Process protection leverages kernel-mode driver technology to enforce granular controls on process creation, network traffic, and file system access.
For example, it can stop PHP from launching outbound DDoS traffic, protect against Redis amplification attacks, and restrict FTP to accessing website paths only.
1. Workflow
First, check whether the process object falls within a "protected path". If it does, the following checks are applied:
1) If the process is starting, check whether a "prohibit initiation" rule is set. If so, block the start.
2) If the process communicates over the network, check whether the communication method (protocol) and the communication peer fall within the restricted scope. If they do, block the communication.
3) If the process accesses files, check whether the accessed objects and operations fall within the restricted scope. If they do, block the access.
2. Filling Instructions
1) Basic Settings
Process Path:
Please enter the path of the process that requires protection. Both full and partial paths are accepted, with partial paths requiring the use of an asterisk (*).
Detailed rules: http://www.magiaegis.com/supports/defense/159.html
Filling Examples:
*\bin* : Represents processes whose paths contain \bin, such as d:\bin\mysql.exe.
*\php-cgi.exe : Represents the php-cgi.exe process.
d:\software* : Represents all processes under d:\software, such as d:\software\mysqld.exe.
d:\software\mysql\mysqld.exe : Represents the specific process d:\software\mysql\mysqld.exe.
Prohibit Initiation:
Prevent processes within the protected path from starting.
Whitelist:
Enter the paths of processes that require exceptions. Both full and partial paths are supported, with partial paths requiring the use of an asterisk (*).
Detailed rules: http://www.magiaegis.com/supports/defense/159.html
Filling Examples:
*\bin* : Represents processes whose paths contain \bin, such as d:\bin\mysql.exe.
*\php-cgi.exe : Represents the php-cgi.exe process.
*/php-fpm : Represents the php-fpm process.
d:\software* : Represents all processes under d:\software, such as d:\software\mysqld.exe.
d:\software\mysql\mysqld.exe : Represents the specific process d:\software\mysql\mysqld.exe.

Note: Some PHP programs need to communicate with DNS servers. It is recommended to add the IP addresses of DNS servers (e.g., 114.114.114.114, 8.8.8.8, 127.0.0.53, and 127.0.0.1) to the "Network" → "Whitelist" section.
2) Network Settings
Restrict the network communication behavior of protected processes.
Friendly Reminder: Communication is permitted when the source and destination IP addresses are identical (e.g., traffic to the local machine itself).
Deny TCP
Block outgoing TCP communication for the process.
Example: Blocking Redis from external TCP communication enhances security.
Deny UDP
Block outgoing UDP communication for the process.
Example: Blocking PHP from external UDP communication prevents PHP-DDoS attacks.
Whitelist
Target IPs and ranges exempt from network communication restrictions.
Supports IP addresses, subnet masks, and IP ranges.
Filling Examples:
192.168.2.1
192.168.2.1/16
192.168.2.1-192.168.255.255

3) File Access Settings
Restrict file access behaviors for protected processes. If no rules are set, all paths are accessible.
Access Paths
Specify restricted file paths. Use * to represent all paths.
Supports full paths or partial paths (with * on one or both sides).
Detailed Rules: http://www.magiaegis.com/supports/defense/159.html
Filling Examples:
*\uploads\* → Matches any path containing \uploads\, e.g., d:\web\uploads\logo.jpg
*\admin.php → Matches the file admin.php
*.php → Matches all PHP files
d:\wwwroot\* → Matches d:\wwwroot and its subdirectories, e.g., d:\wwwroot\site1\index.php
d:\wwwroot\admin\login.php → Matches this specific file
Action Limit
Deny Read: Prevent reading file/directory content (attributes excluded).
Deny Execute: Prevent the process from running executable files.
Deny Create: Prevent creating new files/directories.
Deny Modify: Prevent modifying file content (attributes excluded).
Deny Delete: Prevent deleting files/directories.
Deny Rename: Prevent renaming files/directories.
Note: Changing the directory a file is stored in (i.e., cut/move) is treated as create + delete.
Priority
Range: 1–99 (1 = highest priority, 99 = lowest).
Rules are evaluated from the highest priority to the lowest; rules with the same priority are evaluated in reverse order of the time they were added (newest first). As soon as a rule matches, the operation is intercepted immediately and no further rules are evaluated.
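The matching rules described above (star wildcards in process paths, the three IP whitelist forms, the local-traffic exemption, and priority-ordered first-match interception) are modelled below in Python so that a rule set can be checked before it is deployed. This is an added example, not the product's own code: the Rule fields, the names check_connect/path_matches/ip_whitelisted, and the decision to skip a rule that matches the process but does not deny the protocol in question are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class Rule:  # constructed model; field names are assumptions, not the product's format
    name: str
    process_path: str            # e.g. r"*\php-cgi.exe"; '*' is the only wildcard
    priority: int = 50           # 1 = highest, 99 = lowest
    order: int = 0               # creation sequence; equal priority runs newest first
    process_whitelist: tuple = ()
    deny_tcp: bool = False
    deny_udp: bool = False
    net_whitelist: tuple = ()    # "1.2.3.4", "192.168.2.1/16" or "a.b.c.d-e.f.g.h"

def path_matches(pattern: str, path: str) -> bool:
    """Star-only wildcard match; Windows paths compare case-insensitively."""
    regex = ".*".join(re.escape(p) for p in pattern.lower().split("*"))
    return re.fullmatch(regex, path.lower()) is not None

def ip_whitelisted(entry: str, ip: str) -> bool:
    """Accepts the three whitelist forms on the page: single IP, CIDR, range."""
    addr = ipaddress.ip_address(ip)
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(x.strip()) for x in entry.split("-", 1))
        return lo <= addr <= hi
    if "/" in entry:  # strict=False tolerates host bits, as in 192.168.2.1/16
        return addr in ipaddress.ip_network(entry, strict=False)
    return addr == ipaddress.ip_address(entry)

def check_connect(rules, proc, proto, src_ip, dst_ip):
    """Return the name of the rule that blocks the connection, or None if allowed."""
    if src_ip == dst_ip:  # identical endpoints (local traffic) are always permitted
        return None
    # Highest priority first; equal priority -> most recently added first.
    for r in sorted(rules, key=lambda r: (r.priority, -r.order)):
        if not path_matches(r.process_path, proc):
            continue
        if any(path_matches(w, proc) for w in r.process_whitelist):
            continue
        denied = r.deny_tcp if proto == "tcp" else r.deny_udp
        if not denied or any(ip_whitelisted(e, dst_ip) for e in r.net_whitelist):
            continue
        return r.name  # first successful match intercepts immediately
    return None

RULES = [  # constructed sample: PHP may send UDP only to DNS; Redis gets no outbound TCP off-LAN
    Rule("php-no-udp", r"*\php-cgi.exe", 10, 1, deny_udp=True, net_whitelist=("8.8.8.8", "127.0.0.1")),
    Rule("redis-no-tcp", r"d:\software\redis*", 20, 2, deny_tcp=True, net_whitelist=("192.168.2.1/16",)),
]
```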
