EDR: Why Is An Endpoint In Isolation By The EDR Sensor Communicating With An Unknown IP Address?
Article ID: 287256
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Why is an endpoint in isolation by the EDR Sensor communicating with an unknown IP address?
Environment
- EDR Server: 7.4.0 and Higher
- EDR Sensor: 7.1.1 - 7.2.0
Resolution
- Isolation does not prevent DNS queries; all UDP and TCP traffic on port 53 is allowed.
- EDR also permits all UDP port 67 (DHCP) traffic.
Additional Information
A later sensor version will further limit the allowed traffic, so that the sensor will only permit TCP/UDP to the assigned DNS server.
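The following is an added example, not Broadcom or Carbon Black code. It triages outbound flows recorded for an isolated endpoint against the exemptions listed above and singles out port 53 traffic to resolvers other than the assigned DNS server. The flow record layout, the sample addresses, and the `edr_servers` allowance for sensor-to-server traffic are assumptions made for this illustration.

```python
from collections import Counter
from typing import NamedTuple

class Flow(NamedTuple):
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int

def classify(flow, assigned_dns, edr_servers=frozenset()):
    """Label one outbound flow seen from an isolated endpoint."""
    proto = flow.proto.lower()
    if flow.dst_ip in edr_servers:          # assumption: sensor-to-server traffic
        return "edr-server"
    if proto == "udp" and flow.dst_port == 67:
        return "dhcp-exempt"                # UDP 67 is permitted during isolation
    if proto in ("tcp", "udp") and flow.dst_port == 53:
        # Port 53 is permitted to any destination on the affected sensor versions.
        return "dns-assigned" if flow.dst_ip in assigned_dns else "dns-unassigned"
    return "not-exempt"                     # not covered by the listed exemptions

def triage(flows, assigned_dns, edr_servers=frozenset()):
    """Return (label counts, port-53 flow counts per unassigned resolver)."""
    labels, review = Counter(), Counter()
    for f in flows:
        label = classify(f, assigned_dns, edr_servers)
        labels[label] += 1
        if label == "dns-unassigned":
            review[f.dst_ip] += 1
    return labels, review

# Constructed sample data using documentation address ranges; not real
# telemetry and not a Carbon Black export format.
SAMPLE_FLOWS = [
    Flow("udp", "192.0.2.53", 53),        # assigned resolver
    Flow("udp", "255.255.255.255", 67),   # DHCP broadcast
    Flow("udp", "203.0.113.77", 53),      # port 53 to an unassigned address
    Flow("tcp", "203.0.113.77", 53),
    Flow("tcp", "192.0.2.10", 443),       # EDR server (assumed address)
    Flow("tcp", "198.51.100.9", 443),     # outside every exemption
]
ASSIGNED_DNS = {"192.0.2.53"}
EDR_SERVERS = {"192.0.2.10"}

if __name__ == "__main__":
    labels, review = triage(SAMPLE_FLOWS, ASSIGNED_DNS, EDR_SERVERS)
    print(dict(labels))
    for ip, n in review.most_common():
        print(f"review: {n} port-53 flow(s) to unassigned resolver {ip}")
```

Flows labelled `dns-unassigned` are the ones isolation still permits on the listed sensor versions, so they are the traffic to review when an isolated endpoint appears to reach an unknown IP address.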