A Windows PC under a PDoS (Permanent Denial of Service) or DoS attack will typically show sudden, severe performance drops, network disconnections, system crashes, or firmware corruption that prevents the computer from booting up properly.
Syvir Endpoint cloud service will help monitor your endpoints for PDoS, Phlashing and DoS attacks.
Watch for these specific signs that your endpoint is under attack:
1. Primary Indicators of a PDoS (Permanent Attack) Unlike temporary floods, PDoS attacks aim to physically damage or permanently disable the device by targeting its firmware or storage:
Firmware Corruption: The PC fails to initialize or boot up properly after a reboot. "Bricked" Devices: The system becomes completely unresponsive and refuses to restart, even following a hard reset. Syvir :EndPoint AntiPhlashing technology monitors BIOS/UEFI for changes that may indicate a malicious overwriting of the firmware. It’s important to check if this update was planned, if not restore the firmware to its previous version. Do this before you re-boot the endpoint.
Unexpected Shutdowns: The computer powers down or crashes for no apparent reason.
Hardware Damage: Malware used in the attack may attempt to induce hardware failures or abnormal overheating. Syvir :EndPoints AntiPDoS technology monitors key metrics through Vector Phase Sensors.
Low Level Access (LLA) monitors Kernel usage in particular hardware I/O. A Permanent Denial of Service attack will invariably create a lot of LLA kernel use. The key metrics for this Vector Phase will see elevated values when either an Attack Vector or Pseudo Attack Vector (PAV).
SC Kernel monitors Kernel usage.
A Permanent Denial of Service attack will usually create a lot of kernel use. The returned value is system calls a second.
A very high value > 50000 per second indicates increased usage of hardware through the kernel.
The key metrics for this Vector Phase will see elevated values with either an Attack Vector or Pseudo Attack Vector.
2. General DoS and Botnet Attack Indicators If your endpoint is being flooded with traffic you will notice:
Severe Network Lag: Web pages load extremely slowly, or you completely lose internet connectivity. This may indicate a denial of service attack. Syvir :Endpoint monitors packets received by the endpoint, if this number is abnormally high, it may indicate a DoS attack. At this point the DoS alarm is set to DOWN.
Resource Depletion: Opening the Windows Task Manager reveals your CPU, memory, or network bandwidth is consistently maxed out, even when you have no open applications.
Syvir :Endpoint Vector Phase Sensor PQL will monitor for high processor queue lengths, while normal, may also indicate a PDoS or DoS attack.
Overactive Hard Drive: The hard drive or network adapter LED is continuously blinking or flashing, indicating massive amounts of background data processing.
Syvir EndPoint Vector Phase Sensor Disk Time (DT).
Disk Time (DT) Monitors the % use of the main drive of the endpoint. If this Vector Phase detects higher than average use of the drive it will automatically generate a process scan and possibly a hardware scan. The cloud service will update when a sensor is set to WARNING or DOWN.
These could be false positives where hardware has naturally broken down…
This may offer some degree of a notification when a virus is trying to encrypt a hard drive.
The LLA, DT and SCK vector phases act every minute and can trigger a Process scan.
Often hardware issues will manifest over a short period of time.
Typically, hardware scans are triggered by 5-minute vector phases, these are a combination of 1 minute vector phases.
After each alert generated by a Vector Phase Sensor Syvir:Endpoint scans the internal components of the endpoint to see if any diagnostic messages appear which indicate a hardware problem.
What to do next If your system is already bricked or looping during the boot sequence, you may need to perform a physical Factory Reset or reflash the motherboard's BIOS. To check your system for lingering network-based threats, run a full system scan using the built-in Microsoft Malicious Software Removal Tool (MRT).