How to Detect Mouse Jigglers and Activity-Mimicking Tools in ActivTrak

Workforce analytics can be skewed when activity-mimicking tools like mouse jigglers are used to imitate active work sessions through fake keyboard or mouse interactions. Whether these fake interactions are created by software apps or hardware devices, ActivTrak has built-in detection tools to help you identify them.

Review the steps below or watch an on-demand webcast tutorial.

Automatic Detection

ActivTrak can identify and alert you to potential mouse jiggler and activity mimicking activity via two automatic detection features:

1. A list of known applications and other tools.

Our team constantly catalogs and updates the list of known activity-mimicking tools that can be automatically detected in ActivTrak. Once detected, an entry is created in the Activity Log labeled POTENTIAL FALSE ACTIVITY, as reflected in the screenshot below. The recorded activity time, however, does not automatically change from Active to Passive. Please note you will need to use the filter in the top left of the Activity Log to sort by "Computer" to see the POTENTIAL FALSE ACTIVITY entry as it will not be present if filtered by "User".

Availability: Windows and macOS Agents version 8.2.16 and later

Note: If you would like to request a new tool be added to our list of known activity-mimicking tools, please reach out to Support.

Image 11-1-23 at 10.04 AM.jpeg

Activity Log entry detail for detected mimicked activity

2. Regular interaction patterns.

ActivTrak can automatically recognize and flag software or hardware-based mimicked activity through interaction patterns consistent with the use of these tools. Once detected, ActivTrak will end the Active state of the activity and begin recording it as Passive Time in the Activity Log

Availability: Windows Agents version 8.2.16 and later

Note: Due to the ongoing evolution of these tools, some mimicked activities may not be detected.

 

Tip: To ensure Admins are immediately alerted of potential false activity and the detection of activity-mimicking tools in your account, create a new Alarm with the condition "Description Contains POTENTIAL FALSE ACTIVITY" or "Titlebar Contains POTENTIAL FALSE ACTIVITY" (if you have the Screen Details add-on).

Comparison of the two automatic detection features:

 
1. Known application
2. Input pattern
Agent version required

Windows 8.2.16+

macOS 8.2.16+

Windows 8.2.16 

Trigger

Software explicitly on ActivTrak watch list

Regular input patterns from hardware or software

Activity Log Title (requires SD addon)

"POTENTIAL FALSE ACTIVITY"

N/A

Activity Log Description

"POTENTIAL FALSE ACTIVITY artificial input app: [app name]"

N/A

Changes current activity state from Active to Passive?

No

Yes

Computer identified?

Yes

Yes

User identified?

No (unclear whether user or system/admin launched process)

Yes

 

Other Detection Methods

To strengthen the detection of activity-mimicking devices and software in your account, please consider these additional safeguards:

  • Create new alarms triggered by identified executables. An example of what the alarm conditions/triggers for activity-mimicking tool executables may look like is reflected in the screenshot below. Learn more.

jigglerKB.PNG

An example of Alarm conditions for an activity-mimicking executable

  • Create an activity duration alarm to help identify potentially suspicious scenarios that may not have been caught by our automatic detection features. For example, it is very rare to record single activities of more than 30 minutes to 1 hour that are uninterrupted. An example of what this condition may look like is included in the screenshot below. Note: The value is entered in seconds, so '1800' = 30 minutes.

jigglerKB2.PNG

Conditions of an activity duration alarm to detect potential mimicked activity

  • Adjust your Active Time Settings. Set a custom maximum time threshold for single activity reporting with ActivTrak’s Active Time Settings. The Active Time Setting defaults to 60 minutes but can be configured to any number between 30 and 120 minutes. To adjust your account’s Active Time maximum time threshold, navigate to Settings > Account Configuration and scroll to “Active Time Settings”. Update the time in minutes and click “Save” to apply changes. 

active time settings new.png

The Active Time Settings

Learn more:

Was this article helpful?

13 out of 16 found this helpful

Comments

No comments