Stop threats automatically with real-time protection.

Detection vs Blocking

Monitor and alert
  • Logs all security events
  • Sends notifications
  • No automatic action taken
  • Good for: Testing, compliance, analysis
GARNET_BLOCKING=false
Blocking mode dashboard showing active threat prevention

Enable Blocking

GitHub Actions

- uses: garnetlabs/garnet-action@v1
  with:
    blocking-enabled: true
    blocking-mode: strict
  env:
    GARNET_API_TOKEN: ${{ secrets.GARNET_API_TOKEN }}

Kubernetes

helm upgrade jibril garnet/jibril \
  --set blocking.enabled=true \
  --set blocking.mode=strict \
  --namespace garnet-system

Docker

docker run -d \
  --name jibril \
  --privileged \
  --pid=host \
  -e GARNET_API_TOKEN=$GARNET_API_TOKEN \
  -e GARNET_BLOCKING=true \
  -e GARNET_BLOCKING_MODE=strict \
  ghcr.io/garnetlabs/jibril:latest

Blocking Modes

Strict Mode

Maximum protection
  • Blocks all detected threats immediately
  • Zero tolerance for suspicious activity
  • May cause false positive disruptions
  • Recommended for: High-security environments
GARNET_BLOCKING_MODE=strict

Permissive Mode

Balanced protection
  • Blocks only high-confidence threats
  • Allows some suspicious activity
  • Reduces false positive impact
  • Recommended for: Most production environments
GARNET_BLOCKING_MODE=permissive

Custom Mode

Configurable rules
  • Block specific threat types only
  • Custom severity thresholds
  • Environment-specific policies
  • Recommended for: Complex environments
GARNET_BLOCKING_MODE=custom
GARNET_BLOCK_SEVERITY=high,critical

What Gets Blocked

Process Blocking

Malicious processes killed
  • Crypto miners
  • Malware execution
  • Privilege escalation attempts
  • Unauthorized system access

Network Blocking

Connections terminated
  • C2 communications
  • Data exfiltration
  • Malicious downloads
  • Unauthorized outbound traffic

File Blocking

File operations prevented
  • Malicious file execution
  • Ransomware encryption
  • Unauthorized file access
  • System file modifications

Container Blocking

Container actions stopped
  • Container breakout attempts
  • Privilege escalation
  • Unauthorized mounts
  • Resource abuse

Blocking Actions

Process Termination

When malicious processes are detected:
  1. Immediate termination - Process killed via SIGKILL
  2. Parent process tracking - Related processes identified
  3. Resource cleanup - Memory and file handles released
  4. Event logging - Full forensic details recorded
{
  "action": "process_killed",
  "process": {
    "pid": 12345,
    "command": "xmrig --donate-level=0",
    "user": "app",
    "signal": "SIGKILL"
  },
  "timestamp": "2024-01-15T10:30:00Z"
}

Network Connection Blocking

For malicious network activity:
  1. Connection termination - Active connections dropped
  2. IP/domain blocking - Future connections prevented
  3. Firewall rules - Dynamic rules created
  4. DNS blocking - Domain resolution blocked
{
  "action": "connection_blocked",
  "network": {
    "destination": "malicious.example.com",
    "ip": "192.168.1.100",
    "port": 8080,
    "protocol": "TCP"
  },
  "block_duration": "24h"
}

File System Protection

For file-based threats:
  1. File quarantine - Malicious files isolated
  2. Access prevention - File permissions revoked
  3. Hash blacklisting - Similar files blocked
  4. Backup restoration - Clean versions restored
{
  "action": "file_quarantined",
  "file": {
    "path": "/tmp/malware.exe",
    "sha256": "abc123...",
    "quarantine_location": "/opt/garnet/quarantine/"
  }
}

Blocking Policies

Default Policies

Out-of-the-box protection:
  • Crypto miners - Always blocked
  • Known malware - Always blocked
  • C2 communications - Always blocked
  • Container breakouts - Always blocked

Custom Policies

Create environment-specific rules: 
# Block by threat severity
policies:
  - name: "critical-threats"
    action: "block"
    severity: ["critical"]
    
  - name: "high-threats"
    action: "block"
    severity: ["high"]
    environments: ["production"]

Allowlist Rules

Prevent blocking of legitimate activities: 
allowlist:
  - name: "dev-tools"
    pattern: "npm install|yarn install|pip install"
    environments: ["development", "ci"]
    
