What happens when a Device is placed in Quarantine?
Article ID: 285472
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)
Issue/Introduction
What happens when a Device is placed in Quarantine?
Environment
Carbon Black Cloud Console: All Versions
Carbon Black Cloud Windows Sensor: All Supported Versions
Carbon Black Cloud MacOS Sensor: All Supported Versions
Carbon Black Cloud Linux Sensor: Version 2.13 and Later
Resolution
Connections
The network filter driver blocks all incoming/outgoing TCP traffic to any IP/port except those used to maintain a connection to the Carbon Black Cloud Console.
Devices will still be able to check in with the Carbon Black Cloud Console for device status changes, e.g. a switch from Quarantine to Active.
Remote Investigation/Remediation Tools
Quarantine mode allows both CB Support and Carbon Black Cloud Administrators to continue investigating a device from the Carbon Black Cloud Console (Investigate page, Live Response, Live Query, etc.) while reducing the risks involved in allowing a compromised device to access the local network.
CB Support will still be able to pull sensor logs from the device while it is in Quarantine mode.
Additional Information
Windows & Mac: All UDP connections are blocked except those used for DNS requests (UDP/53) and DHCP (UDP/67 & UDP/68).
Linux: All UDP connections are blocked except those used for DNS requests (UDP/53) and DHCP requests (UDP/67 & UDP/68 for IPv4, UDP/546 & UDP/547 for IPv6).
DNS/DHCP is allowed to ensure bilateral communication between the Carbon Black Cloud Console and the quarantined device.
ARP is allowed to ensure MAC addresses can be resolved to IP addresses.
ICMP (ping) is allowed.
Quarantine terminates active sockets that aren't exempt from Quarantine, so any existing connection is effectively re-authorized against the quarantine rules.
Windows Filtering Platform API is used to determine traffic type per connection on Windows
The types of connections, remote investigation, or remediation tools that are allowed and disallowed in quarantine mode cannot be customized
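The rules in the Resolution and Additional Information sections above can be used to validate that a quarantined device is behaving as described. The following is an added example, not Carbon Black code: it models the per-platform allow/block decision and flags any established flow from a (constructed) connection listing that the quarantine filter should have blocked. The console endpoint set, the flow record format and the sample flows are assumptions for illustration.

```python
"""Model of the quarantine network filter rules described in this article."""
from typing import Iterable, Optional, Set, Tuple

DNS_DHCP_V4 = {53, 67, 68}   # UDP ports allowed on all platforms (DNS, DHCPv4)
DHCP_V6 = {546, 547}         # additional UDP ports the article lists for Linux only


def quarantine_verdict(platform: str, proto: str, dst_ip: str, dst_port: Optional[int],
                       console_endpoints: Set[Tuple[str, int]]) -> str:
    """Return 'allow' or 'block' for one flow on a quarantined device."""
    proto = proto.lower()
    if proto in ("arp", "icmp"):            # ARP and ICMP (ping) remain open
        return "allow"
    if proto == "tcp":                       # TCP only to the console endpoints (assumed set)
        return "allow" if (dst_ip, dst_port) in console_endpoints else "block"
    if proto == "udp":                       # UDP only for DNS/DHCP
        allowed = set(DNS_DHCP_V4)
        if platform.lower() == "linux":
            allowed |= DHCP_V6               # IPv6 DHCP is only listed for Linux
        return "allow" if dst_port in allowed else "block"
    return "block"                           # anything else is not exempt


def unexpected_flows(platform: str, flows: Iterable[dict],
                     console_endpoints: Set[Tuple[str, int]]) -> list:
    """Established flows that the filter should have terminated or blocked."""
    return [f for f in flows
            if f.get("state") == "established"
            and quarantine_verdict(platform, f["proto"], f["dst_ip"],
                                   f.get("dst_port"), console_endpoints) == "block"]


# Constructed sample data (assumed console endpoint, not real telemetry).
CONSOLE = {("203.0.113.10", 443)}
SAMPLE_FLOWS = [
    {"proto": "tcp", "dst_ip": "203.0.113.10", "dst_port": 443, "state": "established"},
    {"proto": "udp", "dst_ip": "192.0.2.53", "dst_port": 53, "state": "established"},
    {"proto": "tcp", "dst_ip": "192.0.2.80", "dst_port": 445, "state": "established"},
    {"proto": "udp", "dst_ip": "ff02::1:2", "dst_port": 547, "state": "established"},
]

if __name__ == "__main__":
    for flow in unexpected_flows("windows", SAMPLE_FLOWS, CONSOLE):
        print("should have been blocked:", flow)
```

Running the same flow list as "linux" reports only the SMB flow, because the IPv6 DHCP port is exempt there.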