Registering a scheduled task is a popular persistence technique that keeps malware active, for a number of reasons:
1. The creation/deletion of scheduled tasks is often not monitored
2. Malicious scheduled tasks may blend in with other legitimate tasks, due to the large number of scheduled tasks installed on modern Windows systems
3. Scheduled tasks can be scheduled to run at regular intervals, not just during a reboot
4. Regular users can create (limited) scheduled tasks
EventSentry Benefits
Task Scheduler Monitoring

Scheduled tasks can be monitored by both Windows and EventSentry, making it possible to detect suspicious changes in near real-time. EventSentry supports comprehensive monitoring of scheduled tasks:
•The creation, deletion or change of any scheduled task can be logged to the event log, generating an alert
•A complete inventory of all scheduled tasks can be viewed in the Web Reports
•A history of all scheduled task changes is available in the Web Reports
Alert fatigue is a concern, however: malware usually gives its tasks innocuous-looking names in order to blend in with legitimate tasks and avoid detection, so the task name alone is not a reliable indicator. Names commonly used include:
•SystemUpdate
•AdobeUpdate
•JavaUpdate
•WindowsDefender
•TaskScheduler
•TaskHost
•UpdateService
•GoogleUpdate
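The following PowerShell script is an added example and is not EventSentry's code. It shows both checks described above: it inventories scheduled tasks whose names match the look-alike list, but only flags a task as suspicious when its executable is unsigned, missing, or runs from a scratch directory (so a legitimate vendor updater that happens to share a prefix does not raise an alert), and it reads the Windows Security-log task events (4698 task created, 4699 task deleted, 4702 task updated). The scratch-directory list is an assumption to adapt to your environment, and the Security events are only written when the "Audit Other Object Access Events" audit policy is enabled, which is not the default.

```powershell
# Added example, not part of EventSentry. Run in an elevated PowerShell 5.1+ session.

# Look-alike names from the list above; a legitimate task may share a prefix
# (e.g. Google's own "GoogleUpdateTaskMachineCore..."), so the name is only a first filter.
$LookAlikeNames = @('SystemUpdate', 'AdobeUpdate', 'JavaUpdate', 'WindowsDefender',
                    'TaskScheduler', 'TaskHost', 'UpdateService', 'GoogleUpdate')

# Assumption: locations a vendor updater would never legitimately run from.
$SuspiciousRoots = @($env:TEMP, "$env:SystemRoot\Temp", $env:PUBLIC,
                     "$env:ProgramData\Temp", $env:APPDATA, "$env:LOCALAPPDATA\Temp")

function Get-TaskExecutable {
    # Returns the expanded executable path of a task's first Exec action, or $null.
    param($Task)
    $exec = $Task.Actions | Where-Object { $_.Execute } | Select-Object -First 1
    if (-not $exec) { return $null }
    $path = [Environment]::ExpandEnvironmentVariables($exec.Execute.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($path)) {
        # Bare names such as "powershell.exe" resolve through PATH
        $cmd = Get-Command $path -ErrorAction SilentlyContinue
        if ($cmd) { $path = $cmd.Source }
    }
    return $path
}

function Find-LookAlikeTasks {
    # Reports every task whose name matches a look-alike pattern; Suspicious is only
    # set when the binary is unsigned, missing, or lives in a scratch directory.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $nameHit = $LookAlikeNames | Where-Object { $task.TaskName -like "$_*" } | Select-Object -First 1
        if (-not $nameHit) { return }

        $exe = Get-TaskExecutable $task
        $reasons = @()
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $reasons += "unsigned binary ($($sig.Status))" }
            foreach ($root in $SuspiciousRoots) {
                if ($root -and $exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $reasons += "runs from $root"; break
                }
            }
        } elseif ($exe) {
            $reasons += 'executable not found on disk'
        }

        [pscustomobject]@{
            TaskPath   = $task.TaskPath
            TaskName   = $task.TaskName
            Matched    = $nameHit
            RunAs      = $task.Principal.UserId
            Executable = $exe
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

function Get-TaskChangeEvents {
    # Task creation/deletion/update events from the Security log. Assumes the
    # "Audit Other Object Access Events" policy is enabled; otherwise nothing is returned.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4698, 4699, 4702; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # TaskContent carries the task definition XML, including the command that will run
        $command = $null
        try { $command = ([xml]$data['TaskContent']).Task.Actions.Exec.Command } catch {}
        $change = switch ($_.Id) { 4698 { 'created' } 4699 { 'deleted' } 4702 { 'updated' } }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Change   = $change
            TaskName = $data['TaskName']
            By       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Command  = $command
        }
    }
}

Find-LookAlikeTasks | Where-Object Suspicious | Format-Table -AutoSize
Get-TaskChangeEvents -Hours 24 | Format-Table -AutoSize
```

Running the inventory once and keeping the output as a baseline makes later diffs cheap, and alerting only on `Suspicious` rows rather than on every name match is what keeps the alert volume manageable. If the Security audit policy cannot be changed, the Microsoft-Windows-TaskScheduler/Operational log records the same lifecycle (106 registered, 140 updated, 141 deleted) once that log is enabled.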