Automatically blocking connections to an attacking computer

If the Symantec Endpoint Protection client detects a network attack, it can automatically block the connection to ensure that the client computer is safe. The client activates an Active Response, which automatically blocks all communication to and from the attacking computer for a set period of time. The IP address of the attacking computer is blocked for a single location.
The attacker’s IP address is recorded in the Security log. You can unblock an attack by canceling a specific IP address or canceling all Active Response.
If you set the client to mixed control, you can specify whether the setting is available on the client for the user to enable. If it is not available, you must enable it in the Client User Interface Mixed Control Settings dialog box.
Updated IPS signatures, updated denial-of-service signatures, port scans, and MAC spoofing also trigger an Active Response.
To automatically block connections to an attacking computer
  1. In the console, open a Firewall policy.
  2. On the Firewall Policy page in the left pane, click one of the following options:
    • Under Windows Settings: Protection and Stealth
    • Under Mac Settings: Protection
      Mac settings are available only as of version 14.2.
  3. Under Protection Settings, check Automatically block an attacker's IP address.
  4. In the Number of seconds during which to block IP address ... seconds text box, specify the number of seconds to block potential attackers.
    You can enter a value from 1 to 999,999.
  5. Click OK.