Disclaimer: BDS is owned by my son. https://www.binarydefense.com/vision/

Very small agent, maybe 40 MB RAM and <1 percent CPU as it runs. It sits on every box... servers and desktops. It watches for typical attacker behavior, connections to bad IPs, exe drops, pass the hash, lateral movement between boxes, event logs. It also builds little honeypots on all your boxes. Tons of stuff it does. If it triggers it phones home to his SOC where it is watched 24/7. They evaluate and then escalate to me. I believe it can also be run completely on-prem. It's very quiet, so when it yells, I listen.

So imagine it yelling at me last night about a couple of odd outbound connections and then I find notepad.exe running on all my servers. I was freaking out for a bit there.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
Sent: Wednesday, July 6, 2016 2:22 PM
To: ntsysadm
Subject: Re: [NTSysADM] Notepad suspended.

link?

My feeble attempts at search revealed entirely too much, none of it seemingly relevant.

Kurt

On Wed, Jul 6, 2016 at 10:44 AM, Kennedy, Jim <[email protected]> wrote:
> It's Vision, my on-box IDS system. It fires it up for certain secret things.
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Kurt Buff
> Sent: Wednesday, July 6, 2016 1:12 PM
> To: ntsysadm
> Subject: Re: [NTSysADM] Notepad suspended.
>
> Not on my machines.
>
> Running notepad in my server admin context, it shows as running, not
> suspended.
>
> Kurt
>
> On Wed, Jul 6, 2016 at 5:35 AM, Kennedy, Jim
> <[email protected]> wrote:
>> I am seeing Notepad.exe showing up on 2012 R2 servers in Task Manager
>> as 'suspended'. Even after a reboot and running as SYSTEM. I have
>> not noticed that before. Is that the norm?
>
>

