Sometimes an administrator may want to disconnect infected clients from the network.
Active Response with HIPS FW using application-based policy tagging might be the best practice in this case, but customers who don't have HIPS FW would want a "lighter" way.
In this example, we will create a simple AR Reaction to disable the network adapter, and also display a simple dialog to the user.
This is optional, but is useful for testing and demonstration purposes. In this note we'll walk through all the steps necessary to create this reaction.
msg * "Don't re-enable Network Adapter!! Your PC might be infected. Administrator closed your network connection. Bring your PC to IT helpdesk."
netsh interface set interface "Local Area Connection" disabled
Once saved, your reaction will be immediately distributed to your endpoints via the DXL.
You can view this test in the Active Response Demo video.
For some additional thoughts on using Reactions within Active Response, see AR Reaction: More ideas.
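
The reaction above only works when the adapter is literally named "Local Area Connection". The following variant is an added example, not part of the original note or of the product: it disables every active physical adapter and records which ones it touched. It assumes the reaction can launch PowerShell elevated on the endpoint with the NetAdapter module available (Windows 8 / Server 2012 or later); the log path is a hypothetical location.

```powershell
# Added example: contain the host by disabling every active physical adapter.
# Assumptions (not from the original note): runs elevated, NetAdapter module
# present, and $LogPath is a hypothetical location chosen for this example.
$LogPath = Join-Path $env:ProgramData 'ar-containment\disabled-adapters.txt'
$Notice  = "Don't re-enable Network Adapter!! Your PC might be infected. " +
           "Administrator closed your network connection. Bring your PC to IT helpdesk."

# Physical adapters that currently have link. This covers Wi-Fi and renamed or
# localized interfaces that a hard-coded "Local Area Connection" would miss.
$active = @(Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' })
if ($active.Count -eq 0) {
    Write-Output 'No active physical adapters found; nothing to disable.'
    exit 0
}

# Record what is about to be disabled so the helpdesk can restore exactly
# these adapters later with Enable-NetAdapter.
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
foreach ($nic in $active) {
    "$(Get-Date -Format o)`t$($nic.Name)`t$($nic.MacAddress)" | Add-Content -Path $LogPath
}

# Notify the user first, in the same order as the original reaction.
& msg.exe * $Notice

# Disable each adapter; count failures so the exit code reflects the result.
$failed = 0
foreach ($nic in $active) {
    try {
        Disable-NetAdapter -Name $nic.Name -Confirm:$false -ErrorAction Stop
        "$(Get-Date -Format o)`tDISABLED`t$($nic.Name)" | Add-Content -Path $LogPath
    }
    catch {
        $failed++
        "$(Get-Date -Format o)`tFAILED`t$($nic.Name)`t$($_.Exception.Message)" |
            Add-Content -Path $LogPath
    }
}
exit $failed
```

Results are written to the local log because the endpoint can no longer report back over the network once its adapters are down.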