Skip to content
Last update: 2022-05-13

Automated response: Killing a Process


You can't revert an automated response. Sophos strongly recommends testing automated responses using dry runs before you turn them on in a production environment. See dry runs.


If you're changing the response action for one of Sophos Linux Sensor's (SLS) detections, please refer to Adjusting default detections for instructions. If you're editing a custom policy or writing a new one, keep reading below.

A kill response action is performed by sending the SIGKILL signal to a process. This causes the process to exit immediately. It doesn't wait until the process has exited. This doesn't kill any other processes the target process may have started.

The following example demonstrates this applied to a program:

Enforced Wget Blocklist:
  policy: program
    - alert
    - kill
  alertMessage: Unauthorized execution of wget
  comments: This policy detects and kills instances of wget running
  priority: High
  enabled: true
  - match programName == "/usr/bin/wget"
  - default ignore

Kill responses can fail. For example, the process in question may no longer be running by the time the signal is sent. The following JSON is a truncated example alert for this configuration in a case where the process could not be killed:

"notifications": [
      "timestamp": "2019-04-17T01:58:30.272044949-04:00",
      "name": "Enforced Wget Blocklist",
      "uuid": "25fc84c4-be3f-4159-a55e-1c31f85a29cb",
      "message": "The program \"/usr/bin/wget\" was executed, which violated the \"Enforced Wget Blocklist\" Program Policy.",
      "message_fields": {}
      "timestamp": "2019-04-17T01:58:30.272044949-04:00",
      "name": "Enforced Wget Blocklist",
      "uuid": "25fc84c4-be3f-4159-a55e-1c31f85a29cb",
      "message": "unable to stop process 2745: no such process",
      "message_fields": {
        "action_type": "kill",
        "action_target_type": "process",
        "action_result": "not successful",
        "action_result_details": "no such process"
Back to top