How to stop a Symantec Endpoint Protection Intrusion Prevention System Active Response from blocking an attacker's IP address after it is triggered

Article ID: 154669

Products

Endpoint Protection

Issue/Introduction

By default, when the Symantec Endpoint Protection (SEP) Intrusion Prevention System (IPS) policy is enabled, Active Response is also enabled. After an event has engaged Active Response and it is blocking an attacker's IP address, you want to disengage or stop that Active Response action.

Resolution

To disable or stop the Active Response before the set time-out, open the Security log on the Symantec Endpoint Protection client and locate the log entry for the Active Response event that you want to stop. Right-click the event and instruct it to stop. This stops the Active Response before the configured time-out.

Applies To

  • Active Response configured as part of Intrusion Prevention System
  • Active Response has engaged on an event and is blocking communication
  • Client User Interface Control Settings are set for Client control

OR

  • Client User Interface Control Settings are set for Mixed control and Intrusion Prevention Policy - Settings allow a Client to 'Automatically block an attacker's IP address'