View excepted behaviors (Excepted List)

Available in VPC

The Excepted List menu allows you to view web shell behaviors that have been excepted based on exception rules.
In this menu, you can view detailed information including server information where web shell behaviors were detected, detection time, process information, and suspicious attacker IP information, as well as check suspicious files and suspicious attacker IPs. You can also search for exception rules applied to excepted items or cancel exceptions.

View details of excepted behaviors

You can view the details of excepted web shell behaviors.

To view details of excepted behaviors:

  1. From the NAVER Cloud Platform console's VPC environment, navigate to i_menu > Services > Security > Webshell Behavior Detector.
  2. Navigate to Detection List > Excepted List.
  3. Click the excepted behavior item you'd like to check.
    • Details of the excepted behaviors are displayed.

The interface of the list of excepted behaviors includes the following components:

Component | Description
① Detection time | Filter items based on time of detection.
② Search bar | Set search conditions and click [Search] to search for items.
③ Excepted behavior item | View excepted behavior information, and use buttons of related features.
④ Details | View details of excepted behaviors.

View suspicious files

You can check the list of files suspected of being web shells that are related to the excepted behaviors, and isolate files judged to be web shells or restore isolated files.

To view files suspected of being web shells:

  1. From the NAVER Cloud Platform console's VPC environment, navigate to i_menu > Services > Security > Webshell Behavior Detector.

  2. Navigate to Detection List > Excepted List.

  3. In the Suspicious files area of the item to check, click [View].

  4. Click the file from the list popup to see the file details.

  5. If the detected behavior is determined to be a web shell, click [Isolate file] next to Isolate/Restore to isolate the file.

    • The file is isolated in the same path with a name that will be difficult for attackers to guess.
      (Example: /var/www/html/uploads/webshell.php.webshell_20200320012000.BC98D127F4)
    • The web shell behavior item is processed as checked (with gray icon and text), and the isolated file is added to the list of suspicious files (Quarantine).
    • When a file is isolated, the [Isolate file] button is changed to [Restore file] which allows you to restore the file if required. When you restore an isolated file, you can't isolate or restore other files anymore from that page.
Caution

Proceed with caution since the isolation of normal files may cause a service failure.

Note

There may not actually be any web shells in the list of suspicious files. See Track web shell files for conditions and circumstances to check or consider when looking for web shell files.
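
The isolation naming shown in step 5 can be used to inventory isolated files directly on the server. The following is an added example, not code from NAVER Cloud Platform; the name layout (original path, `.webshell_`, a 14-digit timestamp, a 10-character hex token) is an assumption inferred from the single example above, and `parse_isolated` and `inventory` are hypothetical helper names.

```python
import re
from datetime import datetime
from pathlib import Path

# Assumed layout, inferred from the one example on this page:
#   <original path>.webshell_<YYYYMMDDhhmmss>.<10 hex characters>
ISOLATED = re.compile(
    r"^(?P<original>.+)\.webshell_(?P<stamp>\d{14})\.(?P<token>[0-9A-F]{10})$"
)


def parse_isolated(path):
    """Return (original_path, isolation_time, token), or None if no match."""
    m = ISOLATED.match(str(path))
    if m is None:
        return None
    try:
        when = datetime.strptime(m["stamp"], "%Y%m%d%H%M%S")
    except ValueError:  # 14 digits that are not a real date, e.g. month 13
        return None
    return m["original"], when, m["token"]


def inventory(root):
    """Walk root and list isolated files with their original paths."""
    rows = []
    for p in sorted(Path(root).rglob("*.webshell_*")):
        parsed = parse_isolated(p)
        if parsed is None or not p.is_file():
            continue
        original, when, _ = parsed
        rows.append({
            "isolated": str(p),
            "original": original,
            "isolated_at": when,
            # True: a file exists at the original path while the isolated
            # copy is still present, which is worth reviewing.
            "original_present": Path(original).exists(),
        })
    return rows


if __name__ == "__main__":
    # Constructed sample: the example path shown in step 5.
    sample = "/var/www/html/uploads/webshell.php.webshell_20200320012000.BC98D127F4"
    print(parse_isolated(sample))
```
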

View suspicious IPs

You can view a list of suspicious attacker IPs related to excepted web shell behaviors.

To view the list of suspicious IPs:

  1. From the NAVER Cloud Platform console's VPC environment, navigate to i_menu > Services > Security > Webshell Behavior Detector.

  2. Navigate to Detection List > Excepted List.

  3. In the Suspicious IPs area of the item to check, click [View].

  4. Check the suspicious IP information from the list popup.

Note

The web shell attacker's IP may not be displayed in the list of suspicious IPs. See Track web shell attacker IP for conditions and circumstances to check or consider when looking for web shell attacker IPs.

View exception rules

You can view all exception rules applied to excepted web shell behavior items.

To view exception rules:

  1. From the NAVER Cloud Platform console's VPC environment, navigate to i_menu > Services > Security > Webshell Behavior Detector.
  2. Navigate to Detection List > Excepted List.
  3. In the Exception rules area of the item to check, click [View].
  4. View the exception rules in the information popup and click [OK].

Cancel exception

You can cancel the exception for excepted web shell behaviors.

To cancel the exception:

  1. From the NAVER Cloud Platform console's VPC environment, navigate to i_menu > Services > Security > Webshell Behavior Detector.
  2. Navigate to Detection List > Excepted List.
  3. In the Cancel exception area of the item whose exception you want to cancel, click [Cancel].
  4. View the exception rules in the information popup and click [Cancel exception].
    • You can view all exception rules applied to the item.
  5. In the confirmation popup, click [Yes].
    • The item is moved to the web shell behavior list, and all the exception rules applied to it are deleted.
Note

When an exception rule is deleted, only the selected item will be reclassified into the web shell behavior list; other items that were excepted by the deleted rule will not be reclassified.

Add memo

You can add memos to excepted web shell behaviors, such as a brief description or additional information.

To add a memo:

  1. From the NAVER Cloud Platform console's VPC environment, navigate to i_menu > Services > Security > Webshell Behavior Detector.
  2. Navigate to Detection List > Excepted List.
  3. Click the item to add a memo to, then click the [Edit] button next to Memo in the details area.
  4. Enter the memo and click [Save].