An ATP endpoint search is in progress for some time, but results are very slow to appear.

Article ID: 162669

Products

Symantec Products

Issue/Introduction

A search of controlled endpoints in ATP has been active for some time, but results are very slow to appear. 

Cause

This issue can occur when the number of endpoints with uncompleted commands approaches the maximum number of endpoints that SEPM can handle (approximately 80,000). The SEPM limit of 80,000 active endpoints fills up with offline clients: because they are offline, they never clear their commands, and those commands only time out after 7 days.

Resolution

Cancel the active endpoint search. Note that any Administrator or Incident Responder can cancel an endpoint search, regardless of who initiated it.

To cancel the active endpoint search:

1.  In the ATP Manager on the Investigator page, locate and copy the endpoint search task ID.

     The task ID is the part of the page URL after the last forward slash (/). For example, a URL ending in /dc957537-0550-4d14-ba91-0b4967437b3b has the task ID dc957537-0550-4d14-ba91-0b4967437b3b.

2.  Type the following in the URL field:  https://{atp-ip}/atpapp/eocsearch/cancel/{task-id}

   For example: https://10.147.26.180/atpapp/eocsearch/cancel/dc957537-0550-4d14-ba91-0b4967437b3b

  • If the cancellation is successful, the following message appears: Successfully cancelled command {task-id}
  • If you cancel a completed task, the following message appears: Command {task-id} is already completed.
  • If you cancel a nonexistent task, the following message appears: Command {task-id} does not exist.

3. Verify that the status of "Cancelled" appears under the Search History.
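As an added worked example (not part of this article or of the ATP product), the steps above as a small Python helper: it extracts the task ID from the Investigator page URL, checks that it is a well-formed UUID before placing it in the cancel URL, builds https://{atp-ip}/atpapp/eocsearch/cancel/{task-id}, and maps the three response messages listed above to an outcome. The host 10.147.26.180 and the task ID are the article's example values; the Investigator URL path in the demo is constructed, and sending the request is left to the caller, who is assumed to already hold an authenticated ATP Manager browser session.

```python
import re
from urllib.parse import urlsplit

# Task IDs in the article are UUIDs; reject anything else before it goes into a URL.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def task_id_from_url(investigator_url: str) -> str:
    """Return the task ID: the path segment after the last '/' in the Investigator URL."""
    path = urlsplit(investigator_url).path.rstrip("/")
    task_id = path.rsplit("/", 1)[-1]
    if not UUID_RE.match(task_id):
        raise ValueError(f"URL does not end in a task ID: {investigator_url!r}")
    return task_id


def cancel_url(atp_ip: str, task_id: str) -> str:
    """Build the cancel URL exactly as the article gives it."""
    if not UUID_RE.match(task_id):
        raise ValueError("task_id must be a UUID")
    return f"https://{atp_ip}/atpapp/eocsearch/cancel/{task_id}"


# The three messages the article lists, each capturing the task ID echoed back.
_OUTCOMES = (
    (re.compile(r"^Successfully cancelled command ([0-9a-f-]{36})$", re.I), "cancelled"),
    (re.compile(r"^Command ([0-9a-f-]{36}) is already completed\.$", re.I), "already_completed"),
    (re.compile(r"^Command ([0-9a-f-]{36}) does not exist\.$", re.I), "not_found"),
)


def classify_response(message: str, expected_task_id: str) -> str:
    """Map the response text to 'cancelled', 'already_completed', 'not_found' or 'unknown'.

    The task ID echoed in the message must match the one that was sent; a message
    about a different ID (or any unrecognised text) is reported as 'unknown'.
    """
    text = message.strip()
    for pattern, outcome in _OUTCOMES:
        m = pattern.match(text)
        if m and m.group(1).lower() == expected_task_id.lower():
            return outcome
    return "unknown"


if __name__ == "__main__":
    # Constructed Investigator URL; only its final segment (the article's task ID) matters.
    tid = task_id_from_url("https://10.147.26.180/atpapp/investigator/dc957537-0550-4d14-ba91-0b4967437b3b")
    print(cancel_url("10.147.26.180", tid))
    print(classify_response("Successfully cancelled command " + tid, tid))
```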