attacks. Security issues on these VMs must be addressed immediately.

Medium: VMs affected by medium-severity viruses, high or medium-severity attacks, brute-force attacks, or high-severity vulnerabilities. Addressing security issues is recommended.

Low: VMs affected by low-severity viruses or medium or low-severity vulnerabilities. Addressing security issues on these VMs is recommended.

Secure: VMs without security issues.

Running status includes On, Suspended, and Off.

Security Events/Vulns:

Security Events: The sum of virus events, brute-force attacks, and cyber attacks.

Vulns: The sum of Windows/Linux vulnerability events and application vulnerability events.

In the Operation column, you can select Console, Quarantine, End Quarantine, View Details, Ransomware Recovery, Configure Protection Plan, Enable, and Cyber Attack Passthrough Mode.

  3. Click Filter to filter VMs by category. The filter criteria include Severity, Protection Status, Security Events/Vulns, Quarantine Status, and Group. You can also check Only search VMs in the selected group.

Virus/Vulnerability Scan

Function Description

aSecurity leverages Sangfor Engine Zero, Gene Analysis Engine, Behavioral Analysis Engine, and Cloud-Based Engine to issue virus or vulnerability scan tasks to VMs and perform fixing.

Precautions

  1. You can scan up to 100 VMs for viruses at a time.
  2. Only the scan records of the last 30 days are retained.
  3. We recommend that you perform virus scans during off-peak hours, as they occupy certain CPU and memory resources.
  4. Currently, Windows vulnerabilities can be fixed, and Linux and application vulnerabilities can be prevented through virtual patching.
  5. If virtual patching is enabled for a VM, the platform applies the virtual patch to all VMs with the same vulnerability by default.

Steps

I. Virus Scan

  1. On the VM Security page, select the target VM and select Virus Scan from the Scans drop-down list.
  2. Select the scan method and click OK.

Quick Scan: Scan critical system directories and registry items, memory, and running system processes, which takes a short period of time.

Full Scan: Scan system memory, running system processes, critical registry items, and all disk partitions, which takes a long period of time.

  3. After the scan is completed, select Vuln Scan History from the More drop-down list.
  4. On the page that is displayed, click Details in the Operation column of the VM and choose to fix, trust, recover, untrust, or ignore the security event.

II. Vulnerability Scan

  1. On the VM Security page, select the target VM and select Vulnerability Scan from the Scans drop-down list.
  2. On the Vulnerability Scan page, add or delete a VM, and click OK.
  3. After the scan is completed, select Vuln Scan History from the More drop-down list.
  4. On the page that is displayed, click Details in the Operation column of a VM and process the vulnerabilities that are detected. For Windows vulnerabilities, you can select Marked as Fixed, Ignore, or Fix. For Linux or application vulnerabilities, you can select Marked as Fixed, Ignore, or Apply Virtual Patch.

Quarantine Operations

Function Description:

When a virus causes damage, the aSecurity center can quarantine the affected VMs to prevent the virus from spreading. For assets that have already been encrypted, the quarantine can be completed in seconds to ensure that the virus does not spread again.

Precautions:

  1. The quarantine completely disconnects the virtual machine from the network, which interrupts its services. For essential services, you can go to the Distributed Firewall and configure policies that isolate the risk without interrupting services.
  2. The virtual machine for emergency isolation will be added to the aSecurity quarantine policy. The policy will not take effect if the virtual machine is directly connected to the physical edge.

Steps:

In the VM Security list, select the virtual machines at risk of spreading the virus, and click Quarantine Operations > Quarantine.

After the quarantine is complete, the virtual machine will be in the Quarantined state.

Once the risk on the quarantined virtual machine has been eliminated and the virtual machine can be released from isolation, click Quarantine Operations > End Quarantine.

Ransomware Recovery

Function Description:

  1. The aSecurity center provides a guided ransomware recovery process, which can quickly and safely restore business without expert intervention.
  2. The aSecurity center uses linked clones for business verification, which can be created in seconds. No additional storage space is occupied during the process, the environment is completely independent, and the virus will not spread even if it is restored during the process.
  3. After the recovery point is determined and the recovery is performed, the entire process is strictly isolated from encrypted assets and other assets. The isolation is released after the recovery is completed and confirmed safe.

Precautions:

There is a time difference between the snapshot data used for ransomware recovery and the current data. Rolling back the snapshot will cause data loss. In an actual business scenario, evaluate the impact of the ransomware and decide whether to roll back the snapshot.

Steps:

  1. In the VM Security list, select the virtual machine infected with ransomware, and click Ransomware Recovery.
  2. First, quarantine the virtual machine to prevent the further spread of ransomware. Click the Quarantine button, and after the isolation is complete, click Next.
  3. Before performing ransomware recovery, click the Create Snapshot button to take a snapshot of the virtual machine. After the recovery is complete, you can try to retrieve the encrypted data through this snapshot.
  4. After the snapshot is created, click Next to restore the virtual machine. All snapshots of the virtual machine are shown here. When the platform detects that the asset security protection component is abnormal and ransomware is suspected, it automatically creates a snapshot named TakeSnapshotWhenRansomwareOccurs. Click the Preview button, and the platform will create a new linked-clone virtual machine. After cloning is complete, click the Console button to enter the virtual machine and check whether it is encrypted. If it is not encrypted, click Start Recovery and enter the admin password to recover.
  5. After clicking the OK button, the platform will automatically delete all linked-clone virtual machines created in the previous preview and restore the selected virtual machine snapshot.
  6. After restoring the snapshot, click Next to enter the virus scanning page. It is recommended to perform a full scan on the restored virtual machine again. If a security event is found, it can be dealt with immediately.
  7. You can click the Fix/Trust/Ignore buttons for the scanned security events to handle the security events. After all security events have been dealt with, click Next to enter network recovery.
  8. Before restoring the network, since the current virtual machine data has been restored, it is recommended to check and confirm the security status of other connected virtual machines and then click the Restore Network button to avoid secondary infection. After the network is restored, the virtual machine will exit the isolation mode.