Executables

The Executables table is a repository of all executables (EXE and DLL files) discovered on the network monitored by ESET Inspect.

For each executable, granular statistics are provided: reputation and popularity in LiveGrid®, when it was first seen by LiveGrid®, on how many computers it was seen or executed, how many file operations and network connections it performed, what modifications it made, and further metadata that helps identify potentially suspicious behavior.

This is the most data-dense view in ESET Inspect and offers the most extensive customization of displayed columns and filtering. You can see how many detections each executable triggered and the highest severity among them.

You can check the details of every executable, including the statistics mentioned above, the detections it triggered, its origin, and the registry entries it touched. This information supports your investigation of why the executable's behavior was evaluated as malicious.

You can also drill down to aggregated or raw events to examine activity that may violate company policy. Remediation actions are available as well: download the executable for further analysis, add it to the block list (by hash), or kill a specific process.
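Before blocking by hash, a practitioner usually confirms that the file obtained through Download File is the one the console reports, and that it really is the EXE or DLL the table says it is. The following Python example is added here and is not ESET Inspect code. The page does not state which hash algorithm the block list uses, so the example computes both SHA-1 and SHA-256 and compares them with whatever digests you copied from the console. The EXE/DLL classification reads the Characteristics field of the PE header (the IMAGE_FILE_DLL flag). The header-only sample it builds for offline testing is constructed and is not a real binary.

```python
import hashlib
import struct

# COFF Characteristics flag set on DLL images (PE/COFF specification: IMAGE_FILE_DLL)
IMAGE_FILE_DLL = 0x2000


def file_hashes(data: bytes) -> dict:
    """Return SHA-1 and SHA-256 hex digests of the sample bytes."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def pe_kind(data: bytes) -> str:
    """Classify a sample as 'EXE', 'DLL' or 'not-PE' from its headers.

    Layout read: DOS header starting with 'MZ' and e_lfanew at offset 0x3C,
    then the 4-byte 'PE\\0\\0' signature, then the 20-byte COFF header whose
    last field (bytes 18-19) is Characteristics.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-PE"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need signature (4) + COFF header (20) to be inside the buffer
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-PE"
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return "DLL" if characteristics & IMAGE_FILE_DLL else "EXE"


def verify_sample(data: bytes, expected: dict) -> list:
    """Compare computed hashes against the digests shown in the console.

    `expected` maps an algorithm name ('sha1' or 'sha256') to the hex digest
    copied from the console. Returns the list of algorithms that do not match;
    an empty list means the downloaded file is the one the console reported.
    """
    actual = file_hashes(data)
    return [
        algo for algo, digest in expected.items()
        if actual.get(algo, "").lower() != digest.lower()
    ]


def build_min_pe(is_dll: bool) -> bytes:
    """Build a constructed, header-only PE image for offline testing (not a real binary)."""
    e_lfanew = 0x40
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_EXECUTABLE_IMAGE (0x0002) | IMAGE_FILE_32BIT_MACHINE (0x0100), plus the DLL flag
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    import sys

    # Pass the path of a downloaded sample; without one, the constructed DLL header is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            sample = f.read()
    else:
        sample = build_min_pe(is_dll=True)
    print("type:", pe_kind(sample))
    for algo, digest in file_hashes(sample).items():
        print(f"{algo}: {digest}")
```

Run it against the downloaded file and compare the printed digests with the console; if `verify_sample` reports a mismatch, do not block the hash you computed locally, since it would not be the file the console observed.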

Filtering, Tags and Table options

Use the filters at the top of the screen to refine the list of displayed items. Tags are also useful when searching for a specific computer, detection, incident, executable, or script. Click the gear icon to open the table options and manage the main table.

OS type (filter icons) - Click an icon to hide items of that platform. Filter by operating system to show or hide executables for Windows, macOS, or Linux.

Executable type (filter icons) - Click to show only EXE files, only DLL files, or both.

Blocked and Safe - Filter executables to show only Blocked files, only Safe files, or both.


The Executables details window consists of the following parts:

Details

Click the name of the executable to display comprehensive details.


Statistics

Statistics for a specific executable, aggregated across all executables with the same file checksum, are listed here.

Seen on - Number of computers on which the executable occurred.

Executed on - Number of computers on which the executable executed.

Executions count - Total number of executions of the executable.

Sent bytes - Total number of bytes sent by the file, from all computers, for all processes.

Network connections - Number of network connections made by the file.

File modifications - Number of files modified (written to, deleted, or renamed).

Registry modifications - Number of registry entries that were modified.

Executable drops - Number of executables dropped by this executable.

HTTP Events - Number of HTTP events generated by this executable.

DNS Events - Number of DNS events generated by this executable.

Events/24H - Number of events generated by this executable within the last 24 hours.


Detections

This tab provides the same options as the main Detections view, but shows only detections triggered by this specific executable. Clicking a detection takes you to its Detection details.


Seen on

List of all computers on which the executable (or any executable with the same file checksum) was seen.


Sources

List of dropped executables, with additional information about each.


Click an executable name to take further actions:

Details

Go to the Executable details tab.

Detections

Go to the Detections tab.

Statistics

Go to the Statistics tab.

Seen On

Go to the Seen On tab.

Sources

Go to the Sources tab.

Events Filters

Go to the Create event storage filter.

Mark as Safe

Marking an executable as Safe affects detections, but it does not guarantee that the module will never appear in a detection. There are a few hundred rules, and some raise detections regardless of which module performed the suspicious action; a trusted module such as PowerShell can trigger them, for example. Other rules evaluate risk based on the module itself, and those rules take the Safe flag into account. The flag means that a user analyzed the module and considers it unlikely to be malicious, so such rules assume a lower risk during evaluation.

Mark as Unsafe

If you marked an executable as Safe by mistake, use this action to revert it.

Block

Go to the Block hashes tab.

Unblock

Removes the hash from the Blocked hashes section.

Mark as Inspected

Does not affect detections. Use it when the Security Admin or Reviewer has checked the module, knows its source and what it does, but is still unsure whether the module is safe.

Mark as Uninspected

Marks the executable as uninspected by the logged-in user.

Download File

Opens the download window for the selected executable (EXE or DLL).

Tags

Assign one or more existing tags to the executable, or create new custom tags.

Filter

Quick filters, depending on the column where you activated the context menu (Show only this, Hide this).