ESET Inspect On-Prem – Table of Contents

OpenProcess

Copy current article URL Share via email

This article (PDF) Whole documentation (PDF)

Added a new rule attribute, which triggers when a process is opened.

HIPS sends OpenProcess events only for lsass.exe and only with PROCESS_VM_WRITE and/or PROCESS_VM_READ process access only when calling OpenProcess or DuplicateHandle (when the already opened process with mentioned accesses)

Property	Type	Description	Example
AccessRight	Symbol		Possible values are: •1—PROCESS_TERMINATE •2—PROCESS_CREATE_THREAD •8—PROCESS_VM_OPERATION •16—PROCESS_VM_READ •32—PROCESS_VM_WRITE •64—PROCESS_DUP_HANDLE •128—PROCESS_CREATE_PROCESS •256—PROCESS_SET_QUOTA •512—PROCESS_SET_INFORMATION •1024—PROCESS_QUERY_INFORMATION •2048—PROCESS_SUSPEND_RESUME •4096—PROCESS_QUERY_LIMITED_INFORMATION •65536—DELETE •131072—READ_CONTROL •262144—WRITE_DAC •524288—WRITE_OWNER •1048576—SYNCHRONIZE •2097151—PROCESS_ALL_ACCESS

Property

Type

Description

Example

AccessRight

Symbol

Possible values are:

•1—PROCESS_TERMINATE

•2—PROCESS_CREATE_THREAD

•8—PROCESS_VM_OPERATION

•16—PROCESS_VM_READ

•32—PROCESS_VM_WRITE

•64—PROCESS_DUP_HANDLE

•128—PROCESS_CREATE_PROCESS

•256—PROCESS_SET_QUOTA

•512—PROCESS_SET_INFORMATION

•1024—PROCESS_QUERY_INFORMATION

•2048—PROCESS_SUSPEND_RESUME

•4096—PROCESS_QUERY_LIMITED_INFORMATION

•65536—DELETE

•131072—READ_CONTROL

•262144—WRITE_DAC

•524288—WRITE_OWNER

•1048576—SYNCHRONIZE

•2097151—PROCESS_ALL_ACCESS

Example

</operation>

</operations>

Supported operations

•OpenProcess

˄˅