How to stop a Symantec Endpoint Protection Intrusion Prevention System Active Response from blocking an attacker's IP address after it is triggered
Last Updated October 25, 2018
By default, when the Symantec Endpoint Protection (SEP) Intrusion Prevention System (IPS) policy is enabled, Active Response is also enabled. After an event has triggered Active Response and it is blocking an attacker's IP address, you want to disengage or stop that Active Response action.
To stop the Active Response before the set time-out, open the Security log on the Symantec Endpoint Protection client and locate the log entry for the Active Response event that you want to stop. Right-click the event and instruct it to stop. This stops the Active Response before the configured time-out is reached.
Active Response configured as part of Intrusion Prevention System
Active Response has engaged on an event and is blocking communication
Client User Interface Control Settings are set for Client control
Client User Interface Control Settings are set for Mixed control and Intrusion Prevention Policy - Settings allow a Client to 'Automatically block an attacker's IP address'
Imported Document ID: TECH165002