Process Analysis
The Process Analysis module is a component of BitNinja's security stack that monitors and inspects running processes on a server to detect suspicious activity, malicious scripts, and anomalous execution behavior. It is a behavioral monitoring layer that complements signature-based and file-based malware detection: a payload that has been renamed or obfuscated to evade a file scan still has to execute, and that execution is what this module observes.
Enable:
bitninjacli --module=ProcessAnalysis --enabled
Disable:
bitninjacli --module=ProcessAnalysis --disabled
Overview
The module analyzes process execution patterns in real time and flags abnormal or potentially malicious operations.
Main goals:
- Identify malware execution patterns even if the files have been obfuscated or renamed.
- Detect PHP CLI misuse (e.g. php -r inline code execution).
- Catch binary payload executions.
- Support exclusions for trusted processes and users to reduce false positives.
- Allow configuration through CloudConfig for centralized control.
Logs
The logs can be located under the following path:
/var/log/bitninja-process-analysis/process_analysis.log
Configuration File
The configuration file can be found at:
/etc/bitninja/ProcessAnalysis/config.ini
Default configuration example. Note that the defaults ship with module_enabled=0, so the module is off until it is switched on with the bitninjacli command above. The excluded_commands entries are patterns matched against the command line (the defaults use regular-expression syntax such as .*), excluded_users lists Unix users whose processes are skipped entirely, and process_names lists the interpreter binaries the module watches (PHP CLI, CGI and lsphp builds in the cPanel, Plesk, LiteSpeed and plain-distro layouts, plus cPanel's bundled perl). Every entry in excluded_users is a blind spot: with the defaults, anything executing as root is not analyzed, so keep that list to the accounts that genuinely need it.
[core]
excluded_commands[]='magento .*cron:run'
excluded_commands[]='php.*artisan '
excluded_commands[]='wp-cron.php'
excluded_commands[]='wp-toolkit/plib/vendor/wp-cli/wpt-wp-cli.php'
excluded_users[]='bitninja'
excluded_users[]='psaadm'
excluded_users[]='root'
excluded_users[]='wp-toolkit'
is_enabled_auditd=1
module_enabled=0
process_names[]='/bin/php'
process_names[]='/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php54/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php54/root/usr/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php55/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php55/root/usr/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php56/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php56/root/usr/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php70/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php70/root/usr/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php71/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php71/root/usr/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php72/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php72/root/usr/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php73/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php73/root/usr/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php74/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php74/root/usr/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php80/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php80/root/usr/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php81/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php81/root/usr/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php82/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php82/root/usr/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php83/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php83/root/usr/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php84/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php84/root/usr/bin/php-cgi'
process_names[]='/opt/plesk/php/5.3/bin/php'
process_names[]='/opt/plesk/php/5.4/bin/php'
process_names[]='/opt/plesk/php/5.5/bin/php'
process_names[]='/opt/plesk/php/5.6/bin/php'
process_names[]='/opt/plesk/php/7.0/bin/php'
process_names[]='/opt/plesk/php/7.1/bin/php'
process_names[]='/opt/plesk/php/7.2/bin/php'
process_names[]='/opt/plesk/php/7.3/bin/php'
process_names[]='/opt/plesk/php/7.4/bin/php'
process_names[]='/opt/plesk/php/8.0/bin/php'
process_names[]='/opt/plesk/php/8.1/bin/php'
process_names[]='/opt/plesk/php/8.2/bin/php'
process_names[]='/opt/plesk/php/8.3/bin/php'
process_names[]='/opt/plesk/php/8.4/bin/php'
process_names[]='/usr/bin/lsphp'
process_names[]='/usr/bin/php'
process_names[]='/usr/bin/php-cgi'
process_names[]='/usr/bin/php5.3'
process_names[]='/usr/bin/php5.4'
process_names[]='/usr/bin/php5.5'
process_names[]='/usr/bin/php5.6'
process_names[]='/usr/bin/php7.0'
process_names[]='/usr/bin/php7.1'
process_names[]='/usr/bin/php7.2'
process_names[]='/usr/bin/php7.3'
process_names[]='/usr/bin/php7.4'
process_names[]='/usr/bin/php8.0'
process_names[]='/usr/bin/php8.1'
process_names[]='/usr/bin/php8.2'
process_names[]='/usr/bin/php8.3'
process_names[]='/usr/bin/php8.4'
process_names[]='/usr/local/bin/lsphp'
process_names[]='/usr/local/bin/php'
process_names[]='/usr/local/bin/php-cgi'
process_names[]='/usr/local/cpanel/3rdparty/perl/536/bin/perl'
process_names[]='/usr/local/lsws/lsphp53/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp54/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp55/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp56/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp70/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp71/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp72/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp73/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp74/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp80/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp81/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp82/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp83/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp84/bin/lsphp'
process_names[]='/usr/local/php5.3/bin/php'
process_names[]='/usr/local/php5.4/bin/php'
process_names[]='/usr/local/php5.5/bin/php'
process_names[]='/usr/local/php5.6/bin/php'
process_names[]='/usr/local/php7.0/bin/php'
process_names[]='/usr/local/php7.1/bin/php'
process_names[]='/usr/local/php7.2/bin/php'
process_names[]='/usr/local/php7.3/bin/php'
process_names[]='/usr/local/php7.4/bin/php'
process_names[]='/usr/local/php8.0/bin/php'
process_names[]='/usr/local/php8.1/bin/php'
process_names[]='/usr/local/php8.2/bin/php'
process_names[]='/usr/local/php8.3/bin/php'
process_names[]='/usr/local/php8.4/bin/php'
process_names[]='/usr/sbin/php'
process_names[]='/usr/sbin/php-cgi'
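As an added example (not BitNinja's own code), the following Python script parses a trimmed copy of the default config.ini above and shows how a process start event would be classified under one plausible reading of the settings: excluded_commands entries treated as unanchored regular expressions searched in the full command line, excluded_users and process_names matched exactly. Those matching semantics, the sample events, and the function names are assumptions, not documented behavior; the point is to see concretely what each exclusion does and does not cover.

```python
import re

# Constructed, trimmed copy of the default /etc/bitninja/ProcessAnalysis/config.ini
# shown above; the long process_names list is cut down to a few entries.
DEFAULT_CONFIG = """
[core]
excluded_commands[]='magento .*cron:run'
excluded_commands[]='php.*artisan '
excluded_commands[]='wp-cron.php'
excluded_commands[]='wp-toolkit/plib/vendor/wp-cli/wpt-wp-cli.php'
excluded_users[]='bitninja'
excluded_users[]='psaadm'
excluded_users[]='root'
excluded_users[]='wp-toolkit'
is_enabled_auditd=1
module_enabled=0
process_names[]='/usr/bin/php'
process_names[]='/usr/bin/php-cgi'
process_names[]='/usr/local/bin/php'
process_names[]='/usr/bin/lsphp'
"""


def parse_config(text):
    """Parse the PHP-style ini: key[]='v' appends to a list, key=v sets a scalar.
    Python's configparser rejects repeated key[] lines, hence the hand parser."""
    cfg = {"excluded_commands": [], "excluded_users": [], "process_names": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "[;#":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]  # drop the quotes but keep inner/trailing spaces
        if key.endswith("[]"):
            cfg.setdefault(key[:-2], []).append(value)
        else:
            cfg[key] = value
    return cfg


def classify(cfg, user, exe, cmdline):
    """Decide what the module would do with one process start event.
    ASSUMED semantics (not stated on the page): exe is matched exactly against
    process_names, user exactly against excluded_users, and each excluded_commands
    entry is an unanchored regular expression searched in the whole command line."""
    if exe not in cfg["process_names"]:
        return "not_monitored"
    if user in cfg["excluded_users"]:
        return "excluded_user"
    for pattern in cfg["excluded_commands"]:
        if re.search(pattern, cmdline):
            return "excluded_command"
    return "analyze"


# Constructed sample events in the shape (user, executable path, command line).
SAMPLE_EVENTS = [
    ("www-data", "/usr/bin/php", "/usr/bin/php -r 'eval(base64_decode($argv[1]));' aGk="),
    ("www-data", "/usr/bin/php", "/usr/bin/php /var/www/html/wp-cron.php"),
    ("root", "/usr/bin/php", "/usr/bin/php -r 'system(\"id\");'"),
    ("www-data", "/usr/bin/python3", "/usr/bin/python3 -c 'import os; os.system(\"id\")'"),
    # A trailing token that matches the loose 'wp-cron.php' pattern: under the
    # unanchored search assumed here, this inline payload would be skipped.
    ("www-data", "/usr/bin/php", "/usr/bin/php -r 'system(\"id\");' wp-cron.php"),
]


def run_samples(cfg=None):
    """Classify every sample event; returns a list of (user, verdict) pairs."""
    cfg = cfg or parse_config(DEFAULT_CONFIG)
    return [(user, classify(cfg, user, exe, cmd)) for user, exe, cmd in SAMPLE_EVENTS]


if __name__ == "__main__":
    for user, verdict in run_samples():
        print(f"{user:10} {verdict}")
```

Run it with python3 to print one verdict per sample event. The last event shows why exclusion patterns should be anchored to the expected invocation rather than written as bare substrings: a pattern like wp-cron.php also matches a command line that merely ends in that token. Whether BitNinja's own matcher is anchored is not stated on this page, so check before relying on a loose pattern, and keep excluded_users as short as possible since an excluded user is never analyzed at all.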