Last update: 2022-05-13

Automated Response: stopping a process


You can't revert an automated response. Sophos strongly recommends testing automated responses using dry runs before you turn them on in a production environment. See dry runs.

For policies that support stop responses, specify responseAction: stop. Sophos Linux Sensor performs a stop response action by sending the SIGSTOP signal to the offending process. SIGSTOP cannot be caught, blocked or ignored, but it only suspends the process: it remains in the stopped state (T in ps output) until it receives SIGCONT or is killed, so an operator still has to investigate and terminate or resume it afterwards.

The following example demonstrates this applied to a program policy:

Enforced Wget Blocklist:
  policy: program
  responseAction: stop
  alertMessage: Unauthorized execution of wget
  comments: This policy detects and stops (SIGSTOP) instances of wget running
  priority: High
  enabled: true
  - match programName == "/usr/bin/wget"
  - default ignore

Stop responses can fail. For example, the process may already have exited by the time the signal is sent to it. The following truncated example alert for this configuration shows the two notifications produced when the process couldn't be stopped: the policy violation itself, and the result of the stop action, whose message_fields record the action type, target, outcome and the reason for the failure:

"notifications": [
    {
      "timestamp": "2019-04-17T01:58:30.272044949-04:00",
      "name": "Enforced Wget Blocklist",
      "uuid": "25fc84c4-be3f-4159-a55e-1c31f85a29cb",
      "message": "The program \"/usr/bin/wget\" was executed, which violated the \"Enforced Wget Blocklist\" Program Policy. The stop response action was not successful.",
      "message_fields": {}
    },
    {
      "timestamp": "2019-04-17T01:58:30.272044949-04:00",
      "name": "Enforced Wget Blocklist",
      "uuid": "25fc84c4-be3f-4159-a55e-1c31f85a29cb",
      "message": "unable to stop process 2745: no such process",
      "message_fields": {
        "action_type": "stop",
        "action_target_type": "process",
        "action_result": "not successful",
        "action_result_details": "no such process"
      }
    }
]
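The following script is an added example, not Sophos Linux Sensor code, that reproduces the mechanics described above on a Linux host: it matches processes by executable path the way the programName rule does (by reading /proc/<pid>/exe), sends SIGSTOP, confirms the target really is in the stopped state, and reports the "no such process" failure path in the same shape as the alert's message_fields. The function names stop_process, find_pids_for, process_state, alert_message and demo are assumptions for this example; the sleep child it starts is a constructed stand-in for the wget process in the policy.

```python
#!/usr/bin/env python3
"""Illustrative stop-response action: SIGSTOP with result reporting.

Added example, not Sophos Linux Sensor code. Requires Linux (/proc).
All function names below are assumptions made for this example.
"""
import os
import signal
import subprocess
from pathlib import Path


def stop_process(pid: int) -> dict:
    """Send SIGSTOP to pid; report the outcome like the alert's message_fields."""
    result = {"action_type": "stop", "action_target_type": "process"}
    try:
        os.kill(pid, signal.SIGSTOP)  # cannot be caught, blocked or ignored
    except ProcessLookupError:
        # ESRCH: the process exited or was reaped before the signal arrived.
        result["action_result"] = "not successful"
        result["action_result_details"] = "no such process"
    except PermissionError:
        # EPERM: the sender lacks privilege over this process (other uid).
        result["action_result"] = "not successful"
        result["action_result_details"] = "operation not permitted"
    else:
        result["action_result"] = "successful"
        result["action_result_details"] = ""
    return result


def alert_message(pid: int, result: dict) -> str:
    """Render the human-readable notification text for a stop result."""
    if result["action_result"] == "successful":
        return f"stopped process {pid}"
    return f"unable to stop process {pid}: {result['action_result_details']}"


def find_pids_for(program: str) -> list:
    """PIDs whose executable resolves to `program` (cf. programName == ...).

    /proc/<pid>/exe is the kernel-resolved real path. Processes we cannot
    inspect (other users, kernel threads) are skipped, which is one more
    reason a stop can miss its target.
    """
    pids = []
    for entry in Path("/proc").iterdir():
        if not entry.name.isdigit():
            continue
        try:
            if os.readlink(entry / "exe") == program:
                pids.append(int(entry.name))
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue
    return pids


def process_state(pid: int) -> str:
    """Single-letter state from /proc/<pid>/stat ('T' means stopped)."""
    with open(f"/proc/{pid}/stat") as f:
        # comm may contain spaces or ')', so split on the last ')'.
        return f.read().rsplit(")", 1)[1].split()[0]


def demo() -> dict:
    """Stop a live child, verify it, then show the failure on an exited one."""
    child = subprocess.Popen(["sleep", "60"])          # constructed target
    exe = os.readlink(f"/proc/{child.pid}/exe")        # what the rule would match
    matched = child.pid in find_pids_for(exe)
    live = stop_process(child.pid)
    _, status = os.waitpid(child.pid, os.WUNTRACED)    # wait for the stop
    stopped_state = process_state(child.pid) if os.WIFSTOPPED(status) else "?"
    # Caveat: SIGSTOP only suspends. Anyone with permission can SIGCONT it,
    # and the operator must still decide whether to kill or resume it.
    os.kill(child.pid, signal.SIGCONT)
    child.kill()
    child.wait()                                       # reaped: pid is gone
    dead = stop_process(child.pid)                     # -> "no such process"
    return {"matched": matched, "live": live,
            "stopped_state": stopped_state, "dead": dead}


if __name__ == "__main__":
    out = demo()
    print(out["live"], out["stopped_state"])
    print(alert_message(2745, out["dead"]))
```

Running it with a real match would be `for pid in find_pids_for("/usr/bin/wget"): stop_process(pid)`. Note that find_pids_for compares against the kernel-resolved path, so on a merged-/usr system /bin/wget and /usr/bin/wget both resolve to the same target.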