EDR: How To Isolate An Endpoint Running a CB Response Sensor

Article ID: 284724

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • How to isolate an endpoint running a CB Response sensor.

Environment

  • EDR: 5.x - 6.x
  • EDR: All Versions

Resolution

  1. In the navigation bar of the CB Response console, select Sensors.
  2. On the Sensors page, check the box next to each endpoint to isolate.
  3. From the Actions drop-down list, select Isolate.
  4. In the confirmation dialog box, click OK to confirm isolation of these endpoints.

Additional Information

  • The user must be a Global Administrator to put any sensor into isolation.
  • The CB Response server can communicate with an isolated computer.
  • To allow the sensor to communicate with the CB Response server, ARP, DNS, and DHCP services remain operational on the sensor’s host.
  • DNS and DHCP are allowed through on all platforms during isolation. This is required for proper communication with the Cb Response server. These protocols are allowed on UDP/53, UDP/67, and UDP/68.
  • ICMP is allowed on Windows (operating systems prior to Vista) and OSX during isolation.
  • UDP traffic other than the DNS and DHCP ports above is blocked on all platforms during isolation.
  • When an endpoint is designated for isolation, its status on the server first moves into an “isolation configured” state while it waits for the sensor's next check-in. Because of this, there can be a period of several minutes before the endpoint is actually isolated. When the sensor checks in, the server tells it to isolate the endpoint, and once the sensor responds, the state changes to “isolated”.
  • Once isolated, endpoints normally remain isolated until the isolation is ended through the console. However, if an isolated system is rebooted, it is not isolated again until it checks in with the CB Response server, which again could take several minutes.
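The console steps in the Resolution section and the “isolation configured” to “isolated” transition described above, as an added Python example that is not Carbon Black's code: it requests the same change through the CB Response REST API and then polls until the server reports the sensor as isolated, allowing for the check-in delay. The endpoint path, the X-Auth-Token header, and the record fields network_isolation_enabled and is_isolating are assumptions about the API, as are the server URL and token the caller supplies.

```python
import json
import time
import urllib.request
from typing import Callable, Dict, Tuple

# Endpoint path and field names below are assumptions about the CB Response
# REST API; they are not taken from this article, which covers the console only.
SENSOR_PATH = "/api/v1/sensor/{sensor_id}"


def isolation_state(sensor: Dict) -> str:
    """Map the sensor record's two isolation flags onto the console states."""
    requested = bool(sensor.get("network_isolation_enabled"))
    active = bool(sensor.get("is_isolating"))
    if requested and active:
        return "isolated"
    if requested:
        return "isolation configured"   # set on the server, awaiting check-in
    if active:
        return "unisolation pending"    # removal not yet acknowledged by sensor
    return "not isolated"


def sensor_request(server: str, token: str, sensor_id: int, body: Dict = None) -> Dict:
    """GET the sensor record, or PUT a modified copy back when body is given."""
    url = server.rstrip("/") + SENSOR_PATH.format(sensor_id=sensor_id)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=data, method="PUT" if data else "GET",
        headers={"X-Auth-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def wait_for_state(get_sensor: Callable[[], Dict], target: str,
                   interval: int = 30, max_polls: int = 20,
                   sleep: Callable[[float], None] = time.sleep) -> Tuple[str, int]:
    """Poll until the derived state equals target; return (final_state, polls)."""
    state, polls = isolation_state(get_sensor()), 1
    while state != target and polls < max_polls:
        sleep(interval)   # isolation only takes effect at the next check-in
        state, polls = isolation_state(get_sensor()), polls + 1
    return state, polls


def isolate_sensor(server: str, token: str, sensor_id: int) -> Tuple[str, int]:
    """Flip the isolation flag on the record, PUT it back, then wait for 'isolated'."""
    record = sensor_request(server, token, sensor_id)
    record["network_isolation_enabled"] = True
    sensor_request(server, token, sensor_id, record)
    return wait_for_state(lambda: sensor_request(server, token, sensor_id), "isolated")
```

Because a rebooted endpoint is not isolated again until it checks in, the same polling loop can be rerun after a reboot to confirm the sensor has returned to the “isolated” state.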