"This is a known process"


CEC4

Advanced Tools, Running Processes. If the statement "this
is a known process" does not appear against an item, that
is needed, should I stop that process? How can I check
its validity? Info. under "Learn more about this
application" could possibly help me to decide.
 
There's definitely a lack of depth in the backup information about many
alerts--There've been some changes to this already in recent builds, and I
hope this will be greatly improved as the beta progresses.
 
Thanks for the update, Bill. The reason for my query
concerns two .exe files which are the same and relate to
my computer's monitor produced by ATI Technologies (ATI
Radeon 9000, on a Dell D600 laptop). I am new to this
computer and still not au fait with software running the
componentry, but can say, at this stage, the only way I
have of recognizing current software to older software is
by the icon appearing against the file name. The
two .exe files are older software. Of course, will check
with Dell about this, too, to make sure I don't have
something I shouldn't have. Cheers!
 
I've got a Dell Inspiron 600M laptop, with Radeon 9000 chipset.

I haven't seen any alerts that I can recall. Can you tell me more about
what files are involved--and what the versions are for your video drivers?

There was a false positive in definition set 5743 for ATI Catalyst drivers.
While looking into that, I tried to figure out whether the Catalyst drivers
were compatible with my laptop, and concluded that they weren't--therefore I
didn't have an "in-house" repro for the issue.

This false positive was fixed with the 5745 definitions. So--I'd be
interested to see whether you are still seeing alerts for (apparently)
ATI-related files with the 5745 definitions.

And, if you are, let me know more about the files involved--I think I
should have the same ones here.

 
Dell make a great little computer, Bill, and I'm enjoying
using mine. I must remind you, however, of my original
query, as listed right at the bottom of this message
thread. If a running process does not have the
statement "this is a known process" against the item,
should I turn it off; how can I check the process'
validity before turning it off? I never said I had had
any MSAS alerts about the two .exe files relating to ATI
processes that I referred to.

I am finding out that there are so many ways in Windows
XP to find information about the system, each one
becoming more detailed. As a new XP user, it can be a
challenge! In the meantime, have looked at those .exe
files to gain further info, including a third related
file, and find that it is a current required process.
And I guess repetitive file names can be much like the
svchost.exe files one also has running (6 on my machine)
that all have the same name, it makes it hard to
differentiate until one looks elsewhere that provides
more detail.

I don't envy the developers of MSAS who have the huge job
of identifying computer components and the software
required to run them, to be able to know all possible
permutations and combinations and their many
manufacturers, so that the information can be included in
just one aspect of an application like MSAS, such as the
Running Processes. And to have people such as yourself
who know stuff to be able to respond to posts such as
these is incredible! Thanks!
 
CEC4 said:
If a running process does not have the
statement "this is a known process" against the item,
should I turn it off;

No: just because the process is unknown to the authors of an anti-spyware
application does not necessarily make the process malicious. Microsoft
AntiSpyware will flag up "known good" and "known bad" objects. You should
make no assumptions about objects that are not on either list. In the
majority of circumstances, on a well-maintained system, objects on neither
list will be benign.

CEC4 said:
how can I check the process'
validity before turning it off?

There is no fail-safe rule for determining whether a process is malicious or
not, other than running it, monitoring what it does, and reaching a
judgement about it. This is what the anti-virus and anti-spyware labs do.

There are a number of indicators that might lead to some assumptions:

1. Look at the "Version" information in "Properties" of the exe file - do
they look convincing? Absence of all "Version" information would be a bad
sign. But "Version" information can be faked, so exercise caution.
2. Does the exe file have a valid Digital Signature? If so, who was the
publisher? Do you trust them?
3. Was the executable "packed"? This can be a bad sign, as most
malware-writers encrypt and pack their executables to make it more difficult
to figure out what they are doing. But then some commercial applications
are "packed" for good reasons.
 
Sorry for the misreading.

Robin Walker's given excellent guidance. There are some process-related web
sites which attempt to decode some of these things, but I don't have one to
recommend. Some of them have useful information, but often the author has
some specific axe to grind--such as eliminating "non-essential" services.
This may turn out to be fine until you install hardware or software that
expects that "non-essential" service to be available, and fails with a
cryptic error message.

If you really have a suspicion of malware, looking for oddities of naming or
paths--names resembling random strings, or names resembling, but not quite
the same as, system processes--or the same as system processes but in a
non-standard location are all things to watch out for.

If you have an executable and want an opinion on it, there is a good
multi-vendor antivirus site:

http://virusscan.jotti.org

Again, a clean opinion doesn't tell you an executable is safe.

The intent of the Spynet submission process is to build a knowledge base
that will be able to provide the background info necessary to fill in those
details you mention.

I expect you've read the KB article explaining the svchost entries in XP:

http://support.microsoft.com/?kbid=314056

There is indeed an amazing amount going on under the hood in XP--I hadn't
really thought of the parallels between, say, a '57 Chevy and a current year
Toyota product, but the changes are probably somewhat similar in magnitude,
from, say, a dos/windows 3.1 perspective.

I think I'm meandering a bit much here--I agree with you that the background
info on the services needs to improve, and I hope that's something the
developers have been able to manage in the work going into beta2.

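The checks Robin lists (version information, digital signature, packing) and the naming and location oddities Bill mentions can be scripted rather than done by hand in Properties. The script below is an added example, not code from this thread or from Microsoft AntiSpyware; it assumes a Windows machine with PowerShell 3 or later, and the function names, the short list of system-only process names, and the 7.2 entropy threshold used as a rough "looks packed" indicator are my own choices. It also groups services by their hosting svchost.exe instance, which is the same information KB 314056 describes getting from "tasklist /svc".

```powershell
# Added example: triage running processes with the indicators discussed in the thread.
# Assumes Windows, PowerShell 3+. Names, thresholds and the system-only list are assumptions.

$systemDir = [Environment]::GetFolderPath('System')   # typically C:\Windows\System32

# Process names that normally run only from the system directory (constructed, partial list).
$systemOnlyNames = @('svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'smss.exe')

function Get-ByteEntropy {
    # Shannon entropy in bits per byte; packed or encrypted files sit near 8.0.
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    $n = [double]$Bytes.Length
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $n
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return $entropy
}

function Get-ProcessTriage {
    # Collects the four indicators for one executable and returns them as an object.
    param([string]$Path)
    $result = [ordered]@{ Path = $Path }

    # 1. Version information. It can be faked, so only its complete absence is a strong signal.
    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    $result.Company       = $vi.CompanyName
    $result.Product       = $vi.ProductName
    $result.FileVersion   = $vi.FileVersion
    $result.NoVersionInfo = [string]::IsNullOrWhiteSpace($vi.CompanyName) -and
                            [string]::IsNullOrWhiteSpace($vi.ProductName)

    # 2. Authenticode signature: who signed it, and does the signature verify?
    # Many legitimate programs are unsigned, so "NotSigned" alone is not a verdict.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureStatus = $sig.Status
    $result.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # 3. Packing heuristic: high whole-file entropy. Threshold 7.2 is an assumption;
    # legitimately compressed installers will also trip it.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $result.Entropy     = [Math]::Round((Get-ByteEntropy $bytes), 2)
    $result.LikelyPacked = $result.Entropy -gt 7.2

    # 4. Naming/location oddity: a system process name running outside the system directory.
    $name = [System.IO.Path]::GetFileName($Path).ToLower()
    $dir  = [System.IO.Path]::GetDirectoryName($Path)
    $result.SystemNameOutsideSystemDir = ($systemOnlyNames -contains $name) -and
                                         ($dir.TrimEnd('\') -ine $systemDir.TrimEnd('\'))

    return [pscustomobject]$result
}

function Get-SvchostServiceMap {
    # Which services each svchost.exe instance hosts (the "tasklist /svc" view from KB 314056).
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match 'svchost\.exe' -and $_.ProcessId -ne 0 } |
        Group-Object ProcessId |
        ForEach-Object {
            [pscustomobject]@{
                PID      = $_.Name
                Services = (($_.Group | ForEach-Object { $_.Name }) -join ', ')
            }
        }
}

# Run the triage over every running process whose image path is readable,
# and show only those with at least one indicator worth a second look.
Get-Process |
    Where-Object { $_.Path } |
    Select-Object -Unique Path |
    ForEach-Object { Get-ProcessTriage -Path $_.Path } |
    Where-Object { $_.NoVersionInfo -or $_.SignatureStatus -ne 'Valid' -or
                   $_.LikelyPacked -or $_.SystemNameOutsideSystemDir } |
    Format-Table Path, Company, SignatureStatus, Entropy, LikelyPacked, SystemNameOutsideSystemDir -AutoSize

Get-SvchostServiceMap | Format-Table -AutoSize
```

Run it from an elevated prompt so the image paths of system processes are readable; processes whose path cannot be read are skipped rather than reported. Everything it flags is an indicator, not a verdict: as both replies above say, an unsigned or packed file is often benign, and a clean result is not proof of safety.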
 
"Sorry for the misreading. ... etc"

Since the Aug postings, have been occupied with trying to tighten security
further without losing system functionality, which has included disabling or
re-setting quite a few of the network-related services shown in Computer
Management (Local), as I am not connected to any organizational network, only
the internet. Have obtained these suggestions from Windows XP Inside Out, as
well as the Symantec Online Security Check website. At present, am in
Stealth mode with NAV2005 and reasonably safe, and MSAS is working well and
has not found any threats so far (and I hope it never will).

Tks your suggestions on what to look out for re malware and the antivirus
site for checking the executables. In the meantime, have checked those two
ATI .exe files mentioned in previous posting, and they are repeats (in actual
fact, four in total). On checking Task Mgr under Processes, there is only
one listed. Due to these and other problems, will shortly be carrying out a
'clean install' of XP OS and this will get me back to a clean machine without
any of these leftovers from the previous owner's usage of this computer. At
least I've learned a lot now about quite a few things! And, Yes, I have read
the KB article on svchost.exe, too. Tks.

As an Aussie, my 'under the hood' comparison of XP with earlier versions is
that of an old Holden Kingswood (a tank) with that of a feisty, sporty Mazda
MX5, being XP. I look forward to updating to MSAS beta2 to see the changes.
Cheers!
 
CEC4 said:
As an Aussie, my 'under the hood' comparison of XP with earlier versions
is
that of an old Holden Kingswood (a tank) with that of a feisty, sporty
Mazda
MX5, being XP. I look forward to updating to MSAS beta2 to see the
changes.
Cheers!

I'm not sure how we will compare beta1 to beta2--in these terms....

I'm quite certain it will be a very favorable comparison, though!
 