Webshell Behavior Detector overview

    Available in VPC

    Webshell Behavior Detector is a service that allows for a quick response to suspicious web shell behaviors by detecting them in real time and providing notifications.

    Note

    A web shell is malware created intentionally for the purpose of performing malicious behaviors such as system destruction and data breaches. It is server-side scripting code that lets the attacker use the features of a shell, which can execute system commands, through a website.

    Webshell Behavior Detector's features

    The Webshell Behavior Detector service has the following features.

    • Powerful detection feature: Web shells apply various concealment techniques to avoid detection, such as new patterns, new types, obfuscation, and encrypted communication, which makes them one of the attacks that are very difficult to detect. However, Webshell Behavior Detector uses a powerful behavior-based detection technique to disable such concealment techniques, enabling detection of both existing and new types of web shells.

    • Real-time detection and notification transmission: Instead of detecting at a regular interval, it detects web shell behaviors in real time and sends notifications to the designated contacts so that they can respond quickly. You can set notification intervals to prevent excessive notifications from being sent out.

    • Simple settings: Other than the rules set by default, users can set exception rules manually. In addition to detailed settings, you can also easily customize settings based on detection history.

    • Easy and convenient response: When users receive notifications about suspicious web shell behaviors that have been detected, they can isolate suspicious web shell files easily and quickly on the console page of NAVER Cloud Platform without having to directly access the server.

    • Adaptation to server environment: Certain intentional tasks that run in the server environment, such as batch work by WAS or operations by CI software, may be flagged as suspicious because they resemble web shell behaviors. Such detections can occur in the early stage of using the service, and you can exclude them from detection using the exception handling feature. Through this adaptation period of setting exceptions, the service becomes customized to your server environment so that it only detects web shell behaviors.

    Various features provided by Webshell Behavior Detector

    Webshell Behavior Detector provides a variety of features as described below.

    • Real-time detection of web shells based on behavior: It can analyze various data in web servers and assess the web shell behaviors in real time.
    • Detection of unknown web shells: It has overcome the limitations of existing web shell detection solutions, which couldn't effectively detect web shells with slight edits (such as changed function names or argument values), web shells using encrypted packets, or web shells in SSL-applied environments. It is even able to detect completely new types of web shells.
    • Management of information and history regarding suspicious web shell behaviors: It provides various information, such as the server where the web shell was detected, the time, the command executed, the path of the web shell, and the attacker's IP. Customers can establish more detailed response strategies by referring to the information, and can manage their history easily by adding information such as response methods.
    • File isolation/restoration: You can isolate or restore suspected web shell files with a click in NAVER Cloud Platform's console without directly accessing the server.
    • Provision of a list of suspicious web shell files: It provides a list of suspicious files to enable quick response upon detection of web shell behaviors. Also, it provides additional information on files suspected to be web shells, such as creation time, file permissions, owners, groups, file paths, and size.
    • Provision of a list of suspicious attacker IPs: It provides information on suspicious attacker IPs and their countries so you can analyze the behaviors attempted by the attacker and block their IPs.
    • Exception rule settings: It provides detailed exception rule settings for you to customize the service for various web service environments.
    • Notification feature: When it detects a web shell behavior, it sends a notification to notification recipients using the selected method (via email or text message). In addition, a notification interval settings feature is provided to prevent it from sending too many notifications.
    • Remote management of agent: It provides a remote control feature to easily enable and disable the agent's detection process from NAVER Cloud Platform's console without accessing the server.
    • Server group settings: If you have many web servers to apply detection to, the server group settings feature lets you use the service more conveniently.

    Webshell Behavior Detector Guide information

    Webshell Behavior Detector Guide has a total of 9 topics. The content that readers can view in each topic is as follows.

    NAVER Cloud Platform provides a variety of related resources as well as guides to help customers better understand Webshell Behavior Detector. If you are a developer or marketer in need of detailed information while you are considering adopting Webshell Behavior Detector for your company or establishing data-related policies, then please make good use of the resources below.

