Environment
- Carbon Black EDR Server (on-prem and hosted): All Supported Versions
- Carbon Black EDR Sensor: All Supported Versions
Question
What is the meaning of "isloation" as it applies to the Carbon Black EDR sensor, and if it is kept in a state of "isolation", what will happen to the endpoint?
Answer
When an endpoint is isolated, its connectivity is limited to the following (unless you have created network isolation exclusions):
- The Carbon Black EDR server can communicate with an isolated computer.
- To allow the sensor to communicate with the Carbon Black EDR server, ARP, DNS, and DHCP services remain operational on the sensor’s host. (For Windows operating systems prior to Vista, ICMP (for example, ping) will remain operational.)
- DNS and DHCP are allowed through on all platforms. This is required for proper communications to the Carbon Black EDR server. Protocols are allowed by UDP/53, UDP/67, and UDP/68.
- ICMP is allowed on the following operating systems:-Windows (operating systems prior to Vista)-OSX -Linux
- UDP is blocked on all platforms.
If kept in an isolated state, the endpoint will only be able to communicate to the items listed above. After it is isolated, endpoints normally remain isolated until the isolation is ended through the Carbon Black EDR console. However, if an isolated system is rebooted, it is not isolated again until it checks in with the Carbon Black EDR server, which could take several minutes. "Endpoint Isolation" is used as a remediation step in response to a potential security incident on an endpoint(s).
Related Content