Terminating/Killing processes using Endpoint's Push Operation
Solution
After identifying a suspicious or malicious process running on an endpoint, you can terminate the process using SmartEndpoint.

Configuration

Use a Custom Push Operation with Type 108.

Operation parameters are specified as a JSON string:

{
   "name":"notepad.exe"
}

Notes:
  • If only name is set, the operation will try to kill the first process found with a matching name.
  • To kill all matching processes, set the killall parameter to "true":

    {
       "name":"notepad.exe",
       "killall":true
    }
  • To kill a specific process, specify its pid:

    {
       "name":"notepad.exe",
       "pid":12345
    }

Protected Processes

Processes that are monitored by Client Watchdog are protected and cannot be killed.

Installation adds the path to watchdog.xml under the key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint Security\DeviceAuxiliaryFramework as a ProtectedProcesses entry.

Before trying to terminate a process, its image path is searched for in watchdog.xml. If its image path is found, the process is treated as protected, and the operation is cancelled with a "Cannot kill protected process" error message.

Operation results

If all matching processes are successfully terminated, the operation status is set to "success". If at least one process could not be terminated, the operation status is set to "failed". The operation status may contain the following error descriptions:
  • "Failed to read operation parameters" - may indicate a failure to parse the Actions XML wrapping the operation parameters, a failure to read the JSON, or missing required parameters in the JSON.
  • "Cannot kill protected process" - request to kill a process that is found in watchdog.xml.
  • "Cannot access process" - failed to open a handle with terminate access rights, or failed to read the image path for a process with a matching name.
  • "Cannot terminate process" - the TerminateProcess API call failed.
  • "No process found" - could not find any process matching the filter parameters.
  • "Operation partially succeeded. Terminated x of y" - found "y" processes matching the criterion, but only "x" were successfully terminated.

If the list of processes to terminate was successfully created, the Operation Output is filled with a JSON document containing information about each process matching the criterion.

For example:
{
    "name":"cptrayUI.exe",
    "killall":"true",
    "processes": [
        {
            "PID": "6668",
            "path": "C:\\Program Files (x86)\\CheckPoint\\Endpoint Security\\UIFramework\\Bin\\cptrayUI.exe",
            "result": "Cannot kill protected process"
        },
        {
            "PID": "12040",
            "path": "C:\\Users\\admin\\Desktop\\cptrayUI.exe",
            "result": "Operation completed successfully"
        }
    ]
}
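As an added example (it is not part of this SecureKnowledge article and not Check Point's own tooling), the following Python script builds the Type 108 parameter JSON with basic input checks and derives the operation status and a triage summary from an Operation Output. The status rules and the error strings come from the sections above; the sample output is a constructed copy of the one shown; the validation rules, the helper names and the summary field names (such as protected_paths) are this script's own assumptions.

```python
import json
from typing import Any, Dict, Optional

# Constructed sample in the shape of the Operation Output shown above
# (not captured from a real system). A raw string keeps the JSON backslash escapes intact.
SAMPLE_OUTPUT = r"""{
    "name": "cptrayUI.exe",
    "killall": "true",
    "processes": [
        {"PID": "6668",
         "path": "C:\\Program Files (x86)\\CheckPoint\\Endpoint Security\\UIFramework\\Bin\\cptrayUI.exe",
         "result": "Cannot kill protected process"},
        {"PID": "12040",
         "path": "C:\\Users\\admin\\Desktop\\cptrayUI.exe",
         "result": "Operation completed successfully"}
    ]
}"""

SUCCESS_RESULT = "Operation completed successfully"
PROTECTED_RESULT = "Cannot kill protected process"


def build_parameters(name: str, pid: Optional[int] = None, killall: bool = False) -> str:
    """Return the JSON parameter string for a Type 108 push operation.

    The checks here are this helper's own assumptions (the article lists the keys
    but no validation): name is required, pid must be a positive integer.
    """
    if not isinstance(name, str) or not name.strip():
        raise ValueError("name is required")
    params: Dict[str, Any] = {"name": name.strip()}
    if pid is not None:
        if not isinstance(pid, int) or isinstance(pid, bool) or pid <= 0:
            raise ValueError("pid must be a positive integer")
        params["pid"] = pid
    if killall:
        params["killall"] = True
    return json.dumps(params)


def summarize_output(output_json: str) -> Dict[str, Any]:
    """Derive the operation status and a triage view from an Operation Output.

    Status follows the article: "success" only if every matching process was
    terminated; otherwise "failed", with the partial-success text when some were.
    """
    data = json.loads(output_json)
    processes = data.get("processes", [])
    total = len(processes)
    terminated = [p for p in processes if p.get("result") == SUCCESS_RESULT]
    # Paths of Client Watchdog-protected processes, listed so the analyst can
    # confirm they are the genuine product binaries rather than look-alikes.
    protected = [p.get("path", "") for p in processes if p.get("result") == PROTECTED_RESULT]
    other_failures = [(p.get("PID"), p.get("result")) for p in processes
                      if p.get("result") not in (SUCCESS_RESULT, PROTECTED_RESULT)]

    if total == 0:
        status, detail = "failed", "No process found"
    elif len(terminated) == total:
        status, detail = "success", ""
    elif terminated:
        status, detail = "failed", f"Operation partially succeeded. Terminated {len(terminated)} of {total}"
    else:
        status, detail = "failed", "; ".join(sorted({p.get("result", "") for p in processes}))

    return {
        "name": data.get("name"),
        "status": status,
        "detail": detail,
        "total": total,
        "terminated": len(terminated),
        "protected_paths": protected,
        "other_failures": other_failures,
    }


if __name__ == "__main__":
    print(build_parameters("notepad.exe", killall=True))
    print(json.dumps(summarize_output(SAMPLE_OUTPUT), indent=2))
```

Running the script on the sample output reports status "failed" with the detail "Operation partially succeeded. Terminated 1 of 2", and lists the Program Files copy of cptrayUI.exe under protected_paths while the Desktop copy counts as terminated.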


In the Endpoint Security Management the result is shown like this:

[Screenshot of the operation result in Endpoint Security Management; image not included in this extract]

Log Events

In the logs, the operation progress can be monitored based on the following events:

[List of log events; not included in this extract]

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
