Netstat (Network Statistics)
Netstat (Network Statistics) is a Command Prompt command that launches NETSTAT.EXE, a TCP/IP utility found in the Windows operating system. Netstat displays all kinds of data related to network connections. In order to obtain some specific data, you can use Switches along with the netstat command in Command Prompt. These Switches can be used either one at a time, or in a combination with other switches to get desired information in one go.
Syntax: netstat –switchname(s)
One of the benefits of using Netstat is its ability to identify which programs are connected to the Internet, and transferring data. You can identify such programs by using the –b switch with the netstat command.
How to Detect Malware (Viruses) Using Netstat in Windows
Step 1: Press Windows + X keys together to open the Windows Super User Menu. Click on the Command Prompt (Admin) option to open Command Prompt with Administrative privileges.
Step 2: In the Command Prompt window, type netstat followed by a switch name. In this example, we’ll use –b. Press the Enter key. The switch –b displays the executable involved in creating each connection or listening port.
Step 3: The netstat command displays the Active Connections on your system.
The data is presented in four columns – Proto, Local Address, Foreign Address, and Status.
Proto – Displays the Network Connection Protocol.
Local Address – Displays the Address of the User’s Computer.
Foreign Address – Displays the Address of the IP Address the User’s Computer is Connected to.
Status – Displays the Current Status of the Network Connection.
There are two processes with ESTABLISHED connection here:
- WpnService
- exe
Let’s find out about them.
In order to find more information about the processes that are connected to the Internet, we need to get their PID (Process Identifier). To display the PID along with the information that we currently have, we will rerun the netstat command, but this time using a combination of two strings – b and o. The switch –o displays the PID (Process Identifier) associated with each network connection.
Step 4: In the Command Prompt window, type netstat –bo, and then press Enter.
Step 5: Now, we have a fifth column called PID as well.
Step 6: Right-click on the Taskbar, and click Task Manager.
Step 7: The PID column is hidden by default in the Windows Task Manager. Right-click on the Information bar, and click on PID to show it as a column in Task Manager.
Step 8: Sort the processes by PID.
Step 9: Now, here you can easily locate the process through its PID.
The WpnService process is Service Host: Windows Push Notifications.
The avp.exe process is Kaspersky Anti-Virus.
So, you can see how we can find out about the processes that are currently connected to the internet. If you see a program name that does not look like a familiar, you can easily track and, and block or remove it.
This way, we can detect and block malware (viruses) using the netstat command in Windows.