Unknown Process(es)

by Josef Weiss
June 17, 2014

This dashboard displays unknown processes, Microsoft Windows autoruns, gray area processes, and known installed software across a series of components. Using the Regular Expressions (regex) vulnerability text search, a new feature released in SecurityCenter 4.8.1, the dashboard utilizes plugin 70768, Reputation of Windows Executables: Unknown Process(es). This plugin reports the number of unknown processes and can also report the number of unknown processes running from "TMP" folders.

The dashboard and its components are available in the SecurityCenter Feed, an app store of dashboards, reports, and assets. The dashboard can be located in the SecurityCenter Feed by selecting the category Threat Detection & Vulnerability Assessments and then selecting the tags "regex" and "unknown". The dashboard requirements are:

  • SecurityCenter 4.8.1
  • Nessus 5.2.6

Unknown Process - Windows Unknown Process Count Indicator: This component utilizes regex patterns to categorize and indicate the total number of unknown processes reported in plugin 70768. Plugin 70768, Reputation of Windows Executables: Unknown Process(es), identifies one or more running processes on the remote Windows host that are not present in a database of 'known good' or 'known bad' software. There are 6 indicators for ranges from less than 50 to over 10,000 on each component. The indicator for the less than 50 range turns orange when a pattern is matched, and the indicator for more than 10,000 turns purple when matched. All other indicators turn red. An orange indicator signifies that the system should be monitored; red implies a high risk and the system should have a detailed review completed. A purple indicator means there is most likely a severe compromise and an immediate investigation should be started.

Unknown Process - Microsoft Windows Autoruns: This indicator component triggers on each one of the 18 active Nessus autorun plugins. The indicator turns green when a match is found.

Unknown Process - Known Installed Software: This component utilizes the List Software tool in SecurityCenter to provide a table of known installed software.

Unknown Process - Windows Temp Unknown Process Count Indicator: This component utilizes regex patterns to categorize and indicate the total number of unknown processes running from the TMP folder, as reported in plugin 70768. Plugin 70768, Reputation of Windows Executables: Unknown Process(es), identifies one or more running processes on the remote Windows host that are not present in a database of 'known good' or 'known bad' software. There are 6 indicators for ranges from less than 50 to over 10,000 on each component. The indicator for the less than 50 range turns orange when a pattern is matched, and the indicator for more than 10,000 turns purple when matched. All other indicators turn red. An orange indicator signifies that the system should be monitored; red implies a high risk and the system should have a detailed review completed. A purple indicator means there is most likely a severe compromise and an immediate investigation should be started.
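The two count-indicator components above both rely on the same idea: a text-search filter cannot compare numbers, so each range (less than 50, ..., more than 10,000) has to be written as a regex that matches the count's digits. The following Python is an added illustration of that technique and is not code from the dashboard or from Tenable. The page names only the two outer ranges, so the four middle boundaries are my assumption, as are the two count-line labels and the sample plugin output, which is constructed here and is not the real text of plugin 70768.

```python
import re

# Six range buckets expressed as digit patterns. Only "<50" (orange) and
# ">10,000" (purple) come from the dashboard description; the four middle
# boundaries are assumed for illustration. Counts are assumed to be plain
# integers without thousands separators.
RANGE_PATTERNS = [
    ("less than 50",     "orange", r"(?:[1-9]|[1-4]\d)"),
    ("50 to 99",         "red",    r"[5-9]\d"),
    ("100 to 999",       "red",    r"[1-9]\d{2}"),
    ("1,000 to 4,999",   "red",    r"[1-4]\d{3}"),
    ("5,000 to 10,000",  "red",    r"(?:[5-9]\d{3}|10000)"),
    ("more than 10,000", "purple",
     r"(?:1000[1-9]|100[1-9]\d|10[1-9]\d{2}|1[1-9]\d{3}|[2-9]\d{4}|[1-9]\d{5,})"),
]

# Constructed sample output (not the plugin's real format): a process list
# followed by two summary lines whose labels are assumptions.
SAMPLE_OUTPUT = r"""
The following unknown processes were found running on the remote host :

  - C:\Program Files\Vendor\agent.exe
  - C:\Users\jdoe\AppData\Local\Temp\updater.exe
  - C:\Windows\TEMP\setup_helper.exe

Unknown processes : 73
Unknown processes running from TMP folders : 2
"""


def bucket_for(count):
    """Return (range name, colour) for an integer count, or None when no
    indicator should fire (a count of 0 matches no bucket on purpose)."""
    for name, colour, pattern in RANGE_PATTERNS:
        if re.fullmatch(pattern, str(count)):
            return name, colour
    return None


def indicator_for(output, label):
    """Mimic a dashboard text-search filter: the range pattern is anchored to
    the labelled summary line so that a PID, a path fragment or any other
    digit run elsewhere in the output cannot light the wrong indicator."""
    for name, colour, pattern in RANGE_PATTERNS:
        line_re = rf"^{re.escape(label)}\s*:\s*{pattern}\s*$"
        if re.search(line_re, output, re.MULTILINE):
            return name, colour
    return None


def partition_ok(upper):
    """Sanity check worth running whenever the patterns are edited: every
    count from 1 to `upper` lands in exactly one bucket and 0 lands in none,
    so the six indicators can never light up together or leave a gap."""
    if bucket_for(0) is not None:
        return False
    for n in range(1, upper + 1):
        hits = sum(1 for _, _, p in RANGE_PATTERNS if re.fullmatch(p, str(n)))
        if hits != 1:
            return False
    return True


if __name__ == "__main__":
    for label in ("Unknown processes",
                  "Unknown processes running from TMP folders"):
        print(f"{label}: {indicator_for(SAMPLE_OUTPUT, label)}")
    print("buckets partition 1..20000:", partition_ok(20000))
```

The anchoring in `indicator_for` is the part that matters in practice: a bare range pattern run over the whole plugin text would also match digits inside file paths, so the count pattern should always be tied to the line it is meant to read. `partition_ok` is the check to run after changing any boundary, since an overlap or gap between adjacent buckets would either fire two indicators at once or silently drop a count.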

Unknown Process - Number of Systems and Locations/Types of Unknown Files: This component uses output from plugin ID 70768, together with keyword indicators, to display counts of the number of affected devices and of the locations and types of unknown files.

Unknown Process - Systems with Gray Area Processes: This component presents a table that contains the detailed vulnerability list of running processes that are not present in a database of 'known good' or 'known bad' software.