Blacklisting and whitelisting suspicious domains, URLs, and IP addresses
Last Updated September 25, 2018
If you run Symantec Advanced Threat Protection (ATP) in inline block mode, ATP blocks users from accessing the external computers or files in the Blacklist. If you run ATP in tap mode or inline monitor mode, users can access items in your Blacklist. ATP generates an event when users attempt to access items in Blacklist policies regardless of which operation mode you use.
ATP lets you add external computers to the Blacklist or Whitelist in several places in ATP Manager. How you perform the task depends on the page from which you take action. Only users with the Admin role or Controller role can blacklist external computers. Actions that are not permitted based on your role appear in ATP Manager as inactive.
ATP Manager page
Incident details page
The Incident details page provides information about ATP's evaluation of the incident. It provides information about the events that comprise the incident.
To take action from the Incident graph, right-click on the domain entity node that you want to take action on. Select the action that you want to take.
To take action from the Actions bar, click the action that you want to take. A dialog box appears. By default, all of the external computers for which that action can be applied are selected. Unselect the external computers that you do not want to take action on, and click to confirm that you want to proceed with the action.
Domain details page
The Domain details page provides information about all of the events that ATP detected involving this external computer. It shows the computer's relationship with other entities, and it lets you blacklist or whitelist the external computer from the Actions bar.
Policies page
You can create Blacklist policies from the Policies page. You can also view all of the external computers that you've already whitelisted and blacklisted and remove domains from Whitelists and Blacklists.