The content of this page has been automatically translated by AI. If you encounter any problems while reading, you can view the corresponding content in Chinese.

Malicious Requests

Last updated: 2025-11-14 18:42:22

This document will introduce how to view and operate the malicious request alarm list and policy configuration.

Background

The Anti-Malicious Requests feature provides the ability to monitor and process external requests in real time, effectively identifying malicious requests. If a host initiates a request to a malicious domain, it will be identified and recorded. When such malicious requests are detected, the system will provide you with real-time alarms.

Explanation

Malicious request monitoring supports Professional Version and flagship edition hosts.
Malicious request interception only supports flagship edition hosts with linux system, and only supports intercepting DNS queries made by the server, not traffic forwarding.

Alarm List

1. Log in to the CWPP Console, select Intrusion Detection > Anti-Malicious Requests from the left sidebar to enter the Malicious Requests page.
2. On the Malicious Requests page, you can view the list of malicious request alarms and perform related operations.

Filter: Supports filtering by hit policy type, status, recent request time, and searching by hostname, Instance ID, ip, or malicious request for domain name.
Custom display column: Click

to set the field display for the alarm list.
Export: Click

to export detailed information of the alarm list.
Field Description:
Hostname/Instance ID: The hostname and Instance ID of the host that initiated the request to the malicious domain name
IP Address: The IP address of the host that initiated the request to the malicious domain name
Hit Policy Type:
System Policy: System policies are rules configured by Tencent's CWPP operation experts and algorithm experts based on multiple models and are suitable for detecting most malicious requests.
User-defined Policy: Users set alarm/block/allow actions for related domain names based on business conditions.
Hit Policy: The name of the policy hit by the host's request to the malicious domain name.
Malicious Request Domain: Domain name or IP address
Request Count: Number of requests from the host
Damage Description: Potential damage caused by requesting the malicious domain name.
Recent Request Time: The most recent time the malicious domain name was requested.
Status: Pending, Allowlisted, Processed, Ignored, Blocked.
Information: You can view the details of the malicious request event, including risk host information, malicious request details, danger description, and remediation suggestion.



Handle: Tag as processed, add to allowlist, create blocking policy, ignore, delete record.




Policy Configuration

Managing a Policy

On the Malicious Requests page, select Policy Configuration at the top to enter the policy configuration page.



Filter: You can filter by policy type, execution action, effective status, and keyword.
Custom display column: Click

to set the field display for the policy list.
Export: Click

to export detailed information of the policy list.
Field Description:
Policy Name: The fixed names for system policies are: System Rule (Critical Protection), System Rule (Standard); user-defined policies are named by the user.
Policy Type: System policy, user-defined policy.
Blocklist/Allowlist: This policy belongs to the allowlist/blocklist.
Domain Detail: IP/domain name or wildcard domain name.
Effective Host: The range of hosts where the policy is effective.
Update Time: The most recent time the policy was updated.
Execution Action: The action automatically executed when the policy is hit upon a request to access the domain name (allow/alarm/block).
Effective Status: Whether the policy is effective.
Edit: Edit the policy.
Deletion: Delete the policy.
Create Policy:
Blocklist: When the host requests a domain name in the blocklist, an alarm/block action will be executed.
Allowlist: When the host requests a domain name in the allowlist, an allow action will be executed.



Note:
System policies are built-in policies that cannot be added, edited, or deleted, and only support switching.
It is recommended to keep the system policy (standard) enabled, and enable the system policy (important protection) as needed during important protection periods.
In user-defined policies, interception policies only apply to flagship edition hosts.

System Auto Block Rules

The Anti-Malicious Requests feature adds automatic interception rules. Once enabled, it supports automatic interception of detected black domains and black IPs, while some content still requires manual policy configuration.
System blocklist domain names and IPs: Domain names and IPs curated by host security operation experts and algorithm experts, which can be automatically intercepted.
Interception principle explanation: A malicious request refers to terminating the access process to a rule domain/IP. It does not end the process but terminates the access request.
Note:
If you find any false interceptions, you can create a custom policy for allowlist processing or Contact Us.
System automatic interception rules are only available to flagship edition users.
1. Log in to the CWPP Console, select Intrusion Detection > Anti-Malicious Requests from the left sidebar.
2. On the Malicious Requests page, the system supports enabling automatic interception rules in the following two ways.
On the policy configuration page, click the activation status switch on the right side of the system automatic interception rule policy. In the execution action column, you can switch between standard mode interception and enhanced protection mode interception.
Standard mode: Integrates multiple engine detection results and automatically protects against high-confidence risks, making it more suitable for daily security operations.
Enhanced protection mode: Integrates multiple engine detection results and automatically protects against medium and high-confidence risks. There may be a risk of false interception, suitable for enhanced protection, please enable with caution.

On the alarm list page, click to enable the automatic interception switch for malicious requests.