The Process Behavior details page provides information about the file-executed system changes that occurred on an endpoint in sequential order. Symantec Endpoint Detection and Response also provides the attributes that are associated with each system change. A Process Behavior details page is only available when a process occurs on an endpoint and one or more events in the process are malicious.

See About analyzing the process behaviors that occurred on endpoints.

To view detailed information about a process behavior

To the right of the graphic is the following information:

SHA256

The file's 256-bit secure hash value. Hover over this field to see the full hash value.

FILE NAME

The name of the file as it appears on the host computer.

MD5

The MD5 hash that is associated with this file's SHA256 hash.

HOST NAME

The host name of computer on which this file resides.

LAST IP ADDRESS

The last IP address for the endpoint that SEP reported.

Process Behavior

A process is represented by a group of system changes. Each process has a separate date/time range. Symantec EDR shows the processes that were executed on the endpoint in sequential order. To view the attributes that are associated with the system change (the dynamic file attributes), click the down arrow to the right of the row. The dynamic file attribute data that appears is unique to that process. Different processes contain different attributes, depending the information that is available to Symantec EDR. To collapse the details, click the up arrow at the far right of the row.

Symantec EDR lets you filter processes so that you can narrow the list. Click Show Filters to reveal the filters. Select the process that you want to filter by. (Results immediately begin to appear.) Click Hide Filters to hide the filters view. Symantec EDR maintains your filter selections until you reset the filter criteria or refresh the page.

The Process Behavior table contains the following information:

Type

Processes are grouped by the following types:

  • Registry

  • File

  • Internet Explorer

  • Windows Settings

  • Process

  • Load point

Description

The process description is written as follows:

<Actor> <Action> <Target>

where <Actor> is the object that is taking the action. This could be a file or a process. <Action> is the task that the actor is performing. Actions include: created, deleted, renamed, updated, disabled, loaded, executed, initiated, and modified. And <Target> is the object that has been acted upon.

Date

The date and time of the event in UTC.

See Process behavior example

Legacy ID: v117055294_v128921691

Thanks for your feedback. Let us know if you have additional comments below. (requires login)

    © 1995-2019 Symantec Corporation