
v4.2.1_Network Quarantine an Endpoint

Network quarantine is the mechanism employed by ZeroLock® to isolate infected Linux endpoints from the company network until the malware has been analyzed and remediated.

    At times, isolating a computer from the company’s network is necessary to protect the network's integrity. An example is when an endpoint suffers a malware attack. 

    NOTE: Quarantining is only available for Linux-based systems, not for ESXi host systems.


    There are two (2) ways ZeroLock places an endpoint into network quarantine: Automatically or Manually.

    Automatically

    Auto Quarantine is available when ransomware, cryptojacking, tampering alerts, or hash rules are triggered.

    1. The setting is enabled on the Configuration Profile assigned to an endpoint.
      Image_1_Select Profile_v4.2.1
    2. On selecting Edit, the full configuration profile settings are visible. Activate Auto-Quarantine by selecting the box for each section.
      Image_2_Edit Config Profile_v4.2.1
    3. A confirmation modal appears when UPDATE is selected. Clicking Confirm sets the new configuration.
      Image_3_Confirmation Modal_v4.2.1
      Image_3_Note-2
    4. The endpoint will automatically go into quarantine when triggered, in this case by a ransomware attack. The purple dot on the Endpoint and the purple arc in the endpoint display indicate that the endpoint has been quarantined.
      Image_4_Automatic Endpoint Quarantine_v4.2.1
    5. Even though an endpoint is quarantined, you can still see, connect to, and work with the endpoint from the SHELL window on the endpoint detail page.
      Image_5_Shell Window_v4.2.1
    6. Releasing an endpoint from quarantine is as simple as selecting Unquarantine Endpoint from the Actions drop-down menu. The drop-down menu is accessible from the Endpoints homepage or the endpoint’s details page.
      Image_6_Unquarantine Endpoint_v4.2.1
    7. On the Unquarantine Endpoints screen, select the Unquarantine button to release the endpoint. The #2 refers to the endpoint’s ID number.
      Image_7_Select Unquarantine_v4.2.1
      Image_8_Endpoint Active_v4.2.1


    Manually

    1. On the ZeroLock Management Console (ZMC), go to Endpoints and select the endpoint to be quarantined. 
      Image_1_Select Endpoint_v4.2.1

    2. Next, from the Actions drop-down menu, select Quarantine Endpoint.
      Image_2_Endpoints Actions Dropdown_v4.2.1
    3. On the Quarantine Endpoints modal, there is the option to set the amount of time in seconds that the endpoint will be quarantined, or the field may be left blank, so that the endpoint will remain quarantined until manually released. The #2 refers to the ID number of the endpoint.
      Image_3_Quarantine Dialog Box_v4.2.1
    4. The purple dot on the Endpoints page and the purple arc on the Endpoints display indicate that an endpoint is under network quarantine.
      Image_4_Endpoint Quarantined_v4.1.3
    5. Releasing an endpoint from quarantine is simple: select the quarantined endpoint and click Unquarantine Endpoint from the ACTIONS drop-down menu.
      Image_5_Unquarantine Endpoint_v4.2.1

    Congratulations. You have successfully quarantined and unquarantined a ZeroLock Agent endpoint.
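    To make concrete what the automatic and manual procedures above achieve on the endpoint, here is an added illustrative model of a network quarantine policy for a Linux host. It is not ZeroLock's implementation and nothing in the product is known to use it; it assumes nftables is installed, that the script runs as root, and that the management console address (203.0.113.10, a placeholder) is the one channel that must stay open, mirroring the duration-in-seconds-or-blank choice from the manual steps.

```shell
#!/bin/sh
# Illustrative quarantine model (not ZeroLock's code). Assumed placeholder:
CONSOLE_IP="${CONSOLE_IP:-203.0.113.10}"   # management console the agent must still reach

# A duration is either blank (stay isolated until released by hand) or a
# positive whole number of seconds; anything else is rejected up front.
validate_duration() {
  case "$1" in
    "") return 0 ;;            # blank: quarantined until unquarantine_endpoint is run
    *[!0-9]*) return 1 ;;      # contains a non-digit
  esac
  [ "$1" -gt 0 ]               # zero seconds would release immediately
}

# Emit a ruleset that drops every packet except loopback and traffic to or
# from the console. Rules are stateless on purpose: existing sessions to any
# other host (for example an active C2 channel) are cut, not grandfathered in.
quarantine_ruleset() {
  cat <<EOF
table inet quarantine {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ip saddr ${CONSOLE_IP} accept
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ip daddr ${CONSOLE_IP} accept
  }
}
EOF
}

# Apply the policy. $1 = seconds until automatic release; blank means the
# endpoint stays isolated until unquarantine_endpoint is called manually.
quarantine_endpoint() {
  validate_duration "$1" || { echo "invalid duration: '$1'" >&2; return 1; }
  quarantine_ruleset | nft -f -
  if [ -n "$1" ]; then
    ( sleep "$1" && unquarantine_endpoint ) &   # timed release, as in the modal
  fi
}

# Release: removing the table restores the host's normal ruleset.
unquarantine_endpoint() {
  nft delete table inet quarantine
}
```

The console shell keeps working because the console address is accepted in both directions, which is the property the SHELL window step relies on.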