Response Type Settings and Alert Generation

How Response Type Settings Affect Alert Generation

A key feature of ZeroLock's Alert functionality is Configuration Profiles, which allow ZeroLock® Management Console (ZMC) administrators to control ZeroLock Agent behavior on protected Endpoints. Using Configuration Profiles, administrators can fine-tune settings for Ransomware, Cryptojacking, Tampering, and HASH protection.

The key setting that determines how ZeroLock responds to suspected malware is Response Type. As shown below, there are four (4) possible Response Types, listed from least to most aggressive.

[Screenshot: CP_ESXi Response Type]

  • Do Nothing – ZeroLock takes no action other than generating an alert that possible malware was detected. The suspect processes keep running until an analyst acts on the alert.
  • Suspend – ZeroLock suspends the processes generated by the malware. The processes are frozen, not terminated, so an analyst can still Release them if the alert is a false positive.
  • Kill – ZeroLock terminates the process and any child processes associated with the malware.
  • Remediate – ZeroLock removes any files created by the malware, removes the malware file(s), restores any modified or deleted files, removes attempts at persistence (undoing changes to crontabs, removing dropped malware, etc.), and closes all network connections associated with the malicious processes.

Note: In the following sections, depending on your screen resolution, you may see only a Kill and Remediate button and a single ACTIONS button. ACTIONS is a drop-down menu with the options Kill (without remediating) and Release.


DO NOTHING

The alert status is DETECTED and only the ACTIONS button is visible.

[Screenshot: DoNothing Detected Actions 2.0.1]

Selecting the ACTIONS button presents the options Kill and Release. Kill stops the processes associated with the malware. Release is selected if the alert is determined not to be malicious or is a false positive; it allows the associated processes to continue executing, and no further alerts will be generated for this process.

In this example Kill is selected. On selecting Kill, the processes associated with the malware are terminated, the status changes to KILLED, and the REMEDIATE button appears.

[Screenshot: Killed Remediate 2.0.1]

Clicking the REMEDIATE button results in the remediation of all impacted files and changes the alert status to REMEDIATED.

[Screenshot: Remediated 2.0.1]


SUSPEND

The alert status is SUSPENDED, and two (2) buttons appear: Kill & Remediate, and ACTIONS (Kill or Release). Clicking Kill & Remediate terminates the processes and remediates the impacted files in one step, as described above, and changes the alert status to REMEDIATED.

[Screenshot: Suspended KillandRemediate 2.0.1-1]

On selecting ACTIONS and then Kill, the processes associated with the malware are terminated, the status changes to KILLED, and the REMEDIATE button appears.

[Screenshot: Centos_Killed Remediate 2.0.1]

Clicking the REMEDIATE button remediates all impacted files and changes the alert status to REMEDIATED.

[Screenshot: centos_Remediated 2.0.1]


KILL

On detection, the malware processes are automatically terminated, the alert status is KILLED, and the REMEDIATE button is visible. No Release option is offered at this point, because the processes have already been terminated.

[Screenshot: Ubuntu Killed 2.0.1]

Clicking the REMEDIATE button remediates all impacted files and changes the alert status to REMEDIATED.

[Screenshot: Ubuntu Remediated 2.0.1]


REMEDIATE

With this setting, as soon as the malware is detected it is terminated and remediated automatically. The alert opens in the REMEDIATED status and requires no analyst intervention.

[Screenshot: Centos_Remediate_Remediated 2.0.1]
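The four sections above describe one alert lifecycle: each Response Type opens the alert in a particular status, and each status exposes a fixed set of analyst actions. The following is an added example, not ZeroLock or ZMC code, that encodes those rules as a small state machine so a triage script can check which buttons an alert should offer and what status to expect after a click. The status name RELEASED is an assumption for this model only; the page does not name the status shown after an analyst selects Release.

```python
"""Model of the ZeroLock alert lifecycle described on this page (added example).

Encodes Response Type -> initial alert status -> permitted analyst actions as a
state machine, so a triage script can validate analyst actions and predict the
resulting status.
"""
from enum import Enum


class ResponseType(Enum):
    DO_NOTHING = "Do Nothing"
    SUSPEND = "Suspend"
    KILL = "Kill"
    REMEDIATE = "Remediate"


class Status(Enum):
    DETECTED = "DETECTED"
    SUSPENDED = "SUSPENDED"
    KILLED = "KILLED"
    REMEDIATED = "REMEDIATED"
    # Assumption: the page does not name the status shown after Release;
    # RELEASED is used here only as a label for this model.
    RELEASED = "RELEASED"


# Status the alert opens in for each Response Type (from the page).
INITIAL_STATUS = {
    ResponseType.DO_NOTHING: Status.DETECTED,
    ResponseType.SUSPEND: Status.SUSPENDED,
    ResponseType.KILL: Status.KILLED,
    ResponseType.REMEDIATE: Status.REMEDIATED,
}

# (current status, analyst action) -> resulting status.
# DETECTED offers ACTIONS (Kill / Release); SUSPENDED adds Kill & Remediate;
# KILLED offers only REMEDIATE; REMEDIATED and RELEASED are terminal.
TRANSITIONS = {
    (Status.DETECTED, "Kill"): Status.KILLED,
    (Status.DETECTED, "Release"): Status.RELEASED,
    (Status.SUSPENDED, "Kill"): Status.KILLED,
    (Status.SUSPENDED, "Release"): Status.RELEASED,
    (Status.SUSPENDED, "Kill & Remediate"): Status.REMEDIATED,
    (Status.KILLED, "Remediate"): Status.REMEDIATED,
}


def available_actions(status):
    """Buttons the console exposes for an alert in this status."""
    return sorted(action for (s, action) in TRANSITIONS if s is status)


def apply_action(status, action):
    """Return the new status, or raise if the console would not offer that button."""
    try:
        return TRANSITIONS[(status, action)]
    except KeyError:
        raise ValueError(
            f"{action!r} is not available for an alert in {status.value}"
        ) from None


def malware_still_running(status):
    """True while nothing has stopped the suspect process.

    Only a Do Nothing detection (DETECTED) or an analyst Release leaves the
    process executing; SUSPENDED processes are frozen, not running.
    """
    return status in (Status.DETECTED, Status.RELEASED)


def walk(response_type, actions):
    """Replay an analyst's clicks from the Response Type's initial status and
    return the sequence of statuses visited."""
    status = INITIAL_STATUS[response_type]
    path = [status]
    for action in actions:
        status = apply_action(status, action)
        path.append(status)
    return path


if __name__ == "__main__":
    # Do Nothing: DETECTED -> Kill -> KILLED -> Remediate -> REMEDIATED
    print([s.value for s in walk(ResponseType.DO_NOTHING, ["Kill", "Remediate"])])
    print(available_actions(Status.SUSPENDED))
```

The `malware_still_running` check is the part worth wiring into a SIEM queue: an alert sitting in DETECTED under a Do Nothing profile means the suspect process is still executing on the endpoint, which is a different urgency from SUSPENDED or KILLED alerts that only await remediation.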