
Endpoint Standard: What happens when a Device is placed in Quarantine?

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Windows Sensor: All Supported Versions
  • Carbon Black Cloud MacOS Sensor: All Supported Versions
  • Carbon Black Cloud Linux Sensor: Version 2.13 and Later

Question

What happens when a Device is placed in Quarantine?

Answer

Connections

  • The network filter driver blocks all incoming and outgoing TCP traffic to any IP address or port, except for the connections used to maintain communication with the Carbon Black Cloud Console
  • Devices can still check in with the Carbon Black Cloud Console for device status changes, e.g. switching from Quarantine back to Active

Remote Investigation/Remediation Tools

  • Quarantine mode allows both CB Support and Carbon Black Cloud Administrators to continue investigating a device from the Carbon Black Cloud Console (Investigate page, Live Response, Live Query, etc.) while reducing the risk of allowing a compromised device to reach the local network
  • CB Support can still pull sensor logs from the device while it is in Quarantine mode

Additional Notes

  • Windows & Mac: All UDP connections are blocked except those used for DNS requests (UDP/53) and DHCP (UDP/67 & UDP/68)
  • Linux: All UDP connections are blocked except those used for DNS requests (UDP/53) and DHCP requests (UDP/67 & UDP/68 for IPv4, UDP/546 & UDP/547 for IPv6)
  • DNS/DHCP is allowed to ensure bidirectional communication between the Carbon Black Cloud Console and the quarantined device
  • ARP is allowed so that IP addresses can still be resolved to MAC addresses
  • ICMP (ping) is allowed
  • Quarantine terminates any active sockets that are not exempt from Quarantine, effectively forcing existing connections to be re-authorized under the quarantine rules
  • Windows Filtering Platform API is used to determine traffic type per connection on Windows
  • The types of connections, remote investigation, or remediation tools that are allowed and disallowed in quarantine mode cannot be customized
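The rules above can be checked from the defender's side by comparing the sockets observed on a quarantined host against the documented allowlist. The following is an added example written for this article, not Carbon Black code: it parses a simplified `proto local remote [state]` socket listing (a constructed format, not real `ss`/`netstat` output), applies the per-platform TCP/UDP exemptions the article describes, and reports any connection that quarantine should have blocked or terminated. The console IP set (`CONSOLE_IPS`) is an assumed placeholder that an administrator would replace with the real console endpoints.

```python
"""Audit observed sockets on a quarantined host against the quarantine
policy described in this article (added example, not Carbon Black code)."""
from dataclasses import dataclass
from typing import List, Optional, Set

# UDP ports the article lists as exempt from quarantine, per platform.
UDP_EXEMPT = {
    "windows": {53, 67, 68},
    "mac": {53, 67, 68},
    "linux": {53, 67, 68, 546, 547},
}

# Placeholder: the console endpoints the sensor must keep reachable.
CONSOLE_IPS = {"203.0.113.10"}

# Constructed sample listing: "proto local remote [state]".
SAMPLE_SOCKETS = [
    "tcp 10.0.0.5:51234 203.0.113.10:443 ESTAB",   # console connection
    "tcp 10.0.0.5:51235 198.51.100.7:445 ESTAB",   # SMB to another host
    "udp 10.0.0.5:51236 10.0.0.1:53",              # DNS
    "udp 10.0.0.5:68 10.0.0.1:67",                 # DHCPv4
    "udp 10.0.0.5:51237 198.51.100.9:123",         # NTP
    "udp [fe80::1]:546 [fe80::2]:547",             # DHCPv6
]


@dataclass(frozen=True)
class Conn:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


def _split_endpoint(text: str):
    """'203.0.113.10:443' -> ('203.0.113.10', 443); '[fe80::1]:546' -> ('fe80::1', 546)."""
    host, _, port = text.rpartition(":")
    return host.strip("[]"), int(port)


def parse_line(line: str) -> Optional[Conn]:
    """Parse one 'proto local remote [state]' line; return None if malformed."""
    parts = line.split()
    if len(parts) < 3:
        return None
    lip, lport = _split_endpoint(parts[1])
    rip, rport = _split_endpoint(parts[2])
    return Conn(parts[0].lower(), lip, lport, rip, rport)


def is_exempt(conn: Conn, platform: str, console_ips: Set[str]) -> bool:
    """True if the article's quarantine rules leave this connection open."""
    if conn.proto == "tcp":
        # Only the endpoints that maintain the console connection stay reachable.
        return conn.remote_ip in console_ips
    if conn.proto == "udp":
        # DNS/DHCP are identified by the exempt ports on either end of the flow.
        ports = UDP_EXEMPT[platform]
        return conn.local_port in ports or conn.remote_port in ports
    return False


def audit(lines: List[str], platform: str, console_ips: Set[str]) -> List[Conn]:
    """Return the connections that quarantine should have blocked or terminated."""
    violations = []
    for line in lines:
        conn = parse_line(line)
        if conn is not None and not is_exempt(conn, platform, console_ips):
            violations.append(conn)
    return violations


if __name__ == "__main__":
    for platform in ("windows", "linux"):
        print(f"[{platform}] unexpected open connections:")
        for c in audit(SAMPLE_SOCKETS, platform, CONSOLE_IPS):
            print(f"  {c.proto} {c.remote_ip}:{c.remote_port}")
```

Note that ARP and ICMP do not appear in a socket listing, so they are outside what this check covers; the DHCPv6 line is flagged on Windows but not on Linux, matching the platform difference in the notes above.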

Creation Date: 09-09-2020