2022-09-24 15:12:23 +00:00
|
|
|
SELECT
|
|
|
|
|
p.name,
|
|
|
|
|
p.path,
|
2022-09-29 19:42:27 +00:00
|
|
|
p.pid,
|
2022-09-24 15:12:23 +00:00
|
|
|
p.cmdline,
|
|
|
|
|
p.on_disk,
|
|
|
|
|
p.parent,
|
|
|
|
|
p.start_time,
|
|
|
|
|
hash.sha256,
|
|
|
|
|
p.disk_bytes_written,
|
|
|
|
|
p.cwd,
|
2022-10-03 20:27:56 +00:00
|
|
|
(strftime("%s", "now") - start_time) AS age,
|
|
|
|
|
disk_bytes_written / (strftime("%s", "now") - start_time) AS bytes_per_second
|
2022-09-24 15:12:23 +00:00
|
|
|
FROM
|
|
|
|
|
processes p
|
|
|
|
|
LEFT JOIN hash ON p.path = hash.path
|
|
|
|
|
WHERE
|
|
|
|
|
bytes_per_second > 2000000
|
|
|
|
|
AND age > 120
|
2022-10-03 20:27:56 +00:00
|
|
|
AND pid > 2
|
2022-09-24 15:12:23 +00:00
|
|
|
AND p.path NOT IN (
|
2022-10-03 20:27:56 +00:00
|
|
|
"/bin/bash",
|
|
|
|
|
"/usr/bin/aptd",
|
|
|
|
|
"/usr/bin/bash",
|
|
|
|
|
"/usr/bin/bwrap",
|
|
|
|
|
"/usr/bin/curl",
|
|
|
|
|
"/usr/bin/fish",
|
|
|
|
|
"/usr/bin/gnome-shell",
|
|
|
|
|
"/usr/bin/qemu-system-x86_64",
|
|
|
|
|
"/usr/bin/yay",
|
|
|
|
|
"/usr/bin/zsh",
|
|
|
|
|
"/usr/lib/flatpak-system-helper",
|
|
|
|
|
"/usr/lib/systemd/systemd-journald",
|
|
|
|
|
"/usr/lib/systemd/systemd",
|
|
|
|
|
"/usr/lib64/thunderbird/thunderbird",
|
|
|
|
|
"/usr/libexec/coreduetd",
|
|
|
|
|
"/usr/libexec/coreduetd",
|
|
|
|
|
"/usr/libexec/packagekitd",
|
|
|
|
|
"/usr/libexec/rosetta/oahd",
|
|
|
|
|
"/usr/libexec/secd",
|
|
|
|
|
"/usr/libexec/sharingd",
|
|
|
|
|
"/usr/sbin/screencapture"
|
2022-09-24 15:12:23 +00:00
|
|
|
)
|
|
|
|
|
AND NOT (
|
|
|
|
|
name LIKE "jbd%/dm-%"
|
|
|
|
|
AND on_disk = -1
|
|
|
|
|
)
|
|
|
|
|
AND NOT (
|
2022-10-03 20:27:56 +00:00
|
|
|
name = "bindfs"
|
|
|
|
|
AND cmdline LIKE "bindfs -f -o fsname=%"
|
2022-09-24 15:12:23 +00:00
|
|
|
)
|
|
|
|
|
AND NOT (
|
2022-10-03 20:27:56 +00:00
|
|
|
name = "btrfs-transaction"
|
2022-09-24 15:12:23 +00:00
|
|
|
AND on_disk = -1
|
|
|
|
|
)
|
|
|
|
|
AND NOT (
|
2022-10-03 20:27:56 +00:00
|
|
|
name = "kernel_task"
|
|
|
|
|
AND p.path = ""
|
2022-09-24 15:12:23 +00:00
|
|
|
AND parent IN (0, 1)
|
|
|
|
|
AND on_disk = -1
|
|
|
|
|
)
|
|
|
|
|
AND NOT (
|
2022-10-03 20:27:56 +00:00
|
|
|
name = "launchd"
|
|
|
|
|
AND p.path = "/sbin/launchd"
|
2022-09-24 15:12:23 +00:00
|
|
|
AND parent = 0
|
|
|
|
|
)
|
|
|
|
|
AND NOT (
|
2022-10-03 20:27:56 +00:00
|
|
|
name = "logd"
|
|
|
|
|
AND cmdline = "/usr/libexec/logd"
|
2022-09-24 15:12:23 +00:00
|
|
|
AND parent = 1
|
2022-09-29 19:42:27 +00:00
|
|
|
)
|
2022-10-12 01:53:36 +00:00
|
|
|
AND NOT (
|
2022-10-03 20:27:56 +00:00
|
|
|
name = "aptd"
|
|
|
|
|
AND cmdline = "/usr/bin/python3 /usr/sbin/aptd"
|
2022-09-24 15:12:23 +00:00
|
|
|
)
|
|
|
|
|
AND NOT name IN (
|
2022-10-03 20:27:56 +00:00
|
|
|
"chrome",
|
|
|
|
|
"com.apple.MobileSoftwareUpdate.UpdateBrainService",
|
|
|
|
|
"containerd",
|
|
|
|
|
"esbuild",
|
|
|
|
|
"firefox",
|
|
|
|
|
"go",
|
|
|
|
|
"goland",
|
|
|
|
|
"java",
|
|
|
|
|
"launcher",
|
|
|
|
|
"gopls",
|
|
|
|
|
"jetbrains-toolb",
|
|
|
|
|
"slack",
|
|
|
|
|
"slack",
|
|
|
|
|
"wineserver"
|
2022-09-24 15:12:23 +00:00
|
|
|
)
|
2022-10-03 20:27:56 +00:00
|
|
|
AND p.path NOT LIKE "/Applications/%.app/Contents/%"
|
|
|
|
|
AND p.path NOT LIKE "/home/%/.local/share/Steam"
|
|
|
|
|
AND p.path NOT LIKE "/nix/store/%/bin/%sh"
|
|
|
|
|
AND p.path NOT LIKE "/nix/store/%/bin/nix"
|
|
|
|
|
AND p.path NOT LIKE "/System/Applications/%"
|
|
|
|
|
AND p.path NOT LIKE "/System/Library/%"
|
|
|
|
|
AND p.path NOT LIKE "/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd"
|
2022-10-12 01:53:36 +00:00
|
|
|
AND p.path NOT LIKE "/nix/store/%kolide-launcher-%/bin/launcher"
|
