How to supervise the activities of a process?
November 1, 2021
Sometimes you do not trust a process on your PC, or you suspect it and do not know what it does. You may want to know more about its network activity and its storage usage, and perhaps which files the process has accessed.
A process that spies on your system usually has to read the files on it, and a process that wants to damage a PC will most likely have to write to its files. The awkward part is that security products such as antivirus and Internet-security suites often do not flag these processes, because you installed them intentionally: software that you deliberately run, particularly when it carries a valid code signature, is not what signature-based scanners are built to catch.
Let us set aside for now how malware can enter your system; I will explain that comprehensively in a separate article. Here I want to explain how to get more information about the activities of a process, and ultimately to decide whether a malicious process is running on the system or not.
Now it is time to introduce a helpful program called Smart Net Manager, which helps you analyze the activities of your system by recording them for a few days or even a few hours.
As you can see in figure 1, this program gives you other information about the PC too. However, at this point I only want to find potential malware.
So follow the steps given below (Figure 2):
• Go to the [Process] tab and click the [Process History] button.
• In the window that opens, click the [Duration] option (at the bottom of the process list) and select [30 Days].
• Click the [Internet] column header to sort the processes by their Internet usage.
After these steps you can see the Internet usage of the system, and of each process on it, over the last 30 days, and you can find out which processes have used the most. In the case shown in figure 2, the process IDMan.exe has transferred 17.53 GB over the network, all of it to and from the Internet.
If you look at the [Disk] column for IDMan.exe, you see a heavy figure too: 58.87 GB. Is that acceptable? Why would a process use about 18 GB of Internet traffic and 59 GB of disk I/O in only 30 days? Let us investigate this process. If you look at the path of the file, you see that it belongs to a well-known Internet download manager, which is somewhat reassuring. Still, let us make sure there is no problem at all.
If you click the blue path in the [Process History] window (Figure 2), another window opens showing the folder that contains the file, in this case IDMan.exe. Right-click IDMan.exe and select [Properties], and a dialog like the one in figure 3 appears.
On the [Digital Signatures] list you can find the signer's name, in this example [Tonec Inc.], and a web search confirms it as the publisher of the download manager. Before you relax, check two more things in the same dialog: that the signature is reported as valid (a signer name on a signature that is invalid, expired or not trusted proves nothing), and that the signer is the vendor you actually expect, since malware has been distributed with stolen or look-alike certificates. If both hold, the producer of this process is a known software vendor, and the activity of IDMan.exe is plausible.
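The same signature check can be done from PowerShell, which is useful when you want to verify several running processes at once. The following is an added example, not part of the original article and not a feature of Smart Net Manager; it uses the built-in Get-AuthenticodeSignature cmdlet. The process name IDMan is the one from the article, and the expected signer string is an assumption you should replace with the vendor you expect.

```powershell
# Added example (not from the article): verify the Authenticode signature of the
# executable behind each running instance of a process. Assumes Windows PowerShell 5.1
# or PowerShell 7 on Windows; the process name and expected signer are placeholders.
function Get-ProcessSignatureReport {
    param(
        [Parameter(Mandatory)][string]$ProcessName,   # name without .exe, e.g. 'IDMan'
        [string]$ExpectedSigner = ''                   # substring expected in the certificate subject
    )

    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) { throw "No running process named $ProcessName" }

    foreach ($path in ($procs | Select-Object -ExpandProperty Path -Unique)) {
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $cert = $sig.SignerCertificate

        [pscustomobject]@{
            Path        = $path
            # Only 'Valid' means the file is untampered AND the certificate chains to a
            # trusted root. 'NotSigned', 'HashMismatch', 'NotTrusted' or 'UnknownError'
            # (e.g. revoked chain) all mean the signer name below must not be trusted.
            Status      = $sig.Status
            Signer      = if ($cert) { $cert.Subject } else { '(none)' }
            Thumbprint  = if ($cert) { $cert.Thumbprint } else { '' }
            NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
            # A timestamp lets a signature stay valid after the certificate expires.
            Timestamped = [bool]$sig.TimeStamperCertificate
            # Name check: a valid signature from the wrong vendor is still a red flag.
            SignerMatches = if ($cert -and $ExpectedSigner) {
                                $cert.Subject -like "*$ExpectedSigner*"
                            } else { $null }
        }
    }
}

# Assumed values: adjust the process name and the expected signer to your own case.
Get-ProcessSignatureReport -ProcessName 'IDMan' -ExpectedSigner 'Tonec' | Format-List
```

Treat anything other than Status = Valid together with SignerMatches = True as unresolved and continue with the history checks described below. The check only covers the main executable; DLLs the process loads from its own folder can be examined the same way by passing their paths to Get-AuthenticodeSignature.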
Did it finish?
Of course, NOT!
Now suppose that after opening the [Properties] window for IDMan.exe we could not find any signature information, or there was a signer name but a search on the Internet turned up nothing credible about it.
Now, what should you do?
In that case, collect more information about the process and base your decision on it. In the [Process History] window (Figure 2), select the IDMan.exe entry and click the [History] button at the bottom right of the window. In the history window that opens, the [Activity] tab (Figure 4) shows that this process has received 11.66 GB of inbound data and sent only 343.30 KB of outbound data. On the storage side, it has written 26.56 GB to the disk and read 12.23 GB. All of this in the last 30 days!
Let us investigate further and click the [Network] tab (Figure 5). As you see, the details of every connection made by IDMan.exe are listed. For example, the first item in the list shows that the process connected to IP 220.127.116.11 on port 443; it received 7.79 MB and sent 23.10 KB on 10/24/2021 at 7:12:43 PM. For more detail, you can see that the IP is located in the United States, in Chicago, and you can show it on a map by clicking the [Location] cell (Figure 6). In this way you can look at the detailed information of every connection you are interested in, one by one. Useful, isn't it?
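Smart Net Manager keeps a 30-day history of these connections; Windows itself only exposes the connections that exist right now, but you can still map them to their owning process and use them to cross-check what the tool reports. The following is an added example, not part of the original article; it relies on the built-in Get-NetTCPConnection cmdlet (Windows 8 / Server 2012 and later) and, optionally, a reverse DNS lookup in place of the tool's geolocation. The process name is the one from the article.

```powershell
# Added example (not from the article): list the current TCP connections of a process.
# Run from an elevated PowerShell to see connections of processes owned by other users.
function Get-ProcessConnections {
    param(
        [Parameter(Mandatory)][string]$ProcessName,   # name without .exe, e.g. 'IDMan'
        [switch]$Resolve                              # also try a reverse DNS lookup per remote IP
    )

    $ids = (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue).Id
    if (-not $ids) { throw "No running process named $ProcessName" }

    Get-NetTCPConnection -OwningProcess $ids -ErrorAction SilentlyContinue |
        # Drop listening sockets and loopback traffic; we care about remote peers.
        Where-Object { $_.RemoteAddress -notin @('0.0.0.0', '::', '127.0.0.1', '::1') } |
        ForEach-Object {
            $host = ''
            if ($Resolve) {
                try   { $host = [System.Net.Dns]::GetHostEntry($_.RemoteAddress).HostName }
                catch { $host = '(no PTR record)' }   # many CDN/cloud IPs have none
            }
            [pscustomobject]@{
                Pid           = $_.OwningProcess
                LocalPort     = $_.LocalPort
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                State         = $_.State
                Since         = $_.CreationTime       # how long the connection has been open
                RemoteHost    = $host
            }
        } |
        Sort-Object RemoteAddress, RemotePort
}

Get-ProcessConnections -ProcessName 'IDMan' -Resolve | Format-Table -AutoSize
```

Because this is a snapshot, run it a few times while the suspect program is active, or schedule it, if you want a picture comparable to the tool's history. UDP traffic is not covered here; Get-NetUDPEndpoint -OwningProcess gives the corresponding endpoints.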
Even More? Of course.
Let us also look at the details of the storage usage of IDMan.exe. Click the [Storage] tab to access this information (Figure 7). The details of the file accesses are significant. Look at the horizontal red rectangle in figure 7: the process IDMan.exe has accessed a critical folder of the operating system, namely the files in C:\Windows\SysWOW64. Ordinary application software has no business changing these files. If you look at the vertical red rectangle in figure 7, however, it has only read them, which is normal: every 32-bit process loads its system libraries from that folder. So everything is fine here. You can breathe. :)
Keep in mind what "cannot write there" really means. A process running as a standard user has no write permission to the critical folders of the operating system, such as C:\Windows, C:\Windows\System32 or C:\Windows\SysWOW64. A process running elevated, as an administrator, can create files in those folders, and only the protected system files themselves are reserved for the TrustedInstaller service. So a write to any of these folders by ordinary application software is a warning sign, and it is not something the permission system will necessarily have stopped.
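You can check both halves of that statement on your own machine. The following is an added example, not part of the original article; it lists which identities hold write rights on the folders named above and then probes whether the current PowerShell process can actually create a file there. The folder names are the ones from the article, and the described results assume a default Windows installation.

```powershell
# Added example (not from the article): who may write to a protected system folder,
# and can this process do it right now? Run once normally and once elevated to compare.
function Get-FolderWriters {
    param([Parameter(Mandatory)][string]$Path)

    $acl   = Get-Acl -Path $Path
    $write = [System.Security.AccessControl.FileSystemRights]::Write

    $acl.Access |
        # Keep Allow entries that include the Write bit. Inherit-only entries that carry
        # generic rights (e.g. CREATOR OWNER) are not expressed as FileSystemRights and
        # therefore do not match here; that is acceptable for this overview.
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $write) } |
        Select-Object @{ n = 'Folder';   e = { $Path } },
                      @{ n = 'Owner';    e = { $acl.Owner } },
                      @{ n = 'Identity'; e = { $_.IdentityReference } },
                      @{ n = 'Rights';   e = { $_.FileSystemRights } }
}

function Test-CanWrite {
    param([Parameter(Mandatory)][string]$Path)

    # Probe by creating and immediately deleting a uniquely named empty file.
    # This does touch the folder, so use it only on a machine you are allowed to modify.
    $probe = Join-Path $Path ("write-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false   # access denied (or any other failure) counts as "cannot write"
    }
}

foreach ($dir in 'C:\Windows', 'C:\Windows\System32', 'C:\Windows\SysWOW64') {
    Get-FolderWriters -Path $dir | Format-Table -AutoSize
    "Current process can create files in {0}: {1}" -f $dir, (Test-CanWrite -Path $dir)
}
```

On a default installation the folders are owned by NT SERVICE\TrustedInstaller, Users appear only with read and execute rights, and Administrators and SYSTEM hold Modify; accordingly Test-CanWrite returns False from a normal PowerShell window and True from an elevated one. Since the [Executors] tab in the next step shows IDMan.exe was run by Administrator, a write into SysWOW64 by that process would not have been blocked by permissions, which is exactly why it pays to look at the direction of the file accesses rather than assume the OS prevents them.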
Do you share your computer with others? In other words, does your OS have other user accounts?
If so, there is one more thing to check. If a process damages your system or spies on it, you need to know who ran that process and when. Click the [Executors] tab to find out (Figure 8).
As you see in figure 8, only the user Administrator has executed the process IDMan.exe, and you can see when the process started and when it stopped. If your system is multi-user, you may need to check all the users and their start/stop times.
Finally, in this instance:
I believe that if an unknown process had been running on my PC with this amount of send/receive and read/write activity, I would have removed it immediately! I think you would do the same! However, you and I know that IDMan.exe (Internet Download Manager) is a good program for everybody, so we can ignore its activities :)
You should probably repeat this method regularly for the software on your computer if you want to keep your system safe!