Environment
- Carbon Black Cloud Console: All Versions
- Carbon Black Cloud Windows Sensor: All Supported Versions
- Carbon Black Cloud MacOS Sensor: All Supported Versions
- Carbon Black Cloud Linux Sensor: Version 2.13 and Later
Question
What happens when a Device is placed in Quarantine?
Answer
Connections
- The network filter driver blocks all incoming/outgoing TCP traffic to any IP/port except the ones used to maintain the connection to the Carbon Black Cloud Console
- Devices can still check in with the Carbon Black Cloud Console to pick up device status changes, e.g. a switch from Quarantine back to Active
Remote Investigation/Remediation Tools
- Quarantine mode allows both CB Support and Carbon Black Cloud Administrators to continue investigating a device from the Carbon Black Cloud Console (Investigate page, Live Response, Live Query, etc.) while reducing the risk of letting a compromised device reach the local network
- CB Support will still be able to pull sensor logs from the device while it is in quarantine mode
Additional Notes
- Windows & Mac: All UDP connections are blocked except those used for DNS requests (UDP/53) and DHCP (UDP/67 & UDP/68)
- Linux: All UDP connections are blocked except those used for DNS requests (UDP/53) and DHCP requests (UDP/67 & UDP/68 for IPv4, UDP/546 & UDP/547 for IPv6)
- DNS/DHCP is allowed to ensure two-way communication between the Carbon Black Cloud Console and the quarantined device
- ARP is allowed so that IP addresses can still be resolved to MAC addresses on the local segment
- ICMP (ping) is allowed
- Quarantine terminates active sockets that aren't exempt from Quarantine, so any existing connection must be re-established and is re-evaluated against the quarantine rules
- On Windows, the Windows Filtering Platform (WFP) API is used to determine the traffic type of each connection
- The types of connections, remote investigation, or remediation tools that are allowed and disallowed in quarantine mode cannot be customized
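The rules above can be written down as a small policy oracle, which is useful when you want to predict, before quarantining a host, which of its current sessions will survive and which will be torn down. The following is an added example and is not Carbon Black code or part of this article: the Console endpoint (198.51.100.10:443), the platform names and the sample connections are all constructed for illustration, and the article does not publish the real Console addresses, so they are taken as a parameter.

```python
"""Model of the Carbon Black Cloud quarantine network policy described above.

Added example, not Carbon Black code. The Console endpoint, platform names
and sample connections are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# UDP destination/source ports the article lists as exempt, per platform.
UDP_EXEMPT = {
    "windows": {53, 67, 68},
    "mac": {53, 67, 68},
    "linux": {53, 67, 68, 546, 547},  # DHCPv6 ports are exempt on Linux only
}

# Protocols the article says remain allowed on every platform.
ALWAYS_ALLOWED = {"arp", "icmp"}

# Assumed (ip, port) pairs used to reach the Console; placeholder address.
CONSOLE = {("198.51.100.10", 443)}


@dataclass(frozen=True)
class Connection:
    proto: str                   # "tcp", "udp", "icmp" or "arp"
    remote_ip: str               # "" for ARP
    remote_port: int             # 0 where not applicable
    direction: str = "outbound"  # kept for reporting; the TCP rule ignores it


def is_allowed(conn: Connection, platform: str,
               console_endpoints: Set[Tuple[str, int]]) -> bool:
    """Return True if the connection survives quarantine on this platform."""
    platform = platform.lower()
    if platform not in UDP_EXEMPT:
        raise ValueError(f"unknown platform {platform!r}")
    proto = conn.proto.lower()
    if proto in ALWAYS_ALLOWED:
        return True
    if proto == "tcp":
        # TCP is blocked in both directions unless it is the Console link itself.
        return (conn.remote_ip, conn.remote_port) in console_endpoints
    if proto == "udp":
        # Only the DNS/DHCP ports stay open; the peer address does not matter.
        return conn.remote_port in UDP_EXEMPT[platform]
    # Anything the article does not exempt is blocked.
    return False


def sockets_terminated(existing: Iterable[Connection], platform: str,
                       console_endpoints: Set[Tuple[str, int]]) -> List[Connection]:
    """Active sockets that are torn down when quarantine is applied.

    The article states that non-exempt active sockets are terminated, so this
    is every existing connection the policy denies.
    """
    return [c for c in existing if not is_allowed(c, platform, console_endpoints)]


# Constructed snapshot of a host's sessions at the moment it is quarantined.
SAMPLE = [
    Connection("tcp", "198.51.100.10", 443),           # Console link: kept
    Connection("tcp", "192.0.2.25", 445),              # SMB to a file server: cut
    Connection("tcp", "192.0.2.30", 3389, "inbound"),  # inbound RDP: cut
    Connection("udp", "192.0.2.53", 53),               # DNS: kept
    Connection("udp", "ff02::1:2", 547),               # DHCPv6: Linux only
    Connection("udp", "192.0.2.200", 161),             # SNMP: cut
    Connection("icmp", "192.0.2.1", 0),                # ping: kept
    Connection("arp", "", 0),                          # ARP: kept
]

if __name__ == "__main__":
    for platform in ("windows", "linux"):
        cut = sockets_terminated(SAMPLE, platform, CONSOLE)
        print(f"{platform}: {len(cut)} of {len(SAMPLE)} sessions terminated")
        for c in cut:
            print(f"  {c.direction} {c.proto} {c.remote_ip}:{c.remote_port}")
```

Note that the DHCPv6 session is the only one whose fate differs by platform, and that a TCP session to the Console IP on any other port is still cut, because the exemption is per IP/port pair rather than per host.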