If you run Symantec Endpoint Detection and Response in inline block mode, Symantec EDR blocks users from accessing the external computers or files in the Blacklist. If you run Symantec EDR in tap mode or inline monitor mode, users can access items in your Blacklist. Symantec EDR generates an event when users attempt to access items in Blacklist policies regardless of which operation mode you use.
Symantec EDR lets you add external computers to the Blacklist or Whitelist in several places in the EDR appliance console. How you perform the task depends on the page from which you take action. Only users with the Admin role or Controller role can blacklist external computers.
To blacklist or whitelist suspicious domains, URLs, and IP addresses through the EDR cloud console
Do any of the following:
Click and then click on an incident to view the Tasks details page. Do any of the following:
On the Events tab, click on any hyperlink to a domain's entity details page. On the Actions bar, click or .
On the Entities tab, click the actions menu (three vertical dots in the far-right column) and select what you want to add to the Blacklist (i.e., Domain, URL, or IP).
Click Policies. Click the following links to learn more about adding items to the Blacklist or Whitelist on the Policies page.
See Creating a Blacklist policy.
See Creating a Whitelist policy.
To blacklist or whitelist suspicious domains, URLs, and IP addresses through the EDR appliance console
Do any of the following:
In the EDR appliance console, click . Select an incident to view its Incidents details page. Do any of the following:
To take action from the Incident graph, right-click on the domain entity node that you want to take action on. Then select the action from the context menu.
To take action from the Actions bar, click or . A dialog box appears. By default, all of the external computers for which that action can be applied are selected. Unselect the external computers that you do not want to take action on, and click to confirm that you want to proceed with the action.
See Viewing detailed information about an Incident.
Click on any hyperlink to go to a domain's entity details page. On the Actions bar, click or .
See Viewing detailed information about an endpoint.
In the EDR appliance console, click .
In the row for the entity that you want to take action on, hover over the actions menu to the far right of the row. The actions that you can perform appear.
Select the action that you want to perform.
See Finding the entities in your organization that may be compromised.
In the EDR appliance console, click the Policies page. Click the following links to learn more about adding items to the Blacklist or Whitelist on the Policies page.
See Creating a Blacklist policy.
See Creating a Whitelist policy.
See Viewing the status of actions taken on entities in the Actions log.
See How long it takes for Symantec EDR to perform an action on an entity.
See Workflow for analyzing and remediating threats.