Automatically blocking connections to an attacking computer
If the Symantec Endpoint Protection client detects a network attack, it can automatically block the connection to ensure that the client computer is safe. The client activates an Active Response, which automatically blocks all communication to and from the attacking computer for a set period of time. The IP address of the attacking computer is blocked for a single location.
The attacker’s IP address is recorded in the Security log. You can unblock an attack by canceling a specific IP address or canceling all Active Response.
If you set the client to mixed control, you can specify whether the setting is available on the client for the user to enable. If it is not available, you must enable it in the Client User Interface Mixed Control Settings dialog box.
Updated IPS signatures, updated denial-of-service signatures, port scans, and MAC spoofing also trigger an Active Response.
- To automatically block connections to an attacking computer
- In the console, open a Firewall policy.
- On the Firewall Policy page in the left pane, click one of the following options:
  - Under Windows Settings: Protection and Stealth
  - Under Mac Settings: Protection. Mac settings are available only as of version 14.2.
- Under Protection Settings, check Automatically block an attacker's IP address.
- In the Number of seconds during which to block IP address ... seconds text box, specify the number of seconds to block potential attackers. You can enter a value from 1 to 999,999.