The section is absent in reports for Android packages.

The section contains information about suspicious processes registered on a virtual machine. The data is represented as an interactive graph with an explanatory unit for each process.
To open the graph in a new tab, click the Process graph title. To zoom in or out, click the zoom in or zoom out button. You can also zoom in by double-clicking the graph.
Conventions

| Convention | Comment |
| --- | --- |
| Maliciousness color scale | Process or resource maliciousness. Measured on a scale from 0 to 100; each of the following colors marks a range. |
| Color 1 | Less than 20. |
| Color 2 | Less than 40. |
| Color 3 | Less than 60. |
| Color 4 | Less than 80. |
| Color 5 | Less than 100. |
| Process | Process. The unit color corresponds to the process maliciousness. |
| Network resource | Network resource with remote access. The cloud color corresponds to the resource maliciousness. The protocol level and the IP address of the remote resource are displayed inside the cloud. Two clouds are displayed if a process connects to the resource 2–5 times, and three clouds if it connects 6 times or more; in these cases the number of connections is also displayed inside the cloud. |
| Sample | Sample. The sign marks the first running process. |
| Known threat (process dump) | Known threat contained in the Dr.Web virus databases. The sign marks a process if a threat is detected in its dump. |
| Known threat (loaded module) | Known threat contained in the Dr.Web virus databases and detected in the dump of a loaded module. The sign marks a process that a malicious module is loaded into. If threats are detected in both the process and module dumps, the process is marked with only one sign. |
| Process creation | Process creation. |
| Injection | Injection into another process. |
| Web query | Web query. |
| RPC request | RPC request. |
|
Description

Click a process unit to show the information about the process in the description part.

Process parameters

| Parameter | Description |
| --- | --- |
| PID | Unique ID of the process. |
| Full path | The path from which the process is run. |
| Run parameters | The parameters the process was run with. Optional field. |
| Behavior | The rules corresponding to tags for suspicious behavior of the process. |
| View the process activity | A link to the API log, with the log data filtered by this process. To learn more about this feature, refer to API Log. |
| Download the dump file | A link for downloading the dump of the process. |
Network resource parameters

| Parameter | Description |
| --- | --- |
| Address | IP address of the network resource. |
| Port | Port number. |
| Protocol level | Protocol level of the OSI network model used for data transfer: Transport or Application. If the analyzer fails to determine the application-level protocol, the field shows `Application: UNK` followed by the raw bytes, for example `Unknown data: {16,03,01,00,41,45…06,00,13,00,00,63,01,00}`. |
| Query | This field is displayed if Protocol level is determined as Application: DNS. |
| URL | This field is displayed if Protocol level is determined as Application: HTTP. |
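As an added example (not part of the Dr.Web documentation or product), the Python helper below parses the `Unknown data` notation shown above and checks whether the leading bytes fit a TLS record header, which is a common reason an application protocol goes undetermined: the first five bytes on the page, `16 03 01 00 41`, have the shape of a TLS handshake record with declared length 65. The sample string, the function names and the triage heuristics are assumptions of this example.

```python
import re

# Constructed sample in the report's "Unknown data" notation. The page's own
# value is elided with "…", so every byte after the first five is invented.
SAMPLE_UNKNOWN_DATA = "{16,03,01,00,41,45,06,00,13,00,00,63,01,00}"

# TLS record-layer content types (RFC 5246, section 6.2.1).
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}


def parse_unknown_data(text: str) -> bytes:
    """Parse "{hh,hh,...}" into bytes. An elision marker ("…" or "...")
    ends the parse, so a truncated report value still yields the bytes
    that precede the gap."""
    m = re.fullmatch(r"\s*\{(.*)\}\s*", text, flags=re.S)
    if not m:
        raise ValueError("expected a value of the form {hh,hh,...}")
    body = re.split(r"…|\.\.\.", m.group(1), maxsplit=1)[0]
    return bytes(int(tok, 16) for tok in body.split(",") if tok.strip())


def looks_like_tls_record(data: bytes):
    """Return the parsed header if the first five bytes fit a TLS record
    header (known content type, version 3.x), otherwise None."""
    if len(data) < 5:
        return None
    ctype, major, minor = data[0], data[1], data[2]
    if ctype not in TLS_CONTENT_TYPES or major != 3 or minor > 4:
        return None
    return {"content_type": TLS_CONTENT_TYPES[ctype],
            "version": f"3.{minor}",
            "record_length": int.from_bytes(data[3:5], "big")}


def classify_unknown_data(text: str) -> str:
    """One-line triage verdict for a report's Unknown data value."""
    data = parse_unknown_data(text)
    if not data:
        return "empty"
    tls = looks_like_tls_record(data)
    if tls:
        return (f"TLS {tls['content_type']} record, version {tls['version']}, "
                f"declared length {tls['record_length']}")
    if all(0x20 <= b < 0x7F for b in data[:8]):
        return "printable ASCII prefix, possibly a text-based protocol"
    return "no known record header"


if __name__ == "__main__":
    print(classify_unknown_data(SAMPLE_UNKNOWN_DATA))
```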