Sometimes an administrator may want to disconnect infected clients from the network.
Active Response combined with HIPS FW using Application-Based policy Tagging might be the best practice in this case, but customers who don't have HIPS FW may want a lighter-weight way.
In this example, we will create a simple AR Reaction that disables the network adapter and also displays a simple dialog to the user.
This is optional, but is useful for testing and demonstration purposes. In this note we'll walk through all the steps necessary to create this reaction.
Creating Disable Network Adapter and Notify User Reaction
- Open the Active Response Catalog and select the Reactions tab. Click New Reaction.

- Next, enter a name and a description for this Reaction.

- For Reaction Content, select "Execute OS command" and enter the following 2 lines:
msg * "Don't re-enable Network Adapter!! Your PC might be infected. Administrator closed your network connection. Bring your PC to IT helpdesk."
netsh interface set interface "Local Area Connection" disabled
- Click the Save button at the top of the screen to save your work.
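The netsh line above only matches an adapter that is literally named "Local Area Connection"; on endpoints where the adapter has another name (for example "Ethernet" or "Wi-Fi") it disables nothing. The following PowerShell script is an added example, not part of the original note or of the product: it disables every connected physical adapter regardless of its name and records what it disabled. It assumes an elevated session on Windows 8 / Server 2012 or later (NetAdapter cmdlets), and the log path is a hypothetical location chosen for this example.

```powershell
# Added example: disable all connected physical adapters, whatever their names.
# Assumptions: elevated session, NetAdapter module available (Windows 8 /
# Server 2012 or later). $LogPath is a hypothetical location for this example.
$LogPath = Join-Path $env:ProgramData 'ar-isolation\disabled-adapters.csv'

# Same user-facing text as the reaction in this note.
$message = "Don't re-enable Network Adapter!! Your PC might be infected. " +
           "Administrator closed your network connection. " +
           "Bring your PC to IT helpdesk."

# Physical adapters (wired and wireless) that currently have link.
$targets = @(Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' })

if ($targets.Count -eq 0) {
    Write-Output 'No connected physical adapter found; nothing to disable.'
    exit 0
}

# Record what is about to be disabled so the helpdesk can restore it later.
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
$targets |
    Select-Object @{ n = 'Time'; e = { (Get-Date).ToString('s') } },
                  Name, InterfaceDescription, MacAddress |
    Export-Csv -Path $LogPath -NoTypeInformation -Append

# Notify the logged-on user before the connection is cut.
& msg.exe * $message

# Disable each adapter; count failures so the exit code reflects the result.
$failed = 0
foreach ($nic in $targets) {
    try {
        Disable-NetAdapter -Name $nic.Name -Confirm:$false -ErrorAction Stop
        Write-Output "Disabled: $($nic.Name)"
    } catch {
        $failed++
        Write-Output "FAILED:   $($nic.Name) - $($_.Exception.Message)"
    }
}
exit $failed
```

Once every adapter is disabled the endpoint can no longer be reached over the network, so re-enabling (for example with `Enable-NetAdapter` against the names in the log) has to be done locally at the machine.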
Testing the Disable Network Adapter and Notify Reaction
Once saved, your reaction will be immediately distributed to your endpoints via the DXL.
You can see this test in the Active Response Demo video (from 3:30):
https://community.mcafee.com/docs/DOC-7704
Going Further
For some additional thoughts on using Reactions within Active Response, see AR Reaction: More ideas