Process execution details appear in the panel to the right of the Process Tree on the Process Analysis page.

If the process is an executable, the following information is displayed:

| Field | Description |
| --- | --- |
| Process | The name of the process executable file. |
| PID | The Process Identification (PID) number of the process. |
| OS Type | The operating system on which the process was executed. |
| Path | The physical path from which the process was executed. |
| Username | The name of the user who executed the process. |
| MD5 | The MD5 hash value of the process. |
| SHA-256 | The SHA-256 hash value of the process. Note: Availability of SHA-256 hash data is dependent upon sensor capabilities. The macOS sensor version 6.2.4, which is packaged with Carbon Black EDR Server version 6.3, sends SHA-256 hashes to the server. Check VMware Carbon Black Support for information about other sensors that can generate SHA-256 hashes. For files that were originally discovered by a sensor that did not provide SHA-256 hashes, process information for new executions shows SHA-256 hashes, but binary entries show SHA-256 as (unknown) until they appear as new files on a sensor that supports SHA-256. |
| Start Time | The date and time of the process execution. |
| Interface IP | The IP address of the network adapter on the sensor. Pre-5.1 sensors do not report an Interface IP. |
| Server Comms IP | The IP address from which the server recognizes the sensor that is reporting data. If the sensor is communicating through a Proxy or NAT, the address is for the Proxy or NAT. |