Network isolation of Kaspersky Endpoint Agent hosts
When responding to threats, users with the Senior security officer role can isolate a host on which objects requiring attention were detected, so that it cannot communicate with the rest of the network while the incident is investigated.
Network isolation is not a Threat Response action by itself: it only contains the host. The security officer still has to investigate the incident while the network isolation is active. You configure how long the host stays isolated when you create the network isolation rule.
Network isolation is available for hosts with Kaspersky Endpoint Agent version 3.8 or newer.
To ensure correct operation of an isolated host, it is recommended to meet the following conditions:
- Create a local administrator account on the host, or make sure the domain account credentials are cached on the host, before enabling the network isolation rule. An isolated host cannot reach Active Directory, so a domain logon that requires the domain controller will fail.
- Do not change the certificate or the IP address of the server with the Central Node component while the network isolation rule is enabled; otherwise the rule can no longer be disabled from the server (see the limitations below).
Isolated hosts can access the following resources over the network:
- Server with the Central Node component.
- Source of program database updates (Kaspersky update server or custom source).
- Servers of the KSN service.
- Hosts added to network isolation rule exclusions.
If there is no connection between the isolated host and the server with the Central Node component for more than 5 hours, the network isolation rule is automatically disabled.
While Kaspersky Endpoint Agent is turned off on the host, and for some time after Kaspersky Endpoint Agent is started or the computer is rebooted, network isolation may not be enforced on the host.
Keep in mind several limitations when applying network isolation.
Creating a network isolation rule
To create a network isolation rule:
- Select the Endpoint Agents section in the window of the program web interface.
This opens the table of hosts.
- Select the host for which you want to enable or disable the network isolation rule.
This opens a window containing information about the host.
- Click Isolate.
- In the Disable isolation after field, enter the time in hours (1 to 9999) during which network isolation of the host will be active.
- In the Exclusions for the host isolation rule settings group, in the Traffic direction list, select the direction of network traffic that must not be blocked:
- Incoming/Outgoing.
- Incoming.
- Outgoing.
- In the IP field, enter the IP address whose network traffic must not be blocked.
If Kaspersky Endpoint Agent for Windows connects to Kaspersky Anti Targeted Attack Platform through a proxy server, add the proxy server itself to the exclusions: network resources that the host reaches through that proxy then become reachable as well. Exclusions for resources that are reached through the proxy do not work if the proxy server itself is not excluded, because the host's connections are made to the proxy address, not to the resource.
- If you selected Incoming or Outgoing, in the Ports field, enter the connection ports.
- If you want to add more than one exclusion, click Add and repeat the steps to fill in the Traffic direction, IP and Ports fields.
- Click Save.
The host will be isolated from the network.
You can also create a network isolation rule by clicking the Isolate <host name> link in the event information and in the alert information.
Users with the Security auditor and Security officer roles cannot create network isolation rules.
The network isolation feature is not available for hosts with Kaspersky Endpoint Agent for Linux.
Adding an exclusion from a network isolation rule
To add an exclusion to a previously created network isolation rule:
- Select the Endpoint Agents section in the window of the program web interface.
This opens the table of hosts.
- Select the isolated host for which you want to create an exclusion from the network isolation rule.
This opens a window containing information about the host.
- Click the Add to exclusions link to expand the Exclusions for the host isolation rule settings group.
- Select the direction of network traffic that must not be blocked:
- Incoming/Outgoing.
- Incoming.
- Outgoing.
- In the IP field, enter the IP address whose network traffic must not be blocked.
- If you selected Incoming or Outgoing, in the Ports field, enter the connection ports.
- If you want to add more than one exclusion, click Add and repeat the steps to fill in the Traffic direction, IP and Ports fields. Click Save.
The network isolation rule exclusion will be added.
If Kaspersky Endpoint Agent for Windows connects to Kaspersky Anti Targeted Attack Platform through a proxy server, add the proxy server itself to the exclusions: network resources that the host reaches through that proxy then become reachable as well. Exclusions for resources that are reached through the proxy do not work if the proxy server itself is not excluded, because the host's connections are made to the proxy address, not to the resource.
Users with the Security auditor and Security officer roles cannot create exclusions from a network isolation rule.
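The two procedures above describe the rule settings (isolation duration, exclusions by traffic direction, IP address and ports) and the resources an isolated host can always reach, plus the proxy caveat. The following model, written for this page and not taken from Kaspersky Endpoint Agent or its documentation, encodes those semantics as a small policy evaluator so the behaviour can be checked against concrete connections. The class names, the placeholder addresses for the Central Node, update source and KSN, and the proxy and resource addresses are all assumptions constructed for the example.

```python
"""Illustrative model of a host network isolation rule with exclusions.

Added example for this page; NOT Kaspersky Endpoint Agent code. Names and
addresses are assumptions. It models the documented semantics:
  - the rule expires after the configured 'Disable isolation after' hours,
  - it is auto-disabled after more than 5 hours without Central Node contact,
  - the Central Node, update source and KSN servers are always reachable,
  - exclusions match on direction, peer IP and (for one-directional rows) ports.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import Optional

INCOMING, OUTGOING, BOTH = "Incoming", "Outgoing", "Incoming/Outgoing"

# Constructed placeholder addresses for the Central Node, update source and KSN.
ALWAYS_REACHABLE = {"10.0.0.10", "10.0.0.20", "10.0.0.30"}
CENTRAL_NODE_TIMEOUT = timedelta(hours=5)


@dataclass(frozen=True)
class Exclusion:
    """One row of the 'Exclusions for the host isolation rule' group."""
    direction: str
    ip: str
    ports: frozenset = frozenset()

    def __post_init__(self):
        ip_address(self.ip)                      # reject malformed addresses early
        if self.direction not in (INCOMING, OUTGOING, BOTH):
            raise ValueError(f"unknown direction {self.direction!r}")
        if self.direction == BOTH and self.ports:
            raise ValueError("Incoming/Outgoing exclusions take no port list")
        if self.direction != BOTH and not self.ports:
            raise ValueError(f"{self.direction} exclusions need at least one port")

    def matches(self, direction, peer_ip, peer_port):
        if ip_address(self.ip) != ip_address(peer_ip):
            return False
        if self.direction == BOTH:
            return True                          # any port, either direction
        return self.direction == direction and peer_port in self.ports


@dataclass
class IsolationRule:
    created: datetime
    disable_after_hours: int                     # the 'Disable isolation after' field
    exclusions: list = field(default_factory=list)
    last_central_node_contact: Optional[datetime] = None

    def __post_init__(self):
        if not 1 <= self.disable_after_hours <= 9999:
            raise ValueError("Disable isolation after must be between 1 and 9999 hours")
        if self.last_central_node_contact is None:
            self.last_central_node_contact = self.created

    def is_active(self, now):
        expired = now >= self.created + timedelta(hours=self.disable_after_hours)
        lost_server = now - self.last_central_node_contact > CENTRAL_NODE_TIMEOUT
        return not (expired or lost_server)


def connection_allowed(rule, now, direction, peer_ip, peer_port):
    """Decide one connection. `direction` is seen from the host; `peer_ip` is the
    address the host actually talks to, which for proxied traffic is the proxy."""
    if not rule.is_active(now):
        return True                              # rule disabled: nothing is blocked
    if str(ip_address(peer_ip)) in ALWAYS_REACHABLE:
        return True
    return any(ex.matches(direction, peer_ip, peer_port) for ex in rule.exclusions)


def example_decisions():
    """Decisions for a rule with one port-bound and one bidirectional exclusion."""
    t0 = datetime(2024, 1, 1, 9, 0)
    rule = IsolationRule(t0, 8, [Exclusion(OUTGOING, "198.51.100.5", frozenset({443})),
                                 Exclusion(BOTH, "192.0.2.9")])
    now = t0 + timedelta(hours=1)
    stale = IsolationRule(t0, 8, [], last_central_node_contact=t0)
    return {
        "outgoing 443 to excluded ip": connection_allowed(rule, now, OUTGOING, "198.51.100.5", 443),
        "outgoing 80 to excluded ip": connection_allowed(rule, now, OUTGOING, "198.51.100.5", 80),
        "incoming 443 from excluded ip": connection_allowed(rule, now, INCOMING, "198.51.100.5", 443),
        "incoming from bidirectional exclusion": connection_allowed(rule, now, INCOMING, "192.0.2.9", 5555),
        "central node": connection_allowed(rule, now, OUTGOING, "10.0.0.10", 443),
        "unrelated host": connection_allowed(rule, now, OUTGOING, "198.51.100.77", 53),
        "after expiry": connection_allowed(rule, t0 + timedelta(hours=9), OUTGOING, "198.51.100.77", 53),
        "6h without central node": connection_allowed(stale, t0 + timedelta(hours=6), OUTGOING, "198.51.100.77", 53),
    }


def proxy_scenarios():
    """The proxy caveat: the host's connection is to the proxy, so excluding only
    the resource behind it never matches. Addresses are constructed."""
    proxy, resource = "10.0.0.50", "203.0.113.7"
    created = datetime(2024, 1, 1, 10, 0)
    now = created + timedelta(hours=1)
    only_resource = IsolationRule(created, 8, [Exclusion(OUTGOING, resource, frozenset({443}))])
    proxy_excluded = IsolationRule(created, 8, [Exclusion(OUTGOING, proxy, frozenset({3128}))])
    return {
        "resource excluded, proxy not": connection_allowed(only_resource, now, OUTGOING, proxy, 3128),
        "proxy excluded": connection_allowed(proxy_excluded, now, OUTGOING, proxy, 3128),
    }


if __name__ == "__main__":
    for name, allowed in {**example_decisions(), **proxy_scenarios()}.items():
        print(f"{name:40s} -> {'allowed' if allowed else 'blocked'}")
```

The evaluator treats a one-directional exclusion as requiring a port list and a bidirectional one as port-less, matching the fields the web interface offers. Note that once the rule is inactive (expired or more than 5 hours without Central Node contact) every connection is reported as allowed: the host is simply no longer isolated, which is the behaviour the page describes, not a fail-closed state.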
Deleting a network isolation rule
To delete a network isolation rule:
- Select the Endpoint Agents section in the window of the program web interface.
This opens the table of hosts.
- Click the name of the host for which you want to delete a network isolation rule to open the action menu for the host.
- Select the Delete host isolation rule action.
This opens the action confirmation window.
- Click Yes.
The network isolation rule for the host is deleted.
Users with the Security auditor and Security officer roles cannot remove network isolation rules.
Limitations that are relevant to network isolation
Some limitations apply when network isolation is used:
- When a network isolation rule is enabled on a host, all existing connections are dropped and VPN connections become unavailable.
- If the program administrator replaces the certificate of the server with the Central Node component while a network isolation rule is enabled, the rule can no longer be disabled.
- The program blocks connections from isolated hosts to Active Directory servers. If the operating system requires a connection to Active Directory for authentication and no credentials are cached, the user of an isolated host cannot log in to the system.