Process details
This list contains all tiles with process details:
•Name—The process name is shown here. Click the name to be redirected to Executable details.
•SHA-1—The executable's hash.
Click the gear icon next to the hash to show the context menu, where you can find two options:
•Open the Virus Total search page, which you can define in the Settings tab.
•Copy to clipboard to add the hash to your clipboard.
•Signer Name—The file signer, if applicable.
•Seen on—The computers where the file was discovered. Click Seen on to be redirected to the Computers view, where you can find a filtered list.
•Signature Type—The signature type, if signed: Trusted, Valid, None, Invalid or Unknown. The executable is signed if the value is Present, but ESET Inspect On-Prem cannot identify the certificate's status. While uncommon for Windows, on MacOS, Endpoint does not verify signatures, and the only states are Present or None.
•Seen on—The computers where the file was discovered. Click Seen on to be redirected to the Computers view, where you can find a filtered list.
•File Description—The file's full description.
•First Seen—When an executable was first seen on any computer in a monitored network.
•Last Executed—When an executable was last executed on any computer in a monitored network.
LiveGrid®
•Reputation (LiveGrid®)—A number from 1 to 9, indicating how safe the file is: 1–2 (red) is malicious, 3–7 (yellow) is suspicious, 8–9 (green) is safe.
•Popularity (LiveGrid®)—How many computers reported an executable to LiveGrid®.
•First Seen (LiveGrid®)—When an executable was first seen on any computer connected to LiveGrid®.
Popularity |
No. computers affected in LiveGrid® |
Color |
Description |
---|---|---|---|
0 |
0 |
Red |
Not seen |
1 |
1–9 |
Red |
Low |
2 |
10–99 |
Yellow |
Medium |
3 |
100–999 |
Yellow |
Medium |
4 |
1 000–9 999 |
Yellow |
Medium |
5 |
10 000–99 999 |
Green |
High |
6 |
100 000–999 999 |
Green |
High |
7 |
1 000 000–9 999 999 |
Green |
High |
8 |
10 000 000–99 999 999 |
Green |
High |
9 |
100 000 000–999 999 999 |
Green |
High |
10 |
1 000 000 000–9 999 999 999 |
Green |
High |
11 |
10 000 000 000–99 999 999 999 |
Green |
High |
Events
•File—Number of file modifications the executable made.
•Registry—Number of registry modifications the executable made.
•Network—Number of network connections the executable made.
Computer
Shows the computer's name where the detection triggered. Click the computer name to find Computer details. Click View detections on this computer to open the specific computer’s detection list.
•Parent Group—A computer group's name where a specific computer is assigned. You can change the computer's group in ESET PROTECT On-Prem.
•Last connected—The permanent connection, which refreshes every 90 seconds, created for listening to blocked hash notifications, requests to download a file or kill a process.
•Last event—The last event’s timestamp that was sent to the server. This event occurred on the computer, not when it was sent to the ESET Inspect Server.
•ESET Inspect Connector version—The ESET Inspect Connector version, deployed on the computer.
•OS Name—The operating system (OS) running on the computer.
•OS Version—The OS version running on the computer.
•Process—The process' name and the ID. Click the executable name to be redirected to the Executable details.
•Command line—A command line command that executes this process.
•Path—The path on the disk where the executable is located.
•Started—The time the process started.
•Ended—The time the process finished.
•Parent process—The process that created a child process. Click the name to be redirected to the Process details.
•First dropper—The first recorded process that dropped (created on disk) a module (executable file) of a given process on a given computer. Click it to be redirected to Process details.
•Compromised—If available, shows the process is compromised.
•LnkPath—A path to a shortcut execution.
•Note—Click Set note to add a note.
•Executable—The executable's name dropped by the first dropper and the one that started the process.
Integrity Level
Represented by the arrow in the process tree, the Detections tab grid, and wherever the process name is present. The integrity levels are:
•Untrusted—Blue arrow down. Blocks most write access to a majority of objects.
•Low—Blue arrow down. Blocks most write access to registry keys and file objects.
•Medium—No icon. This is the default setting for most processes when UAC is enabled.
•High—Red arrow up. Most processes will have this setting if UAC is disabled and the administrator is the user currently logged in.
•System—Red arrow up. This setting is reserved for system-level components.
•Protected process—Red arrow up. Some antimalware services use this to load trusted, signed code, and includes a built-in defense against code injection attacks.
Username
Shows the user or account name logged in when the detection was triggered. The following details are pulled from the Active Directory:
•Full name
•Job Position
•User Department
•User Description
To display user details, you must define the following parameters in the Active Directory:
Then, run a synchronization task to update. |
Comments
Adds a comment.
Audit Log
Displays detection actions: Resolved, Unresolved, Commented and Priority Changed.
The process tree on the right side
The process tree reflects the parent-child relationship between processes where child processes are shown directly beneath their parent and right-indented. Processes on the left are orphans, and their parent has exited.
Process details action buttons:
•Incident:
oCreate an incident report
oAdd to a current incident
oAdd to recent incident, which shows the last three incidents
oSelect incident to add to
•Download file—Download the executable file for further investigation.
•Kill process—Kill the process, if it is still active in the operation memory.
•Submit to ESET LiveGuard—Manually submit file for ESET LiveGuard analysis.
Do not Block or Kill any Windows system processes or executables, such as svchost.exe. This may cause an operating system crash. |