Manage Your Processes and Hashes

A process is a named, executable program that has been observed running in your environment. A process hash is a digital fingerprint of a specific version of a process executable file.

You can detect on specific processes and hashes by flagging a process or flagging a process hash.

Flag a Process

A flag on a process tells InsightIDR to generate a detection each time the process is used. If you identify a malicious process in your environment, you can flag the process and a detection will be generated with the details of where and when the process was executed.

If you flag commonly used processes, such as chrome.exe, you can expect to receive an influx of benign detections. To avoid this, we recommend that you flag only the processes that you want to generate detections for, such as a downloaded malware executable in your environment.

Process Details

When you select a process, the Process Details page provides information on process variants (hashes), a timeline of discovery, and assets that contain the file.

To flag a process:

  1. From the top Search, enter the exact name of the process you want to flag. For example, if you want to flag the chrome.exe process, search chrome.exe.
  2. On the Process Details page, switch the Flag Process toggle to on.

(Figure: Flag a Process)

Note: To disable a process flag, switch the toggle off.

Flag a Process Hash

Process hashes, or variants, can be used to identify potentially vulnerable versions of processes in your environment, as well as malicious programs that have the same name as common legitimate software.

For example, if you want to know if any users in your environment are using a version of chrome.exe that has a vulnerability, you can flag a specific version (hash) of the chrome.exe process to immediately receive detections if anyone is running an outdated version of Chrome.

Process Hash Details

When you select a process hash, InsightIDR provides additional information about the hash, including:

  • MD5
  • SHA1
  • Operating System
  • File Size
  • Signature Verification
  • Signers
  • File Names
  • Reputation
  • Threat Level
  • Reliability
  • First Analyzed Time
  • File Reputation Report

The File Reputation Report displays additional details from VirusTotal. You can learn more about VirusTotal at: https://www.virustotal.com/gui/home/upload

Tip: Copy and paste the MD5 or SHA1 hash into the top Search bar to discover whether any systems on your network have run that variant of the process.

To flag a process hash:

  1. From the top Search, enter the exact name of the process containing the variant (hash) you want to flag. For example, if you want to flag a variant of the chrome.exe process, search chrome.exe.
  2. In the Process Variants section, select the variant you want to flag.
  3. On the Process Hash Details page, switch the Flag Hash toggle to on.

(Figure: Flag a Process Hash)

Note: To disable a process hash flag, switch the toggle off.
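The difference between the two flag types described above (a process flag fires on every variant of a name, a hash flag on one specific variant) as an added Python example; this is not InsightIDR's own code, and the executable bytes, asset names and timestamps are constructed stand-ins:

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessEvent:
    """One observed execution: where, when, which process name, which variant."""
    asset: str
    timestamp: str
    name: str
    sha1: str

def fingerprints(executable: bytes) -> dict:
    """MD5 and SHA1 of an executable's bytes, as listed on Process Hash Details."""
    return {"md5": hashlib.md5(executable).hexdigest(),
            "sha1": hashlib.sha1(executable).hexdigest()}

def variants(events) -> dict:
    """Group the observed SHA1 hashes under each process name (Process Variants)."""
    seen = {}
    for e in events:
        seen.setdefault(e.name, set()).add(e.sha1)
    return seen

def detections(events, flagged_processes, flagged_hashes) -> list:
    """Process flags match by name (every variant); hash flags match one variant."""
    hits = []
    for e in events:
        if e.name in flagged_processes:
            hits.append({"flag": "process", "asset": e.asset, "time": e.timestamp, "sha1": e.sha1})
        if e.sha1 in flagged_hashes:
            hits.append({"flag": "hash", "asset": e.asset, "time": e.timestamp, "sha1": e.sha1})
    return hits

# Constructed stand-ins for executable contents (not real binaries).
CHROME_OLD = b"chrome.exe build A (constructed)"
CHROME_NEW = b"chrome.exe build B (constructed)"
DROPPER = b"downloaded malware saved as update.exe (constructed)"

# Constructed execution events from three assets.
EVENTS = [
    ProcessEvent("ws-01", "2024-01-10T09:00Z", "chrome.exe", fingerprints(CHROME_OLD)["sha1"]),
    ProcessEvent("ws-02", "2024-01-10T09:05Z", "chrome.exe", fingerprints(CHROME_NEW)["sha1"]),
    ProcessEvent("ws-03", "2024-01-10T09:07Z", "update.exe", fingerprints(DROPPER)["sha1"]),
]

if __name__ == "__main__":
    print(variants(EVENTS))
    print(detections(EVENTS, {"chrome.exe"}, set()))                      # 2 hits: every Chrome variant
    print(detections(EVENTS, set(), {fingerprints(CHROME_OLD)["sha1"]}))  # 1 hit: ws-01 only
    print(detections(EVENTS, {"update.exe"}, set()))                      # 1 hit: the flagged malware
```

Flagging chrome.exe by name produces a hit for every workstation running any build, which is the benign-detection influx the page warns about; flagging the old build's hash narrows the detection to the one asset still running it.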

Reset a Process or Hash Flag

To reset a process or hash flag, switch the respective toggle off and then turn it back on.