Hi Update to the latest rapid release & check.

Here is the link :  http://www.symantec.com/avcenter/rapidrelease.download.html  


IF still the same issue then contact Tech support

Exclusing Netlogon doesn't look a good idea.
As netlogon is shared to everybody if thats infected everybody's infected. 

In SAV 10.x you had liberty to do so but not in SEP.Once you put it in centralized exception it is excluded from all scans.

Rather I would suggest you to Edit the IPS policy in SEPM go to Settings and Uncheck "automatically block attackers IP ........"

Run full scan and all make sure this computer is clean and you are not getting any IPS Pop-ups or IPS logs complaining about this server.
Set the IPS policy back to block attackers IP.

Title: 'Symantec Endpoint Protection Manager - Intrusion Prevention - Policies explained'
Document ID: 2008032011043948
> Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2008032011043948?Open&seg=ent

 Well you can Exclude a host in IPS. In that way AV will work on that PC but IPS won't once PC is cleaned you can remove that server from Excluded host.

 Is the attacking computer on your network ?
If yes then patch it and clean it first.
 
If not then in the excluded host list give the range of IP address you use in your network.
In this case only outsiders IP address will be blocked.

You can chnage the wait time from 600 seconds to whatever you want.

Automatically block an attacker's IP address : Blocks all the communication from a source host for the specified number of seconds when the client detects an attack. For example, if the client detects a denial-of-service attack, the client blocks all traffic from the originating IP address. This feature is also called active response.

and pulled it from the client end on the server, yet the timing out still occurs. I have also downloaded and ran the latest rapid release definitions.

1. Make sure policy is assigned to the group in which you have that server
2. Make sure client has updated the policy -right click-update policy
3.Make sure the clients are in Server Control and not in Client Control.

...enabled I want to disable it, but then the client freaks out, and is red and says this has problems, and tells me to fix it, with a giant fix button. How can I make it so I can disable the NTP on this box and not have that warning?

The option was easier in Pre MR3 versions just uncheck Teefer2 but now you can do itwith policies.

In the firewall policy ADD a  blank rule and move it to the top ( allow all)
thus firewall is OFF
In the Intrution prevention policy as shown the above policy settings uncheck
all of them
Enable IPS, Enable Port Scan, Enable DOS..

and the Server IP died down at the same time...I wonder if that is anything to do with SEP now.

I am new to SEP - but my problem looks similiar to the one mentioned above.

I have Intrusion Prevention policy set to block attackers' IP after 600 Secs and I am bound to follow that policy. I have couple of backup servers which tries to initiate connection with the client and this can stretch upto 30 mins - therefore identifying the backup server as attacker's IP - it blocks the client and hence terminates the connection with the backup server. Please suggest a solution to overcome this problem.

I can think of couple of options:
1. Exclude host.
2. Add the port details (Client/Server port used for communication) in the "Network Services" section.