
What does the free AI-based firewall protection provide?

SysLock AI-Based WAF Protection – Operational Overview and Security Layers

SysLock AI-based WAF protection is a multi-layer security solution that combines machine learning with multiple, stacked protection modules. Its goal is to automatically detect and block common web threats (such as large-scale brute-force attempts, known and unknown web exploits, and malicious file and database injections), and, when necessary, quarantine or clean affected files.

1) Multi-Layer Protection – Main Components and How They Work

The strength of SysLock AI-based WAF protection is that it does not rely on a single “antivirus”-type function, but on several complementary layers. The most important ones include:

1.1. Malware Scanning – Real-Time and Scheduled Malware Detection

The system supports real-time and on-demand scanning, checking files against malware signatures, backdoor patterns, and other malicious indicators. A key element is scanning CMS databases (e.g., in WordPress/Joomla environments), as well as detecting malicious cron entries, since these are common “persistence” techniques after a compromise.

In practice, this means that web content on the server, uploads, and typical entry points are scanned in multiple stages:

  • regular, scheduled scans across the entire hosting space or user accounts,

  • manually triggered checks during incidents,

  • depending on configuration, fast near-real-time scanning of suspicious file operations.

1.2. Malware Cleanup – Automated Cleaning and Quarantine

After detection, the system can perform automatic malware removal (cleanup) or, if cleaning is unsafe or not feasible, place the infected file into quarantine. “Neutralization” can take several forms depending on configuration (for example, rendering the file harmless, emptying it, or removing it).

This delivers two important benefits:

  1. reduced manual intervention time for compromised websites,

  2. lower chance of infection spread, because the system immediately takes the harmful element “out of circulation.”

1.3. Malware Database Scanner (MDS) – Handling Database-Level Infections

In web compromises, it is common that not only files are modified, but malicious JavaScript/iframes, spam links, or admin-account manipulation are injected into the database. This is addressed by the Malware Database Scanner (MDS), which, according to the documentation, can scan supported CMS databases, clean them, and, if needed, restore the data segments affected during cleanup from a saved backup file.

1.4. Proactive Defense – Runtime (Behavior-Based) PHP Protection

One of the “signature” features of SysLock AI-based WAF protection is Proactive Defense, which analyzes behavior while PHP scripts are running and blocks malicious execution, even if the pattern is not present in a classic signature database. We position this specifically as a response to zero-day-type attacks.

In day-to-day operations, this typically looks like:

  • suspicious actions (e.g., typical webshell behavior, code-injection patterns, file manipulations) are identified during execution,

  • the event is logged as an “incident” (e.g., a “Script blocked”-type event).

1.5. WAF / WebShield – Application-Layer Traffic Filtering and Anti-Bot Protection

SysLock’s AI-based WAF includes a Layer 7 (application-layer) WAF approach that filters web requests (HTTP/HTTPS) using rule sets. The documentation and related materials also cover managing, disabling, and fine-tuning WAF/ModSecurity rules.

The WebShield/anti-bot line also includes Gray list + CAPTCHA/Anti-bot Challenge logic: if an IP shows policy-violating behavior (for example, brute-force-like attempts), the system temporarily places it on the gray list and may present a CAPTCHA on web access; if the challenge is not successfully completed, the IP may be moved to the black list.

An operational consideration is that behind a CDN (for example, Cloudflare), WebShield can determine the real client IP from the appropriate forwarding headers, and the “known proxies” list can be configured as described in the documentation.

1.6. Firewall – IP Lists, Port Blocking, and Country-Level Blocks

In practice, the SysLock AI-based WAF module provides a manageable White/Gray/Black list system, supplemented with port-blocking options and, in some cases, country-level blocking. The gray list operates automatically, and the system starts with a large database of potentially risky IPs; in addition, administrator(s) can be temporarily auto-whitelisted.

The operating logic here is typically:

  • White list: an exception list meaning “never block,”

  • Gray list: temporary restriction and CAPTCHA for suspicious, automated/abusive behavior,

  • Black list: persistent blocking.
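The following is an added illustration of the decision logic described in 1.5 and 1.6 (known-proxy-aware client IP resolution, then White/Gray/Black list handling with CAPTCHA escalation); it is example code written for this article, not SysLock's implementation. The proxy address, the `X-Forwarded-For` header, the failure thresholds, and the omission of gray-list expiry are assumptions.

```python
from dataclasses import dataclass, field

# Assumed values (not from the page): a constructed CDN edge address and escalation thresholds.
KNOWN_PROXIES = {"203.0.113.10"}
LOGIN_FAILS_TO_GRAYLIST = 5
CHALLENGE_FAILS_TO_BLACKLIST = 3

@dataclass
class Firewall:
    whitelist: set = field(default_factory=set)   # "never block"
    graylist: set = field(default_factory=set)    # temporary, CAPTCHA-gated
    blacklist: set = field(default_factory=set)   # persistent block
    login_failures: dict = field(default_factory=dict)
    challenge_failures: dict = field(default_factory=dict)
    def client_ip(self, peer_ip, headers):
        # Trust X-Forwarded-For only when the TCP peer is a known proxy (anti-spoofing).
        if peer_ip in KNOWN_PROXIES and "X-Forwarded-For" in headers:
            return headers["X-Forwarded-For"].split(",")[0].strip()
        return peer_ip

    def record_login_failure(self, ip):
        # Brute-force-like behaviour moves an IP to the gray list.
        if ip in self.whitelist:
            return
        self.login_failures[ip] = self.login_failures.get(ip, 0) + 1
        if self.login_failures[ip] >= LOGIN_FAILS_TO_GRAYLIST:
            self.graylist.add(ip)

    def decide(self, peer_ip, headers):
        # Returns 'allow', 'captcha' or 'block' for an incoming request.
        ip = self.client_ip(peer_ip, headers)
        if ip in self.whitelist:
            return "allow"
        if ip in self.blacklist:
            return "block"
        return "captcha" if ip in self.graylist else "allow"

    def challenge_result(self, ip, passed):
        # A passed CAPTCHA clears the gray-list entry; repeated failures escalate to the black list.
        if passed:
            self.graylist.discard(ip)
            self.login_failures.pop(ip, None)
            self.challenge_failures.pop(ip, None)
            return "allow"
        self.challenge_failures[ip] = self.challenge_failures.get(ip, 0) + 1
        if self.challenge_failures[ip] >= CHALLENGE_FAILS_TO_BLACKLIST:
            self.graylist.discard(ip)
            self.blacklist.add(ip)
            return "block"
        return "captcha"
```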

1.7. IDS/IPS – Blocking Known Attack Patterns

SysLock AI-based WAF also provides Intrusion Detection/Prevention System (IDS/IPS) capabilities, blocking well-known attack patterns using “deny policy”-type rules. It should be treated as an additional line of defense: while the WAF focuses on application-layer requests, IDS/IPS aims to filter and prevent a broad range of attack patterns.

1.8. Reputation Management – Monitoring Domain/IP Reputation and Blacklists

Reputation Management can check daily whether domains hosted on the server have been blacklisted (for example, by search engines or spam/RBL lists) and provide notifications. In practice, this enables faster response: instead of discovering a reputation problem weeks later via customer complaints, it appears proactively in the interface.


2) Typical Operational Flow in the Event of a Compromise

A typical incident path looks like this:

  1. Detection: the malware scanner returns a hit (file or database), WAF/IDS raises an alert, or Proactive Defense blocks an attempt during execution.

  2. Mitigation: the attacker IP may be added to the Gray/Black list, an anti-bot challenge may be activated, and the exploit attempt is stopped by a WAF rule.

  3. Infection handling: automatic cleanup or quarantine, with manual intervention if necessary.

  4. Recovery: database cleanup (MDS) or restore steps from backup.

  5. Prevention: rule tuning, patching affected components (kernel patch management), reputation checks, and, longer term, optimizing Proactive Defense/WAF rules.


3) Summary

In summary, SysLock AI-based WAF protection does not rely on a single security technology, but uses a layered approach. Classic malware scanning and cleanup are complemented by runtime, behavior-based PHP protection (Proactive Defense), application-layer traffic filtering (WAF/WebShield), list-based firewall logic (White/Gray/Black list + port blocking), an IDS/IPS-style ruleset, reputation monitoring, and kernel patch management.
