Process details
The following tiles show details about the process:
•Name—The name of the process. Click the name to open the Executable details.
•SHA-1—Hash of the executable.
Clicking the gear icon next to the hash opens a context menu with two options:
•Open the VirusTotal search page that you can define in the Settings tab.
•Copy to clipboard—Copies the hash to your clipboard for further use.
•Signer Name—If the file is signed, here you can see the signer of the file.
•Seen on—The number of computers on which the file was discovered. After clicking on it, you are redirected to the Computers view, with a filtered computers list.
•Signature Type—Whether the file is signed and how it is signed (Trusted/Valid/None/Invalid/Unknown). If the value is Present, the executable is signed, but ESET Inspect does not know the certificate's status. This is uncommon on Windows, but on macOS a signature is never verified by Endpoint, so the only possible states there are Present and None.
•File Description—The full description of the file, for example, Keyboard Driver for AT-Style Keyboards.
•First Seen—When an executable was first seen on any computer in a monitored network.
•Last Executed—When an executable was last executed on any computer in a monitored network.
LiveGrid®
•Reputation (LiveGrid®)—A number from 1 to 9 indicating how safe the file is: 1–2 (red) is malicious, 3–7 (yellow) is suspicious, 8–9 (green) is safe.
•Popularity (LiveGrid®)—How many computers reported an executable to LiveGrid®.
•First Seen (LiveGrid®)—When an executable was first seen on any computer connected to LiveGrid®.
| Popularity | On how many computers it was seen in LiveGrid® | Color | Description |
|---|---|---|---|
| 0 | 0 | red | Not seen |
| 1 | 1–9 | red | Low |
| 2 | 10–99 | yellow | Medium |
| 3 | 100–999 | yellow | Medium |
| 4 | 1 000–9 999 | yellow | Medium |
| 5 | 10 000–99 999 | green | High |
| 6 | 100 000–999 999 | green | High |
| 7 | 1 000 000–9 999 999 | green | High |
| 8 | 10 000 000–99 999 999 | green | High |
| 9 | 100 000 000–999 999 999 | green | High |
| 10 | 1 000 000 000–9 999 999 999 | green | High |
| 11 | 10 000 000 000–99 999 999 999 | green | High |
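The two LiveGrid® scales above, encoded as functions (an added example, not ESET Inspect code). The popularity table is generalized to its underlying rule, level = number of decimal digits in the count, capped at 11; the cap for counts above the table and the `needs_analyst_attention` heuristic are assumptions, not documented behaviour.

```python
"""Classify ESET Inspect LiveGrid(R) reputation and popularity values."""
from dataclasses import dataclass

POPULARITY_MAX_LEVEL = 11  # highest level in the documented table


@dataclass(frozen=True)
class LiveGridVerdict:
    level: int
    color: str
    description: str


def reputation_color(score: int) -> str:
    """Map a LiveGrid reputation score (1-9) to its color: 1-2 red
    (malicious), 3-7 yellow (suspicious), 8-9 green (safe)."""
    if not 1 <= score <= 9:
        raise ValueError(f"reputation must be 1-9, got {score}")
    if score <= 2:
        return "red"
    if score <= 7:
        return "yellow"
    return "green"


def popularity(seen_count: int) -> LiveGridVerdict:
    """Bucket a LiveGrid popularity count into level, color, description.

    Level 0 = never seen; otherwise the level is the number of decimal
    digits in the count (1-9 -> 1, 10-99 -> 2, ...). Counts beyond the
    documented table are capped at level 11 (assumption).
    """
    if seen_count < 0:
        raise ValueError("count cannot be negative")
    if seen_count == 0:
        return LiveGridVerdict(0, "red", "Not seen")
    level = min(len(str(seen_count)), POPULARITY_MAX_LEVEL)
    if level == 1:
        return LiveGridVerdict(level, "red", "Low")
    if level <= 4:
        return LiveGridVerdict(level, "yellow", "Medium")
    return LiveGridVerdict(level, "green", "High")


def needs_analyst_attention(score: int, seen_count: int) -> bool:
    """Assumed triage heuristic: anything not green on reputation, or seen
    on fewer than 10 computers (popularity red), deserves a closer look."""
    return reputation_color(score) != "green" or popularity(seen_count).level <= 1
```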
Events
•File—How many file modifications were made by this executable.
•Registry—How many registry modifications were made by this executable.
•Network—How many network connections were made by this executable.
Computer
Shows the name of the computer where the detection triggered. Click the computer name to open the Computer details. You can also click View detections on this computer to open the Computer detection list of this specific computer.
•Parent Group—The name of the group of computers to which this specific computer is assigned. The computer’s group can be changed in ESET PROTECT.
•Last connected—The last time the computer connected over the permanent connection it keeps open to listen for notifications about blocked hashes, requests to download a file, kill a process, etc. The refresh interval is 90 seconds.
•Last event—The timestamp of the last event sent to the server. This is the time the event occurred on the computer, not when it was sent to the ESET Inspect Server.
•ESET Inspect Connector version—Version of the ESET Inspect Connector, deployed on the specific computer.
•OS Name—The name of the operating system running on the specific computer.
•OS Version—The version of the OS running on this specific computer.
•Process—The name and the ID of the process. Click the executable name to open the Executable details.
•Command line—The command line that executed this process.
•Path—The path on disk where the executable is located.
•Started—The time when the process was started.
•Ended—The time when the process ended.
•Parent process—The process that created this child process. Click its name to open the Process details of that specific process.
•First dropper—The first recorded process that dropped (created on disk) the module (executable file) of this process on the computer where the process ran. Click it to open the Process details of that process.
•Compromised—If available, shows whether the process is compromised.
•LnkPath—The path of the shortcut from which the process was executed.
•Note—Add a note by clicking Set note.
•Executable—The name of the executable dropped by the first dropper and the one that started the process.
Integrity Level
Represented by an arrow icon in the process tree, in the grid of the Detections tab, and wherever the process name is shown. The levels are:
•Untrusted—blue arrow down. Blocks most write access to a majority of objects.
•Low—blue arrow down. Blocks most write access to registry keys and file objects.
•Medium—no icon. This is the default setting for most processes when UAC has been enabled on the system.
•High—red arrow up. Most processes will have this setting if UAC is disabled and the currently logged on user is the administrator.
•System—red arrow up. This setting is reserved for system-level components.
•Protected process—red arrow up. Used by some anti-malware services; only allows trusted, signed code to load and has a built-in defense against code injection attacks.
Username
The name of the user/account that was logged in when the detection was raised.
•Full name—User's full name, if available from Active Directory.
•Job Position—User's job position, if available from Active Directory.
•User Department—User's department, if available from Active Directory.
•User Description—User's description, if available from Active Directory.
To display the user details, you need to define the following parameters for the user in Active Directory:
Then run the synchronization task to update the user information.
Comments
Add an optional comment to recognize the detection easily.
Audit Log
Shows the actions that were taken on this detection. Currently these are Resolved, Unresolved, Commented, and Priority Changed.
The process tree on the right side
The process tree reflects the parent-child relationship between processes: child processes are shown directly beneath their parent and indented to the right. Processes at the left margin are orphans; their parent has exited.
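The layout rule just described, as an added example that is not ESET Inspect code: the records are constructed (pid, parent pid, name) tuples, a parent pid of 0 is assumed to mark a true root, and a parent pid that is not among the records means the parent has exited, so that process is an orphan placed at the left margin.

```python
"""Lay out processes the way the Process details tree does."""
from collections import defaultdict

# Constructed sample; pid 999 is absent, so its children are orphans.
SAMPLE = [
    (4, 0, "System"),
    (700, 4, "smss.exe"),
    (1200, 999, "explorer.exe"),
    (1500, 1200, "cmd.exe"),
    (1600, 1500, "powershell.exe"),
    (2000, 999, "notepad.exe"),
]


def build_tree(records):
    """Return (left_margin_pids, children) for the given records."""
    known = {pid for pid, _, _ in records}
    children = defaultdict(list)
    left_margin = []
    for pid, ppid, _ in records:
        if ppid in known:
            children[ppid].append(pid)
        else:
            left_margin.append(pid)  # true root or orphan
    return left_margin, children


def orphans(records):
    """Pids whose parent has exited: parent pid set, but not recorded."""
    known = {pid for pid, _, _ in records}
    return sorted(pid for pid, ppid, _ in records
                  if ppid != 0 and ppid not in known)


def render(records, indent="    "):
    """Return the tree as text lines, children right-indented under parents."""
    names = {pid: name for pid, _, name in records}
    left_margin, children = build_tree(records)
    orphan_set = set(orphans(records))
    lines = []

    def walk(pid, depth):
        marker = " [orphan]" if pid in orphan_set else ""
        lines.append(f"{indent * depth}{names[pid]} ({pid}){marker}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for pid in sorted(left_margin):
        walk(pid, 0)
    return lines
```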
Process details action buttons:
•Incident—Create an incident report, add to the currently active incident, or add to one of the last 3 incidents.
•Download file—Download the executable file for further investigation.
•Kill process—Kill the process, if it is still active in memory.
•Submit to ESET LiveGuard—Manually submit the file for ESET LiveGuard analysis.
Do not block or kill any Windows system process or executable (for example, svchost.exe). Otherwise, the operating system may crash.