When integrated with Detection and Response solutions, a device can be isolated from the network as part of a threat response action.
Special considerations involved with network isolation
After enabling network isolation, the application severs all active network connections on the device and blocks all new TCP/IP network connections, except for the connections listed below:
Network isolation can be applied when one of the following conditions is satisfied:
When integrated with Kaspersky Endpoint Detection and Response (KATA) and Kaspersky Managed Detection and Response, network isolation is enabled or disabled, and network isolation exclusions are configured on the side of the Detection and Response solution. For more information, see the Kaspersky Anti Targeted Attack Platform Help or the Kaspersky Managed Detection and Response Help. If necessary, you can manually disable network isolation of a device:
Manually disabling network isolation is possible regardless of whether integration with Detection and Response solutions is enabled, and regardless of whether a policy is applied to the device.
When integrated with Kaspersky Endpoint Detection and Response Optimum, network isolation can be applied in one of the following modes:
You can manage the following automatic network isolation settings:
If a device that is being isolated automatically is subject to a policy, the settings specified in the policy are applied. If a policy is not applied, the settings specified in the device properties are applied.
You can manage the following manual network isolation settings:
When integrated with Kaspersky Endpoint Detection and Response Optimum, you can manually disable network isolation of a device in the device properties in the Web Console and on the command line.
You can check the network isolation status of a device on the command line.
An isolated device is automatically assigned the ISOLATED FROM NETWORK tag. This tag is automatically removed when network isolation is disabled.
For general information on getting a list of isolated devices by tag, see the Kaspersky Endpoint Detection and Response Optimum Help.
Network isolation limitations
When you use network isolation, we strongly recommended that you familiarize yourself with the relevant limitations.
For network isolation to work, Kaspersky Endpoint Security must be running. If Kaspersky Endpoint Security malfunctions (and the application is not running), traffic blocking is not guaranteed when network isolation is enabled by Kaspersky Anti Targeted Attack Platform or Kaspersky Endpoint Detection and Response Optimum.
DHCP and DNS are not automatically added to network isolation exclusions, so if the network address of a resource changes during network isolation, Kaspersky Endpoint Security cannot gain access to it. The same applies to the nodes of the fault-tolerant KATA server. We recommend to not change their addresses so that Kaspersky Endpoint Security does not lose contact with them.
The proxy server is not added automatically to the network isolation exclusions, so you need to add it to the exclusions manually so that Kaspersky Endpoint Security does not lose contact with the KATA server.
Excluding a process from network isolation by name is supported on devices with kernel versions from 4.18 to 6.6 that support eBPF with BTF.
If Kaspersky Endpoint Security is used in standard mode, we recommend doing the following when using network isolation:
If it is impossible to use Kaspersky Security Center as a proxy server, you must configure the proxy server that you want to use and add it to exclusions.
These recommendations do not apply if Kaspersky Endpoint Security is being used in Light Agent mode.