How to Detect Mouse Jigglers and Activity-Mimicking Tools in ActivTrak

Workforce analytics can be skewed when activity-mimicking tools like mouse jigglers are used to imitate active work sessions through fake keyboard or mouse interactions. Whether these fake interactions are created by software apps or hardware devices, ActivTrak has built-in detection tools to help you identify them.


Out-of-the-box alarms in the Alarm Configuration page

All ActivTrak paid plans have access to the out-of-the-box Potential Mouse Jigger or False Activity alarm. This pre-configured alarm is turned off by default. To enable it, visit the Alarms Configuration page (Alarms > Configuration) and toggle it on to be alerted to mouse jigglers or other activity-mimicking tool usage. Learn more about ActivTrak's out-of-the-box alarms here. Read the sections below to learn more about mouse jiggler and activity-mimicking detection.

Automatic Detection

ActivTrak can identify and alert you to potential mouse jiggler and activity mimicking activity via two automatic detection features:

1. A list of known applications and other tools.

Our team constantly catalogs and updates the list of known activity-mimicking tools that can be automatically detected in ActivTrak. Once detected, an entry is created in the Activity Log labeled POTENTIAL FALSE ACTIVITY, as reflected in the screenshot below. The recorded activity time, however, does not automatically change from Active to Passive. Please note you will need to use the filter in the top left of the Activity Log to sort by "Computer" to see the POTENTIAL FALSE ACTIVITY entry as it will not be present if filtered by "User".

Availability: Windows and macOS Agents version 8.2.16 and later

Note: If you would like to request a new tool be added to our list of known activity-mimicking tools, please reach out to Support.

Image 11-1-23 at 10.04 AM.jpeg

Activity Log entry detail for detected mimicked activity

2. Regular interaction patterns.

ActivTrak can automatically recognize and flag software or hardware-based mimicked activity through interaction patterns consistent with the use of these tools. Once detected, ActivTrak will end the Active state of the activity and begin recording it as Passive Time in the Activity Log. As of Windows Agent version 8.4.0, an entry labeled POTENTIAL FALSE ACTIVITY is generated in the Activity Log for this feature as well.

Availability: Windows Agents version 8.2.16 and later

Note: Due to the ongoing evolution of these tools, some mimicked activities may not be detected.


Tip: To ensure Admins are immediately alerted of potential false activity and the detection of activity-mimicking tools in your account, create a new Alarm with the condition "Description Contains artificial input".

Comparison of the two automatic detection features:

1. Known application
2. Input pattern
Agent version required

Windows 8.2.16+

macOS 8.2.16+

Windows 8.2.16 (Activity Log entry 8.4.0+)


Software explicitly on ActivTrak watch list

Regular input patterns from hardware or software

Activity Log Title (requires SD addon)



Activity Log Description

"POTENTIAL FALSE ACTIVITY artificial input app: [app name]"


Changes current activity state from Active to Passive?



Computer identified?



User identified?

No (unclear whether user or system/admin launched process)



Other Detection Methods

To strengthen the detection of activity-mimicking devices and software in your account, please consider these additional safeguards:

  • Create new alarms triggered by identified executables. An example of what the alarm conditions/triggers for activity-mimicking tool executables may look like is reflected in the screenshot below. Learn more.


An example of Alarm conditions for an activity-mimicking executable

  • Create an activity duration alarm to help identify potentially suspicious scenarios that may not have been caught by our automatic detection features. For example, it is very rare to record single activities of more than 30 minutes to 1 hour that are uninterrupted. An example of what this condition may look like is included in the screenshot below. Note: The value is entered in seconds, so '1800' = 30 minutes.


Conditions of an activity duration alarm to detect potential mimicked activity

  • Adjust your Active Time Settings. Set a custom maximum time threshold for single activity reporting with ActivTrak’s Active Time Settings. The Active Time Setting defaults to 60 minutes but can be configured to any number between 30 and 120 minutes. To adjust your account’s Active Time maximum time threshold, navigate to Settings > Account Configuration and scroll to “Active Time Settings”. Update the time in minutes and click “Save” to apply changes. 

active time settings new.png

The Active Time Settings

Learn more:

Was this article helpful?

13 out of 19 found this helpful


No comments