Endpoint Isolation and Connection Restoration

Isolate at-risk endpoints to run an investigation and resolve security issues. Restore the connection promptly when all issues have been resolved.

Endpoint isolation and connection restoration require the OfficeScan agent. The minimum required version is 11 SP1. In addition, the OfficeScan agent's firewall must be enabled.

Initiating Endpoint Isolation

The Isolate option is available from the following screens:

1.1. Endpoint screen

Note:

All the tabs in the Endpoint screen provide the Isolate option.

There are several ways to access this screen. The recommended way is to go to Directories > Users/Endpoints, use the search feature in the screen to find the endpoint to isolate, and then click the endpoint name when the search results display.

If isolation cannot be performed, a message displays below the Isolate option to indicate any of the following issues:

  • The agent on the endpoint runs an unsupported version.

  • The user account used to log on to Control Manager does not have the necessary permissions.

1.2. At Risk Endpoints screen

Note:

To access this screen, go to Administration > Indicators of Compromise, find the At Risk column, and click the number shown there (the count of at-risk endpoints).

Monitoring the Isolation Status

While an endpoint is being isolated, a message displays on top of the Endpoint or At Risk Endpoints screen, informing you that endpoint isolation is in progress.

The message disappears when the isolation is complete. On the endpoint, a notification appears to inform the user of the isolation.

If there is an issue, the message changes. Issues include:

  • The OfficeScan agent firewall was disabled by the OfficeScan server administrator or by a user who has privileges to configure firewall settings. It is also possible that the firewall has become non-functional.

  • There is no connection between the OfficeScan agent on the endpoint and its parent server.

  • Both the OfficeScan server and the agent are installed on the endpoint. Isolating the endpoint would disrupt OfficeScan server functions.

  • An unexpected error occurred.

Refresh the screen to get the latest status.

Monitoring Isolated Endpoints

A list of isolated endpoints is available in the Endpoint tree when you select the default filter named Isolated.

Configuring Allowed Traffic

By default, endpoint isolation blocks all inbound and outbound traffic, except traffic between the OfficeScan agent and its parent server.

You can configure inbound and outbound traffic that you want to allow on isolated endpoints. These settings apply to all isolated endpoints and cannot be configured for individual endpoints.

If other Trend Micro agents are installed on endpoints, be sure to configure allowed traffic so that the agents can continue to communicate with their parent servers.

The following allowed-traffic settings are required for each agent (inbound rules use the source IP address; outbound rules use the destination IP address):

Vulnerability Protection

  • Inbound traffic: Protocol: TCP; Source IP address: IP address of the parent server; Destination port: 4118

  • Outbound traffic: Protocol: TCP; Destination IP address: IP address of the parent server; Destination port: 4120

  • Other requirements: If the Vulnerability Protection server is installed using DNS settings, also add the protocol, IP address, and destination ports of the DNS server.

Endpoint Encryption

  • Inbound traffic: Protocol: TCP; Source IP address: IP address of the parent server; Destination port: 80, 8080

  • Outbound traffic: Protocol: TCP; Destination IP address: IP address of the parent server; Destination port: 80, 8080

  • Other requirements: If the Endpoint Encryption server is installed using DNS settings, also add the protocol, IP address, and destination ports of the DNS server.

Deep Discovery Endpoint Sensor

  • Inbound traffic: Protocol: TCP; Source IP address: IP address of the parent server; Destination port: 8081

  • Outbound traffic: Protocol: TCP; Destination IP address: IP address of the parent server; Destination port: 8002, 8003

  • Other requirements, DNS settings (inbound): Protocol: UDP; Source IP address: IP address of the DNS server; Destination port: 53

  • Other requirements, DNS settings (outbound): Protocol: UDP; Destination IP address: IP address of the DNS server; Destination port: 53

Endpoint Application Control

  • Inbound traffic: Protocol: TCP; Source IP address: IP address of the parent server; Destination port: 80, 443, 8080, 4343

  • Outbound traffic: Protocol: TCP; Destination IP address: IP address of the parent server; Destination port: 8085, 8443

  • Other requirements: If the Endpoint Application Control server is installed using DNS settings, also add the protocol, IP address, and destination ports of the DNS server.

Click Apply to All to deploy the settings to the OfficeScan servers that manage agents on endpoints that are isolated or are in the process of being isolated.
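To make the isolation policy concrete, the following added example (not part of the original documentation or of any Trend Micro product) models the default-deny behaviour described above, encodes the Deep Discovery Endpoint Sensor rules from the table, and checks a configured allow-list for gaps. The server and DNS addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

@dataclass(frozen=True)
class Rule:
    direction: str             # "inbound" or "outbound"
    protocol: str              # "TCP" or "UDP"
    peer_ip: str               # source IP (inbound) or destination IP (outbound)
    dest_ports: FrozenSet[int]

# Addresses are constructed for this example; substitute your own servers.
OSCE_SERVER = "10.0.0.10"   # OfficeScan parent server (always reachable when isolated)
DDES_SERVER = "10.0.0.20"   # Deep Discovery Endpoint Sensor parent server
DNS_SERVER = "10.0.0.53"

def ddes_required(parent: str, dns: str) -> List[Rule]:
    """Allowed-traffic rules the table lists for Deep Discovery Endpoint Sensor."""
    return [
        Rule("inbound", "TCP", parent, frozenset({8081})),
        Rule("outbound", "TCP", parent, frozenset({8002, 8003})),
        Rule("inbound", "UDP", dns, frozenset({53})),
        Rule("outbound", "UDP", dns, frozenset({53})),
    ]

def allowed(rules, direction, protocol, peer_ip, dest_port):
    """Isolation policy: default deny; OfficeScan agent/parent traffic always passes;
    anything else needs a configured rule matching direction, protocol, peer and port."""
    if peer_ip == OSCE_SERVER:
        return True
    return any(r.direction == direction and r.protocol == protocol
               and r.peer_ip == peer_ip and dest_port in r.dest_ports for r in rules)

def missing_rules(configured, required):
    """Required rules whose ports the configured allow-list does not fully cover."""
    conf = list(configured)
    gaps = []
    for req in required:
        covered = set()
        for c in conf:
            if (c.direction, c.protocol, c.peer_ip) == (req.direction, req.protocol, req.peer_ip):
                covered |= c.dest_ports
        if not req.dest_ports <= covered:
            gaps.append(req)
    return gaps

if __name__ == "__main__":
    # Constructed allow-list that forgot the sensor's outbound DNS rule.
    partial = ddes_required(DDES_SERVER, DNS_SERVER)[:3]
    print(missing_rules(partial, ddes_required(DDES_SERVER, DNS_SERVER)))
```

Running the check against a complete allow-list returns an empty gap list, which is the state to reach before isolating endpoints that also run the sensor agent.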

Restoring Endpoint Connection

After you are finished with your investigation and have confirmed that the endpoint is threat-free, restore the endpoint's network connection. A Restore option is available on the Endpoint screen or At Risk Endpoints screen.

After clicking Restore, a message displays on top of the screen, informing you that connection restoration is in progress. The message disappears when the restoration is complete.

If there is an issue, the message changes. Issues include:

  • The OfficeScan agent firewall was disabled by the OfficeScan server administrator or by a user who has privileges to configure firewall settings. It is also possible that the firewall has become non-functional. As a result, the network connection was automatically restored, but the endpoint remains in the Isolated filter in the Control Manager Endpoint tree.

    Enable the firewall on the agent, or verify that it is working properly, and then initiate endpoint isolation from Control Manager (to keep the endpoint isolated) or connection restoration (to remove the endpoint from the Isolated filter in the Endpoint tree).

  • There is no connection between the OfficeScan agent on the endpoint and its parent server.

  • An unexpected error occurred.

Refresh the screen to get the latest status.

Endpoint Isolation and Connection Restoration History

Control Manager keeps a record of all isolation and connection restoration tasks performed on an endpoint. To view these records, go to the Endpoint screen and click the Notes tab.