Why is Active Response blocking an attacker's IP for Denial of Service type Ping of Death when the Active Response feature has been disabled in the Intrusion Prevention Policy?
Symptoms
One or more machines are unable to communicate with a machine running the Symantec Endpoint Protection (SEP) Client.
Cause
The client is set to either Mixed Control Mode or Client Control Mode, which allows the client's default policy to be put in place for IPS settings. That default policy has DoS and Active Response both checked.
Solution
Either change the client back to Server Control Mode, or set the IPS policy settings in Mixed Control Mode to be managed by the server.