Issue
Are there any possibilities to whitelist specific IPs/protocols when a host is isolated? We would like to be able to run cloud scanning for remediation.
Environment
VMware Carbon Black Standard EDR (Formerly known as Response)
Resolution
By default, all routes except those to the EDR server and DNS/DHCP are cut. The exclusion is not bi-directional: isolation exclusions only work from the endpoint to the whitelisted IP or URL.
Starting with Carbon Black EDR Server version 6.5.0, Windows Sensor version 6.2.4 and higher, and macOS Sensor version 6.2.7 and higher, Network Isolation Exclusions support was added. As a result, you can add one or more IPv4 addresses or domain URLs that isolated endpoints can access (in addition to the EDR server) while in isolation mode. This setting is applied on a per-sensor-group basis.
NOTE: This feature is disabled by default. To enable it, you must edit the Server's cb.conf file. See the VMware Carbon Black EDR Server Configuration Guide for instructions.
Once the Network Isolation Exclusions settings have been enabled on the Server, you will need to configure the isolation exclusions in the Sensor Group settings:
- On the navigation bar, click Sensors.
- Click the gear icon next to the sensor group for which you want to add isolation exclusions.
- Click Isolation Exclusions and then click Add Exclusion.
- Enter a description that identifies the exclusion (50 character maximum), and the IPv4 address or domain URL that specifies the exclusion (253 character maximum).
- NOTE: The isolation exclusion does not work for traffic coming into the isolated host.
Cause
The machine is isolated.