You can use the Kill remediation action on a process; it terminates all instances of the selected CLIs for that process, together with their associated network connections. The Kill action applies to all behaviors for the corresponding process and selected CLIs in Protected Mode. You can trigger the Kill remediation action either manually, one time, on a specific CLI, or automatically on processes that trigger critical alerts. AppDefense finds all instances of the CLI, Process Hash, and Process Path combination on the specified VM and kills all of them. This feature is supported only on version 188.8.131.52 or later of the AppDefense Appliance, AppDefense Guest Module, and AppDefense Host Module. If any of these components is not at version 184.108.40.206 or later, you get a Version incompatible error message.
Kill Process Using Blacklist
Blacklisted processes are processes you never want added to the allowed behaviors. Process Blacklisting occurs at the organization level, so the rules are applied to all service members. Blacklisting prevents the hash from being learned and ensures that the process always appears with the Critical severity. If automatic remediation is set to Kill, that process, with its Critical severity, is killed automatically every time it executes.
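The two rules above, that a Kill targets every instance of the same CLI, Process Hash, and Process Path combination on one VM, and that a blacklisted hash is never learned and always classifies as Critical, can be modelled in a few lines. The following is an added, illustrative model written for this page; it is not AppDefense code, and the process records, hash strings, VM names and the `AppDefenseModel` class are all constructed for the example. It treats any non-blacklisted, non-learned process as "unknown" rather than reproducing the real alert classification engine.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# A running process as the remediation logic sees it. Field values in the
# demo below are constructed; the hash strings are not real digests.
@dataclass(frozen=True)
class Process:
    pid: int
    cli: str      # full command line
    sha256: str   # hash of the executable image
    path: str     # on-disk path of the executable
    vm: str       # VM the process runs on

Triple = Tuple[str, str, str]  # (cli, hash, path) identifies a behavior


@dataclass
class AppDefenseModel:
    """Hypothetical model of blacklist + Kill remediation (not vendor code)."""
    blacklist: Set[str]                       # organization-wide hashes
    auto_remediation: str = "alert"           # "alert" or "kill"
    allowed: Set[Triple] = field(default_factory=set)  # learned behaviors
    killed: List[int] = field(default_factory=list)    # PIDs terminated

    def classify(self, p: Process) -> str:
        # A blacklisted hash is always Critical, regardless of CLI or path.
        if p.sha256 in self.blacklist:
            return "critical"
        if (p.cli, p.sha256, p.path) in self.allowed:
            return "allowed"
        return "unknown"  # real product: alert classification engine decides

    def learn(self, p: Process) -> bool:
        # Blacklisting prevents the hash from ever being learned as allowed.
        if p.sha256 in self.blacklist:
            return False
        self.allowed.add((p.cli, p.sha256, p.path))
        return True

    def kill(self, target: Process, running: List[Process]) -> List[Process]:
        # Kill every instance on the same VM whose (cli, hash, path) matches,
        # not just the PID that raised the alert. Returns the survivors.
        key = (target.cli, target.sha256, target.path, target.vm)
        victims = [p for p in running
                   if (p.cli, p.sha256, p.path, p.vm) == key]
        self.killed.extend(v.pid for v in victims)
        return [p for p in running if p not in victims]

    def on_execute(self, p: Process, running: List[Process]):
        # Kill happens after execution: the process is already in `running`.
        severity = self.classify(p)
        if severity == "critical" and self.auto_remediation == "kill":
            return severity, self.kill(p, running)
        return severity, running


def demo():
    """Constructed scenario: one blacklisted hash on two VMs."""
    m = AppDefenseModel(blacklist={"constructed-hash-bad"},
                        auto_remediation="kill")
    a1 = Process(101, "tool.exe --x", "constructed-hash-bad", "C:\\tool.exe", "vm-a")
    a2 = Process(102, "tool.exe --x", "constructed-hash-bad", "C:\\tool.exe", "vm-a")
    b1 = Process(201, "tool.exe --x", "constructed-hash-bad", "C:\\tool.exe", "vm-b")
    svc = Process(300, "svc.exe", "constructed-hash-good", "C:\\svc.exe", "vm-a")
    severity, remaining = m.on_execute(a1, [a1, a2, b1, svc])
    return severity, sorted(m.killed), [p.pid for p in remaining]


if __name__ == "__main__":
    print(demo())  # both vm-a instances killed; vm-b and svc.exe untouched
```

The `kill` method scopes the match to the VM of the alerting process because the page states that instances are found "on the specified VM"; the same triple running on another VM is left alone until it raises its own alert there.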
Remediation Action: Kill Versus Block
| Kill Action | Block Action |
|---|---|
| Kill action terminates the process after the process has executed. | Block action prevents the process from executing, so blocking happens before execution of a process. |
| AppDefense uses the alert classification engine to determine when a process that is being executed can be killed automatically. | Block action does not use the AppDefense alert classification engine. |
| Kill action occurs over multiple connections. After detecting the unique CLI, Hash, and Path combination, the Kill remediation action terminates the entire CLI execution. | Block action occurs per connection. |
| Any user role can trigger the Kill remediation action. No special permissions are required. | Any user role can trigger the Block remediation action. No special permissions are required. |
| The Kill action can be triggered manually. | The Block action can only be triggered as an automatic remediation. |