1. Right-click any attack in the Real Time Threat Analyzer, and press 'Edit Attack Settings'. From there, you can select appropriate responses, including 'block'. I recommend reading this KB for some related insight.
2. Unfortunately I don't know enough about your environment to answer this question - however I do know that Google's DNS Servers are at 18.104.22.168 and 22.214.171.124. I would recommend checking out the workstations from which those alerts were generated.
3. That depends. If you're sure you want to Quarantine an IP, all traffic from the quarantined IP will only be allowed access to quarantine network objects depending on the 'Zones' you have set up.
For instance, if I quarantine the IP '192.168.1.55' - a user workstation - and set the 'Zone' to 'Allow Public Networks' for 15 minutes - that computer will not be able to access internal network resources for 15 minutes.
So to answer your question - it depends on the type of violation occurring, and what you intend to accomplish with the quarantine.
4. Quarantine will stop traffic depending on your definitions of the Zones in Policy > Intrusion Prevention > Objects > Quarantine Zones.
5. In that circumstance, I'll tell you what I would do.
I would first define a ruleset under Policy > Intrusion Prevention > Advanced > Rule Sets.
I'd name the ruleset 'Windows Family Web Servers'.
I'd go to rules > insert > configure > switch to 'OS' tab.
Uncheck 'select all OS' and select only the Windows machines that you have in your 'Windows Server Family' group. For my example, I'll select Windows7 and Windows2008 because I run web applications from both Windows 7 and Windows 2008 Servers.
Set Severity to something reasonable (I select 2 here), and set Benign Trigger Probability to something reasonable (I select 4 here).
Navigate to the 'Protocol' tab and uncheck 'Select All Protocols'. Select only the protocols your web servers use (in my case - http, dns, and ftp).
I would save that ruleset.
Now, under Policy > Intrusion Prevention > IPS Policies I would create a new policy, using settings appropriate to my environment. Under 'Rule Set' select the ruleset we just created.
Apply this policy to the interface your DMZ is attached to. Voila!
6. In this case 'Inconclusive' is the correct result. Inconclusive simply means that the IPS could not determine whether or not the attack was initiated successfully. In many cases, it is not possible to be conclusive about how successful attacks are, which would explain what you are seeing.
7. I would suggest the 'Windows Family' policy.
8. Correct. Each Sensor is rated at a certain 'Throughput' threshold - this can be observed via this document. In your case, this means that 2% of your throughput is in use - not nearly enough for worry!
Technical Support Engineer
McAfee. Part of Intel Security.