Endpoint Isolation in Endpoint Protection and Response

Document created by bgoddard (Employee) on Oct 29, 2019. Last modified by bgoddard (Employee) on Nov 13, 2019.
Version 8

Malwarebytes Endpoint Protection and Response includes Endpoint Isolation, a containment action that temporarily stops a threat from spreading from an affected endpoint to others by restricting that endpoint's network communication, process execution, or user access. An isolated endpoint still communicates with the console and still runs Malwarebytes processes, so it remains manageable while isolated. Endpoint Isolation can be applied to any endpoint on which a Threat Scan has completed.


For Endpoint Isolation usage requirements, see Malwarebytes Cloud Platform minimum specifications.


Types of isolation

There are three isolation types. They can be applied individually or combined for stronger containment:

  • Network Isolation: Prevent the endpoint from communicating with other devices on your network.
  • Process Isolation: Restrict which processes can run on the endpoint and prevent processes from interacting.
  • Desktop Isolation: Prevent end users from accessing the endpoint.


With Process Isolation enabled, only Privileged Processes are allowed to launch on the endpoint. Privileged Processes belong to one of these types:

  • Predefined (hardcoded) processes: Currently there are two: CONSENT.exe, which Windows needs to run UAC-elevated processes, and CSRSS.EXE (Client/Server Runtime Subsystem), a critical system process.
  • Processes digitally signed by Malwarebytes: These run unrestricted on isolated endpoints.
  • Processes spawned by other Privileged Processes: A process whose parent is privileged is itself privileged, and a privileged child may in turn create further privileged children. The allowed set is therefore the full process tree rooted at the predefined and Malwarebytes-signed processes, not just those processes themselves.
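The three rules above can be applied to a live process list to see which processes would be allowed to launch under Process Isolation. The PowerShell script below is an added example written for this page; it is not Malwarebytes code and does not reproduce how the Endpoint Agent actually enforces isolation. The test for "Malwarebytes-signed" (a valid Authenticode signature whose subject contains "Malwarebytes") and the depth guard on the parent chain are assumptions made for illustration.

```powershell
# Added illustrative model of the "Privileged Process" rules from this article.
# NOT Malwarebytes code; it does not reflect the Endpoint Agent's real logic.
# Run in an elevated PowerShell session so image paths of system processes resolve.

# Rule 1: predefined (hardcoded) process names named in the article.
$Predefined = @('consent.exe', 'csrss.exe')

# Rule 2: signer match. Matching the Authenticode subject on "Malwarebytes" is an
# assumption for illustration; the product's own signer check may differ.
$SignerPattern = 'Malwarebytes'

function Test-MalwarebytesSigned {
    param([string]$Path)
    if ([string]::IsNullOrEmpty($Path) -or -not (Test-Path -LiteralPath $Path)) { return $false }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match $SignerPattern)
}

# Snapshot the process table once: PID, parent PID, image name, image path.
$procs = Get-CimInstance -ClassName Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath
$byId = @{}
foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

# Memoised verdicts so each process (and each shared ancestor) is evaluated once.
$verdict = @{}

function Get-PrivilegeReason {
    param([int]$ProcessId, [int]$Depth = 0)
    if ($verdict.ContainsKey($ProcessId)) { return $verdict[$ProcessId] }
    $p = $byId[$ProcessId]
    if (-not $p) { return $null }          # parent already exited: no inheritance
    if ($Depth -gt 64) { return $null }    # assumed guard: PID reuse can create a loop

    $reason = $null
    if ($Predefined -contains $p.Name.ToLower()) {
        $reason = 'predefined'
    } elseif (Test-MalwarebytesSigned -Path $p.ExecutablePath) {
        $reason = 'malwarebytes-signed'
    } elseif ([int]$p.ParentProcessId -ne $ProcessId) {
        # Rule 3: privileged parent => privileged child, applied recursively up the tree.
        $parentReason = Get-PrivilegeReason -ProcessId ([int]$p.ParentProcessId) -Depth ($Depth + 1)
        if ($parentReason) { $reason = "child-of-privileged (PID $($p.ParentProcessId))" }
    }
    $verdict[$ProcessId] = $reason
    return $reason
}

$report = foreach ($p in $procs) {
    $r = Get-PrivilegeReason -ProcessId ([int]$p.ProcessId)
    $text = if ($r) { $r } else { 'would be blocked under Process Isolation' }
    [pscustomobject]@{
        PID        = $p.ProcessId
        PPID       = $p.ParentProcessId
        Name       = $p.Name
        Privileged = [bool]$r
        Reason     = $text
    }
}

$report | Sort-Object Privileged -Descending | Format-Table -AutoSize
```

Reading the output: anything marked child-of-privileged shows how far rule 3 widens the allowed set beyond the two hardcoded binaries and the Malwarebytes-signed images, which is the point to keep in mind when judging how much Process Isolation alone restricts an endpoint.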


Isolate endpoints

Before you can isolate an endpoint, Malwarebytes must have run a Threat Scan on it. The scan installs the Endpoint Agent plugins that isolation depends on. Once the scan finishes, the endpoint can be isolated.


Isolation is cumulative. If you select an already-isolated endpoint and apply another isolation type, the existing type stays in effect and the new one is added.


  1. Go to Endpoints.

  2. Select which endpoints you want to isolate.

  3. In the top right of the screen, select Actions > Isolate Endpoint(s).

  4. Confirm the types of isolation you want, and click YES. All isolation types are enabled by default.
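After isolating an endpoint, a practitioner will want to confirm that Network Isolation behaves as the article describes: peers on the network unreachable, the console still reachable. The PowerShell check below is an added example, not part of this article or of the Malwarebytes product. It is meant for a lab test where Network Isolation is applied on its own, since Process Isolation would prevent a non-privileged process such as PowerShell from launching and Desktop Isolation would block the interactive session. The peer hosts, the console host name and the probed ports are placeholders you must replace. Note that the article only guarantees the Endpoint Agent's own connection to the console; PowerShell is not a Malwarebytes process, so the console row is informational and the authoritative check is the endpoint's status in the console itself.

```powershell
# Added example: verify Network Isolation from the isolated endpoint.
# NOT Malwarebytes code. All host names and ports below are assumed placeholders.
param(
    [string[]]$PeerHosts   = @('fileserver01.corp.example', '10.0.0.25'),
    [string]  $ConsoleHost = 'console.example.invalid',   # replace with your console host
    [int]     $TimeoutMs   = 3000
)

function Test-TcpReachable {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    # A raw TcpClient gives a hard timeout; against blackholed peers a plain
    # connect would otherwise hang for the full OS connect timeout.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false          # DNS failure, refused, reset, or filtered
    } finally {
        $client.Dispose()
    }
}

$rows = New-Object System.Collections.Generic.List[object]

# Peers: SMB (445) and RDP (3389) are typical lateral-movement paths. With
# Network Isolation on, every probe should fail; a success is a gap to investigate.
foreach ($h in $PeerHosts) {
    foreach ($port in 445, 3389) {
        $reached = Test-TcpReachable -Target $h -Port $port -TimeoutMs $TimeoutMs
        $text = if ($reached) { 'LEAK: peer reachable' } else { 'blocked (expected)' }
        $rows.Add([pscustomobject]@{ Target = "${h}:$port"; Role = 'peer'; Reached = $reached; Verdict = $text })
    }
}

# Console: informational only. The article guarantees the agent's connection,
# not that arbitrary processes on the endpoint can reach the console.
$consoleReached = Test-TcpReachable -Target $ConsoleHost -Port 443 -TimeoutMs $TimeoutMs
$consoleText = if ($consoleReached) { 'reachable from this process' } else { 'not reachable from this process (confirm agent status in console)' }
$rows.Add([pscustomobject]@{ Target = "${ConsoleHost}:443"; Role = 'console'; Reached = $consoleReached; Verdict = $consoleText })

$rows | Format-Table -AutoSize

$leaks = @($rows | Where-Object { $_.Role -eq 'peer' -and $_.Reached })
if ($leaks.Count -gt 0) {
    Write-Warning "Network Isolation check FAILED: $($leaks.Count) peer port(s) still reachable."
    exit 1
}
Write-Host 'Network Isolation check passed: no peer ports reachable.'
exit 0
```

Run it before isolating to record a baseline in which the peer probes succeed, then again after applying Network Isolation; the difference between the two runs is the evidence that isolation took effect.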


Change isolation type

A single isolation type cannot be removed on its own. To change the isolation applied to an endpoint, you must either:

  • Add additional isolation types
  • Remove all isolation and then apply the isolation types needed


Remove endpoint isolation

You can remove endpoints from isolation on the Endpoints screen. Removing an endpoint from isolation turns off all isolation types.

  1. Go to Endpoints.

  2. Select the endpoints you want to remove from isolation.

  3. In the top right of the screen, select Actions > Remove Isolation.

  4. The endpoint is removed from isolation and reboots automatically. Any unsaved work on the endpoint may be lost, so warn the user before removing isolation.


Customize endpoint isolation alerts (Windows only)

Administrators can customize the message displayed on endpoints when they are isolated. This is optional, and is changed at the policy level.

  1. Go to Settings > Policies > Select a policy > Windows Settings > Endpoint Protection & Response (EPR) Settings > ENDPOINT ISOLATION (EPR).

  2. Enter custom text in the Isolation Title and Isolation Message fields, or click Use Default Message to restore the default.

  3. You may upload a BMP image to be displayed along with the message. Drag an image file onto the upload area or click CHOOSE A FILE to select an image.

  4. Click SAVE to save changes. The new isolation message will be shown for future endpoint isolations. It does not affect currently-isolated endpoints.



Return to the Malwarebytes Cloud Platform Administrator Guide 
