
EEDR: Why do queries and watchlists using child negation still show hits for parents that have the negated child process?

Environment

  • Enterprise EDR Console

Question

Why do queries and watchlists using child negation still show hits for parent processes that do have the negated child process?

Answer

The watchlist only searches within a one-hour time window when evaluating the child process search condition. This can produce what look like inaccurate hits when long-lived processes are searched on. The one-hour window, and the results it produces, also apply to long-lived processes and to searches with multiple conditions.

Additional Notes

  • For example, the following query might be interpreted to mean "find any process named spoolsv.exe which does NOT have a child process named splwow64.exe":
    (process_name:spoolsv.exe childproc_count:[1 TO *] -childproc_name:splwow64.exe)
  • In this example, a hit may be reported for a spoolsv.exe whose splwow64.exe child process occurred days ago. In actuality, it is correctly considered a hit, since there was no splwow64.exe child process within the one-hour window.
  • Process search windows are typically longer and vary in length.
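To make the windowed semantics concrete, here is an added Python model (not Carbon Black code; the process data is constructed) that evaluates the example query over a parent's children once per one-hour window and once over the parent's whole lifetime. It assumes the window is a trailing hour ending at the evaluation time; the article does not state how the window is aligned.

```python
from datetime import datetime, timedelta

# Constructed sample (not console data): one long-lived spoolsv.exe parent
# whose children started days apart. Each entry is (child name, start time).
SAMPLE_CHILDREN = [
    ("splwow64.exe", datetime(2020, 9, 1, 9, 0)),
    ("cmd.exe", datetime(2020, 9, 3, 14, 30)),
]

ONE_HOUR = timedelta(hours=1)


def children_in_window(children, window_end, window=ONE_HOUR):
    """Names of children that started in (window_end - window, window_end]."""
    start = window_end - window
    return [name for name, ts in children if start < ts <= window_end]


def matches_negated_child(children, negated_child, window_end=None,
                          window=ONE_HOUR):
    """Evaluate 'childproc_count:[1 TO *] -childproc_name:<negated_child>'.

    window_end set: only children inside the trailing window count, which is
    the watchlist behaviour the article describes (trailing alignment is an
    assumption). window_end None: the parent's whole lifetime is considered,
    which is how the query is usually read. Returns True on a hit.
    """
    if window_end is None:
        names = [name for name, _ in children]
    else:
        names = children_in_window(children, window_end, window)
    # childproc_count:[1 TO *] needs at least one child in scope, and the
    # negated child must be absent from that same scope.
    return len(names) >= 1 and negated_child not in names


def explain(children, negated_child, window_end):
    """Side-by-side verdicts for one evaluation time, for reviewing a hit."""
    return {
        "lifetime_hit": matches_negated_child(children, negated_child),
        "windowed_hit": matches_negated_child(children, negated_child,
                                              window_end),
    }
```

For the sample above, evaluating two days after the splwow64.exe child yields a windowed hit but no lifetime hit, which is exactly the discrepancy the article explains.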

Creation Date: 09-09-2020