Why is Active Response blocking an attacker's IP for Denial of Service type Ping of Death when the Active Response feature has been disabled in the Intrusion Prevention Policy?
Symptoms

One or more machines are unable to communicate with a machine running the Symantec Endpoint Protection (SEP) client.
Reviewing the Symantec Endpoint Protection client "Client Management Logs - Security Log" shows "Denial of Service" and "Active Response" events. The Denial of Service events are described as "Ping of Death" attacks, and the corresponding "Active Response" event shows that a machine is being blocked for a length of time.
Active Response is associated with the setting "Automatically block an attacker's IP address" in the Intrusion Prevention Policy. Active Response has been disabled in the policy assigned to the Symantec Endpoint Protection client.
The client is set to either Mixed Control Mode or Client Control Mode, which allows the client default policy to take effect for the IPS settings; that client default policy has both Denial of Service detection and Active Response enabled by default, so the server-side policy change is not what governs the client's behaviour.
Either change the client back to Server Control Mode, or, while keeping Mixed Control Mode, set the IPS policy settings to be managed by the server so the disabled Active Response setting is applied.
Imported Document ID: TECH123427