Threats
The Threats tab runs an on-demand, read-only heuristic scan that scores each running process for signs of attack, data theft, persistence or coin-mining. It weighs process metadata, command line, network connections, the Authenticode signature and autostart entries into a 0–100 risk score with per-rule findings.
A high score is a prompt to investigate, not proof of malware. Heuristics produce false positives — a legitimate tool can trip several rules. Nothing here terminates a process; use the Processes tab if you decide to act.
Press Scan threats (or Tools › Scan Threats) to run it. Results are sorted by score, highest first.
Columns
| Column | Meaning |
|---|---|
| PID | Process id |
| Process | Process name |
| Risk | Severity band derived from the score — Critical · High · Medium · Low |
| Score | Weighted risk score, 0–100 |
| Signature | signed · trusted-dir · unsigned · unknown |
| Network | External connections · ⚠ suspicious ports · listeners |
| Findings | The heuristic rules this process tripped |
| Path | Executable path |
What the heuristics look at
- Location — executables running from Temp, Downloads or other unusual directories.
- Masquerading — a name that mimics a system binary from the wrong path.
- Encoded / obfuscated command lines — e.g. base64-encoded PowerShell.
- Command-and-control ports — connections or listeners on ports commonly used by malware.
- Persistence — autostart (Run/RunOnce) registration.
- Mining — patterns associated with coin-miners.
- Signature — unsigned binaries outside trusted directories weigh higher.
Working with results
- Filter to focus (e.g.
critical, a PID, or a rule keyword). - Right-click → Copy findings to copy a formatted summary of a row (PID, name, score, risk and each rule it tripped) — handy for a report or an issue.
- Right-click → Open in Explorer to locate the executable.
Reading the score
| Band | Rough meaning |
|---|---|
| Critical | Multiple strong indicators — investigate first |
| High | Several indicators or one strong one |
| Medium | Worth a look; often benign |
| Low | Minor signal; usually noise |
Investigate before acting. Cross-check the executable path, the signature and the findings against what you expect that program to do.