Enabling or disabling device network isolation
You can enable network isolation for a device in the following ways:
- Using the IOC Scan task.
When you create and configure an IOC Scan task, select the Apply response actions when an IOC is detected and Isolate device from the network check boxes in the Actions on IOC detection section. Network isolation is then enabled automatically when the application detects indicators of compromise (IOCs).
- In the alert details window.
- In the device properties in the Web Console.
Enabling network isolation is available only if integration with Kaspersky Endpoint Detection and Response Optimum is enabled and the EDR Optimum component has the In progress status.
You can disable network isolation for a device in the following ways:
- Manually in the device properties in the Web Console.
- Manually on the command line.
- In the alert details window.
- By configuring automatic disabling in the device properties or in the policy properties.
You can disable network isolation in the device properties and on the command line regardless of whether integration with Kaspersky Endpoint Detection and Response Optimum is enabled, whether the EDR Optimum component is enabled, and whether a policy is applied to the device.
You can configure exclusions for network connections that do not need to be isolated when network isolation is enabled.
You can check the network isolation status on the command line.
After enabling network isolation, the application severs all active network connections on the device and blocks all new TCP/IP network connections, except for the connections listed below:
- Connections specified in exclusions from network isolation.
- Connections initiated by Kaspersky Endpoint Security services.
- Connections initiated by the Kaspersky Security Center Network Agent.
- Connections to the SVM and the Integration Server if the application is being used in Light Agent mode.
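One way to confirm on an isolated device that only the permitted connections remain is to compare established TCP connections against the exception list above. This is an added example, not part of the product or its documentation. The process names, the exclusion rule format and the sample `ss -tnp` output are constructed assumptions to replace with your own values.

```python
import ipaddress
import re

# Constructed sample of `ss -tnp` output captured on an isolated device.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:51234 10.0.0.10:13000 users:(("example-agent",pid=812,fd=14))
ESTAB 0 0 10.0.0.5:40022 192.0.2.7:443 users:(("curl",pid=4410,fd=5))
ESTAB 0 0 10.0.0.5:22 10.0.0.99:50500 users:(("sshd",pid=901,fd=4))
ESTAB 0 0 10.0.0.5:38000 198.51.100.20:8443 users:(("example-edr",pid=700,fd=9))
"""

# Assumptions: placeholder names for the endpoint security services and the
# Network Agent, and a hypothetical exclusion format (remote network, port or None = any).
ALLOWED_PROCESSES = {"example-agent", "example-edr"}
EXCLUSIONS = [(ipaddress.ip_network("10.0.0.99/32"), None)]

PROC_RE = re.compile(r'\(\("([^"]+)"')

def parse_connections(ss_output):
    """Return established TCP connections as dicts (remote, port, process)."""
    conns = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # skips the header and non-established sockets
        host, _, port = fields[4].rpartition(":")
        m = PROC_RE.search(fields[5] if len(fields) > 5 else "")
        conns.append({
            "remote": ipaddress.ip_address(host.strip("[]")),
            "port": int(port),
            "process": m.group(1) if m else None,  # None when ss ran without privileges
        })
    return conns

def is_permitted(conn):
    """True if the connection matches an allowed process or an exclusion."""
    if conn["process"] in ALLOWED_PROCESSES:
        return True
    return any(conn["remote"] in net and port in (None, conn["port"]) for net, port in EXCLUSIONS)

def unexpected_connections(ss_output):
    """Connections that should not exist while the device is isolated."""
    return [c for c in parse_connections(ss_output) if not is_permitted(c)]

if __name__ == "__main__":
    for c in unexpected_connections(SAMPLE_SS):
        print(f"unexpected: {c['process']} -> {c['remote']}:{c['port']}")
```

Any connection it reports points to a gap worth investigating, such as an exclusion that is broader than intended or isolation that has not taken effect.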
An isolated EDR Optimum device automatically gets the ISOLATED FROM NETWORK tag. This tag is automatically removed when network isolation is disabled.
For general information on getting a list of isolated devices by tag, see the Kaspersky Endpoint Detection and Response Optimum Help.