What to look for in Process Monitor to see if an app is sending data to another location

jana (ASKER):

We are starting to use Process Monitor to monitor apps being installed. There is a lot of data. We look for "http:" for a remote web location, but we also know that it can use IPs or anything else we as regular users may not know. What should we look for to know if an app is sending to other locations, websites, IPs or drive locations?
arnold:

Not sure Process Monitor is suitable for that. I think it lets you see what local resources are used and where they are.
Wireshark or MS Network Monitor is the tool to capture packets.
Hi,
here are some tools you can use.
1) Process Monitor: in this you can see established connections through the TCP network button and send/receive packets.
2) CPorts: it will also show you connections made by applications.
http://www.nirsoft.net/utils/cports.html
3) The free Comodo firewall has the best tool to see which app is going outside. It shows live activity. I never found an individual tool like that. The Active View tab in this firewall shows you live activity.
4) You can also use Wireshark. But it will not show you the application name if you find traffic going outside. You have to analyze on the basis of protocols and port numbers.
For reviewing internet traffic from one location to another, I use CommView. This is an excellent packet sniffer but not free. Tamosoft.net.

Wireshark is another packet sniffer. It is free, but not as flexible as CommView.
jana (ASKER):

So Process Monitor will not monitor an installation app if it's sending data to another location?

If PM cannot do this, then how can we set up Wireshark to check whether an installation app is sending data to the internet?
Process Monitor is for monitoring internal computer activity. CommView is for monitoring internet activity.
Each tool covers what it covers; what you are looking at is using multiple tools to capture the data each can capture.
What is it you are looking to learn?
jana (ASKER):

We want to monitor the installation process of programs to see if they send data outside the PC and what they access within the PC.
You need a packet sniffer to see what happens once installed. That is how I do it.
jana (ASKER):

We mean during the process of installation.
You can have a packet sniffer running while installing and you can get your answers.

I have hundreds of applications on my computer. None of them are particularly interesting to watch install. The vast majority of them run home to mom looking for updates. They do not do anything nefarious.

What are you looking for?
jana (ASKER):

Just got a call from one of the techs; said that Fiddler does this task: monitoring an installation, it can capture if they are sending data outside the PC. By any chance do you guys know anything about Fiddler? (Don't want to install an app and have my PC messed up.)
jana (ASKER):

What we are looking for is whether an installation is sending data outside the PC or accessing any sensitive area of the PC. We have to install a series of apps for other types of testing and wanted to know what they actually do.
Fiddler is a web debugging program.

http://www.telerik.com/fiddler

It is probably more interesting to see what it does AFTER it is installed.
"What we are looking for is whether an installation is sending data outside the PC or accessing any sensitive area of the PC" <-- This will happen AFTER installation, not during.
Often, installing offline will not impair the install, proving that network access is not essential. Running the program offline will let you know whether it needs to be activated and if so how (i.e. entering an activation code), as John pointed out. When starting the program for the first time it wants to activate, and one option it uses is Internet access back home ......
jana (ASKER):

Understood on both entries, but if we need to monitor an installation process (what the app is accessing/sending), what app(s) or steps do you guys recommend?
I see no need to monitor an installation process. Nothing interesting there. What you need AFTER installation is a packet sniffer for what you want.
jana (ASKER):

I'm with you on this, but our assigned task is to check what the app is doing during the installation.
Some installations are done in 15 seconds or 30 seconds. What are you looking for? An install puts files into Program Files, entries into the registry, and maybe calls home to mother. A running packet sniffer will pick up the latter with no trouble.

Why do you need to know what is written to the registry? Process Monitor is the tool for this, but you could go blind and nuts trying to figure it all out.

Beyond packet sniffing (use a packet sniffer) what are you looking for?
As John pointed out, only applications that require an internet/external connection to install fall into the category where it is useful to monitor with whom they communicate at the time. Often the install has an option to auto-activate at the conclusion of the install.

In regards to your question, Process Monitor is the tool to use to determine which file system objects it is accessing and which registry settings it is accessing.
You would use a sniffer (MS Network Monitor or Wireshark) to capture network traffic.
In Wireshark, to minimize the amount of data, you would need to limit as much as possible your network applications (mapped shared drives, iSCSI resources unless you can limit the interface, if iSCSI has its own dedicated network, etc.).
Why not eliminate one that is easily handled: install while offline. No matter whether it would send something, it will not be able to, and Procmon might reflect the "attempt to access a network resource".
In your case, what I always do: I configure a firewall such as Comodo or ZoneAlarm Pro. Then I make one rule on the firewall, which is "block all traffic and log it". If any application tries to go outside, then it shows in the logs where it was trying to go. That is easy to know.

Do the following:
1) Close all unnecessary services and applications first.
2) Then install Comodo Firewall, which is free. This is the second-best application firewall after ZoneAlarm for home users.
3) Remove all pre-configured rules, then make one rule for all applications and exe files: block all traffic for any IP protocol, TCP and UDP, with logging enabled. Now the firewall will stop all traffic and show it in the logs.

The other thing is, if you want to trace all changes during any software installation, then you can use the following tools.
1) Process Monitor
2) Microsoft Attack Surface Analyzer (requires .NET 4.5)
3) InCtrl5

Fiddler and Burp are both dedicated to monitoring only web traffic, and these are the best tools so far for web traffic troubleshooting, monitoring, testing and analysis.
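Once a block-all-and-log rule is in place, the firewall log is the record of where the installer tried to go. The script below is an added example, not from the thread and not part of Comodo or ZoneAlarm: it reads the built-in Windows Firewall log (pfirewall.log, W3C extended format, written once "Log dropped packets" is enabled) as a stand-in for Comodo's log, and lists the dropped outbound attempts that fall inside the install window. The log lines are constructed, and the only things assumed are the field names in the `#Fields:` header. One caveat a reader should know before relying on this log alone: it carries no process name, so the source port is kept because it is the key that ties a line back to a Procmon TCP Connect or UDP Send event for the same local port.

```python
"""Summarise where an installer tried to go from a block-all-and-log firewall log.

Added example, not from the thread. Reads the built-in Windows Firewall log
(pfirewall.log, W3C extended format, written when "Log dropped packets" is on)
as a stand-in for Comodo's log; only the field names below are assumed.
"""
import datetime as dt

# Constructed sample lines in pfirewall.log layout (not a real capture).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-05 10:01:50 DROP UDP 10.0.0.15 10.0.0.255 137 137 78 - - - - - - - SEND
2024-03-05 10:02:12 DROP UDP 10.0.0.15 10.0.0.2 56000 53 68 - - - - - - - SEND
2024-03-05 10:02:12 DROP TCP 10.0.0.15 93.184.216.34 49712 443 52 S 3197654321 0 65535 - - - SEND
2024-03-05 10:02:15 DROP TCP 10.0.0.15 93.184.216.34 49713 443 52 S 3197654400 0 65535 - - - SEND
2024-03-05 10:02:20 DROP TCP 203.0.113.9 10.0.0.15 40000 445 52 S 11111 0 8192 - - - RECEIVE
2024-03-05 10:02:30 DROP TCP 10.0.0.15 198.51.100.7 49714 80 52 S 3197654500 0 65535 - - - SEND
2024-03-05 10:05:00 DROP TCP 10.0.0.15 93.184.216.34 49720 443 52 S 3197655000 0 65535 - - - SEND
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated line (the log is still being written while we read it)
        yield dict(zip(fields, values))


def outbound_attempts(text, start, end):
    """Dropped outbound (path=SEND) attempts between start and end, inclusive.

    Returns {(protocol, dst-ip, dst-port): [src-port, ...]}. Source ports are
    kept because they are the only key that links a log line back to a process:
    Procmon's TCP Connect / UDP Send path shows the same local port.
    """
    lo, hi = (dt.datetime.strptime(t, TIME_FMT) for t in (start, end))
    attempts = {}
    for rec in parse_firewall_log(text):
        when = dt.datetime.strptime(f"{rec['date']} {rec['time']}", TIME_FMT)
        if not lo <= when <= hi:
            continue
        if rec["action"] != "DROP" or rec["path"] != "SEND":
            continue  # inbound noise (scans) or traffic that a rule allowed
        key = (rec["protocol"], rec["dst-ip"], rec["dst-port"])
        attempts.setdefault(key, []).append(rec["src-port"])
    return attempts


if __name__ == "__main__":
    # Install window for the sample; in practice note the clock before and after setup runs.
    for (proto, ip, port), src_ports in outbound_attempts(
            SAMPLE_LOG, "2024-03-05 10:02:00", "2024-03-05 10:03:00").items():
        print(f"{proto} {ip}:{port}  attempts={len(src_ports)}  local ports={','.join(src_ports)}")
```

For the constructed window the script reports the DNS lookup to 10.0.0.2:53 and two public destinations (93.184.216.34:443 twice, 198.51.100.7:80 once); the NetBIOS broadcast before the window, the inbound 445 probe and the later retry all drop out. With the block-all rule active, a retry pattern like the two attempts to the same host seconds apart is what an activation or update check looks like from the outside.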
jana (ASKER):

Ashok Dewan, that is what we want, exactly what you say: "...want to trace all changes during any software installation...". You include as #1 Process Monitor, which brings me back to our original question, "What to look for in Process Monitor to see if an app is sending data to another location". In other words, besides "http:" or "www" or "\\", what else can tell us that the app is accessing something outside the PC it is installed on?
ASKER CERTIFIED SOLUTION
Ashok Dewan
This solution is only available to members.
jana (ASKER):

Hey, thanks! Worked! When exporting the entire file we saw IPs by looking for UDP Receive/Send.
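The asker's closing note (search the export for UDP Receive/Send) is one row type of several. The script below is an added example, not part of the thread and not the accepted solution, which is not visible here: it reads a Process Monitor CSV export (File > Save as CSV) and pulls out the three things the original question listed, namely network operations with their remote endpoint, UNC (\\server\share) paths, and file or registry locations on a watch-list. Assumptions: the default export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail); network Path values of the form "host:port -> host:port" as Procmon writes them; `local_names` must contain the PC's own name as Procmon shows it (PC01 in the constructed sample), otherwise that side is reported as remote; the watch-list and the sample rows are illustrative constructions. Ports are kept as strings because Procmon shows resolved names such as "https" unless "Resolve Network Addresses" is turned off under Options.

```python
"""Triage a Process Monitor CSV export for activity that leaves the PC.

Added example, not from the thread. Assumes the default Procmon export columns
(Time of Day, Process Name, PID, Operation, Path, Result, Detail) and network
Path values of the form "host:port -> host:port".
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Operation names Procmon uses for its network event class.
NETWORK_OPS = {
    "TCP Connect", "TCP Reconnect", "TCP Accept", "TCP Send", "TCP Receive",
    "TCP Disconnect", "UDP Send", "UDP Receive",
}

# Assumed watch-list (extend for your environment): locations an installer only
# touches when it persists, installs a driver, or fingerprints the machine.
SENSITIVE_PREFIXES = (
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\",
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid",
    "C:\\Windows\\System32\\drivers\\",
)

# Constructed sample rows in Procmon's CSV export layout (not a real capture).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1234567 AM","setup.exe","4120","CreateFile","C:\Program Files\Acme\acme.dll","SUCCESS","Desired Access: Generic Write"
"10:02:11.2234567 AM","setup.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AcmeUpdater","SUCCESS","Type: REG_SZ, Length: 60, Data: C:\Program Files\Acme\updater.exe"
"10:02:12.0004567 AM","setup.exe","4120","TCP Connect","PC01:49712 -> 93.184.216.34:443","SUCCESS","Length: 0, mss: 1460"
"10:02:12.1004567 AM","setup.exe","4120","TCP Send","PC01:49712 -> 93.184.216.34:443","SUCCESS","Length: 517"
"10:02:12.3004567 AM","setup.exe","4120","UDP Send","PC01:56000 -> 10.0.0.2:53","SUCCESS","Length: 40"
"10:02:12.4004567 AM","setup.exe","4120","UDP Receive","10.0.0.2:53 -> PC01:56000","SUCCESS","Length: 56"
"10:02:13.0004567 AM","setup.exe","4120","CreateFile","\\fileshare\deploy\telemetry.log","SUCCESS","Desired Access: Generic Write"
"10:02:13.5004567 AM","svchost.exe","1304","TCP Connect","PC01:49713 -> 127.0.0.1:8080","SUCCESS","Length: 0"
"10:02:14.0004567 AM","setup.exe","4120","RegQueryValue","HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid","SUCCESS","Type: REG_SZ, Length: 78"
'''


def split_endpoint(endpoint):
    """'host:port' -> (host, port); also handles a bracketed IPv6 host."""
    host, _, port = endpoint.strip().rpartition(":")
    return host.strip("[]"), port


def classify_host(host):
    """'loopback', 'private', 'public', or 'name' for an unresolved hostname."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "loopback" if host.lower() == "localhost" else "name"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "private"
    return "public"


def remote_endpoint(path, local_names):
    """Return (host, port, kind) for the non-local side of a Procmon network path.

    Receives show the remote side on the left and sends on the right, so both
    sides are examined and the first one that is not us is returned. Loopback
    only traffic yields None.
    """
    if " -> " not in path:
        return None
    for endpoint in path.split(" -> "):
        host, port = split_endpoint(endpoint)
        kind = classify_host(host)
        if kind == "loopback" or host.lower() in local_names:
            continue
        return host, port, kind
    return None


def triage(csv_text, local_names=("localhost",)):
    """Group off-host and watch-listed activity per process from a Procmon CSV export."""
    local = {n.lower() for n in local_names}
    report = defaultdict(lambda: {"network": set(), "unc": set(), "sensitive": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        proc = f"{row['Process Name']}:{row['PID']}"
        op, path = row["Operation"], row["Path"]
        if op in NETWORK_OPS:
            hit = remote_endpoint(path, local)
            if hit:
                report[proc]["network"].add((op, *hit))
        if path.startswith("\\\\"):  # UNC path: a file operation against another machine
            report[proc]["unc"].add((op, path))
        if any(path.upper().startswith(p.upper()) for p in SENSITIVE_PREFIXES):
            report[proc]["sensitive"].add((op, path))
    return {proc: {cat: sorted(v) for cat, v in cats.items()} for proc, cats in report.items()}


if __name__ == "__main__":
    for proc, cats in triage(SAMPLE_CSV, local_names=("localhost", "PC01")).items():
        print(proc)
        for cat, items in cats.items():
            for item in items:
                print(f"  {cat:9} {' '.join(item)}")
```

On the sample, setup.exe is reported with a TCP connection and send to a public address on 443, a DNS exchange with 10.0.0.2, a write to \\fileshare\deploy\telemetry.log, a Run-key value that persists an updater, and a read of MachineGuid; the loopback connection from svchost.exe is dropped. In a real export the same walk is done over the full file, and the two lists worth reading first are the public endpoints and the sensitive writes, since private addresses are mostly DNS, proxy and share traffic the network itself explains.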