04-11-2018 07:34 AM
I configured a HIP check for a non-running process, but the GP doesn't detect it.
Have someone got it working?
04-11-2018 12:43 PM
To check if a service is installed on a system you have to use the registry: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-serv...
Another solution does not exist as a non-running process simply is an executable somewhere on the filesystem. So GP would have to search the drives for an executable name that you have specified and this could easily be spoofed.
04-11-2018 12:51 PM
It is supported by PaloAlto:
Process List | To check the host system for a specific process, click Add and then enter the process name. By default, the agent checks for running processes; if you just want to see if a specific process is present on the system even if not running, clear the Running selection. |
04-11-2018 01:10 PM
I might be wrong, but I think the description in that documentarion is not very clear and the comment on that page writes something about suspended processed. But a not-running process simply is an executable somewhere on the filesystem, so I am back at my first comment here.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
