(imported topic written by russwm91)
Hello,
An example would be “bad process.exe” running live on a workstation and located in C:\documents and settings\"current user"\temp. So this report or analyst would be able to capture what workstations in the company are running a process that originates from the path C:\windows\documents and settings\"current user"\temp. We are seeing more and more virus/spyware activity that is linked to random process names but seems to always be located in the C:\documents and settings\"current user"\temp path.
Here is what we have so far, which should work, but we can't figure out the last part of the relevancy statement:
selects "executablepath from Win32_Process" of wmi (This works; it will get all running paths of all exe programs)
selects "* from win32_process where ExecutablePath = 'C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe'" of wmi
I don’t get errors with this but I don’t get a result either.
(This is just me trying to write something that seems logical but does not work.)
Thanks,
Russ
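
The triage described in the post, as an added example that is not part of the original post or of BigFix: it takes the executable paths that the working query returns, exported as (workstation, path) pairs, and flags those that sit under a per-user temp directory. The export format, host names and sample paths are constructed, and the XP `Local Settings\Temp` and Vista-and-later `AppData\Local\Temp` locations are added as assumptions beside the path named in the post.

```python
import re
from collections import defaultdict

# Per-user temp directories. The first alternative covers the path named in
# the post; "Local Settings\Temp" (XP) and "AppData\Local\Temp" (Vista+) are
# added on the assumption that profiles use the default Windows layout.
_TEMP_DIR = re.compile(
    r"^[a-z]:\\(?:"
    r"documents and settings\\[^\\]+\\(?:local settings\\)?temp"
    r"|users\\[^\\]+\\appdata\\local\\temp"
    r")\\"
)

def normalize(path):
    """Lower-case, unify separators and strip quoting so comparisons are stable."""
    p = path.strip().strip('"').replace("/", "\\").lower()
    return re.sub(r"\\{2,}", "\\\\", p)   # collapse doubled backslashes

def runs_from_user_temp(path):
    """True if the executable sits anywhere below a per-user temp directory."""
    if not path:   # ExecutablePath can be empty for some system processes
        return False
    return _TEMP_DIR.match(normalize(path)) is not None

def flag_workstations(rows):
    """rows: iterable of (workstation, executable_path) -> {workstation: [paths]}."""
    hits = defaultdict(list)
    for host, path in rows:
        if runs_from_user_temp(path):
            hits[host].append(path)
    return dict(hits)

# Constructed sample data (hypothetical host and process names).
SAMPLE = [
    ("WS-001", r"C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe"),
    ("WS-001", r"C:\Documents and Settings\alice\temp\bad process.exe"),
    ("WS-002", r"c:\documents and settings\bob\Local Settings\Temp\x7f3.exe"),
    ("WS-002", None),
    ("WS-003", r"C:\Users\carol\AppData\Local\Temp\is-1A2B.tmp\setup.tmp"),
    ("WS-004", r"C:\Windows\Temp\patch.exe"),
    ("WS-004", r"C:\Documents and Settings\dave\Desktop\temp\tool.exe"),
]

if __name__ == "__main__":
    for host, paths in sorted(flag_workstations(SAMPLE).items()):
        print(host, paths)
```

Installers and updaters also run from per-user temp directories (the WS-003 row), so a hit is a lead for review rather than a verdict.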