After identifying a suspicious or malicious process running on an endpoint, you can terminate the process using SmartEndpoint.
Use a Custom Push Operation with Type 108. The operation parameters are specified as
- If only name is set, the operation will try to kill the first process found with a matching name.
- To kill all matching processes, set the killall parameter to "true":
- To kill a specific process, specify its pid:
Processes that are monitored by Client Watchdog are protected and cannot be killed.
Installation adds a path to
under the key
Before trying to terminate a process, its image path is searched for in
. If its image path is found, the process is treated as protected, and the operation is cancelled with a "Cannot kill protected process" error message.
If all matching processes are successfully terminated, the operation status is set to "success". If at least one process could not be terminated, the operation status is set to "failed". The operation status may contain the following error descriptions:
- "Failed to read operation parameters" - may indicate failure to parse Actions
xml wrapping operation parameters, failure to read
json, missing required parameters in
- "Cannot kill protected process" - request to kill process that is found in
- "Cannot access process" - failed to open a handle with terminate access rights, or failed to read the image path of a process with a matching name
- "Cannot terminate process" - TerminateProcess API call failed
- "No process found" - Could not find any process matching the filter parameters.
- "Operation partially succeeded. Terminated x of y" - Found "y" processes matching the criterion, but only "x" were successfully terminated
If the list of processes to terminate was successfully created, the Operation Output is filled with a
containing information about each process matching the criterion.
"path": "C:\\Program Files (x86)\\CheckPoint\\Endpoint Security\\UIFramework\\Bin\\cptrayUI.exe",
"result": "Cannot kill protected process"
"result": "Operation completed successfully"
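The following Python model, added here as an illustration and not Check Point's own code, walks through the Type 108 decision rules described above (name vs. pid selection, killall, the protected-path check and the resulting status strings) over a constructed process table; the `Proc` class, `sample_processes()` and `kill_operation()` are assumed names, no real process is terminated, and case-insensitive name matching is an assumption.

```python
from dataclasses import dataclass

PROTECTED_PATHS = [  # constructed: the real list is read from the Client Watchdog registry entries
    r"C:\Program Files (x86)\CheckPoint\Endpoint Security\UIFramework\Bin\cptrayUI.exe",
]

@dataclass
class Proc:
    """Constructed stand-in for a running process; nothing is really terminated."""
    pid: int
    name: str
    path: str
    terminable: bool = True  # False simulates a failing TerminateProcess call
    alive: bool = True

def sample_processes():
    """Constructed process table (pids and the notepad paths are made up)."""
    return [Proc(1200, "cptrayUI.exe", PROTECTED_PATHS[0]),
            Proc(3344, "notepad.exe", r"C:\Windows\System32\notepad.exe"),
            Proc(3390, "notepad.exe", r"C:\Users\Public\notepad.exe", terminable=False)]

def kill_operation(params, procs, protected_paths=PROTECTED_PATHS):
    """Apply the Type 108 rules; returns (status, error description, per-process results)."""
    name, pid = params.get("name"), params.get("pid")
    if name is None and pid is None:
        return "failed", "Failed to read operation parameters", []
    if pid is not None:  # a pid targets one specific process
        matches = [p for p in procs if p.alive and p.pid == int(pid)]
    else:  # assumption: process names compare case-insensitively
        matches = [p for p in procs if p.alive and p.name.lower() == name.lower()]
        if str(params.get("killall", "false")).lower() != "true":
            matches = matches[:1]  # without killall only the first match is targeted
    if not matches:
        return "failed", "No process found", []
    protected = {p.lower() for p in protected_paths}
    results = []
    for p in matches:
        if p.path.lower() in protected:  # image path found in the protected list
            verdict = "Cannot kill protected process"
        elif not p.terminable:
            verdict = "Cannot terminate process"
        else:
            p.alive, verdict = False, "Operation completed successfully"
        results.append({"path": p.path, "result": verdict})  # same keys as the Operation Output
    done = sum(r["result"] == "Operation completed successfully" for r in results)
    if done == len(results):
        return "success", "", results
    if done == 0:
        return "failed", results[0]["result"], results
    return "failed", f"Operation partially succeeded. Terminated {done} of {len(results)}", results
```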
In the Endpoint Security Management the result is shown like this:
In the logs, the operation progress can be monitored based on the following events
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.