Actions
IPS Response
Actions that can be taken when an IPS rule matches an event.
Available Actions
- Log: Record the event in the Alerts tab. No notification, no blocking. Use for monitoring without disruption.
- Alert: Record the event and show a desktop notification. The action is allowed to proceed. Use for awareness without blocking.
- Block: Prevent the action from completing. The specific behavior depends on the event type (see below).
- Kill: Terminate the process that triggered the event. Use with caution as this can disrupt system operation.
Block Behavior by Event Type
| Event Type | Block Effect |
|---|---|
| Process Create | Prevent process from starting |
| Registry SetValue | Deny the registry write |
| File Create/Write | Deny the file operation |
| Network Connection | Drop the connection |
| Image Load | Prevent DLL from loading |
| Injection | Deny the handle/thread operation |
Use Block and Kill Carefully
Blocking or killing system processes can cause system instability. Always test rules with Log or Alert first before enabling Block or Kill.
Action Priority
When multiple rules could match, only the first matching rule's action is taken:
Rule 1: powershell.exe from Temp → Block
Rule 2: powershell.exe → Log

If powershell.exe runs from Temp:
→ Rule 1 matches first → Block (Rule 2 not evaluated)
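
The first-match behaviour above can be modelled to check a rule order before enabling it. This is an added example, not the product's own code or rule format: the `Rule` fields, the substring path match and the sample paths are assumptions made for illustration. It also flags rules that can never fire because a broader rule sits above them.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:                       # hypothetical schema, not the product's format
    name: str
    image: str                    # process image name, matched case-insensitively
    path_contains: Optional[str]  # None means "any directory"
    action: str                   # Log, Alert, Block or Kill

def matches(rule, image_path):
    p = image_path.lower().replace("/", "\\")
    if p.rsplit("\\", 1)[-1] != rule.image.lower():
        return False
    return rule.path_contains is None or rule.path_contains.lower() in p

def evaluate(rules, image_path):
    """Return (rule name, action) of the first matching rule, else None."""
    for rule in rules:
        if matches(rule, image_path):
            return rule.name, rule.action   # later rules are not evaluated
    return None

def shadowed(rules):
    """Names of rules that can never fire: an earlier rule for the same
    image matches every path the later rule would match."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            same_image = earlier.image.lower() == later.image.lower()
            broader = earlier.path_contains is None or (
                later.path_contains is not None
                and earlier.path_contains.lower() in later.path_contains.lower())
            if same_image and broader:
                out.append(later.name)
                break
    return out

# Constructed sample data mirroring Rule 1 and Rule 2 above.
ORDERED = [Rule("Rule 1", "powershell.exe", "\\temp\\", "Block"),
           Rule("Rule 2", "powershell.exe", None, "Log")]
REVERSED = list(reversed(ORDERED))
TEMP_PS = r"C:\Users\a\AppData\Local\Temp\powershell.exe"
SYS_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

if __name__ == "__main__":
    print(evaluate(ORDERED, TEMP_PS), evaluate(ORDERED, SYS_PS))
    print(evaluate(REVERSED, TEMP_PS), shadowed(REVERSED))
```

With the order reversed, the general Log rule matches first and the Temp-specific Block rule is never reached, so specific rules belong above general ones.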
Notifications
Alert, Block and Kill actions show desktop notifications:
- Alert — Yellow notification with rule name
- Block — Red notification with blocked action
- Kill — Red notification with terminated process
Notifications can be disabled in Settings → Notifications.
Recommended Approach
- Start with Log to observe what matches
- Review logged events to confirm rule accuracy
- Upgrade to Alert for awareness
- Only use Block when confident in the rule
- Reserve Kill for critical threats only