Computer network isolation
Computer network isolation automatically isolates a computer from the network in response to the detection of an indicator of compromise (IOC); this is the automatic mode. You can also turn on Network isolation manually while you are investigating a detected threat; this is the manual mode.
When Network isolation is turned on, the application severs all active connections and blocks all new TCP/IP network connections on the computer except the following connections:
- Connections listed in Network isolation exclusions.
- Connections initiated by Kaspersky Endpoint Security services.
- Connections initiated by the Kaspersky Security Center Network Agent.
You can configure the component settings only in the Web Console.
Automatic Network isolation mode
You can configure Network isolation to be turned on automatically in response to an IOC detection. You can configure the automatic Network isolation mode with a group policy.
How to configure Network isolation to be turned on automatically in response to an IOC detection
- In the main window of the Web Console, select Devices → Tasks.
The list of tasks opens.
- Click the IOC Scan task of Kaspersky Endpoint Security.
The task properties window opens.
If necessary, create the IOC Scan task.
- Select the Application settings tab.
- In the Action on IOC detection block, select the Take response actions after an IOC is found and Isolate computer from the network check boxes.
- Save your changes.
As a result, when an IOC is detected, the application isolates the computer from the network to prevent the threat from spreading.
You can configure Network isolation to be turned off automatically after a specified time elapses. By default, the application turns off Network isolation 8 hours after it was turned on. You can also turn off Network isolation manually (see the instructions below). After Network isolation is turned off, the computer can use the network without restrictions.
How to configure the delay for turning off Network isolation of a computer in automatic mode
- In the main window of the Web Console, select Devices → Policies & profiles.
- Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
- Select the Application settings tab.
- Go to Detection and Response → Endpoint Detection and Response.
- In the Network isolation block, click Configure computer unlock settings.
- In the window that opens, select the Automatically unlock isolated computer in N hours check box and enter the delay for automatically turning off Network isolation.
- Save your changes.
Manual Network isolation mode
You can manually turn Network isolation on and off. You can configure the manual Network isolation mode using the computer properties in the Kaspersky Security Center console.
You can turn on Network isolation:
How to turn on Network isolation of a computer manually
- In the main window of the Web Console, select Devices → Managed devices.
- Select the computer for which you want to configure local application settings.
This opens the computer properties.
- Select the Applications tab.
- Click Kaspersky Endpoint Security for Windows.
This opens the local application settings.
- Select the Application settings tab.
- Go to Detection and Response → Endpoint Detection and Response.
- In the Network isolation block, click Isolate computer from the network.
You can configure Network isolation to be turned off automatically after a specified time elapses. By default, the application turns off Network isolation 8 hours after it was turned on. After Network isolation is turned off, the computer can use the network without restrictions.
How to configure the delay for turning off Network isolation of a computer in manual mode
- In the main window of the Web Console, select Devices → Managed devices.
- Select the computer for which you want to configure local application settings.
This opens the computer properties.
- Select the Tasks tab.
This displays the list of tasks available on the computer.
- Select the Network isolation task.
- Select the Application settings tab.
- In the window that opens, select the delay for turning off Network isolation.
- Save your changes.
How to turn off Network isolation of a computer manually
- In the main window of the Web Console, select Devices → Managed devices.
- Select the computer for which you want to configure local application settings.
This opens the computer properties.
- Select the Applications tab.
- Click Kaspersky Endpoint Security for Windows.
This opens the local application settings.
- Select the Application settings tab.
- Go to Detection and Response → Endpoint Detection and Response.
- In the Network isolation block, click Unblock computer isolated from the network.
You can also disable Network isolation locally using the command line.
Network isolation exclusions
You can configure Network isolation exclusions. Network connections that match the rules are not blocked on the computer when Network isolation is turned on.
To configure Network isolation exclusions, you can use a list of standard network profiles. By default, exclusions include network profiles containing rules that ensure uninterrupted operation of devices with the DNS/DHCP server and DNS/DHCP client roles. You can also modify the settings of standard network profiles or define exclusions manually (see instructions below).
Exclusions specified in policy properties are applied only if Network isolation is turned on automatically in response to a detected threat. Exclusions specified in computer properties are applied only if Network isolation is turned on manually in computer properties in the Kaspersky Security Center console or in alert details.
An active policy does not prevent the Network isolation exclusions configured in computer properties from being applied, because these settings have different usage scenarios.
How to add a Network isolation exclusion in automatic mode
- In the main window of the Web Console, select Devices → Policies & profiles.
- Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
- Select the Application settings tab.
- Go to Detection and Response → Endpoint Detection and Response.
- In the Network isolation exclusions block, click Exclusions.
- In the window that opens, click Add from profile and select standard network profiles for configuring exclusions.
Network isolation exclusions from the profile are added to the list of Network isolation exclusions. You can view the properties of network connections. If necessary, you can modify network connection settings.
- If necessary, add a Network isolation exclusion manually. To do so, in the window with the list of exclusions, click Add and manually edit network connection settings.
- Save your changes.
How to add a Network isolation exclusion in manual mode
- In the main window of the Web Console, select Devices → Managed devices.
- Select the computer for which you want to configure local application settings.
This opens the computer properties.
- Select the Tasks tab.
This displays the list of tasks available on the computer.
- Select the Network isolation task.
- Select the Application settings tab.
- In the window that opens, click Exclusions.
- In the window that opens, click Add from profile and select standard network profiles for configuring exclusions.
Network isolation exclusions from the profile are added to the list of Network isolation exclusions. You can view the properties of network connections. If necessary, you can modify network connection settings.
- If necessary, add a Network isolation exclusion manually. To do so, in the window with the list of exclusions, click Add and manually edit network connection settings.
- Save your changes.
You can also view the Network isolation exclusion list locally using the command line. In this case, the computer must be isolated.
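To confirm on an isolated Windows computer that only the permitted connections remain (exclusions, Kaspersky Endpoint Security services, Network Agent), you can audit the established TCP connections. The script below is an added example, not part of the Kaspersky documentation or tooling. The process names `avp` and `klnagent` and the sample exclusion entries are assumptions to replace with the values from your own deployment.

```powershell
# Added example: list established TCP connections that fall outside the
# expected Network isolation exceptions. Only TCP is checked; UDP-based
# exclusions (for example DHCP) are not visible to Get-NetTCPConnection.

# Assumed process names for KES services and the Network Agent; confirm locally.
$AllowedProcesses = @('avp', 'klnagent')

# Constructed sample entries; mirror the exclusions configured in the Web Console.
$Exclusions = @(
    [pscustomobject]@{ RemotePort = 53;  RemoteAddress = '*' }         # DNS over TCP
    [pscustomobject]@{ RemotePort = 443; RemoteAddress = '10.0.0.5' }  # hypothetical admin host
)

function Test-IsolationAllowed {
    param($Connection, [string]$ProcessName)
    if ($AllowedProcesses -contains $ProcessName) { return $true }
    foreach ($rule in $Exclusions) {
        if ($Connection.RemotePort -eq $rule.RemotePort -and
            $Connection.RemoteAddress -like $rule.RemoteAddress) { return $true }
    }
    return $false
}

$unexpected = foreach ($c in Get-NetTCPConnection -State Established) {
    # Loopback traffic never leaves the host, so it is out of scope.
    if ($c.RemoteAddress -in '127.0.0.1', '::1') { continue }
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
    if (-not (Test-IsolationAllowed -Connection $c -ProcessName $name)) {
        [pscustomobject]@{
            Process   = $name
            ProcessId = $c.OwningProcess
            Local     = "$($c.LocalAddress):$($c.LocalPort)"
            Remote    = "$($c.RemoteAddress):$($c.RemotePort)"
        }
    }
}

if ($unexpected) {
    Write-Warning 'Established connections outside the expected exceptions:'
    $unexpected | Format-Table -AutoSize
} else {
    Write-Output 'Only expected connections remain; isolation appears to be in effect.'
}
```

Any row in the output is either a gap in your local copy of the exclusion list or a connection that should have been severed, and is worth recording in the investigation notes before isolation is turned off.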