Computer network isolation
Computer network isolation lets you automatically isolate a computer from the network in response to the detection of an indicator of compromise (IOC).
When Network isolation is turned on, the application severs all active connections and blocks all new TCP/IP network connections on the computer except the following connections:
- Connections listed in Network isolation exclusions.
- Connections initiated by Kaspersky Endpoint Security services.
- Connections initiated by the Kaspersky Security Center Administration agent.
Managing Network isolation
You can configure the component settings only in the Web Console.
You can configure Network isolation to be turned on automatically in response to an IOC detection. You can also manually turn Network isolation on and off.
You can turn on Network isolation:
- In alert details.
Alert Details is a tool for viewing the entirety of collected information about a detected threat and managing response actions. Alert details include, for example, the history of files appearing on the computer. For details about managing alert details, refer to the Kaspersky Endpoint Detection and Response Optimum Help.
- Using local application settings.
How to configure Network isolation to be turned on automatically in response to an IOC detection
- In the main window of Web Console, select Devices → Tasks.
The list of tasks opens.
- Click the IOC Scan task of Kaspersky Endpoint Security.
The task properties window opens.
If necessary, create the IOC Scan task.
- Select the Application settings tab.
- Under Action on IOC detection, select the Take response actions after an IOC is found and Isolate computer from the network check boxes.
- Save your changes.
As a result, when an IOC is detected, the application isolates the computer from the network to prevent the threat from spreading.
How to turn on Network isolation of a computer manually
- In the main window of Web Console, select Devices → Managed devices.
- Select the computer for which you want to configure local application settings.
This opens the computer properties.
- Select the Applications tab.
- Click Kaspersky Endpoint Security for Windows.
This opens the local application settings.
- Select the Application settings tab.
- Select Detection and Response → Endpoint Detection and Response.
- Under Network isolation, click Isolate computer from the network.
- Save your changes.
You can configure Network isolation to be turned off automatically after a specified time elapses. By default, the application turns off Network isolation after 5 hours have passed from the time when it was turned on. You can also manually turn off Network isolation. After Network isolation is turned off, the computer can use the network without restrictions.
How to configure the delay for automatically turning off Network isolation of a computer
- In the main window of Web Console, select Devices → Policies & profiles.
- Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
- Select the Application settings tab.
- Select Detection and Response → Endpoint Detection and Response.
- Under Network isolation, click Configure computer unlock settings.
- In the window that opens, select the Automatically unlock isolated computer in N hours check box and enter the delay for automatically turning off Network isolation.
- Save your changes.
How to turn off Network isolation of a computer manually
- In the main window of Web Console, select Devices → Managed devices.
- Select the computer for which you want to configure local application settings.
This opens the computer properties.
- Select the Applications tab.
- Click Kaspersky Endpoint Security for Windows.
This opens the local application settings.
- Select the Application settings tab.
- Select Detection and Response → Endpoint Detection and Response.
- Under Network isolation, click Unblock computer isolated from the network.
- Save your changes.
You can also disable Network isolation locally using the command line.
Network isolation exclusions
You can configure Network isolation exclusions. Network connections that match the rules are not blocked on the computer when Network isolation is turned on.
To configure Network isolation exclusions, you can use a list of standard network profiles. By default, exclusions include network profiles containing rules that ensure uninterrupted operation of devices with the DNS/DHCP server and DNS/DHCP client roles. You can also modify the settings of standard network profiles or define exclusions manually (see instructions below).
Exclusions specified in policy properties are applied only if Network isolation is turned on automatically in response to a detected threat. Exclusions specified in computer properties are applied only if Network isolation is turned on manually in computer properties in the Kaspersky Security Center console.
An active policy does not prevent Network isolation exclusions configured in computer properties from being applied, because these settings have different usage scenarios.
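Because policy exclusions and computer-property exclusions apply in different scenarios, a connection that responders rely on can be allowed under automatic isolation and blocked under manual isolation, or the reverse. The following added example (not Kaspersky code; the rule fields, sample lists and addresses are constructed assumptions, not the product's exclusion schema) checks a set of required connections against both exclusion lists and reports what each scenario would block.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:                      # hypothetical rule shape, assumed for this example
    direction: str               # "in" or "out"
    protocol: str                # "tcp" or "udp"
    port: int
    remote: str = "0.0.0.0/0"    # CIDR of the remote peer

@dataclass(frozen=True)
class Conn:
    direction: str
    protocol: str
    port: int
    remote: str

def matches(rule, conn):
    """True if the connection falls under the exclusion rule."""
    return (rule.direction == conn.direction and rule.protocol == conn.protocol
            and rule.port == conn.port
            and ip_address(conn.remote) in ip_network(rule.remote))

def effective_exclusions(trigger, policy_rules, local_rules):
    """Policy exclusions apply to automatic (IOC-triggered) isolation;
    computer-property exclusions apply to isolation turned on manually there."""
    if trigger == "automatic":
        return policy_rules
    if trigger == "manual":
        return local_rules
    raise ValueError(f"unknown trigger: {trigger}")

def coverage_gaps(required, policy_rules, local_rules):
    """Return {trigger: [required connections that isolation would block]}.
    Kaspersky service and Administration agent traffic is always allowed,
    so it is not modelled here."""
    gaps = {}
    for trigger in ("automatic", "manual"):
        rules = effective_exclusions(trigger, policy_rules, local_rules)
        blocked = [name for name, conn in required.items()
                   if not any(matches(r, conn) for r in rules)]
        if blocked:
            gaps[trigger] = blocked
    return gaps

# Constructed sample data: the policy allows a responder subnet, the local list does not.
POLICY = [Rule("out", "udp", 53), Rule("out", "udp", 67), Rule("in", "tcp", 3389, "10.0.5.0/24")]
LOCAL = [Rule("out", "udp", 53), Rule("out", "udp", 67)]
REQUIRED = {"dns": Conn("out", "udp", 53, "10.0.0.2"), "ir-rdp": Conn("in", "tcp", 3389, "10.0.5.17")}
```

With the sample data, the responder connection is covered only when isolation is triggered by an IOC detection; turning isolation on manually in computer properties would cut it off.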
How to add a Network isolation exclusion
- In the main window of Web Console, select Devices → Policies & profiles.
- Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
- Select the Application settings tab.
- Select Detection and Response → Endpoint Detection and Response.
- Under Network isolation exclusions, click Exclusions.
- In the window that opens, click Add from profile and select standard network profiles for configuring exclusions.
Network isolation exclusions from the profile are added to the list of Network isolation exclusions. You can view the properties of network connections. If necessary, you can modify network connection settings.
- If necessary, add a Network isolation exclusion manually. To do so, in the window with the list of exclusions, click Add and manually edit network connection settings.
- Save your changes.
You can also view the Network isolation exclusion list locally using the command line.