Isolate endpoints to stop threats from spreading between endpoints by restricting their communication or access. An isolated endpoint can still communicate with the console and run OneView processes.
Types of isolation
There are three different isolation types. They may be enabled separately or combined to increase isolation. The three isolation types are:
- Network Isolation: Prevent the endpoint from communicating with other devices on your network.
-
Process Isolation: Restrict which processes can run on the endpoint and prevent processes from interacting.
- Note: Not supported on macOS 10.13 and 10.14.
- Desktop Isolation (Windows only): Prevent end users from accessing the endpoint.
With Process Isolation enabled, only Privileged Processes are allowed to launch on the endpoint. Privileged Processes belong to one of these types:
- Predefined (hardcoded) processes: Currently there are two predefined processes: CONSENT.exe, necessary to execute UAC elevated processes; and CSRSS.EXE which is a critical system process.
- Processes digitally signed by ThreatDown: These are allowed to run unrestricted on isolated endpoints.
- Processes spawned by other Privileged Processes: A process with a privileged parent process is also privileged. Privileged child process may create more privileged child processes.
Isolate endpoints
Before you can isolate an endpoint, the policy settings must be enabled. For more information, see Endpoint Detection and Response policy settings in OneView.
To isolate an endpoint:
- On the left navigation menu, go to Manage > Endpoints, then select an endpoint to isolate.
- Click Actions > Isolate endpoint(s).
- Confirm the types of isolation you want, and click Accept. All isolation types are enabled by default. To change the isolation type applied to an endpoint, you must remove the isolation and then apply the new isolation types.
Automatic isolation
Enable automatic isolation in the policy settings to isolate endpoints immediately when critical severity suspicious activity is detected. This lets you contain severe threats while you investigate. For more information, see Automatic isolation in OneView.
Remove endpoint isolation
You can remove endpoints from isolation on the Endpoints screen. Removing an endpoint from isolation turns off all isolation types.
- Select an isolated endpoint.
- Click Actions > Remove Isolation.
- Click Accept.
- Isolation is removed from the endpoint and a reboot is required, which may result in losing unsaved work.
If the endpoint is still isolated after removing it in the console, contact Support.
Delete isolated endpoints
If an endpoint has been reimaged without first removing isolation, it remains in the console and uses up a license. Remove the endpoint from the console to free up a license.
- Go to Manage > Endpoints.
- Select the isolated endpoint(s) to delete from the console.
- At the top-right click Actions > Delete.
- A delete confirmation window displays.
- Enter the number of endpoints to be deleted, click Delete.
- An isolation confirmation window displays.
- In the lower-right corner, click Continue to Delete Endpoint or click OK to cancel.
- A second confirmation window displays. Click Delete.