Skip to main content

Threats

The Threats tab runs an on-demand, read-only heuristic scan that scores each running process for signs of attack, data theft, persistence or coin-mining. It weighs process metadata, command line, network connections, the Authenticode signature and autostart entries into a 0–100 risk score with per-rule findings.

It flags, it never kills

A high score is a prompt to investigate, not proof of malware. Heuristics produce false positives — a legitimate tool can trip several rules. Nothing here terminates a process; use the Processes tab if you decide to act.

Press Scan threats (or Tools › Scan Threats) to run it. Results are sorted by score, highest first.

Columns

ColumnMeaning
PIDProcess id
ProcessProcess name
RiskSeverity band derived from the score — Critical · High · Medium · Low
ScoreWeighted risk score, 0–100
Signaturesigned · trusted-dir · unsigned · unknown
NetworkExternal connections · ⚠ suspicious ports · listeners
FindingsThe heuristic rules this process tripped
PathExecutable path

What the heuristics look at

  • Location — executables running from Temp, Downloads or other unusual directories.
  • Masquerading — a name that mimics a system binary from the wrong path.
  • Encoded / obfuscated command lines — e.g. base64-encoded PowerShell.
  • Command-and-control ports — connections or listeners on ports commonly used by malware.
  • Persistence — autostart (Run/RunOnce) registration.
  • Mining — patterns associated with coin-miners.
  • Signature — unsigned binaries outside trusted directories weigh higher.

Working with results

  • Filter to focus (e.g. critical, a PID, or a rule keyword).
  • Right-click → Copy findings to copy a formatted summary of a row (PID, name, score, risk and each rule it tripped) — handy for a report or an issue.
  • Right-click → Open in Explorer to locate the executable.

Reading the score

BandRough meaning
CriticalMultiple strong indicators — investigate first
HighSeveral indicators or one strong one
MediumWorth a look; often benign
LowMinor signal; usually noise

Investigate before acting. Cross-check the executable path, the signature and the findings against what you expect that program to do.