Any user can search Symantec Endpoint Protection endpoints for IOCs. However, only users with Admin rights or Controller rights can cancel an endpoint search. Any partial search results that have already been returned remain available to view until they are deleted from ATP Manager. When you cancel a search, you cancel not only the search of the endpoint's hard drive but also the search of the data recorder.
When you cancel an endpoint search on EDR 2 clients, the status appears in ATP Manager as canceled even though it may take some time before the cancel command is propagated to all of the affected endpoints or times out. When you cancel a search on EDR 1 clients that run Symantec Endpoint Protection 12.1 RU6 MP5, ATP shows the status as CANCEL_REQUEST until the endpoint has responded that the cancel was completed. The status then changes to CANCELLED. For clients earlier than Symantec Endpoint Protection 12.1 RU6 MP5, ATP can only show the command as CANCELLED for the clients that connect to Symantec Endpoint Protection Manager. The cancel search query command is not supported on Symantec Endpoint Protection 12.1 MP3 and earlier.
If ATP cannot cancel the search for some reason, ATP times out the cancellation action 7 days after it is initiated so that the process does not run indefinitely.
To cancel an endpoint search query
In ATP Manager, click Search > Endpoint.
Do either of the following tasks:
To cancel the search from the Search Status list
Hover over the actions menu (three vertical dots) on the row that contains the search that you want to cancel.
Click Cancel Search.
To cancel the search from the Search details page
In the Search Status list, click the Search Description hyperlink to go to the Search details page and view the search results.
On the Action bar, click Cancel.
Select the search that you want canceled, and click Ok.