How to tell if your computer has malware that's phoning home
One of the more reliable tells that a computer is infected is the network. Many malware families "phone home" — beaconing to a command-and-control (C2) server or quietly exfiltrating data — so an unexpected outbound connection can be a genuinely useful early signal. But a signal is not proof: normal software talks to servers worldwide, and some real infections leave no obvious network trace. Here's how to look at your own outbound traffic, what a red flag actually looks like, and what to do if you find one.
The honest short version
Watching your outbound connections is a smart habit — the built-in checks below cost nothing, and they can catch malware that a quick scan misses. Network behavior is one indicator of compromise, not a verdict.
NetGlobe is used in the examples below because it makes those connections easy to see, geolocate, and inspect. It is a visibility and diagnostics tool — it is not antivirus, it does not block traffic, and it does not remove malware. Think of it as the lens that helps you spot something worth acting on.
Network red flags.
No single item below proves an infection. It's the combination — an odd connection plus an odd process plus a threat-feed hit — that should get your attention.
Where and how it's connecting
- Connections to countries or networks you have no reason to be talking to.
- Endpoints that match a threat-intel feed — FireHOL, Spamhaus DROP/EDROP, ThreatFox — or a Tor exit node.
- Beaconing — the same destination hit at regular, repeated intervals even when you're idle.
What's doing the connecting
- An unsigned or unknown process making network calls, especially from a temp or download folder.
- A connection launched by something that shouldn't be online — a document, a script, or an installer that already finished.
- A process with a low trust score — no code-signing, an odd parent process, or a brand-new file in an unusual location.
How to check, step by step.
Start with the free tools already on your computer — they cost nothing and are a good habit. Then, if you want the same picture faster and in plain language, NetGlobe does the mapping, lookups, and threat-feed checks for you.
See who's connected out with netstat
Open Command Prompt or PowerShell and list every active connection together with the process ID (PID) that owns it:
netstat -ano :: all connections + owning PID
netstat -ano | findstr ESTABLISHED :: only live outbound sessions
Note the foreign address and the PID in the last column of anything you don't recognize.
Map each PID to a real program
Open Task Manager, go to the Details tab, and match the PID column to a name. If a PID belongs to something you can't explain — or to a process running from a temp folder — that's your candidate to investigate.
List open connections with lsof
Open Terminal and list the processes that currently have network connections open:
lsof -i -P # processes with open sockets, numeric ports
lsof -i TCP -s TCP:ESTABLISHED # only established TCP sessions
Cross-reference with the Network tab in Activity Monitor to see which apps are sending and receiving data.
Watch it live in NetGlobe
Open NetGlobe and your outbound connections appear geolocated on a live map and 3D globe. Instead of reading raw IPs, you see where traffic is actually going — so a connection to a country you've never dealt with jumps out immediately.
Click a suspicious connection and read the evidence
Selecting a connection opens the Endpoint Focus panel: the process behind it and its trust score (code-signing, parent process, file age and location), the network owner via WHOIS/RDAP, the TLS certificate, reverse DNS, and any hits across FireHOL, Spamhaus, ThreatFox, or the Tor exit list. That's usually enough to tell "unfamiliar but fine" from "worth acting on."
You found strong signs. Now what?
If several red flags line up — an unknown, unsigned process beaconing to a known-bad address, say — treat it as a possible infection and act calmly. Seeing the problem is not the same as fixing it, and this is the point where NetGlobe's job ends and real remediation begins.
A sensible order of operations
1. Disconnect from the network. Turn off Wi-Fi or pull the cable to stop any exfiltration or C2 traffic while you work.
2. Run a reputable antivirus / anti-malware scan. Use a well-known security product to detect and remove the infection. This is the step that actually cleans the machine — NetGlobe does not.
3. Change important passwords from a different, clean device. Don't reset credentials on a machine you suspect is compromised; use your phone or another computer, and enable two-factor authentication where you can.
4. Get professional help if the stakes are high. For a work device, or anything holding financial or sensitive data, involve IT or a security professional — and in some cases a clean reinstall is the safest path.
To be completely clear: NetGlobe is not a replacement for antivirus. It helps you see and diagnose what your computer is doing on the network so you can catch something early and understand it — but detection and removal of malware is the job of dedicated security software.
Malware & network — FAQ
Can NetGlobe detect malware?
NetGlobe is not antivirus and it doesn't scan files for signatures. What it does is surface suspicious network behavior — every outbound connection geolocated in real time, a trust score for the process behind it, and matches against threat-intel feeds like FireHOL, Spamhaus DROP/EDROP, ThreatFox, and the Tor exit list. That can help you spot a connection worth worrying about, but a network sign is one clue, not a diagnosis. Confirm and remove with a reputable scanner.
What does it mean if my computer connects to a strange IP?
Usually nothing bad. Apps, operating systems, CDNs, and cloud services talk to servers worldwide, so an unfamiliar IP or country is common. It becomes a red flag when it lines up with other signs — an unsigned or unknown process, a document or script opening a connection, regular beaconing, or a match against a known-bad range or Tor exit. NetGlobe helps you tell those apart by showing the process, network owner, and any threat-feed hits behind each connection.
Does NetGlobe remove viruses?
No. NetGlobe does not remove viruses or malware, and it does not block connections. It's a visibility and diagnostics tool that helps you see and understand what your computer is doing on the network. To actually remove an infection, run a reputable antivirus or anti-malware product — and consider professional help if the machine holds sensitive data.
Is NetGlobe antivirus?
No. NetGlobe is real-time network intelligence and diagnostics, not antivirus. It complements security software rather than replacing it: keep your antivirus for detection and removal, and use NetGlobe to see, geolocate, and inspect the connections your machine is making.
How much is NetGlobe?
NetGlobe is a one-time $18.99 purchase on both platforms — on the Microsoft Store for Windows and as a direct download for Mac. There's no subscription, no account, and no telemetry; it runs entirely on your device.
This guide is for informational purposes and does not guarantee detection or removal of any malware. NetGlobe is a network-visibility and diagnostics tool, not antivirus, and is not a substitute for dedicated security software or professional incident response. Built-in tools such as netstat, lsof, Task Manager, and Activity Monitor are provided by Microsoft and Apple respectively.
Related
See what your computer is really talking to.
Spot suspicious outbound connections in real time — geolocated, threat-checked, and traced back to the process. A one-time $18.99 on the Microsoft Store for Windows, or a direct download for Mac.
No account. Runs entirely on your device. See the full feature list or the FAQ.