You can monitor and evaluate processes from the AppDefense plug-in. A process is the executable image of an application; for example, svchost.exe is the standard executable that hosts Microsoft Windows services.

  • In the left navigation pane, click the AppDefense icon.
  • On the AppDefense plug-in dashboard Summary tab, you can view the Process Reputation widget and the Windows ML Analysis widget.

Process Reputation

The Process Reputation section displays the reputation details for all virtual machines (VMs) with AppDefense installed. The hash of each process executable is checked against reputation feeds, and the process reputation is displayed as Trusted, Suspicious, or Unknown.
  • Hash Trusted (Green): The hash is trusted based on reputation feeds.
  • Hash Suspicious (Red): The hash is not trusted based on reputation feeds.
  • Hash Unknown (Gray): No data for the hash is available from reputation feeds. Unknown means the feeds have no verdict for the hash (common for in-house or newly built binaries), not that the hash is clean.
  • To view suspicious processes, click the red segment of the chart.
  • To view the list of all processes, click View All.

Windows ML Analysis

The Windows ML Analysis section tracks the core process behavior analyzed by the AppDefense Machine Learning (ML) engine. This view applies only to Windows VMs with AppDefense installed.
  • ML Analysis Verified (Green): The process, command line (CLI), and behavior are modeled, and the observed behavior matches the model.
  • ML Analysis Unverified (Red): The process, CLI, and behavior are modeled, and the observed behavior does not match the model. Unverified processes are shown at the top of the list; investigate them first.
  • ML Analysis Unknown (Gray): The process, CLI, or behavior is not modeled.

The table next to the chart lists the number of instances for each modeled process, CLI, and behavior. Only Verified and Unverified behaviors are listed; Unknown behaviors are not.

  • To view processes at risk, click the red color on the donut chart.
  • To view the list of all processes, click View All.

Processes Tab

On the AppDefense plug-in dashboard, click the Processes tab.

You can filter processes by risk, process name, or number of instances. Risk is calculated by combining the process reputation and the ML behavior analysis.

Click a process to view its details in the Instances by Virtual Machine panel at the bottom of the page. Clicking a VM name takes you to the Monitor > AppDefense > Guest Monitoring tab of that virtual machine.

Risk is calculated from the process reputation and the ML behavior analysis together: any Red score makes the risk Red, a Green score with no Red makes it Green, and the risk is Gray only when both scores are Unknown.

  • Red: Process Reputation is Suspicious (Red) or ML Behavior Analysis is Unverified (Red). When either score is Red, the risk is displayed as Red. For example:
    • The behavior analysis is Unverified (Red) and the process reputation is Unknown (Gray): the risk is displayed as Red.
    • The behavior analysis is Verified (Green) and the process reputation is Suspicious (Red): the risk is displayed as Red.
  • Green: Neither score is Red and at least one score is Green. If one score is Gray and the other is Green, the risk is displayed as Green. For example:
    • The behavior analysis is Verified (Green) and the process reputation is Unknown (Gray): the risk is displayed as Green.
    • The behavior analysis is Unknown (Gray) and the process reputation is Trusted (Green): the risk is displayed as Green.
  • Gray: Both Process Reputation and ML Behavior Analysis are Unknown (Gray).
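The risk rule above, as an added worked example written for this page rather than code from the AppDefense plug-in. It combines a process's reputation score with the ML score of each of its command lines, rolls the per-CLI results up to the process (the page states that one Red CLI makes the whole process Red; treating Green as outranking Gray in the roll-up is an assumption), and then orders the result the way the Processes tab does, with Red at the top. The inventory is constructed sample data, and the function names are my own.

```python
"""Added example: AppDefense risk combination and per-process roll-up.

Illustrative code written for this page, not part of the AppDefense plug-in.
SAMPLE_INVENTORY below is constructed sample data, not real telemetry.
"""
from enum import Enum


class Score(str, Enum):
    RED = "Red"
    GREEN = "Green"
    GRAY = "Gray"


# Lower number = more urgent; used to sort Red to the top of the table.
SEVERITY = {Score.RED: 0, Score.GREEN: 1, Score.GRAY: 2}


def reputation_score(reputation: str) -> Score:
    """Map the Process Reputation verdict to its color."""
    return {"Trusted": Score.GREEN, "Suspicious": Score.RED, "Unknown": Score.GRAY}[reputation]


def ml_score(ml_result: str) -> Score:
    """Map the Windows ML Analysis verdict to its color."""
    return {"Verified": Score.GREEN, "Unverified": Score.RED, "Unknown": Score.GRAY}[ml_result]


def combine_risk(reputation: Score, ml_analysis: Score) -> Score:
    """Risk rule as stated on the page:
    - Red if either score is Red;
    - Green if neither is Red and at least one is Green;
    - Gray only when both are Unknown.
    """
    scores = (reputation, ml_analysis)
    if Score.RED in scores:
        return Score.RED
    if Score.GREEN in scores:
        return Score.GREEN
    return Score.GRAY


def process_risk(reputation: str, cli_results: list[str]) -> Score:
    """Roll per-CLI risk up to the process.

    Reputation is tied to the executable's hash, so every CLI of the process
    shares it; ML analysis is per CLI. The page states that any Red CLI makes the
    process Red. Letting Green outrank Gray for the remaining cases is an
    assumption (worst score wins). A process with no observed CLIs is treated as
    having an Unknown ML score.
    """
    rep = reputation_score(reputation)
    per_cli = [combine_risk(rep, ml_score(r)) for r in cli_results]
    if not per_cli:
        per_cli = [combine_risk(rep, Score.GRAY)]
    return min(per_cli, key=SEVERITY.__getitem__)


# Constructed sample data: process -> (reputation, [(vm, cli, ml_result), ...]).
SAMPLE_INVENTORY = {
    "svchost.exe": ("Trusted", [
        ("web-01", "svchost.exe -k netsvcs", "Verified"),
        ("web-02", "svchost.exe -k netsvcs", "Verified"),
    ]),
    "powershell.exe": ("Unknown", [
        ("web-01", "powershell.exe -nop -w hidden -EncodedCommand", "Unverified"),
        ("db-01", "powershell.exe -File backup.ps1", "Verified"),
    ]),
    "updater.exe": ("Suspicious", [
        ("web-02", "updater.exe /silent", "Verified"),
    ]),
    "custom-agent.exe": ("Unknown", [
        ("db-01", "custom-agent.exe --daemon", "Unknown"),
    ]),
}


def rank_processes(inventory: dict) -> list[dict]:
    """Build the Processes-tab view: one row per process, Red first, then by
    instance count (descending), then by name."""
    rows = []
    for name, (reputation, instances) in inventory.items():
        risk = process_risk(reputation, [ml for _, _, ml in instances])
        rows.append({
            "process": name,
            "risk": risk.value,
            "instances": len(instances),
            "vms": sorted({vm for vm, _, _ in instances}),
        })
    rows.sort(key=lambda r: (SEVERITY[Score(r["risk"])], -r["instances"], r["process"]))
    return rows


if __name__ == "__main__":
    for row in rank_processes(SAMPLE_INVENTORY):
        print(f'{row["risk"]:5}  {row["instances"]:2}  {row["process"]:18} {", ".join(row["vms"])}')
```

Note that powershell.exe ends up Red even though one of its command lines is Verified and its hash is merely Unknown: a single Unverified CLI is enough, which is exactly why the Guest Monitoring tab lets you drill into the individual CLI rather than stopping at the process name.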

Monitoring Processes of a Virtual Machine

You can monitor the processes of a single virtual machine. A process can run on multiple VMs; this view shows the instances on the selected one. In the virtual machine's Monitor > AppDefense > Guest Monitoring tab, click a row to view the process details.

Select a CLI from the list to view the details of that process execution.

  • Processes: A process is the executable image of an application; for example, svchost.exe is the standard executable that hosts Microsoft Windows services.
  • Behaviors: Process executions (CLIs) and network activities (inbound and outbound connections) exhibited within a service. Click a CLI to view its details. A process can have multiple CLIs, and when any single CLI of the process is Red, the process is displayed as Red.
  • Outbound and Inbound Connections: These sections list the ports and IP addresses the process listens on and communicates with.

When the plug-in is connected to the AppDefense Service (SaaS), click Open AppDefense to go to AppDefense Manager, where you can take remediation action on a process. For details, see AppDefense Getting Started.

If the VM is assigned to a scope in AppDefense Manager, the scope name appears at the top of the page. In AppDefense Manager, behavior is tracked at the service level, so a behavior applies to all VMs within that service. The plug-in has no notion of organizations or services, so a behavior that several VMs actually share may appear under only one of those VMs in the plug-in.