By default, when the Symantec Endpoint Protection (SEP) Intrusion Prevention System (IPS) policy is enabled, Active Response is also enabled. Once an event is triggered that engages Active Response and is blocking an attacker's IP address, you wish to disengage or stop that Active Response action.
To disable or stop the Active Response before the set time-out, on the Symantec Endpoint Protection client open the Security log and locate the log entry for the Active Response event that you want to stop. Right click on the event and instruct it to stop. This will stop the Active Response prior to the configured time-out.
Applies To
OR