Network Quarantine an Endpoint

Network quarantine is the mechanism ZeroLock® uses to isolate infected Linux endpoints from the company network until the malware has been analyzed and remediated.

    At times it becomes necessary to isolate a computer from the company’s network to protect the integrity of the network. A common case is an endpoint that has suffered a malware attack.

    There are two (2) ways ZeroLock places an endpoint into network quarantine: manually or automatically.

    Manually

    1. On the ZeroLock Management Console (ZMC), go to Endpoints and select the endpoint to be quarantined.
      [Image: Select Endpoint to Quarantine v3.1.5]

    2. Next, from the Actions drop-down, select Quarantine Endpoint.
      [Image: Actions Dropdown Quarantine v3.1.5]

    3. On the Quarantine Endpoints screen you have the option to set the amount of time, in seconds, that the endpoint will be quarantined, or you may leave the timeout field blank so that the endpoint stays quarantined until it is manually released. The #2 refers to the ID number of the endpoint.
      [Image: Quarantine Verification Dialog v3.1.5]

    4. You can tell an endpoint is under network quarantine by the purple dot on the Endpoints page and the purple arc in the endpoints display.
      [Image: Endpoint Quarantined v3.1.5]

    Automatically

    Auto Quarantine is triggered when a ransomware, crypto-jacking, or tampering alert is raised.

    1. The setting is enabled on the Configuration Profile assigned to an endpoint.
      [Image: Config Profile Demo Profile v3.1.5]

    2. On selecting Edit, the full configuration profile settings are visible. Activate Auto-Quarantine by selecting the box for each section.
      [Image: Config Profile AutoQuarantine Selected v3.1.5]

    3. On selecting Update, a confirmation pop-up appears. Clicking Confirm sets the new configuration.
      [Image: Autoquarantine confirm 2.0.1]

    4. You can tell an endpoint is under network quarantine by the purple dot on the Endpoints page and the purple arc in the endpoints display.
      [Image: Endpoint Quarantined v3.1.5]

    5. Even though an endpoint is quarantined, you can still see, connect to, and work with the endpoint from the SHELL window on the endpoint detail page.
      [Image: Quarantined Endpoint Details Shell v3.1.5-1]

    6. Releasing an endpoint from quarantine is as simple as selecting the endpoint, returning to the Actions drop-down, and selecting Unquarantine Endpoint.
      [Image: Unquarantine Endpoint v3.1.5]

    7. On the Unquarantine Endpoints screen, select the Unquarantine button to release the endpoint. The #2 refers to the ID number of the endpoint.
      [Image: Unquarantine Dialog Box v3.1.5]
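
    As an added illustration (not ZeroLock's own code), the following Python models the quarantine rules this page describes: a blank timeout means the endpoint stays quarantined until released, a timeout in seconds lapses on its own, and Auto Quarantine fires only for the alert categories enabled on the endpoint's Configuration Profile. The class and function names are hypothetical.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Alert categories that Auto Quarantine reacts to (the three named on the page).
AUTO_QUARANTINE_ALERTS = ("ransomware", "crypto-jacking", "tampering")


@dataclass
class ConfigProfile:
    """Hypothetical model of a Configuration Profile's Auto-Quarantine check boxes."""
    name: str
    auto_quarantine: Dict[str, bool] = field(default_factory=dict)  # alert type -> box ticked


@dataclass
class Endpoint:
    """Hypothetical model of one ZMC endpoint (#2 on the page is endpoint_id=2)."""
    endpoint_id: int
    profile: ConfigProfile
    quarantined_until: Optional[float] = None  # None = not quarantined
    indefinite: bool = False                   # True = stays quarantined until released manually


def quarantine(ep: Endpoint, timeout_seconds: Optional[int] = None, now: Optional[float] = None) -> None:
    """Manual quarantine: a blank timeout (None) means 'until manually released'."""
    now = time.time() if now is None else now
    if timeout_seconds is None:
        ep.indefinite, ep.quarantined_until = True, float("inf")
    else:
        ep.indefinite, ep.quarantined_until = False, now + timeout_seconds


def unquarantine(ep: Endpoint) -> None:
    """The Unquarantine Endpoint action: clear the isolation state."""
    ep.indefinite, ep.quarantined_until = False, None


def is_quarantined(ep: Endpoint, now: Optional[float] = None) -> bool:
    """Timed quarantines lapse when the timeout elapses; indefinite ones do not."""
    now = time.time() if now is None else now
    if ep.quarantined_until is None:
        return False
    if ep.indefinite or now < ep.quarantined_until:
        return True
    unquarantine(ep)  # timeout reached: release automatically
    return False


def handle_alert(ep: Endpoint, alert_type: str, now: Optional[float] = None) -> bool:
    """Auto Quarantine: isolate only if the alert's category is ticked on the profile."""
    if alert_type in AUTO_QUARANTINE_ALERTS and ep.profile.auto_quarantine.get(alert_type, False):
        quarantine(ep, None, now)  # auto-quarantine holds until an operator releases it
        return True
    return False
```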

    Congratulations. You have successfully quarantined and unquarantined a ZeroLock Agent endpoint.