  - name: "monitoring"
    pattern: "prometheus|grafana|datadog"
    scope: "global"
    
  - name: "internal-traffic"
    network: "10.0.0.0/8"
    action: "allow"

Monitoring Blocking Activity

Real-Time Dashboard

Monitor blocking effectiveness:
  • Threats Blocked - Number of threats stopped
  • Block Success Rate - Percentage of threats caught
  • Response Time - Time from detection to block
  • False Positive Rate - Legitimate activities blocked

Blocking Analytics

Analyze protection trends:
  • Daily Block Volume - Threats blocked per day
  • Threat Type Distribution - Most common threats
  • Source Analysis - Where threats originate
  • Target Analysis - Most attacked assets

Performance Impact

Monitor blocking overhead:
  • CPU Usage - Additional processing load
  • Memory Usage - Blocking subsystem memory
  • Latency Impact - Application performance
  • Network Overhead - Blocking traffic costs

Handling Blocked Events

Immediate Response

When threats are blocked:
  1. Automatic notification - Instant alerts sent
  2. Incident creation - Tracking ticket opened
  3. Forensic preservation - Evidence collected
  4. Stakeholder notification - Teams informed

Investigation Process

For blocked threats:
  1. Review block details - What was blocked and why
  2. Analyze threat context - How did it get there
  3. Check for related activity - Broader compromise
  4. Verify block effectiveness - Threat actually stopped

False Positive Handling

When legitimate activity is blocked:
  1. Immediate unblock - Restore service quickly
  2. Create allowlist rule - Prevent future blocks
  3. Notify affected users - Explain disruption
  4. Tune detection rules - Reduce false positives

Troubleshooting

Threats detected but not blocked.Troubleshooting:
  1. Verify blocking is enabled:
# Check agent configuration
docker exec jibril printenv | grep BLOCKING
  1. Check agent permissions:
# Ensure privileged mode (Docker)
docker inspect jibril | grep Privileged
# Should show "Privileged": true
  1. Review blocking policies:
# Check if threat type is configured to block
Dashboard Settings Blocking Policies
  1. Verify agent version supports blocking:
docker exec jibril /opt/jibril/bin/jibril --version
# Needs version 2.0+ for full blocking support
Legitimate activities being blocked.Solutions:
  1. Switch to permissive mode:
GARNET_BLOCKING_MODE=permissive
  1. Create allowlist rules:
allowlist:
  - name: "legitimate-tools"
    pattern: "kubectl|docker|npm"
    environments: ["development"]
  1. Adjust severity threshold:
GARNET_BLOCK_SEVERITY=critical
  1. Use environment-specific policies
Blocking causing application slowdowns.Optimization:
  1. Use lightweight blocking:
GARNET_BLOCKING_MODE=lightweight
  1. Reduce blocking scope:
GARNET_BLOCK_NETWORKS_ONLY=true
  1. Increase blocking thresholds:
GARNET_BLOCK_CONFIDENCE_THRESHOLD=0.9
  1. Monitor resource usage and adjust accordingly
Same threat appearing again after blocking.Investigation:
  1. Check if block was effective:
# Review block action logs
Dashboard Events Filter by "blocked"
  1. Verify threat source:
# May be coming from different process/location
# Check process hierarchy and file paths
  1. Strengthen blocking rules:
# Block by hash, network, or pattern
# Not just specific process instance
  1. Consider system-level compromise requiring deeper investigation

Best Practices

Deployment Strategy

  1. Start with monitoring - Observe before blocking
  2. Test in staging - Validate policies work correctly
  3. Gradual rollout - Enable blocking incrementally
  4. Monitor closely - Watch for false positives

Policy Management

  1. Document policies - Clear rationale for each rule
  2. Regular review - Update policies quarterly
  3. Environment alignment - Match policies to risk tolerance
  4. Version control - Track policy changes

Incident Response

  1. Automated escalation - Route critical blocks immediately
  2. Investigation playbooks - Standard response procedures
  3. Communication plans - Stakeholder notification
  4. Post-incident review - Learn from each event

Operational Excellence

  1. Performance monitoring - Track blocking overhead
  2. Accuracy tracking - Measure false positive rates
  3. Threat intelligence - Update detection rules regularly
  4. Team training - Ensure staff understand blocking

Next Steps

View Blocked Events

See what’s being stopped

Manage Agents

Configure blocking settings

API Automation

Automate blocking actions