Network isolation of hosts with the Endpoint Agent component

When responding to threats, users with the Senior security officer role can isolate hosts with detected objects that require your attention during the incident investigation.

Network isolation is not a Threat Response action by itself. The security officer should take steps to investigate the incident on his own while the network isolation is active for the host. You can configure the duration of host network isolation when you create the network isolation rule.

If you are using Kaspersky Endpoint Agent for Windows as the Endpoint Agent component, network isolation is available for hosts with the Kaspersky Endpoint Agent application version 3.8 and later.

To ensure correct operation of an isolated host, it is recommended to meet the following conditions:

• Create a local administrator account on the host or save the domain account data to the cache before enabling the network isolation rule.
• Do not change the certificate and IP address of the server with the Central Node component while the network isolation rule is enabled.

Isolated hosts can access the following resources over the network:

• Server with the Central Node component.
• Source of application database updates (Kaspersky update server or custom source).
• Servers of the KSN service.
• Hosts added to network isolation rule exclusions.

In cases when the Endpoint Agent component is turned off on the host, and also for a certain period of time after turning on th component or restarting the computer with the component, network isolation of the host may be inactive.

Consider some limitations when applying network isolation.

In this section Creating a network isolation rule Adding an exclusion from a network isolation rule Deleting a network isolation rule Limitations that are relevant to network isolation

Page top