Suspicious Activity Monitoring is a feature included in Malwarebytes Endpoint Detection and Response. It watches for potentially malicious behavior by monitoring the processes, registry, file system, and network activity on the endpoint.
From the Suspicious Activity screen, you can click either the number of rules triggered or the magnifying glass icon to view the Suspicious Activity Details screen.
This screen shows specific details of the chosen Suspicious Activity to help you better understand the activities of this file or process. These details can help you make an educated decision on what action you should perform on the item. This article provides an overview of the Suspicious Activity Details screen.
Suspicious Activity records
The tile at the top of the Suspicious Activity Details screen shows a list of files Malwarebytes found suspicious as well as any files or processes that spawned from the primary file or process. Click on the (+) button next to a triggered rule to expand details. Here you can see all the detection rules involved in making the overall suspicious activity.
The detection rules are color coded based on severity:
- Red: high severity
- Yellow: medium severity
- Blue: low severity
Each color-coded rule can be clicked to reveal details about the specific detection rule. Some suspicious activities may trigger many rules. Click the ellipsis (...) on the right side of the tile to view all of them. When you click a rule, a window appears to show a description of the rule and context. Below shows an example ransomware activity.
Process Graph
The tile under the Suspicious Activity records is the Process Graph, which shows a visual representation of the files or processes touched by the suspicious activity, including any files or processes spawned from the original file or process.
The Process Graph is made up of nodes representing files or processes with links representing the relationships between files or processes. These could be executed, spawned or touched files or processes. The Process Graph has several display controls in the upper right of the graph allowing you to zoom in/out or re-position the graph. Click the Print PDF button above the Process Graph if you to print copies of the graph.
Node details
Click on a node to see deeper details on that specific file or process. The available information differs depending on the color of the node selected. Green nodes are typically benign files or processes and red nodes represent actual suspicious files or processes.
Node details show the following information:
- Last activity Date
- Creation Date
- full Path
- process ID
- MD5 Hash
- Activities
- Command line parameters
Some nodes contain raw activities performed by the file or process. Next to the Activities there is typically a number associated with the File Write, File Read or Reg set Value. Click this number to reveal a comprehensive list of raw activities executed by the file or process.
Raw activities can be:
- File Writes: When the file or process attempted to write to the file system, including renaming of files common during a ransomware attack.
- Read Files: When the file or process attempts to read other files within the file system.
- Reg Set Values: When the file or process attempts to make changes to the Windows Registry.