Find out if a process is malicious
You see lots of processes when you start the operating system's task manager: svchost.exe, csrss.exe, winlogon.exe and many more that may run on the system. You can start the Task Manager with the shortcut Ctrl-Shift-Esc.
Update: Microsoft changed the start page of the Task Manager on Windows 10. You need to click on the "more details" link on first run to display the classic interface that lists all running processes and information.
A user who never dealt with these processes before may have a hard time figuring out which are safe and which may be malicious because more often than not you cannot really determine which program or service launched a process.
A question like "Is svchost.exe a virus, or is it safe?" is normal and can be answered using the methods described below.
Find out if a process is malicious
One way to look up additional information is to use a program like Process Explorer which displays more information about all processes currently running on your system. Process Explorer adds a description and company tab which reveals some information about the process.
The program displays processes in a tree hierarchy on top of that so that you see parent and child processes on first glance. This makes it easier to understand how a particular process was launched, especially if it is a child process.
You can configure Process Explorer to replace the task manager. Still, while you may have information about the company and a description, you may not have all information required to come to a final conclusion.
Update: Newer versions of Process Explorer come with Virustotal integration. You may use it to check each running process on Virustotal to find out whether it is flagged as malicious by one or more antivirus engines used by the security scanning service.
What if there is no description but a company name like CMCEI. Would you be suspicious about it? I definitely would be and now we come to websites that contain process lists of nearly every process running on Windows machines.
I would like to start with the list of websites that are not spam and offer a good amount of information that you can work with. Many process libraries on the Internet either do not offer valuable information at all, or instead try to sell you a product that they claim will help you out.
Two of the following sites have buttons to purchase products but they contain valuable information that make up for that. Don't click on those buttons and you have nothing to fear.
- Process Library
- Windows Process and Task List
- Removed
- Removed
All but one of the websites mentioned above have a site search - simply enter a filename that you don't know about and they will display the information they have about it. It is a very good idea to cross-check the results before you take action.
If the information states that the file could be a virus, trojan or worm you should take appropriate measures.
The first is to download an anti-virus program like Free AV (AVG Antivirus, Avast) and scan your system using that tool. Make sure the antivirus software is up to date. You might also want to take a look at my article about free online scan websites, most require Internet Explorer but some work in Firefox and other browsers as well.
You should also download and run anti-spyware programs like Spybot Search and Destroy or Adaware. I've published the guide "how to detect and remove spyware" which might be helpful as well.
To sum it up
- Download Process Explorer
- Use the websites mentioned above to find out more about the process in question
- Scan your system with antivirus software
- Scan your system with anti-spyware software
Tips
- Some programs, like SlimCleaner rate processes that run on your system. They usually do not have information about them all but may provide you with information about popular ones.
- The Windows Task Manager in Windows 7 and Windows 8 hides system processes and processes running for all users from view by default. Click on show processes from all users to get a list of all processes running on your system.
The problem lies in the fact that these sites expect
users to go through 50-100 processes just to decide if their “safe” which in itself is difficult when there are multiple definitions for quite a few of the processes, especially those used by the system.
Yeah, this is a great one, I’m using it shortly. Saves a lot of work(time).
http://www.processlibrary.com/quickaccess/
There is a Plug-in Program called UNIBLUE QUICK ACCESS which will attach itself to the Task Manager in Windows which will take you directly to the Process Library where you can determine the nature of the Process that is running on your Computer. I always make it a habit each and every day to use this Process identifier together with PROCESS EXPLOYER to see what is running,like I said it is a habit and a good one at that.