
Using Process Monitor to filter on suspicious processes

Created: 13 Dec 2010 • Updated: 29 Dec 2010 | 1 comment
ℬrίαη

Process Monitor is part of the Sysinternals Suite and can be downloaded from here:

http://download.sysinternals.com/Files/ProcessMoni...

It is a very useful tool that shows all file system, registry, and process/thread activity taking place on a computer in real time.

It can be especially helpful in the initial investigation of a malware infection. Let's look at some of the possibilities:

First, you notice in Task Manager that a suspicious process is running:

Let's run Process Monitor to see what activity is generated by our suspicious process:

We can see that our suspicious executable is querying a registry key, creating files, and loading a DLL.

In order to see all activity by this suspicious process, we can filter by process name.

To do this, right-click the process name (QQukQS.exe) and choose Include >> Process Name.

Now we get a much clearer picture of the activity generated by this process. We can see that it produced a total of 4,120 events before terminating:

Now, the process of going through the log begins in order to determine if this process is truly malicious or not.
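The same "Include >> Process Name" filtering can be applied offline to a Process Monitor log saved in CSV format (File > Save..., CSV), which is convenient when a capture has thousands of events to go through. The script below is an added example, not part of the original post; it assumes Procmon's default CSV column layout, and the sample rows are constructed for illustration only.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Process Monitor CSV export (File > Save..., CSV format).
# The column layout mirrors Procmon's default export; the rows themselves are
# made up for this example and are not from the original post.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","QQukQS.exe","3412","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName","SUCCESS","Type: REG_SZ"
"10:01:02.2","QQukQS.exe","3412","CreateFile","C:\\Windows\\Temp\\QQukQS.tmp","SUCCESS","Desired Access: Generic Write"
"10:01:02.3","QQukQS.exe","3412","Load Image","C:\\Windows\\System32\\ws2_32.dll","SUCCESS","Image Base: 0x75a00000"
"10:01:02.4","explorer.exe","1208","RegQueryValue","HKCU\\Software\\Classes","SUCCESS","Type: REG_SZ"
"10:01:02.5","QQukQS.exe","3412","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QQukQS","SUCCESS","Type: REG_SZ"
"10:01:02.6","QQukQS.exe","3412","Process Exit","","SUCCESS","Exit Status: 0"
"""

# Operations and access flags worth reading first when triaging an unknown process.
PERSISTENCE_OPS = {"RegSetValue", "RegCreateKey"}
WRITE_HINTS = ("Generic Write", "Generic All", "Write Data")


def filter_by_process(csv_text, process_name):
    """Offline equivalent of Procmon's Include >> Process Name filter."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader if row["Process Name"].lower() == process_name.lower()]


def summarize(rows):
    """Event count, per-operation counts, and the rows an analyst should look at first."""
    ops = Counter(row["Operation"] for row in rows)
    loaded_images = [r["Path"] for r in rows if r["Operation"] == "Load Image"]
    file_writes = [r["Path"] for r in rows
                   if r["Operation"] == "CreateFile" and any(h in r["Detail"] for h in WRITE_HINTS)]
    persistence = [r["Path"] for r in rows if r["Operation"] in PERSISTENCE_OPS]
    return {"events": len(rows), "operations": ops, "loaded_images": loaded_images,
            "file_writes": file_writes, "persistence": persistence}


def triage(csv_text, process_name):
    return summarize(filter_by_process(csv_text, process_name))


if __name__ == "__main__":
    report = triage(SAMPLE_CSV, "QQukQS.exe")
    print(f"{report['events']} events; operations={dict(report['operations'])}")
    for key in ("loaded_images", "file_writes", "persistence"):
        for path in report[key]:
            print(f"  {key}: {path}")
```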

I can tell you that this particular process was malicious. It was a new variant of InfoStealer.Gampass that caused minor problems on our network for about 36 hours. By using Process Monitor, we were able to create a custom removal tool to aid in the removal process.

Comments (1)

AjinBabu

Hi,

That is a nice tool.

Regards

Ajin
