Computer network isolation
Network isolation of the computer means that all processes and services of the computer's operating system, except those specifically excluded, are isolated from the network environment.
An isolated computer running Windows 11, Windows Vista, Windows XP, or Windows Server 2003 can still respond to ARP, ICMP, and ICMPv6 requests, and can send RST packets in response to incoming TCP connection requests. This activity is initiated by the operating system and is not controlled by the Network isolation component. Moreover, the Network isolation component does not control transit traffic.
Network isolation can isolate a computer from the network automatically when an indicator of compromise (IOC) is detected (automatic mode). You can also enable Network isolation manually for a limited time while you investigate a detected threat (manual mode).
After enabling Network isolation, the application terminates all active TCP/IP connections on the computer and blocks any new TCP/IP connections except the following:
- Connections specified in Network isolation exclusions
- Connections initiated by Kaspersky Industrial CyberSecurity for Nodes services
- Connections initiated by the Kaspersky Security Center Network Agent
You can configure component settings only in the Kaspersky Security Center Web Console.
Automatic Network isolation mode
You can configure Network isolation to be enabled automatically as part of IOC detection response. Automatic Network isolation mode is configured using a group policy.
How to configure automatic Network isolation when an IOC is detected
- In the main window of the Web Console, select Assets (Devices) → Tasks.
The list of tasks opens.
- Click the Kaspersky Industrial CyberSecurity for Nodes IOC Scan task.
The task properties window opens.
If necessary, create an IOC Scan task.
- Select the Application settings tab.
- Under Action on IOC detection, select the Take response actions after an IOC is found and Isolate computer from the network check boxes.
- Save your changes.
As a result, when an IOC is detected, the application isolates the computer from the network to prevent the threat from spreading.
You can configure automatic Network isolation to be disabled after a certain period of time. By default, the application disables Network isolation 8 hours after it was enabled. You can also disable Network isolation manually (see the instructions below). After Network isolation is disabled, the computer can use the network without restrictions.
How to configure the period after which automatic Network isolation is disabled
- In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
- Click the name of the Kaspersky Industrial CyberSecurity for Nodes policy.
The policy properties window opens.
- Select the Application settings tab.
- Go to Telemetry collection servers → Endpoint Detection and Response (Industrial CyberSecurity) and click Configure.
- In the Network isolation block, click Configure computer unlock settings.
- In the window that opens, select the Automatically unlock isolated computer in check box and enter the delay after which Network isolation is turned off automatically.
- Save your changes.
Manual Network isolation mode
You can enable or disable Network isolation manually. You can configure the manual Network isolation mode using the computer properties in the Kaspersky Security Center Administration Console.
You can enable Network isolation in the following ways:
- In alert details (only for EDR Optimum).
Alert details is a tool for viewing all of the information collected about a detected threat. Alert details include, for example, the history of files appearing on the computer. For more information about managing alert details, refer to the Kaspersky Endpoint Detection and Response Optimum Help.
- Using local application settings.
How to enable Network isolation of a computer manually
- In the main window of the Web Console, select Assets (Devices) → Managed devices.
- Select the computer for which you want to configure local application settings.
This opens the properties of the computer.
- Select the Application tab.
- Click Kaspersky Industrial CyberSecurity for Nodes.
This opens the local application settings.
- Select the Application settings tab.
- Go to Telemetry collection servers → Endpoint Detection and Response (Industrial CyberSecurity) and click Configure.
- Under Network isolation, click the Isolate computer from the network button.
- Click OK.
You can configure Network isolation that was enabled manually to be disabled automatically after a certain period of time. By default, the application disables Network isolation 8 hours after it was enabled. After Network isolation is disabled, the computer can use the network without restrictions.
How to configure the period after which manual Network isolation is disabled
- In the main window of the Web Console, select Assets (Devices) → Managed devices.
- Select the computer for which you want to configure local application settings.
This opens the properties of the computer.
- Select the Tasks tab.
The list of tasks available on the computer is displayed.
- Select the Network isolation task.
- Select the Application settings tab.
- In the window that opens, specify the delay after which Network isolation is turned off.
- Save your changes.
How to disable Network isolation of a computer manually
- In the main window of the Web Console, select Assets (Devices) → Managed devices.
- Select the computer for which you want to configure local application settings.
This opens the properties of the computer.
- Select the Application tab.
- Click Kaspersky Industrial CyberSecurity for Nodes.
This opens the local application settings.
- Select the Application settings tab.
- Go to Telemetry collection servers → Endpoint Detection and Response (Industrial CyberSecurity) and click Configure.
- Under Network isolation, click the Unblock computer isolated from the network button.
- Save your changes.
You can also disable Network isolation locally on the command line.
The KAVSHELL isolation command disables Network isolation of the computer or displays the current settings of the component. The component settings include the list of network connections that have been added to exclusions.
To run the command, go to the folder where the kavshell.exe executable file is located. You can also add the executable file path to the %PATH% system variable and run the command without navigating to the application folder.
Command syntax:
KAVSHELL isolation [/disable] [/show] [/login=<name of the current user account>] [/PWD=</login password or KLAdmin password if /login is not specified>]
Command return values:
- -1: The command is not supported by the version of the application that is installed on the computer.
- 0: The command completed successfully.
- 1: A mandatory argument was not passed to the command.
- 2: General error.
- 4: Syntax error.
- 9: Wrong operation (for example, an attempt to disable the component when it is already disabled).
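A small PowerShell wrapper, added here as an example and not part of the Kaspersky documentation or product, that runs KAVSHELL isolation /show on the local computer, interprets the return values listed above, and checks that the connections this page says survive isolation (the Network Agent link to the Administration Server and DNS from the standard profile) are still available. The kavshell.exe path, the Administration Server name, the port 13000 and the DNS server address are placeholders and assumptions, not values from this page.

```powershell
# Added example, not part of the Kaspersky documentation or product.
# Assumptions (replace before use): the kavshell.exe path, the Administration Server
# name and port, and the DNS server address are placeholders chosen for illustration.
param(
    [string]$KavShell  = 'C:\placeholder\path\to\kavshell.exe',   # folder that contains kavshell.exe
    [string]$KscServer = 'ksc-server.example.local',              # KSC Administration Server (placeholder)
    [int]   $KscPort   = 13000,                                   # assumed Network Agent port
    [string]$DnsServer = '10.0.0.53'                              # DNS server allowed by the profile (placeholder)
)

function Get-IsolationStatus {
    # Runs "KAVSHELL isolation /show" and maps the documented return values to text.
    # /show lists the component settings, including the exclusions, while the computer is isolated.
    $output = & $KavShell isolation /show 2>&1
    $code = $LASTEXITCODE
    $meaning = switch ($code) {
        -1 { 'Command not supported by the installed application version' }
         0 { 'Completed successfully' }
         1 { 'Mandatory argument not passed' }
         2 { 'General error' }
         4 { 'Syntax error' }
         9 { 'Wrong operation (for example, the component is already disabled)' }
         default { "Undocumented return value $code" }
    }
    [pscustomobject]@{ ReturnCode = $code; Meaning = $meaning; Output = ($output -join "`n") }
}

function Test-IsolationExclusions {
    # Verifies the two connection types the documentation says survive isolation:
    # the Network Agent connection to the Administration Server and DNS (standard profile).
    # Anything else initiated by a normal process is expected to be blocked while isolated.
    $ksc = Test-NetConnection -ComputerName $KscServer -Port $KscPort -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = 'Network Agent -> Administration Server'; Expected = $true; Actual = $ksc.TcpTestSucceeded }
    $dnsOk = $true
    try   { $null = Resolve-DnsName -Name $KscServer -Server $DnsServer -ErrorAction Stop }
    catch { $dnsOk = $false }
    [pscustomobject]@{ Check = 'DNS query via exclusion profile'; Expected = $true; Actual = $dnsOk }
}

$status = Get-IsolationStatus
"kavshell returned $($status.ReturnCode): $($status.Meaning)"
$status.Output
# Only run the connectivity checks when the command itself succeeded (return value 0).
if ($status.ReturnCode -eq 0) { Test-IsolationExclusions | Format-Table -AutoSize }
```

Run it on the isolated computer as an account permitted to use KAVSHELL; a mismatch between Expected and Actual means an exclusion the component relies on is not in effect.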
Network isolation exclusions
You can configure Network isolation exclusions. Network connections that match the configured rules are not blocked on the computer after Network isolation is enabled.
To configure Network isolation exclusions, you can use a list of standard network profiles. By default, the exclusions include network profiles whose rules allow devices with the DNS/DHCP server and DNS/DHCP client roles to keep functioning without interruption. You can also manage the settings of the standard network profiles or specify exclusions manually (see the instructions below).
Exclusions configured in policy settings are applied only if Network isolation has been enabled by the application automatically as part of threat response. Exclusions configured in computer properties are applied only if Network isolation has been enabled manually in computer properties in the Kaspersky Security Center console or in alert details.
The active policy does not prevent Network isolation exclusions configured in computer properties from being applied because these settings are applied in different scenarios.
How to add an exclusion from automatic Network isolation
- In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
- Click the name of the Kaspersky Industrial CyberSecurity for Nodes policy.
The policy properties window opens.
- Select the Application settings tab.
- Go to Telemetry collection servers → Endpoint Detection and Response (Industrial CyberSecurity) and click Configure.
- In the Network isolation exclusions block, click Exclusions.
- In the window that opens, click Add from profile and select the standard network profiles to use as exclusions.
Network connections from the profile are added to the list of Network isolation exclusions. You can view the properties of the network connections. If necessary, you can edit the settings of a network connection.
- If necessary, add a Network isolation exclusion manually. To do so, in the window with the list of exclusions, click Add and manually specify the settings of the network exclusion.
- Save your changes.
How to add an exclusion from manual Network isolation
- In the main window of the Web Console, select Assets (Devices) → Managed devices.
- Select the computer for which you want to configure local application settings.
This opens the properties of the computer.
- Select the Tasks tab.
The list of tasks available on the computer is displayed.
- Select the Network isolation task.
- Select the Application settings tab.
- In the window that opens, select Exclusions.
- In the window that opens, click Add from profile and select the standard network profiles to use as exclusions.
Network connections from the profile are added to the list of Network isolation exclusions. You can view the properties of the network connections. If necessary, you can edit the settings of a network connection.
- If necessary, add a Network isolation exclusion manually. To do so, in the window with the list of exclusions, click Add and manually specify the settings of the network exclusion.
- Save your changes.
You can also view the list of Network isolation exclusions locally on the command line with the KAVSHELL isolation /show command described above. To do this, the computer must be isolated.