Issue
We have an additional AV console that we would like our endpoints to continue to communicate with even if the Carbon Black Sensor has been placed in isolation mode. Can this be done?
Environment
VMware Carbon Black EDR
Resolution
The answer is yes. There is a setting called "Network Isolation Exclusion" that is off by default on Carbon Black EDR Servers. Before any isolation exclusions can be entered, this feature needs to be enabled. You must first contact your Server administrator to request that "Network Isolation Exclusion" be enabled.
Once "Network Isolation Exclusion" has been enabled on the server, you must take the following steps to enter the desired network exclusions:
- Open your Carbon Black Response console.
- Click on the "Sensors" tab on the left menu bar.
- Select the appropriate Sensor Group settings by clicking on the gear icon next to the Sensor Group name.
- Expand the "Isolation Exclusions" bar (The grey bar on the right side), then click the "Add Exception" button.
- Enter the URL or IP address (or both) for the network location you want excluded.
- Make sure the "Enable this exclusion" box is selected.
- Click on the "Save Group" button to save the exclusions you entered.
Cause
When the Carbon Black Sensor is placed in "Isolation Mode" the endpoint can only communicate with the Carbon Black EDR Server, unless there are specific "Network Isolation Exclusions" in place.
Comments
0 comments
Please sign in to leave a comment.