
AR Reaction: Kill Process


The most basic reaction is to kill a running process by name.  This is typically used to help eradicate a threat, or to remove remaining traces after the fact.  In this note we'll walk through all the steps necessary to create this reaction.  For your convenience, you might also prefer to simply import the fully configured reaction (download the attached document, then import it into the Active Response Catalog).

Creating Kill Process Reaction

  1. Open the Active Response Catalog and select the Reactions tab.  Click New Reaction.
  2. Next, enter a name and a description for this Reaction.
  3. For Reaction Content, select "Execute OS Command" and enter the following line:
    taskkill /F /IM {{processname}} /T

    The switches on this command are interpreted as follows:
        /F: Forceful process shutdown
        /IM: Specifies the process image name
        /T: Terminates the entire process tree, including all child processes of the specified process

  4. Finally, we need to configure the argument for this reaction.  This reaction takes a single argument: the full name of the process to be terminated.
    Note that the name of the argument matches the token {{processname}} in the Reaction Content.  When the Reaction is triggered on the endpoint, the value passed in for the argument is substituted into the specified command before it is executed.
  5. Click the Save button at the top of the screen.
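To make the token substitution in step 4 concrete, here is an added Python example (not Active Response code) that renders the Reaction Content with an argument value and, before anything is executed, rejects values that are not a plain image name, since /IM expects a bare name such as calc.exe and the value lands on a command line. The image-name rule and the dry-run flag are assumptions for the example.

```python
import re
import subprocess
import sys

# Reaction Content exactly as entered in the catalog above.
REACTION_CONTENT = "taskkill /F /IM {{processname}} /T"

# Tokens look like {{name}}; names are letters, digits and underscores.
TOKEN_RE = re.compile(r"\{\{(\w+)\}\}")

# Assumed rule for this example: an image name is a bare file name ending in
# .exe, with no path separators, spaces or shell metacharacters.
IMAGE_NAME_RE = re.compile(r"^[A-Za-z0-9_.\-]+\.exe$", re.IGNORECASE)


def is_valid_process_name(name: str) -> bool:
    """True only for a plain image name such as calc.exe."""
    return IMAGE_NAME_RE.fullmatch(name) is not None


def render_reaction(template: str, args: dict) -> list:
    """Substitute every {{token}} with its argument value and return the
    command as an argv list (one element per argument, no shell parsing)."""
    def sub(match):
        key = match.group(1)
        if key not in args:
            raise KeyError(f"no value supplied for argument {key!r}")
        return args[key]
    return TOKEN_RE.sub(sub, template).split()


def kill_process(name: str, dry_run: bool = True) -> list:
    """Validate the argument, render the reaction, and (on Windows, when not
    a dry run) execute it. Returns the argv that would be / was executed."""
    if not is_valid_process_name(name):
        raise ValueError(f"not a valid process image name: {name!r}")
    argv = render_reaction(REACTION_CONTENT, {"processname": name})
    if not dry_run and sys.platform == "win32":
        subprocess.run(argv, check=False)
    return argv


if __name__ == "__main__":
    print(kill_process("calc.exe"))
```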

Testing the Kill Process Reaction

Once defined, your reaction is immediately distributed to your endpoints via the DXL.  Next, let's do a simple test of the Reaction.

  1. Log into a system with Active Response installed, and launch calc.exe (Start/Run/calc).  You'll see the Windows calculator open on your desktop.
  2. Open Active Response Search and execute a search for running instances of calc.exe.
  3. Highlight the name of the process (calc.exe) and copy it into your paste buffer.
  4. Click the checkbox next to your calc instance, and then select "Execute Reaction" from the Actions menu.
  5. Select your Reaction and paste in the full process name that you copied earlier.
  6. Acknowledge the action you are taking.
  7. Monitor your test system.  Within a second or two you should see the calc instance disappear from the desktop.

Going Further

For some additional thoughts on using Reactions within Active Response, see

Version history
Revision #:
1 of 1
Last update:
08-05-2015 07:36 AM