Agents Administration - Tests
Configuration of ScrtySuspPrcsChcksTest

The ScrtySuspPrcsChcksTest monitors all the processes, isolates the process patterns that are configured as suspicious processes and reports the number of suspicious processes. Any unusual increase in the number of suspicious processes clearly indicates malicious activity. Therefore, by using this test, administrators are promptly alerted to any sudden increase in the number of suspicious processes. This will help proactively detect and resolve any suspicious activity before it becomes a potential security risk. The detailed diagnosis offered by this test helps administrators to find more details of the process such as the process name, identified time, and process ID.

The default parameters associated with this test are:

  • The TEST PERIOD list box helps the user to decide how often this test needs to be executed.

  • In the HOST text box, specify the host for which the test is to be configured.

  • In the PORT text box, specify the port at which the server is listening. By default, it is given as NULL.

  • The process patterns that need to be considered as suspicious processes for monitoring will have to be provided in a comma-separated list in the SUSPICIOUS PROCESS PATTERNS text box. The pattern configuration should be in the following format: *ssvc*, *abc*, *contains*.

  • The DD FREQUENCY parameter refers to the frequency with which detailed diagnosis measures are to be generated for this test. The default is 1:1. This indicates that, by default, detailed measures will be generated every time this test runs, and also every time the test detects a problem. You can modify this frequency if you so desire. Also, if you intend to disable the detailed diagnosis capability for this test, you can do so by specifying none against the DD FREQUENCY parameter.

  • To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option.

    The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

    • The eG manager license should allow the detailed diagnosis capability.
    • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.

  • If multiple components of the same component type are awaiting configuration, then an APPLY TO OTHER COMPONENTS button will appear in this page. Clicking on this button will allow you to apply the configuration to all/selected components of that type.

  • Once the necessary values have been provided, clicking on the UPDATE button will register the changes made.
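
The following is an added illustration of how the SUSPICIOUS PROCESS PATTERNS value is typically interpreted; it is not eG's own code. It assumes that each comma-separated entry is a wildcard pattern in which `*` matches any run of characters, that matching is performed case-insensitively against the process name, and that an alert is raised when the count rises above the value seen on the previous run. The process list is constructed sample data.

```python
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed sample process table as (process name, process ID); not real data.
SAMPLE_PROCESSES = [
    ("svchost.exe", 1012),
    ("myssvc.exe", 2231),
    ("abc_helper", 3310),
    ("contains_test", 4020),
    ("explorer.exe", 5501),
]


def parse_patterns(config_value: str) -> list[str]:
    """Split the comma-separated SUSPICIOUS PROCESS PATTERNS value
    (e.g. "*ssvc*, *abc*, *contains*") into individual wildcard patterns,
    dropping blank entries and surrounding whitespace."""
    return [p.strip() for p in config_value.split(",") if p.strip()]


def find_suspicious(processes, patterns, now=None):
    """Return the detailed-diagnosis view: one (name, identified time, pid)
    tuple per process whose name matches at least one pattern.
    Matching is case-insensitive (an assumption made for this example)."""
    identified = now or datetime.now(timezone.utc).isoformat()
    lowered = [pat.lower() for pat in patterns]
    hits = []
    for name, pid in processes:
        if any(fnmatchcase(name.lower(), pat) for pat in lowered):
            hits.append((name, identified, pid))
    return hits


def count_suspicious(processes, patterns) -> int:
    """The test's headline measure: number of suspicious processes."""
    return len(find_suspicious(processes, patterns))


def evaluate_run(previous_count, processes, patterns):
    """One test run: compute the current count and flag an increase over the
    previous run, which is the condition the administrator is alerted on."""
    current = count_suspicious(processes, patterns)
    return {
        "count": current,
        "increased": previous_count is not None and current > previous_count,
        "details": find_suspicious(processes, patterns),
    }


if __name__ == "__main__":
    patterns = parse_patterns("*ssvc*, *abc*, *contains*")
    result = evaluate_run(1, SAMPLE_PROCESSES, patterns)
    print("suspicious processes:", result["count"])
    print("increase since last run:", result["increased"])
    for name, when, pid in result["details"]:
        print(f"  {name}  identified={when}  pid={pid}")
```

Note that `*svc*` would also match `svchost.exe`, so patterns should be specific enough to avoid counting legitimate system processes; the detailed diagnosis output (name, identified time, process ID) is what lets an administrator confirm which processes actually produced the count.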

When changing the configuration for specific servers, a “*” beside the text box corresponding to a parameter signifies that its value has to be manually configured by the user. Parameter values that need to be configured will typically be prefixed with a “$” or contain a series of “*”. A value of “none” indicates that the corresponding parameter value can be changed if required.