Device network isolation and remediation (new in 2017.1)
When you suspect an endpoint is running malware, the best practice is to isolate the endpoint from the network to ensure the malware doesn’t spread to other endpoints.
The Endpoint Security for Endpoint Manager isolation capability provides an end-to-end solution for you to respond quickly to security threats and remediate them as soon as possible. Using Endpoint Security for Endpoint Manager, you can:
- Isolate a device directly from the management console by right-clicking it in the network view and clicking Isolation. There is no need to physically “walk” to the endpoint.
- Open a remote-control session to the isolated device to help you estimate the damage.
- Deploy any type of software or script to the endpoint. Specifically, this is useful to deploy a one-time antivirus scanner that requires you to download its latest virus definitions from the internet. Endpoint Security for Endpoint Manager allows you to enable access to the internet for specific software while the rest of the device is isolated.
All the above capabilities can be done from one simple view, ensuring faster time to remediation.
A specific icon is shown in the console for each isolated device. The icon represents the EPS client, acknowledging it was able to isolate the endpoint.
How network isolation works
When you select the Isolation option for a device in the network view, a new window opens allowing you to start a remote-control session immediately and select a software package to deploy (a list of software packages is imported from the software distribution settings).
Once you select the desired options and click OK, the core immediately tries to notify the endpoint using the standard push mechanism. If the endpoint cannot be connected directly from the core, such as when the endpoint is connected over a CSA, the core will use another push technique that leverages the remote-control push capabilities to notify the endpoint.
Once the EPS agent is notified, the EPS agent will block any network traffic in/out of the device on all ports except the Endpoint Security for Endpoint Manager and remote control communication ports. This allows the core to continue managing the endpoint once the device is isolated. EPS also allows DNS traffic, ensuring the Ivanti agent can continue to operate. The EPS agent only allows traffic to/from the core/CSA on the specific opened ports, which can only be used to send/receive traffic from the management console.
If you required a software package to be deployed or a remote-control session to start, the relevant agent components are notified so those processes can begin.
If you want to allow a specific process to connect to the internet while the device is isolated from the network, open the EPS agent UI and look for the process. Right-click and select the relevant option.
IMPORTANT: The remote-control agent must be installed on the endpoint for the core to push the isolation command to endpoints connecting through CSA.
In addition to the above, you can use the other remediation capabilities of the product once the endpoint is isolated. These capabilities include:
- Remote file view and management (delete remote files).
- Processes view and kill a process.
- Full inventory analysis—understanding which applications were installed on the endpoint, when, and when last run.
- Full remote access to Windows logs.
- Shut down or reboot the endpoint.
If the malicious software was removed from the endpoint, you can “release” the endpoint from isolation. Otherwise, use provisioning to re-image the endpoint.