    Differentiating Spyware and Viral Traffic From Legitimate Traffic


    We all try to run our antispyware, antivirus, etc. software to stay moderately safe, however…

    When you go to the Performance Monitor or Task Manager and see network traffic you are not anticipating, what’s the best process for tracking down exactly who is sending it, what the content is, and where it is going? Like, is it legit, or is there some undiscovered key logger operating that the AV folks have not discovered yet, or that managed to break the AV tools?

    So far after seeing unanticipated traffic that I discover in Task Manager, I go to Performance Manager (I’m in Vista – getting used to it, finally) and expand the Network band to see the destinations.

    The standard IP addresses (xxx.xx.xx.xx) are easy enough to track down with a DNS lookup utility, but they usually resolve to a nondescript host serving someone behind the DNS registrar. Any suggestions on how to dig deeper?

    Also, I’m seeing address formats I’m not familiar with like ff0::1:5. Any idea what this address format is trying to tell us or how to find out?

    From the Network Band I also get the Process ID and the name of the process generating the traffic, which usually turns out to be a generic svchost process that tells me nothing.

    I then go to procmon.exe, then filter for the PID that was generating all the traffic. That often turns out to be running a Microsoft Process Profiling operation, but that seems to be a natural byproduct of the performance monitor, and it does not seem it should be sending information over the network.

    BTW this machine is tied to an ATT Uverse line and there is nothing else on the network (except a Vonage VOIP access point). Ideas?

    Since I can’t get a clear picture of who or what process is generating the traffic, is there any way to glean meaningful information by getting a look at the data stream? If so, any good free/shareware utilities out there to help with this?

    All thoughts welcome. Thanks!
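
The triage described in the post (which PID is talking, and to what kind of address) can be scripted; the following is an added example, not part of the original post. It assumes the text of Windows `netstat -ano` as input, and the sample lines, addresses and PIDs are constructed; `classify` and `external_by_pid` are hypothetical helper names.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of Windows `netstat -ano` output. Documentation-range
# addresses stand in for public hosts; PIDs and ports are made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    192.168.1.64:49201     203.0.113.10:443       ESTABLISHED     1104
  TCP    192.168.1.64:49202     192.168.1.254:80       ESTABLISHED     1104
  TCP    [fe80::1c2d%11]:49301  [fe80::9a1%11]:445     ESTABLISHED     4
  TCP    [2001:db8::64]:49302   [2001:db8:1::10]:443   ESTABLISHED     2210
  UDP    0.0.0.0:5355           *:*                                    1104
"""

# RFC 1918 and IPv6 unique-local ranges: traffic that stays on the home LAN.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def classify(host):
    """Label an address: none, loopback, multicast, link-local, private, external."""
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
    if host in ("", "*"):
        return "none"  # UDP listeners show *:* as the remote end
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:
        return "none"
    if ip.is_loopback:
        return "loopback"
    if ip.is_multicast:
        return "multicast"  # IPv4 224.0.0.0/4, IPv6 ff00::/8
    if ip.is_link_local:
        return "link-local"
    if any(ip in net for net in LAN_NETS):
        return "private"
    return "external"

def external_by_pid(netstat_text):
    """Map each PID to the set of off-LAN remote endpoints it is talking to."""
    found = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        remote, pid = fields[2], int(fields[-1])
        host, _, _port = remote.rpartition(":")
        if classify(host) == "external":
            found[pid].add(remote)
    return dict(found)
```

Pass the saved text of `netstat -ano` to `external_by_pid` to see which PIDs reach off-LAN hosts. For an svchost PID, `tasklist /svc` lists the services hosted in that process.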

