EEDR: Why do Queries and Watchlists Using Child Negation Still Show Hits With Parents Containing the Negated Child Processes?

Environment

  • Enterprise EDR Console

Question

Why do queries and watchlists that use child negation still show hits for parent processes that contain the negated child processes?

Answer

  • The watchlist only evaluates the child-process search condition within a one-hour time window.
  • This can produce what look like inaccurate hits when the search involves long-lived processes.
  • The one-hour window, and the results it produces, apply equally to long-lived processes and to searches that combine multiple conditions.

Additional Notes

  • For example, the following query might be read as "find any process named spoolsv.exe that does NOT have a child process named splwow64.exe":
    (process_name:spoolsv.exe childproc_count:[1 TO *] -childproc_name:splwow64.exe)
  • In this example, a hit may be reported for a spoolsv.exe whose splwow64.exe child process occurred days ago. That is actually a correct hit, because there was no splwow64.exe child process within the one-hour window.
  • Process search windows are typically longer and vary in length.
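As an added illustration (not from this article or from the Enterprise EDR product code), the following Python models the behaviour described above: the same spoolsv.exe parent and child events produce a hit when the child condition is applied only to a trailing one-hour window, but not when it is applied to the parent's whole lifetime. The window alignment, the constructed child events and the function names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): child processes spawned by one
# long-lived spoolsv.exe parent, as (child name, child start time).
CHILD_EVENTS = [
    ("splwow64.exe", datetime(2020, 9, 1, 8, 5)),   # spawned days before evaluation
    ("cmd.exe", datetime(2020, 9, 9, 11, 50)),      # spawned within the last hour
]

WINDOW = timedelta(hours=1)                   # the one-hour window the article describes
NEGATED_CHILD = "splwow64.exe"
EVALUATED_AT = datetime(2020, 9, 9, 12, 0)    # constructed watchlist evaluation time


def children_in_window(child_events, evaluated_at, window=WINDOW):
    """Child events the watchlist can see. Assumption: the window is the
    trailing hour ending at the evaluation time."""
    return [(name, ts) for name, ts in child_events
            if evaluated_at - window <= ts <= evaluated_at]


def watchlist_hit(child_events, evaluated_at, negated_child=NEGATED_CHILD):
    """Models childproc_count:[1 TO *] -childproc_name:<negated_child> as the
    watchlist evaluates it: both child conditions are checked only against the
    children visible in the window (assumption drawn from the article)."""
    visible = children_in_window(child_events, evaluated_at)
    if not visible:                      # childproc_count:[1 TO *] is not met
        return False
    return all(name != negated_child for name, _ in visible)


def lifetime_hit(child_events, negated_child=NEGATED_CHILD):
    """What an analyst reading the query expects: the condition evaluated over
    every child the parent ever spawned, whenever it ran."""
    return bool(child_events) and all(name != negated_child for name, _ in child_events)


if __name__ == "__main__":
    print("watchlist (one-hour window):", watchlist_hit(CHILD_EVENTS, EVALUATED_AT))  # True
    print("full process lifetime:      ", lifetime_hit(CHILD_EVENTS))                # False
```

To confirm a suspicious hit, pull the parent's full child-process history and compare it with what fell inside the hour preceding the hit.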

Article Information
Creation Date: 09-09-2020