Perform the following procedure to isolate an endpoint.
Prerequisites
To isolate an endpoint, you must be a Carbon Black EDR Global Administrator, a Carbon Black Hosted EDR Administrator, or a user on a team that has Analyst privileges for the endpoint to isolate.
Procedure
- On the navigation bar, click Sensors.
- Check the box next to each endpoint to isolate.
- From the Actions drop-down menu, click Isolate.
- Optional - Note the reason for this action in the Description text box.
- Click OK to confirm that you want to isolate these endpoints.
The endpoint is isolated from all but the Carbon Black EDR server and the network services that are required to connect the two, in addition to any addresses that are allowed due to network isolation exclusions.
When you designate an endpoint for isolation, its status on the server first moves into an “isolation configured” state waiting for its next check-in. Because of this, several minutes can pass before the endpoint is actually isolated. When it checks in, the server tells the sensor to isolate the endpoint, and when the sensor responds, its state changes to “isolated”.
After they are isolated, endpoints normally remain isolated until the isolation is ended through the Carbon Black EDR console. However, if an isolated system is rebooted, it is not isolated again until it checks in with the Carbon Black EDR server, which could take several minutes.
Having isolated endpoints, you can proceed with remediation steps. For example, you might use Live Response to investigate or modify an endpoint. When you are finished, restore connectivity to the endpoints that you isolated. See Restore Connectivity to an Isolated Endpoint.
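Because an endpoint can sit in the “isolation configured” state for several minutes (and returns to it after a reboot), it is worth confirming that the sensor has actually reported “isolated” before treating the host as contained. The following is an added example, not part of the original procedure or of Carbon Black's own code. It assumes the sensor record exposes the fields `network_isolation_enabled` and `is_isolating` as in the Carbon Black EDR REST API sensor object; the sample records, the `fetch_sensor` callable and the "isolation ending" label are constructed for illustration.

```python
import time

# Field names assumed from the Carbon Black EDR REST API sensor object
# (they are not given on this page). Sample records are constructed.
SAMPLE_SENSORS = [
    {"computer_name": "WS-014", "network_isolation_enabled": True, "is_isolating": True},
    {"computer_name": "WS-022", "network_isolation_enabled": True, "is_isolating": False},
    {"computer_name": "SRV-03", "network_isolation_enabled": False, "is_isolating": False},
]

def isolation_state(sensor):
    """Classify one sensor record into the states described above."""
    configured = bool(sensor.get("network_isolation_enabled"))  # set on the server
    active = bool(sensor.get("is_isolating"))                   # confirmed by the sensor
    if configured and active:
        return "isolated"
    if configured:
        return "isolation configured"  # awaiting check-in, e.g. just requested or rebooted
    if active:
        return "isolation ending"      # assumed: removal also waits for a check-in
    return "not isolated"

def unconfirmed(sensors):
    """Names of endpoints marked for isolation that are not yet contained."""
    return [s["computer_name"] for s in sensors
            if isolation_state(s) == "isolation configured"]

def wait_until_isolated(fetch_sensor, timeout_s=600, poll_s=15,
                        sleep=time.sleep, clock=time.monotonic):
    """Poll fetch_sensor() until the sensor confirms isolation.

    Returns True once isolated, False on timeout; raises if isolation is
    no longer configured, since waiting longer cannot succeed.
    """
    deadline = clock() + timeout_s
    while True:
        state = isolation_state(fetch_sensor())
        if state == "isolated":
            return True
        if state != "isolation configured":
            raise RuntimeError("isolation not configured: " + state)
        if clock() >= deadline:
            return False
        sleep(poll_s)

if __name__ == "__main__":
    for s in SAMPLE_SENSORS:
        print(s["computer_name"], "->", isolation_state(s))
    print("do not treat as contained yet:", unconfirmed(SAMPLE_SENSORS))
```

In practice `fetch_sensor` would wrap whatever authenticated call your tooling uses to read the sensor record from the server.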