
What to look for in Process Monitor to see if an app is sending data to another location

We are starting to use Process Monitor to monitor apps being installed. There is a lot of data. We look for "http:" for remote web locations, but we also know that an app can use IPs or other things that we, as regular users, may not know about. What should we look for to know if an app is sending data to other locations: websites, IPs or drive locations?

Distinguished Expert 2019

Commented:
I'm not sure Process Monitor is suitable for that. I think it lets you see what local resources are used and where they are.
Wireshark or MS Network Monitor is the tool to capture packets.
Hi,
Here are some tools you can use.
1) Process Monitor: in this you can see established connections through the TCP network button, and send/receive packets.
2) CPorts: it will also show you connections made by applications.
http://www.nirsoft.net/utils/cports.html
3) The free Comodo firewall has the best tool to see which app is going outside. It shows live activity. I never found an individual tool like that. The Active View tab in this firewall shows you live activity.
4) You can also use Wireshark. But it will not show you the application name if you find traffic going outside. You have to analyze on the basis of protocols and port numbers.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
For reviewing internet traffic from one location to another, I use CommView. This is an excellent packet sniffer but not free. Tamosoft.net.

Wireshark is another packet sniffer. It is free, but not as flexible as CommView.

Author

Commented:
So Process Monitor will not monitor an installation app if it is sending data to another location?

If PM cannot do this, then how can we set up Wireshark to check whether an installation app is sending data to the internet?
John, Business Consultant (Owner)

Commented:
Process Monitor is for monitoring internal computer activity. CommView is for monitoring internet activity.
Distinguished Expert 2019

Commented:
Each tool covers what it covers; what you are looking at is using multiple tools to capture the data each can capture.
What is it you are looking to learn?

Author

Commented:
We want to monitor the installation process of programs to see if they send data outside the PC and what they access within the PC.
John, Business Consultant (Owner)

Commented:
You need a packet sniffer to see what happens once installed. That is how I do it.

Author

Commented:
We mean during the process of installation.
John, Business Consultant (Owner)

Commented:
You can have a packet sniffer running while installing and you can get your answers.

I have hundreds of applications on my computer. None of them are particularly interesting to watch install. The vast majority of them run home to mom looking for updates. They do not do anything nefarious.

What are you looking for?

Author

Commented:
Just got a call from one of the techs; he said that Fiddler does this task: monitoring an installation, it can capture whether it is sending data outside the PC. By any chance do you guys know anything about Fiddler? (I don't want to install an app and have my PC messed up.)

Author

Commented:
What we are looking for is whether an installation is sending data outside the PC or accessing any sensitive area of the PC. We have to install a series of apps for other types of testing and wanted to know what they actually do.
John, Business Consultant (Owner)

Commented:
Fiddler is a web debugging program.

http://www.telerik.com/fiddler

It is probably more interesting to see what it does AFTER it is installed.
John, Business Consultant (Owner)

Commented:
"What we are looking for is whether an installation is sending data outside the PC or accessing any sensitive area of the PC" <-- This will happen AFTER installation, not during.
Distinguished Expert 2019

Commented:
Often, installing offline will not impair the install, proving that network access is not essential. Running the program offline will let you know whether it needs to be activated and, if so, how (i.e. entering an activation code), as John pointed out. When starting the program for the first time it wants to activate, and one option it uses is Internet access back home ...

Author

Commented:
Understood on both entries, but if we need to monitor an installation process, what the app is accessing/sending, what app(s) or steps do you guys recommend?
John, Business Consultant (Owner)

Commented:
I see no need to monitor an installation process. Nothing interesting there. What you need AFTER installation is a packet sniffer for what you want.

Author

Commented:
I'm with you on this, but our assigned task is to check what the app is doing during the installation.
John, Business Consultant (Owner)

Commented:
Some installations are done in 15 or 30 seconds. What are you looking for? An install puts files into Program Files, entries into the registry, and maybe calls home to mother. A running packet sniffer will pick up the latter with no trouble.

Why do you need to know what is written to the registry? Process Monitor is the tool for this, but you could go blind and nuts trying to figure it all out.

Beyond packet sniffing (use a packet sniffer) what are you looking for?
Distinguished Expert 2019

Commented:
As John pointed out, only applications that require an internet/external connection to install would fall into the category where it is useful to monitor with whom they communicate at the time. Often the install has an option to auto-activate at the conclusion of the install.

In regard to your question, Process Monitor is the tool to use to determine what file system objects it is accessing and which registry settings it is accessing.
You would use a sniffer (the MS Network Monitor tool or Wireshark) to capture network traffic.
In Wireshark, to minimize the amount of data, you would need to make sure to limit your network applications as much as possible (mapped shared drives, iSCSI resources, unless you can limit the capture to one interface because iSCSI has its own dedicated network, etc.).
Distinguished Expert 2019

Commented:
Why not eliminate one that is easily handled: install while offline. No matter whether it would send something, it will not be able to, and Procmon might reflect the attempt to access a network resource.
In your case, what I always do is configure a firewall such as Comodo or ZoneAlarm Pro. Then I make one rule on the firewall: block all traffic and log it. If any application tries to go outside, the logs show where it was trying to go. That is easy to know.

Do the following:
1) Close all unnecessary services and applications first.
2) Then install Comodo firewall, which is free. This is the second-best application firewall after ZoneAlarm for home users.
3) Remove all pre-configured rules, then make one rule for all applications and exe files: block all traffic for any IP protocol, TCP and UDP, with logging enabled. Now the firewall will stop all traffic and show it in the logs.

Another thing: if you want to trace all changes during any software installation, you can use the following tools.
1) Process Monitor
2) Microsoft Attack Surface Analyzer (requires .NET 4.5)
3) InCtrl5

Fiddler and Burp are both dedicated to monitoring only web traffic, and they are the best tools so far for web traffic troubleshooting, monitoring, testing and analysis.

Author

Commented:
Ashok Dewan, that is what we want, exactly what you say: "...want to trace all changes during any software installation ...". You include as #1 Process Monitor. Which brings me back to our original question, "What to look for in Process Monitor to see if an app is sending data to another location". In other words, besides "http:" or "www" or "\\", what else can tell us that the app is accessing something outside the PC it is installed on?
Check the images I attached.
My steam.exe going outside:
My PC IP address is 192.168.1.6 ---going outside---> 103.28.54.10 at port no. 27019
27019 is the game server port number for the CS:GO game.

Below is a tutorial on Process Monitor if you need it:

https://mariadb.com/kb/en/mariadb/how-to-use-procmon-to-trace-mysqldexe-filesystem-access/

Whenever you install any software, the following things happen during installation:
1) registry changes, queries, new key creations, deletions;
2) file and folder creations, file changes, DLL file creations, injections, queries, etc.
During this process, if your suspect software tries to go outside, the firewall will block it and log it for you to watch, and you can also see the logs in Process Monitor.
In this way you can determine the behavior of any software.
And you can also keep using the above tools in the background if you want, such as Wireshark or MS Network Monitor.

Author

Commented:
Hey, thanks! It worked! When exporting the entire file we saw IPs by looking for UDP Receive/Send.
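The operations the thread ends up relying on (TCP Connect, TCP Send/Receive, UDP Send/Receive) carry the remote endpoint in Procmon's Path column as "local:port -> remote:port", so once a capture is exported to CSV (File > Save, CSV format) a short script can do the triage the author was doing by eye: list every remote destination, separate loopback and LAN addresses from external ones, and also flag the other tells the question asked about, namely UNC paths (data leaving over SMB), Load Image events for the Winsock/WinINet/WinHTTP DLLs (the process can talk to the network even if an offline install never shows a packet), and writes to Run keys and other sensitive locations. The code below is an added example written for this page; it is not code from any of the posters or from Sysinternals. The CSV rows are constructed in Procmon's default column layout, the 103.28.54.10:27019 destination is reused from Ashok's steam.exe description, the SENSITIVE_PREFIXES list is my own starting point, and the capture switches in the docstring are my recollection of Procmon's command line (check Procmon.exe /? before relying on them).

```python
"""Triage a Process Monitor CSV export for signs that an installer talks to the
network or touches sensitive locations.  Added example, not from the thread.

Capture (switch names assumed; confirm with Procmon.exe /?):
    Procmon.exe /AcceptEula /Quiet /Minimized /BackingFile install.pml
    ... run the installer ...
    Procmon.exe /Terminate
    Procmon.exe /OpenLog install.pml /SaveAs install.csv
"""
import csv
import io
import ipaddress

# Operations Procmon logs under the "Show Network Activity" class.
NETWORK_OPS = {"TCP Connect", "TCP Reconnect", "TCP Accept", "TCP Send",
               "TCP Receive", "TCP Disconnect", "UDP Send", "UDP Receive"}
# A "Load Image" of one of these means the process is able to use the network.
NETWORK_DLLS = {"ws2_32.dll", "mswsock.dll", "wininet.dll", "winhttp.dll", "urlmon.dll"}
# Assumed list of locations worth a second look; extend for your environment.
SENSITIVE_PREFIXES = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SYSTEM\CurrentControlSet\Services",
    r"C:\Windows\System32\drivers",
)
_SENSITIVE_LC = tuple(p.lower() for p in SENSITIVE_PREFIXES)

# Constructed sample in Procmon's default CSV column layout (not a real capture).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","setup.exe","4120","Load Image","C:\Windows\System32\ws2_32.dll","SUCCESS","Image Base: 0x7ffd1a2b0000, Image Size: 0x62000"
"10:01:02.2000000 AM","setup.exe","4120","UDP Send","192.168.1.6:53123 -> 192.168.1.1:53","SUCCESS","Length: 48, seqnum: 0, connid: 0"
"10:01:02.3000000 AM","setup.exe","4120","TCP Connect","192.168.1.6:51200 -> 103.28.54.10:27019","SUCCESS","Length: 0, mss: 1460, rcvwin: 65536"
"10:01:02.4000000 AM","setup.exe","4120","TCP Send","192.168.1.6:51200 -> 103.28.54.10:27019","SUCCESS","Length: 512, seqnum: 0, connid: 0"
"10:01:02.5000000 AM","setup.exe","4120","TCP Connect","desktop-7f2:51201 -> updates.example.net:https","SUCCESS","Length: 0"
"10:01:03.0000000 AM","setup.exe","4120","CreateFile","\\fileserver\share\telemetry.dat","SUCCESS","Desired Access: Generic Write"
"10:01:03.1000000 AM","setup.exe","4120","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Data: C:\Program Files\Foo\updater.exe"
"10:01:03.2000000 AM","setup.exe","4120","CreateFile","C:\Program Files\Foo\foo.exe","SUCCESS","Desired Access: Generic Write"
'''


def split_endpoint(endpoint):
    """'host:port' -> (host, port).  IPv6 endpoints are written as '[addr]:port'."""
    host, _, port = endpoint.strip().rpartition(":")
    return host.strip("[]"), port


def host_scope(host):
    """'loopback' / 'private' / 'public' for literal IPs; 'name' when Procmon
    resolved the address (Options > Resolve Network Addresses), which hides it."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "name"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "private"
    return "public"


def analyze(csv_text):
    """Walk the export once and collect the four kinds of evidence."""
    report = {"connections": [], "unc_paths": set(), "network_dlls": set(), "sensitive": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        op, path = row["Operation"], row["Path"]
        if op in NETWORK_OPS and " -> " in path:
            _src, dst = path.split(" -> ", 1)
            host, port = split_endpoint(dst)
            report["connections"].append({
                "process": row["Process Name"], "pid": row["PID"], "op": op,
                "host": host, "port": port, "scope": host_scope(host)})
        elif op == "Load Image" and path.rsplit("\\", 1)[-1].lower() in NETWORK_DLLS:
            report["network_dlls"].add(path.rsplit("\\", 1)[-1].lower())
        elif path.startswith("\\\\"):  # UNC share: file data leaving the PC over SMB
            report["unc_paths"].add(path)
        if path.lower().startswith(_SENSITIVE_LC):
            report["sensitive"].append({"op": op, "path": path, "detail": row["Detail"]})
    return report


def external_destinations(report):
    """Destinations that are not this PC or its LAN: public IPs and resolved names."""
    return sorted({(c["host"], c["port"]) for c in report["connections"]
                   if c["scope"] in ("public", "name")})


if __name__ == "__main__":
    rep = analyze(SAMPLE_CSV)
    for host, port in external_destinations(rep):
        print(f"external: {host}:{port}")
    print("network DLLs loaded:", sorted(rep["network_dlls"]))
    print("UNC paths:", sorted(rep["unc_paths"]))
    for s in rep["sensitive"]:
        print("sensitive:", s["op"], s["path"])
```

Two practical notes. Turn off Options > Resolve Network Addresses before capturing, otherwise the Path column shows names such as "updates.example.net:https" instead of the IP and port, and the script can only report them as "name". And the LAN-side noise the author hit (UDP to the router on port 53, mapped drives) is exactly what the "private" scope and the UNC bucket are for: a DNS query to 192.168.1.1 is not evidence of exfiltration by itself, but a connect to a public address right after it is.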