Understanding results of Prelude VSTs

Security tooling usually requires an experienced engineer to contextualize results before a decision can be made: do you patch a system now or later? Do you contact a vendor because an attack vector slipped through? Because different engineers contextualize the same result differently, this makes security posture difficult to understand at scale.

Detect results are standardized against a lookup table (below) that attaches a code to every test response.

Exit codes

When a test finishes, it exits with a code that the probe maps to one of five states: PROTECTED, UNPROTECTED, ERROR, NOT RELEVANT or UNREPORTED. The current exit codes are shown below.

The operating system and shell define many other exit codes by default, which are not outlined in the table. Several entries in the table coincide with those conventions: 9 and 15 are the signal numbers for SIGKILL and SIGTERM, 126 and 127 are the shell's "found but not executable" and "command not found" codes, and 137 is 128+9, how a shell reports a process killed by SIGKILL (the signal the Linux OOM killer sends). Treat any code not listed here as unmapped rather than inferring PROTECTED or UNPROTECTED from it.

Code  State          Meaning
1     ERROR          The test encountered an unexpected error. Run the test again; if the problem persists, contact support.
2     ERROR          The test was malformed. If this is a custom test, correct the issue with the test; if it is a Prelude-provided test, contact support for assistance.
3     UNREPORTED     The endpoint failed to report a result for the test. The probe may have restarted before it was able to send a result.
9     PROTECTED      The test process was force killed (signal 9, SIGKILL). This is an expected result and indicates the system defenses stopped the test.
15    PROTECTED      The test process was killed gracefully (signal 15, SIGTERM). This is an expected result and indicates the system defenses stopped the test.
100   PROTECTED      The test completed normally. This is an expected result, typically associated with a safety or health check completing as expected.
101   UNPROTECTED    The test completed normally but should have been blocked. The system defenses did not stop or block this test as expected. Investigate system and tool configuration to improve defenses.
102   ERROR          The test exceeded the timeout of 20 seconds and was killed by the Prelude probe.
103   ERROR          The test failed to clean up.
104   NOT RELEVANT   The test ran but determined it is not relevant to the endpoint.
105   PROTECTED      The test extracted a file which was quarantined. This is an expected result and indicates the system defenses stopped the test.
106   PROTECTED      The test made an outbound network connection that was blocked. This is an expected result and indicates the system defenses stopped the test.
107   PROTECTED      The test completed normally but the host is not vulnerable. This is an expected result and indicates the system defenses stopped the test.
108   NOT RELEVANT   The test is not relevant to the endpoint operating system.
109   NOT RELEVANT   The test could not complete because it lacked the required permissions to perform the technique. This may occur when the user or system executing the test does not have the required privileges to perform certain actions on the endpoint.
110   UNPROTECTED    The test was blocked but should not have been. This is an unexpected response, typically associated with a health or safety check that was improperly blocked by system defenses.
126   PROTECTED      The operating system is blocking execution of the test. This is an expected result and indicates the operating system stopped the test. Example: "Access Denied" on Windows.
127   PROTECTED      The test binary was quarantined after it ran. This is an expected result and indicates the system defenses stopped the test.
137   ERROR          The test was terminated due to an out-of-memory condition on the system.
256   ERROR          There was an unexpected execution error. Run the test again; if the problem persists, contact support.
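The value of a fixed lookup table is that results from every endpoint can be normalized and aggregated without an engineer interpreting each one. The script below is an added example for this page, not Prelude's probe or CLI code: it encodes the table above, runs a stand-in test with the 20-second timeout the probe enforces (reporting 102 when it fires), and rolls a batch of results up into per-state counts plus the endpoints that need attention. The handling of signal deaths (Python's subprocess reports a SIGKILLed child as -9, which is folded to the table's 9), the UNMAPPED state for codes the table does not list, the timeout wrapper and the summary shape are all assumptions about defender-side post-processing, not documented Prelude behaviour; the endpoint names, test IDs and codes in the sample batch are constructed.

```python
"""Normalise and aggregate Prelude VST exit codes.

Added example for this page, not Prelude's probe or CLI code. EXIT_CODES is
copied from the lookup table on the page; everything else (signal folding,
the UNMAPPED state, the timeout wrapper, the fleet summary) is an assumption
about how a defender would post-process results.
"""
import subprocess
import sys
from collections import Counter

# code -> (state, short meaning), straight from the lookup table
EXIT_CODES = {
    1:   ("ERROR",        "unexpected error; rerun, contact support if it persists"),
    2:   ("ERROR",        "malformed test"),
    3:   ("UNREPORTED",   "endpoint never reported a result (probe restarted?)"),
    9:   ("PROTECTED",    "test process force killed"),
    15:  ("PROTECTED",    "test process killed gracefully"),
    100: ("PROTECTED",    "completed normally (safety/health check)"),
    101: ("UNPROTECTED",  "completed but should have been blocked"),
    102: ("ERROR",        "exceeded 20 second timeout, killed by probe"),
    103: ("ERROR",        "failed to clean up"),
    104: ("NOT RELEVANT", "test decided it is not relevant to this endpoint"),
    105: ("PROTECTED",    "extracted file was quarantined"),
    106: ("PROTECTED",    "outbound connection was blocked"),
    107: ("PROTECTED",    "completed normally, host not vulnerable"),
    108: ("NOT RELEVANT", "not relevant to this operating system"),
    109: ("NOT RELEVANT", "lacked required permissions"),
    110: ("UNPROTECTED",  "blocked but should not have been (health/safety check)"),
    126: ("PROTECTED",    "operating system blocked execution"),
    127: ("PROTECTED",    "test binary quarantined after it ran"),
    137: ("ERROR",        "terminated by out-of-memory condition"),
    256: ("ERROR",        "unexpected execution error; rerun"),
}

TIMEOUT_SECONDS = 20   # the probe's timeout, per the table
TIMEOUT_CODE = 102     # what the probe reports when it fires
# Assumption: anything the table does not list gets its own state rather than a verdict.
UNMAPPED = ("UNMAPPED", "operating-system or test-defined code not in the table")


def normalize(returncode: int) -> int:
    """Fold a raw subprocess return code into the table's numbering.

    On POSIX, subprocess reports death by signal N as -N, so a test force
    killed by an EDR arrives as -9. Folding it to +N lines it up with the
    table's 9 / 15 rows (assumption). Positive codes, including the shell
    style 137 = 128+9, are left alone: the table gives them their own meaning.
    """
    return -returncode if returncode < 0 else returncode


def classify(code: int) -> tuple:
    """Return (state, meaning) for a normalised code; unknown codes are UNMAPPED."""
    return EXIT_CODES.get(code, UNMAPPED)


def run_test(argv: list, timeout: float = TIMEOUT_SECONDS) -> int:
    """Run a test binary the way the probe does: enforce the timeout and
    report 102 if it fires (subprocess.run kills the child on timeout).
    Returns the normalised exit code, ready for classify()."""
    try:
        proc = subprocess.run(argv, timeout=timeout)
    except subprocess.TimeoutExpired:
        return TIMEOUT_CODE
    return normalize(proc.returncode)


def summarize(results):
    """Aggregate (endpoint, test_id, raw_code) triples into a posture view:
    per-state counts plus the rows that need a human, i.e. every UNPROTECTED
    result and anything the table cannot classify."""
    counts = Counter()
    attention = []
    for endpoint, test_id, raw in results:
        state, meaning = classify(normalize(raw))
        counts[state] += 1
        if state in ("UNPROTECTED", "UNMAPPED"):
            attention.append((endpoint, test_id, raw, state, meaning))
    return dict(counts), attention


# Stand-in "tests" built from the current interpreter so the example runs
# offline without a real VST binary (hypothetical helpers, not Prelude's).
def exit_with(code: int) -> list:
    return [sys.executable, "-c", f"import sys; sys.exit({code})"]


def sleep_for(seconds: float) -> list:
    return [sys.executable, "-c", f"import time; time.sleep({seconds})"]


if __name__ == "__main__":
    # Constructed sample batch: three endpoints reporting two tests each.
    sample = [
        ("web-01", "TEST-A", 101),  # ran to completion: defenses missed it
        ("web-02", "TEST-A", 9),    # force killed: defenses worked
        ("db-01",  "TEST-A", -9),   # the same outcome as subprocess reports it
        ("web-01", "TEST-B", 108),  # wrong OS for this technique
        ("web-02", "TEST-B", 137),  # OOM: an error, not a verdict either way
        ("db-01",  "TEST-B", 42),   # a code the table does not know
    ]
    counts, attention = summarize(sample)
    print(counts)
    for row in attention:
        print("needs attention:", row)
    print("exit 101 ->", classify(run_test(exit_with(101))))
    print("timeout  ->", classify(run_test(sleep_for(5), timeout=0.5)))
```

Two design choices matter when adapting this to real probe output. First, 137 is deliberately not folded to 9 even though it is 128+9: the table assigns the two different meanings (an OOM kill is an ERROR, not evidence that a defense fired), so the collector must preserve whatever numbering the probe actually emits. Second, unmapped codes are surfaced alongside UNPROTECTED rather than silently counted as errors, because a code the table does not know is exactly the case where an engineer still has to contextualize.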