Process Behavior details list, in sequential order, the system changes that a file made when it was executed on an endpoint. Symantec Advanced Threat Protection (ATP) also provides the attributes that are associated with each system change.
A Process Behavior details page is available only for a process that ran on an endpoint and contained one or more malicious events.
You can search for Process Behavior events on the Search > Database > Events page. Click the Suspicious Activity filter and select SONAR. The results appear in the Event Summary view. Select an endpoint or file in the results and go to that entity's details page. You can navigate to the Process Behavior details page in either of the following ways:
From the Endpoint details page
A Behavior option appears in the Malicious Files row for the file that was involved in the process.
To the right of the graphic is the following information:
The file's SHA256 hash value, shown truncated. Hover over this field to see the full hash value.
The name of the file as it appears on the host computer.
The MD5 hash that is associated with this file's SHA256 hash.
The host name of the computer on which this file resides.
Last IP address: the last IP address for the endpoint, as reported by Symantec Endpoint Protection.
A process is represented by a group of system changes, and each process has its own date/time range. ATP shows the processes that were executed on the endpoint in sequential order. To view the attributes that are associated with a system change (the dynamic file attributes), click the down arrow to the right of the row. The dynamic file attribute data that appears is unique to that process; different processes carry different attributes, depending on the information that is available to ATP. To collapse the details, click the up arrow at the far right of the row.
ATP lets you filter processes so that you can narrow the list. Click Show Filters to reveal the filters, then select the process that you want to filter by; the results update immediately. Click Hide Filters to hide the filters view. ATP keeps your filter selections until you reset the filter criteria or refresh the page.
The Process Behavior table contains the following information:
Processes are grouped by the following types:
The process description is written as follows:
<Actor> <Action> <Target>
where <Actor> is the object that takes the action (a file or a process), <Action> is the task that the actor performs, and <Target> is the object that is acted upon. Actions include: created, deleted, renamed, updated, disabled, loaded, executed, initiated, and modified.
The date and time of the event in UTC.
The following is an example of a process behavior as it would appear in ATP Manager:
In this example, the first thing the file did was add an application to the firewall's allow list. This behavior can indicate that the application is malicious and is attempting to bypass firewall blocking policies. Next, the file executed a keylogger function, which monitors and logs users' keystrokes. Lastly, it created a new file called trustme.doc. For any of these events, you can click the down arrow and view the associated dynamic file attributes to learn more.
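The following is an added example, not code from ATP or from Symantec, that shows how a practitioner might parse the <Actor> <Action> <Target> descriptions described above when the Process Behavior rows have been exported to text. It splits each description at the first occurrence of one of the listed action verbs (so that file paths containing spaces survive), orders the events by their UTC timestamp the way the page does, narrows the list by action like the Show Filters control, and derives each process's date/time range. The tab-separated input format, the sample rows (which mirror the firewall, keylogger and trustme.doc sequence in the example above) and the file names are all constructed for this illustration and are not real ATP output.

```python
"""Parse and summarize ATP-style process behavior descriptions.

Each row's description has the form "<Actor> <Action> <Target>", where the
action is one of a fixed verb vocabulary. Actors and targets (file paths,
process names) may themselves contain spaces, so the parser splits on the
first known action verb rather than on whitespace.
Sample input is constructed for this example (not captured from ATP).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import re

# Action vocabulary from the description format.
ACTIONS = ("created", "deleted", "renamed", "updated", "disabled",
           "loaded", "executed", "initiated", "modified")

# Non-greedy actor so the split happens at the FIRST verb delimited by spaces;
# a verb embedded in a file name ("updated.exe") does not match because it is
# not surrounded by spaces on both sides.
_DESC_RE = re.compile(
    r"^(?P<actor>.+?) (?P<action>" + "|".join(ACTIONS) + r") (?P<target>.+)$"
)


@dataclass(frozen=True)
class BehaviorEvent:
    timestamp: datetime   # UTC, as ATP reports it
    actor: str
    action: str
    target: str


def parse_description(text):
    """Split '<Actor> <Action> <Target>' into its three parts."""
    m = _DESC_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not an <Actor> <Action> <Target> description: {text!r}")
    return m.group("actor"), m.group("action"), m.group("target")


def parse_events(lines):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ<TAB>description' rows; return oldest first."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, desc = line.split("\t", 1)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        actor, action, target = parse_description(desc)
        events.append(BehaviorEvent(when, actor, action, target))
    # ATP shows changes in sequential order; enforce it regardless of input order.
    events.sort(key=lambda e: e.timestamp)
    return events


def filter_events(events, actions=None, actor=None):
    """Narrow the list by action and/or actor, like the Show Filters control."""
    return [e for e in events
            if (not actions or e.action in actions)
            and (not actor or e.actor == actor)]


def process_ranges(events):
    """Per actor: (first, last) timestamp of its system changes."""
    ranges = {}
    for e in events:
        first, last = ranges.get(e.actor, (e.timestamp, e.timestamp))
        ranges[e.actor] = (min(first, e.timestamp), max(last, e.timestamp))
    return ranges


# Constructed sample rows mirroring the page's example sequence (not real ATP output).
SAMPLE_ROWS = [
    "2024-01-15T10:02:11Z\tC:\\Users\\alice\\invoice.exe modified Windows Firewall allow list",
    "2024-01-15T10:02:19Z\tC:\\Users\\alice\\invoice.exe executed keylogger function",
    "2024-01-15T10:02:40Z\tC:\\Users\\alice\\invoice.exe created C:\\Users\\alice\\trustme.doc",
    "2024-01-15T10:01:58Z\tupdated.exe initiated C:\\Users\\alice\\invoice.exe",  # out of order on purpose
]

if __name__ == "__main__":
    evts = parse_events(SAMPLE_ROWS)
    for e in evts:
        print(e.timestamp.isoformat(), "|", e.actor, "|", e.action, "|", e.target)
    for actor, (first, last) in process_ranges(evts).items():
        print(f"{actor}: {first.time()} .. {last.time()}")
```

The regex anchors on a space-delimited verb so that an actor such as updated.exe (a verb embedded in a file name) is not mis-split; if ATP ever emits a verb outside the listed vocabulary, parse_description raises rather than silently mis-assigning the actor and target.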
View static file attributes for this file (attributes that apply to the file regardless of any process behavior) on the File details page on the File Attributes tab.