
Endpoint Standard: What happens when a Device is placed in Quarantine?

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Windows Sensor: All Supported Versions
  • Carbon Black Cloud MacOS Sensor: All Supported Versions
  • Carbon Black Cloud Linux Sensor: Version 2.13 and Later

Question

What happens when a Device is placed in Quarantine?

Answer

Connections

  • The network filter driver blocks all inbound and outbound TCP traffic to any IP address or port except those used to maintain the sensor's connection to the Carbon Black Cloud Console
  • The device can therefore still check in with the Carbon Black Cloud Console and receive device status changes, e.g. a switch from Quarantine back to Active

Remote Investigation/Remediation Tools

  • Quarantine mode lets both CB Support and Carbon Black Cloud Administrators continue investigating the device from the Carbon Black Cloud Console (Investigate page, Live Response, Live Query, etc.) while reducing the risk of allowing a compromised device to reach the local network
  • CB Support can still pull sensor logs from the device while it is in quarantine

Additional Notes

  • Windows & Mac: all UDP connections are blocked except those used for DNS (UDP/53) and DHCP (UDP/67 and UDP/68)
  • Linux: all UDP connections are blocked except those used for DNS (UDP/53) and DHCP (UDP/67 and UDP/68 for IPv4; UDP/546 and UDP/547 for DHCPv6)
  • DNS and DHCP are allowed to preserve two-way communication between the Carbon Black Cloud Console and the quarantined device (the device must still resolve the console's address and keep its IP lease)
  • ARP is allowed so that IP addresses can still be resolved to MAC addresses
  • ICMP (ping) is allowed
  • Quarantine terminates any active sockets that are not exempt, so existing connections are torn down and must be re-established, at which point they are subject to the quarantine filter
  • On Windows, the Windows Filtering Platform (WFP) API is used to determine the traffic type of each connection
  • The set of connections and remote investigation or remediation tools allowed in quarantine mode cannot be customized
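The rules above can be checked from the quarantined device itself. The script below is an added example written for this article, not Carbon Black sensor code or a Carbon Black tool: `expected_verdict` encodes the documented allow/block policy for each sensor platform, the `probe_*` helpers make real TCP and UDP/53 attempts, and `compare` reports where observed behaviour disagrees with the documented policy. The console hostname, the internal target and the resolver address are placeholders and must be replaced with real values before use.

```python
"""Quarantine enforcement check (added example, not Carbon Black code).

Encodes the allow/block rules documented above for a quarantined device and
probes a few targets with real sockets so that observed behaviour can be
compared against the documented policy. Hostnames and IPs are placeholders.
"""
import socket
import sys

# UDP destination ports the documented rules exempt from the block, per platform.
UDP_ALLOWED = {
    "windows": {53, 67, 68},
    "mac": {53, 67, 68},
    "linux": {53, 67, 68, 546, 547},
}


def expected_verdict(platform, proto, dport, to_console=False):
    """Return 'allow' or 'block' for an outbound flow under quarantine.

    platform:   'windows' | 'mac' | 'linux'
    proto:      'tcp' | 'udp' | 'icmp' | 'arp'
    dport:      destination port (ignored for icmp/arp)
    to_console: True if the peer is the Carbon Black Cloud Console endpoint
    """
    platform = platform.lower()
    if platform not in UDP_ALLOWED:
        raise ValueError(f"unknown platform: {platform}")
    proto = proto.lower()
    if proto in ("icmp", "arp"):
        return "allow"                      # documented as always allowed
    if proto == "tcp":
        return "allow" if to_console else "block"
    if proto == "udp":
        return "allow" if dport in UDP_ALLOWED[platform] else "block"
    raise ValueError(f"unknown protocol: {proto}")


def probe_tcp(host, port, timeout=3.0):
    """Attempt a TCP connect; 'allow' on success, 'block' on any socket error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "allow"
    except OSError:
        return "block"


def probe_udp_dns(resolver, name="example.com", timeout=3.0):
    """Send a minimal DNS A query over UDP/53; 'allow' if a matching reply arrives."""
    # Constructed query: ID 0x1234, RD=1, one question, type A, class IN.
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    query = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             + labels + b"\x00" + b"\x00\x01\x00\x01")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (resolver, 53))
            data, _ = s.recvfrom(512)
            return "allow" if data[:2] == b"\x12\x34" else "block"
        except OSError:
            return "block"


def compare(platform, observations):
    """observations: list of (label, proto, dport, to_console, observed).

    Returns [(label, expected, observed)] for every probe whose observed verdict
    disagrees with the documented quarantine policy.
    """
    mismatches = []
    for label, proto, dport, to_console, observed in observations:
        expected = expected_verdict(platform, proto, dport, to_console)
        if observed != expected:
            mismatches.append((label, expected, observed))
    return mismatches


if __name__ == "__main__":
    # Run on the quarantined device. All three targets are placeholders.
    platform = sys.argv[1] if len(sys.argv) > 1 else "windows"
    console_host = "console.example.invalid"   # hypothetical console endpoint
    internal_host = "10.0.0.5"                 # constructed internal target
    resolver = "10.0.0.53"                     # constructed DNS resolver
    observations = [
        ("tcp->console:443", "tcp", 443, True, probe_tcp(console_host, 443)),
        ("tcp->internal:445", "tcp", 445, False, probe_tcp(internal_host, 445)),
        ("udp->resolver:53", "udp", 53, False, probe_udp_dns(resolver)),
    ]
    mismatches = compare(platform, observations)
    for label, expected, observed in mismatches:
        print(f"MISMATCH {label}: expected {expected}, observed {observed}")
    print("policy matches documentation" if not mismatches
          else f"{len(mismatches)} mismatch(es)")
```

A 'block' result against the internal target only demonstrates enforcement if that host is known to accept connections from the device when it is Active, so establish a baseline before quarantining. ICMP is not probed because raw sockets need elevated privileges; a plain `ping` from the device covers that rule.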

Article Information
Creation Date: 09-09-2020