Process details

There are the following tiles with details about the processes:

Name - Name of the process is shown here. By clicking on the name, you are redirected to the Executable details.

SHA-1 - Hash of the executable.

By clicking the down arrow next to the hash, a context menu with two options appears:

Virus Total - Open the Virus Total search page that you can define in the Settings tab.

Copy to clipboard - Copy the hash to your clipboard for further use.

Signer Name - If the file is signed, here you can see the signer of the file.

Seen on - The number of computers on which the file was discovered. After clicking on it, you are redirected to the Computers view, with a filtered computers list.

Signature Type - Information whether the file is signed or not and how it is signed (Trusted/Valid/None/Invalid/Unknown).

File Description - The full description of the file, for example, Keyboard Driver for AT-Style Keyboards.

First Seen - When an executable was first seen on any computer in a monitored network.

Last Executed - When an executable was last executed on any computer in a monitored network.

LiveGrid®

Reputation (LiveGrid®) - A number from 1 to 9 indicating how safe the file is: 1-2 (red) is malicious, 3-7 (yellow) is suspicious, 8-9 (green) is safe.

Popularity (LiveGrid®) - How many computers reported an executable to LiveGrid®.

First Seen (LiveGrid®) - When an executable was first seen on any computer connected to LiveGrid®.

Popularity   On how many computers it was seen in LiveGrid®   Color    Description
0            0                                                red      Not seen
1            1 - 9                                            red      Low
2            10 - 99                                          yellow   Medium
3            100 - 999                                        yellow   Medium
4            1 000 - 9 999                                    yellow   Medium
5            10 000 - 99 999                                  green    High
6            100 000 - 999 999                                green    High
7            1 000 000 - 9 999 999                            green    High
8            10 000 000 - 99 999 999                          green    High
9            100 000 000 - 999 999 999                        green    High
10           1 000 000 000 - 9 999 999 999                    green    High
11           10 000 000 000 - 99 999 999 999                  green    High

Events

File - How many file modifications were made by this process

Registry - How many registry modifications were made by this process

Network - How many network connections were made by this process

Computer

Shows the name of the computer where the detection triggered. Click the computer name to open Computer details. You can also click View detections on this computer to open the Computer detection list of this specific computer.

Parent Group - The name of a group of computers where this specific computer is assigned. The computer’s group can be changed in the ESET PROTECT.

Last connected - The time of the last contact over the permanent connection that is kept open to listen for notifications about blocked hashes, requests to download a file, requests to kill a process, etc. The refresh interval is 90 seconds.

Last event - The timestamp of the last event sent to the server. This is the time the event occurred on the computer, not the time it was sent to the ESET Inspect Server.

ESET Inspect Connector version - Version of the ESET Inspect Connector, deployed on the specific computer.

OS Name - The operating system's name running on the specific computer.

OS Version - The version of the OS running on this specific computer.

Process - The name and the ID of the process. After clicking the executable name, you are redirected to the Executable details.

Command line - A command line command that executes this process.

Path - Path on the disk where the executable is located.

Started - The time when the process was executed.

Ended - The time when the process ended.

Parent process - The process that created this child process. After clicking its name, you are redirected to the Process details of that specific process.

First dropper - The first recorded process that dropped (created on disk) the module (executable file) of the given process on the computer where that process was run. By clicking it, you are redirected to the Process details of that process.

Compromised - If available, shows whether the process is compromised.

LnkPath - The path of the shortcut through which the process was executed.

Note - Add a note by clicking Set note.

Executable - The name of the executable dropped by the first dropper and the one that started the process.

Integrity Level

Represented by an arrow icon in the process tree, in the grid of the Detections tab, and everywhere the process name is shown. These levels exist:

Untrusted - blue down arrow. Blocks most write access to a majority of objects.

Low - blue down arrow. Blocks most write access to registry keys and file objects.

Medium - no icon. This is the default setting for most processes when UAC is enabled on the system.

High - red up arrow. Most processes will have this setting if UAC is disabled and the currently logged on user is the administrator.

System - red up arrow. This setting is reserved for system level components.

Protected process - red up arrow. Used by some anti-malware services; it only allows trusted, signed code to load and has a built-in defense against code injection attacks.
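The LiveGrid® reputation and popularity bands above, together with the Signature Type and Integrity Level fields, are what an analyst scans first when deciding whether a process detail page needs attention. The following is an added example (not ESET Inspect code) that encodes those bands from this page and applies them to constructed process records; the record layout, the digit-count derivation of the popularity level, and the triage heuristic are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

def reputation_band(rep: int) -> str:
    """Reputation (LiveGrid) 1-9: 1-2 malicious, 3-7 suspicious, 8-9 safe."""
    if not 1 <= rep <= 9:
        raise ValueError("LiveGrid reputation must be in 1..9")
    if rep <= 2:
        return "malicious"
    return "suspicious" if rep <= 7 else "safe"

def popularity_level(seen_on: int) -> tuple[int, str, str]:
    """Map a 'seen on N computers' count to (level, color, description) per the
    popularity table: level 0 for 0, otherwise the number of decimal digits of N
    (1-9 -> 1, 10-99 -> 2, ...). Capping at 11 for larger counts is an assumption."""
    if seen_on < 0:
        raise ValueError("count cannot be negative")
    if seen_on == 0:
        return 0, "red", "Not seen"
    level = min(len(str(seen_on)), 11)
    if level == 1:
        return level, "red", "Low"
    if level <= 4:
        return level, "yellow", "Medium"
    return level, "green", "High"

@dataclass
class ProcessRecord:            # constructed, not the product's data model
    name: str
    signature_type: str         # Trusted / Valid / None / Invalid / Unknown
    reputation: int             # Reputation (LiveGrid), 1-9
    popularity_seen_on: int     # Popularity (LiveGrid) raw count
    integrity_level: str        # Untrusted / Low / Medium / High / System / Protected process

def triage_reasons(p: ProcessRecord) -> list[str]:
    """Return the field values that argue for a closer look (empty list = nothing notable).
    The combination rules are an assumed heuristic, not an ESET Inspect rule."""
    reasons: list[str] = []
    if p.signature_type in ("None", "Invalid", "Unknown"):
        reasons.append(f"signature {p.signature_type}")
    band = reputation_band(p.reputation)
    if band != "safe":
        reasons.append(f"reputation {p.reputation} ({band})")
    level, color, desc = popularity_level(p.popularity_seen_on)
    if color != "green":
        reasons.append(f"popularity level {level} ({desc})")
    # An elevated process is only interesting here if something else is already off.
    if reasons and p.integrity_level in ("High", "System"):
        reasons.append(f"runs at {p.integrity_level} integrity")
    return reasons
```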

Username

The name of the user/account that was logged in when the detection was raised.

Full name - User's full name, if available from Active Directory.

Job Position - User's job position, if available from Active Directory.

User Department - User's department, if available from Active Directory.

User Description - User's description, if available from Active Directory.

Comments

Add an optional comment to recognize the detection easily.

Audit Log

Shows the actions that were taken on this detection. Currently these are Resolved, Unresolved, Commented, and Priority Changed.

The process tree on the right side

The process tree reflects the parent-child relationship between processes where child processes are shown directly beneath their parent and right-indented. Processes that are on the left are orphans, and their parent has exited.

Process details action buttons:

Incident - Create an incident report, or add to an existing incident (currently active).

Download file - To download the executable file for further investigation.

Kill process - Kill the process, if it is still active in the operating memory.