Active Response Server Settings

Configure the Active Response server.

Table 1: Active Response Server options
Option Definition
Search time-to-live The timeout (in milliseconds) that Active Response waits since the last endpoint replied to a search expression. If another endpoint replies during this wait, the time count is restarted. Else, the search stops.

Default: 15,000 ms

Search time-to-live at 50% Defines a percentage of the value in Search time-to-live that applies as the new timeout wait after 50% of available endpoints have replied.

Default: 33%

Search time-to-live at 90% Defines a percentage of the value in Search time-to-live that applies as the new timeout wait after 90% of available endpoints have replied.

Default: 7%

Compatibility with Active Response 1.0 clients When enabled, Active Response endpoint clients reply to searches, reactions, and triggers executed by an Active Response server.
Authentication Check Regenerate Stores to reset the certificate stores in the Active Response server.
Note: This must be done if McAfee ePO certificates changed after installation of Active Response server.
Table 2: Active Response Workspace options
Option Definition
Process instances

A process threat can be executed multiple times. Specify the maximum number of threat executions to display on the graph in the Trace chart. If more threat executions exist than the maximum setting, the latest threats are listed.

Max events on Trace chart (Chrome and Firefox)

Max events on Trace chart (Internet Explorer)

Specify the maximum number of events to display on the Trace chart for Google Chrome, Mozilla Firefox, and Internet Explorer browsers. If more events exist than the maximum setting, those events with the most high risk behaviors are displayed.