Suspicious Processes Check Test
Some process are not commonly seen and are only used by malicious software. These processes are called suspicious processes. Often, to gain entry into the target host, malware will try to mask itself by imitating legitimate Windows system processes. These suspicious processes pose a potential security threat because they may steal valuable data or encrypt files and also can drain resources leading to slowing down computers. Thus, it is very essential to identify the suspicious processes before it takes control over the system.
This test monitors all the processes ,isolates the process patterns that are configured as suspicious processes and reports the number of suspicious processes. Any unusual increase in the number of suspicious processes clearly indicates malicious activity. Therefore, by using this test, administrators are promptly alerted to any sudden increase in the number of suspicious processes. This will help proactively detect and resolve any suspicious activity before it becomes a potential security risk.. The detailed diagnosis offered by this test helps administrators to find more details of the process such as the process name, identified time, and process ID.
Target of the test : A Windows host
Agent deploying the test : An internal agent
Outputs of the test : One set of results for the Windows host being monitored
| Parameter | Description |
|---|---|
|
Test Period |
How often should the test be executed. |
|
Host |
The host for which the test is to be configured. |
|
Port |
The port on which the server is listening. By default, it is given as NULL. |
|
Suspicious Process Patterns |
The process patterns that need to be considered as suspicious processes for monitoring will have to be provided in a comma-separated list in the Suspicious Process Patterns text box. The pattern configuration should be in the following format: *ssvc*, *abc*, *contains*. |
|
DD Frequency |
Refers to the frequency with which detailed diagnosis measures are to be generated for this test. The default is 1:1. This indicates that, by default, detailed measures will be generated every time this test runs, and also every time the test detects a problem. You can modify this frequency, if you so desire. Also, if you intend to disable the detailed diagnosis capability for this test, you can do so by specifying none against DD frequency. |
|
Detailed Diagnosis |
To make diagnosis more efficient and accurate, the eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option. The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:
|
| Measurement | Description | Measurement Unit | Interpretation |
|---|---|---|---|
|
Suspicious processes |
Indicates the number of suspicious process during the last measurement period. |
Number |
Use the detailed diagnosis of this measure to identify the process name, identified time, Process ID, and Image path with arguments. |
