If I check the processes that are running in the Task Manager and find that only the usual processes run every time I restart my PC, can I assume that my device is not compromised?

In other words, does a compromised device always show an alien process running?

schroeder
Jay Shah

3 Answers

6

No.

Scenario 1: A rootkit is running, which could hide any malicious processes which are running.

Scenario 2: One of the 'usual' processes which you referred to could have been compromised, and you might not be able to tell the difference.

Dan Landberg
  • +1. Scenario 3: A malicious process could be scheduled to run by the scheduler. – mti2935 Dec 17 '20 at 14:48
  • +1 Thank you for your answer! Your answer is as good as MechMK1's, and both of you published an answer exactly at the same time, so for marking some answer as "Accepted", I chose him randomly. Thanks again! – Jay Shah Dec 17 '20 at 15:26
  • ...so if someone tries to turn on my webcam remotely (without turning on the light, (yes it's possible)), will I see my Camera app running? – Jay Shah Dec 17 '20 at 15:30
6

No.

There are plenty of techniques to migrate malicious code into "legitimate" processes. Furthermore, just because you cannot identify a process does not mean it's not legitimate.

As such, just by looking at the list of processes, you cannot tell whether a device is compromised or not.

  • Okay, so if someone tries to turn on my webcam remotely (without turning on the light, (yes it's possible)), will I see my Camera app running? – Jay Shah Dec 17 '20 at 15:30
  • @JayShah, no. There is no app related to direct camera access. It's a hardware address. – HackSlash Dec 17 '20 at 18:34
1

First of all, I fail to see how you could check that all the running processes are legitimate, even if the malicious process did show up in Task Manager. The list of "usual" processes would change every time you install any new software and might even change after some software updates itself. Additionally, you might have a hard time telling which processes are "usual", since any malware that has established persistence on your device would show up every time you reboot, and you might mistakenly start considering it "usual" too.

Even if you could sort out the trusted processes, any malware that leverages something as simple as "living off the land" techniques (which is basically just using preinstalled binaries like powershell, cmd.exe, mshta.exe etc. to carry out malicious actions) would completely bypass your test.

Of course, there are more sophisticated techniques like the ones MechMK1 and Dan Landberg refer to, but it's actually really simple to defeat your (quite impractical) check.

nobody
  • +1 So if someone tries to turn on my webcam remotely (without turning on the light, (yes it's possible)), will I see my Camera app running? – Jay Shah Dec 17 '20 at 15:32
  • Is it possible they are using my webcam to record, but Camera app is 0% in list? I guess if the hacker uses my webcam, the cam should definitely be running? – Jay Shah Dec 17 '20 at 15:33
  • @JayShah No, the camera app is not required to access the camera. In fact I don't think the camera app should appear in the list even if some legitimate process is using the camera – nobody Dec 17 '20 at 15:37
  • Why do you think that? – Jay Shah Dec 17 '20 at 15:38
  • My camera app appears (showing an above 0% number) even if I don't use it. – Jay Shah Dec 17 '20 at 15:39
  • 1
    @JayShah read again what nobody wrote: the camera app Is not required to be able to access your camera. It's just the OS's standard way of doing it. A malicious process could access the camera without the app. – schroeder Dec 17 '20 at 15:43
  • @schroeder I get it, so it's just the standard way, not the only way. Can I ask you one more thing? Why do so many processes appear in the list (above 0% figure) like Cyberlink YouCam comes for a minute or 2 and then falls to 0% again. Many other processes also go up and fall back to 0%. Is this a normal thing, does this happen to your computer too? – Jay Shah Dec 17 '20 at 15:46
  • @JayShah Why do I think so? Simply because I tried accessing my camera from a website through chrome and the camera app didn't show up in task manager – nobody Dec 17 '20 at 15:47
  • @JayShah because they are there, ready to jump into action when you might need them. It's a user experience thing. It's very normal. – schroeder Dec 17 '20 at 15:48
  • @schroeder So if all processes exhibit *this* feature of going up and falling back to 0% *because they are there to jump into action anytime*, and all such processes do not go above 1%, is it a good sign that my PC is normal (not compromised)? – Jay Shah Dec 17 '20 at 15:51
  • In total, the CPU column doesn't add up to more than 7-9%. Sometimes it touches as low as 1-2%. Is this a good sign that my PC is not compromised? – Jay Shah Dec 17 '20 at 15:58
  • @nobody If you just checked that you used camera from Chrome and the app didn't show up in the Task manager, then its usage must have been reflected in the process "Chrome", is this right understanding? – Jay Shah Dec 17 '20 at 16:02
  • @schroeder Literally all processes rise to some extent and fall back to 0%. If a hacker had turned on the webcam remotely, it would make at least one process stay above 0% for as long as they are using the webcam. Is this right understanding? – Jay Shah Dec 17 '20 at 16:08
  • No, it's not proof of a negative (i.e. that you are *not* compromised). *Active* processes meant as service processes stay at 0% until needed. And, as all the other answers have said, attackers could use legitimate processes that are always running above 0% to launch temporary processes that access the camera. This is now far beyond your question and no longer a security matter. – schroeder Dec 17 '20 at 16:16
  • @schroeder Yes, I am aware that attackers could use legitimate processes that are always above 0% to launch webcam, but on my PC, literally ALL processes touch 0% at one point when I stay idle. My logic is that if someone were using my webcam right now, there should have been at least one legitimate process that never touches zero. But since all processes touch zero at one point in time on my PC, it is unlikely that the webcam is turned on, as that would require at least 1 legitimate process to keep flying. How is this logic wrong? – Jay Shah Dec 17 '20 at 16:24
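The following is an added example, not code from the question or any of the answers. It makes concrete the point raised in the second answer (malicious code riding inside "legitimate" processes) and in nobody's answer (living-off-the-land binaries): a process snapshot in which every name is "usual" passes the asker's allow-list check, while a defender looking at image path, parent process and command line flags two of the same entries. The snapshot, the allow-lists and the expected-directory table are all constructed for illustration and are assumptions, not Windows facts pulled from the page; real tooling would query the OS for this data.

```python
"""Added example (not part of the original question or answers).

A name-based "usual processes" allow-list versus context-based checks
(image path, parent process, command line). All data below is constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int      # parent pid
    name: str
    path: str      # full image path (what Task Manager's Details tab can show)
    cmdline: str


# Constructed snapshot: every process *name* is one the user would call "usual".
SNAPSHOT = [
    Proc(4, 0, "System", "", ""),
    Proc(900, 4, "services.exe", r"C:\Windows\System32\services.exe", "services.exe"),
    Proc(1000, 900, "svchost.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    Proc(2000, 1500, "explorer.exe", r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(3000, 2000, "WINWORD.EXE",
         r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE"),
    # Living off the land: a preinstalled binary launched by a document reader
    # with a hidden window and an encoded command (constructed, harmless payload).
    Proc(3100, 3000, "powershell.exe",
         r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe -w hidden -enc QUJD"),
    # Masquerading: a "usual" name, but the binary lives in the user's Temp directory.
    Proc(3200, 2000, "svchost.exe", r"C:\Users\jay\AppData\Local\Temp\svchost.exe", "svchost.exe"),
]

# The asker's mental allow-list (hypothetical).
USUAL_NAMES = {"system", "services.exe", "svchost.exe", "explorer.exe",
               "winword.exe", "powershell.exe"}


def naive_check(procs):
    """The check from the question: do all process names appear on the 'usual' list?"""
    return all(p.name.lower() in USUAL_NAMES for p in procs)


# Assumed legitimate directories for a few system binaries (lower-cased for comparison).
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
}
# Preinstalled binaries commonly used for living-off-the-land (assumed list).
LOLBINS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
# Parents from which a LOLBin launch deserves a second look (assumed list).
USER_APPS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe"}


def find_suspicious(procs):
    """Return [(pid, reason), ...] using context rather than names alone."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = p.name.lower()
        parent = by_pid.get(p.ppid)
        pname = parent.name.lower() if parent else ""
        # 1. A system-binary name running from somewhere it should not.
        if name in EXPECTED_DIR and p.path:
            actual_dir = str(PureWindowsPath(p.path).parent).lower()
            if actual_dir != EXPECTED_DIR[name]:
                findings.append((p.pid, f"{p.name} running from {actual_dir}, expected {EXPECTED_DIR[name]}"))
        # 2. A LOLBin spawned by a document reader or browser.
        if name in LOLBINS and pname in USER_APPS:
            findings.append((p.pid, f"{p.name} spawned by {parent.name}"))
        # 3. A LOLBin started with a hidden window or an encoded command line.
        low = p.cmdline.lower()
        if name in LOLBINS and (" -enc" in low or "hidden" in low):
            findings.append((p.pid, f"{p.name} with hidden/encoded command line"))
    return findings


if __name__ == "__main__":
    print("naive allow-list check says clean:", naive_check(SNAPSHOT))
    for pid, why in find_suspicious(SNAPSHOT):
        print(pid, why)
```

Note what the example cannot do: both functions work on the same snapshot, so anything a rootkit hides from the OS's process enumeration (Dan Landberg's Scenario 1) or code injected into an already-running legitimate process (Scenario 2) is absent from both checks. Context-based checks raise the bar over a name list; they do not turn a process list into proof of a clean machine.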