Quarantine mode allows both Carbon Black Support and Carbon Black Cloud administrators to continue investigating an asset from the Carbon Black Cloud console (Investigate page, Live Response, Live Query, and so on) while reducing the risks involved in allowing a compromised asset to access the local network.
You can quarantine an asset on the Alerts page or Investigate page.
When an asset is quarantined, all incoming and outgoing TCP traffic is blocked to all IP addresses or ports except for those IP addresses and ports that maintain a connection to the Carbon Black Cloud. Quarantined assets can still check in with the Carbon Black Cloud console for status changes; for example, moving from Quarantine to Active state.
During quarantine, Carbon Black Support can pull sensor logs from the asset.
The following caveats apply when an asset is quarantined:
- For assets that are running Windows or macOS operating systems, all UDP connections are blocked except for those responsible for DNS requests (UDP/53) and DHCP requests (UDP/67 and UDP/68).
- For assets that are running Linux operating systems, all UDP connections are blocked except for those responsible for DNS and DHCP requests. Allowed connections can use:
  - DNS requests: UDP/53
  - DHCP requests: UDP/67 and UDP/68 (for IPv4)
  - DHCP requests: UDP/546 and UDP/547 (for IPv6)
- DNS and DHCP are allowed to ensure the bilateral communication between the Carbon Black Cloud and the quarantined asset.
- ARP is allowed to ensure that MAC addresses can resolve to IP addresses.
- ICMP (ping) is allowed.
- Quarantine terminates active sockets that are not exempt from Quarantine; this action effectively re-authorizes any existing connections.
- Windows Filtering Platform API is used to determine traffic type per connection on Windows.
- The types of connections, remote investigation, or remediation tools that are allowed and disallowed in quarantine mode cannot be customized.
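The following is an added example, not Carbon Black's code, that models the quarantine rules listed above so an administrator can check which connections from a quarantined asset are expected to survive. It assumes the Carbon Black Cloud endpoints are supplied by the caller as an allowlist of (IP, port) pairs (the page does not enumerate them; the address used here is a placeholder), and it matches UDP on the remote port only.

```python
"""Model of the quarantine rules on this page (added example, not Carbon Black's code)."""
from dataclasses import dataclass
from typing import Optional

# UDP ports the page lists as exempt, per platform.
WINDOWS_MAC_UDP_EXEMPT = {53, 67, 68}               # DNS, DHCPv4
LINUX_UDP_EXEMPT = {53, 67, 68, 546, 547}           # DNS, DHCPv4, DHCPv6


@dataclass(frozen=True)
class Connection:
    os: str                        # "windows", "macos" or "linux"
    proto: str                     # "tcp", "udp", "icmp" or "arp"
    remote_ip: str
    remote_port: Optional[int] = None


def is_allowed(conn: Connection, cbc_endpoints: set) -> bool:
    """True if the connection would survive quarantine under the documented rules.

    cbc_endpoints: assumed caller-supplied set of (ip, port) pairs for Carbon Black Cloud.
    """
    proto = conn.proto.lower()
    if proto in ("arp", "icmp"):                      # both explicitly allowed
        return True
    if proto == "tcp":                                # TCP only to Carbon Black Cloud
        return (conn.remote_ip, conn.remote_port) in cbc_endpoints
    if proto == "udp":                                # platform-specific exemptions
        exempt = LINUX_UDP_EXEMPT if conn.os.lower() == "linux" else WINDOWS_MAC_UDP_EXEMPT
        return conn.remote_port in exempt
    return False                                      # anything else is blocked


def audit(conns, cbc_endpoints):
    """Label each connection so expected quarantine behaviour can be reviewed."""
    return [(c, "allowed" if is_allowed(c, cbc_endpoints) else "blocked") for c in conns]


if __name__ == "__main__":
    cbc = {("203.0.113.10", 443)}                     # constructed placeholder endpoint
    sample = [                                        # constructed connections
        Connection("windows", "tcp", "203.0.113.10", 443),  # sensor check-in: allowed
        Connection("windows", "tcp", "192.0.2.25", 445),    # SMB to a peer: blocked
        Connection("windows", "udp", "192.0.2.1", 53),      # DNS: allowed
        Connection("windows", "udp", "fe80::1", 547),       # DHCPv6 on Windows: not listed, blocked
        Connection("linux", "udp", "fe80::1", 547),         # DHCPv6 on Linux: allowed
        Connection("linux", "icmp", "192.0.2.1"),           # ping: allowed
    ]
    for conn, verdict in audit(sample, cbc):
        print(f"{conn.os:8} {conn.proto:5} {conn.remote_ip}:{conn.remote_port} -> {verdict}")
```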