EDR: Why Is An Endpoint In Isolation By The EDR Sensor Communicating With An Unknown IP Address?

Article ID: 287256


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Why is an endpoint in isolation by the EDR Sensor communicating with an unknown IP address?

Environment

  • EDR Server: 7.4.0 and Higher
  • EDR Sensor: 7.1.1 - 7.2.0

Resolution

  • Isolation does not prevent DNS queries; all UDP and TCP traffic on port 53 is allowed.
  • EDR also permits all UDP port 67 (DHCP) traffic.

Additional Information

A later sensor version will further limit the allowed traffic, so that the sensor will only permit TCP/UDP to the assigned DNS server.
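
An added triage example (not vendor code) that labels connections seen from an isolated endpoint against the exceptions listed under Resolution, and separates port 53 traffic to an assigned resolver from port 53 traffic to any other address, which these sensor versions still allow. The record layout, labels, function names and sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample connection records for an isolated endpoint (not real data).
# Assumed layout: (protocol, remote IP, remote port).
SAMPLE_FLOWS = [
    ("udp", "10.0.0.53", 53),
    ("udp", "203.0.113.77", 53),
    ("tcp", "203.0.113.77", 53),
    ("udp", "255.255.255.255", 67),
    ("tcp", "198.51.100.20", 443),
    ("tcp", "10.0.0.5", 67),
]


def classify_flow(proto, remote_ip, remote_port, assigned_dns):
    """Label one flow against the isolation exceptions listed in this article."""
    proto = proto.lower()
    ip = ipaddress.ip_address(remote_ip)
    resolvers = {ipaddress.ip_address(a) for a in assigned_dns}
    # All UDP port 67 (DHCP) traffic is permitted during isolation.
    if proto == "udp" and remote_port == 67:
        return "permitted-dhcp"
    # All TCP and UDP port 53 traffic is permitted, whatever the destination.
    if proto in ("tcp", "udp") and remote_port == 53:
        if ip in resolvers:
            return "permitted-dns-assigned"
        # Allowed by these sensor versions; worth reviewing, since the
        # destination is not a resolver assigned to the endpoint.
        return "permitted-dns-unassigned"
    # Not covered by the exceptions in this article; check it against
    # your own isolation policy.
    return "not-explained"


def triage(flows, assigned_dns):
    """Group flows by label so unassigned-resolver and unexplained traffic stand out."""
    buckets = {}
    for proto, ip, port in flows:
        label = classify_flow(proto, ip, port, assigned_dns)
        buckets.setdefault(label, []).append((proto, ip, port))
    return buckets


if __name__ == "__main__":
    # 10.0.0.53 is a constructed stand-in for the endpoint's assigned DNS server.
    for label, flows in triage(SAMPLE_FLOWS, ["10.0.0.53"]).items():
        print(label, flows)
```

Flows labelled `permitted-dns-unassigned` are the ones that show up as an isolated endpoint talking to an unknown IP address on sensor versions 7.1.1 - 7.2.0.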