Custom exit codes supply granular insights per test
Security tooling usually requires an experienced engineer to contextualize results so a decision can be made. Do you patch a system now or later? Do you contact a vendor because an attack vector slipped through? This can make it difficult to understand security posture at scale, as engineers contextualize differently.
Detect results are standardized against a lookup table (below) that attaches a code to every test response.
When a test finishes, it uses an exit code to report whether the endpoint was PROTECTED or UNPROTECTED, or whether the test itself ended in an ERROR. The current exit code options are shown below.
The operating system includes many codes by default, which are not outlined in the table.
| Code | State | Description |
|---|---|---|
| 0 | PROTECTED | The test was removed before execution |
| 1 | ERROR | The test encountered an unexpected error |
| 2 | ERROR | The test was malformed |
| 9 | PROTECTED | The test process was force killed |
| 15 | PROTECTED | The test process was killed gracefully |
| 100 | PROTECTED | The test completed normally |
| 101 | UNPROTECTED | The test completed normally but should have been blocked |
| 102 | ERROR | The test stopped itself because it ran too long |
| 103 | ERROR | The test failed to clean up |
| 104 | PROTECTED | The test is not relevant to the endpoint |
| 105 | PROTECTED | The test extracted a file which was quarantined |
| 106 | PROTECTED | Outbound connection was blocked |
| 107 | PROTECTED | The test completed normally but the host is not vulnerable |
| 126 | PROTECTED | The endpoint is blocking execution of test |
| 127 | PROTECTED | The test binary was quarantined |
| 137 | PROTECTED | The test received a SIGKILL signal |
| 256 | ERROR | There was an unexpected execution error |
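The example below is added here and is not Detect's own code: it encodes the lookup table above and classifies the return code of a test process, folding a signal death reported by `subprocess` (a negative code) onto the table's 9/15 entries and, as an assumption of this example, treating any code the table does not define (the OS defaults the page mentions) as ERROR rather than silently as PROTECTED. The `run_fake_test` helper is a constructed stand-in for a real test binary.

```python
"""Classify a Detect test's exit code as PROTECTED, UNPROTECTED or ERROR."""
import subprocess
import sys

# Lookup table from the page: exit code -> (state, description).
EXIT_CODES = {
    0: ("PROTECTED", "The test was removed before execution"),
    1: ("ERROR", "The test encountered an unexpected error"),
    2: ("ERROR", "The test was malformed"),
    9: ("PROTECTED", "The test process was force killed"),
    15: ("PROTECTED", "The test process was killed gracefully"),
    100: ("PROTECTED", "The test completed normally"),
    101: ("UNPROTECTED", "The test completed normally but should have been blocked"),
    102: ("ERROR", "The test stopped itself because it ran too long"),
    103: ("ERROR", "The test failed to clean up"),
    104: ("PROTECTED", "The test is not relevant to the endpoint"),
    105: ("PROTECTED", "The test extracted a file which was quarantined"),
    106: ("PROTECTED", "Outbound connection was blocked"),
    107: ("PROTECTED", "The test completed normally but the host is not vulnerable"),
    126: ("PROTECTED", "The endpoint is blocking execution of test"),
    127: ("PROTECTED", "The test binary was quarantined"),
    137: ("PROTECTED", "The test received a SIGKILL signal"),
    256: ("ERROR", "There was an unexpected execution error"),
}

def classify(returncode: int) -> tuple:
    """Map a raw return code to (state, description).

    subprocess reports death by signal as a negative number (-9 for SIGKILL),
    so it is folded onto the table's 9/15 entries. Any code the table does not
    define is one of the OS defaults the page mentions; treating it as ERROR is
    an assumption of this example, so an unknown code never reads as PROTECTED.
    """
    code = -returncode if returncode < 0 else returncode
    return EXIT_CODES.get(code, ("ERROR", f"Undefined exit code {code} (OS default)"))

def run_test(argv: list, timeout: float = 30) -> tuple:
    """Run one test binary and classify how it ended."""
    return classify(subprocess.run(argv, timeout=timeout).returncode)

def run_fake_test(code: int) -> tuple:
    """Constructed stand-in for a test binary: a Python one-liner exiting with `code`."""
    one_liner = "import sys; sys.exit(int(sys.argv[1]))"
    return run_test([sys.executable, "-c", one_liner, str(code)])

if __name__ == "__main__":
    for code in (100, 101, 106, 42):
        print(code, run_fake_test(code))
```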