Computer isolation
With Advanced EDR, you can isolate computers on demand to prevent the spread of threats and to block the exfiltration of confidential data.
This feature is compatible with Windows, macOS, and Linux workstations and servers. It is not supported on Android devices.
When a computer is isolated, its communications are restricted except for:
- Access to the computer from the console. This enables you to analyze and resolve any detected problems with the tools in Advanced EDR.
- Access to the computer and remote control through Panda Systems Management. This enables you to collect extended information and resolve any detected problems with the solution's remote management tools (remote desktop, remote command line, remote event viewer, etc.).
For more information about the remote management tools provided by Cytomic, see the Panda Systems Management Administration Guide available at https://www.pandasecurity.com/rfiles/enterprise/documentation/pcsm/docswebpage/SYSTEMSMANAGEMENT-Guide-EN.pdf.
Any other products and services installed on the affected workstation or server cannot communicate over the Internet/local network unless you set the appropriate exceptions. See Advanced options.
Computer isolation statuses
The Isolate computer and Stop isolating the computer operations are performed in real time. However, they can be delayed if the target computer is offline. To show the exact situation of a computer, Advanced EDR distinguishes among four isolation statuses through these icons:
Icon | Description |
---|---|
Isolating | You launched a request to isolate one or more computers. The request is being processed. |
Isolated | The isolation process has been completed and the computer's communications are restricted. |
Stopping isolation | You launched a request to stop isolating one or more computers. The request is being processed. |
Not isolated | The process to stop isolating a computer has been completed. The computer can communicate with other computers based on settings configured in other modules, products, or the operating system. |
These icons appear next to the IP address column in the Licenses and Protection status lists, and in the Computers area.
Isolating one or more computers from the organization network
Follow these steps to isolate one or more computers from the network:
- From the top menu, select Computers, or select one of these computer lists:
  - Protection status list.
  - Licenses list.
- Select the checkboxes for the computers you want to isolate.
- In the action bar, select Isolate computer. A dialog box opens and shows the Advanced options link.
- In Advanced options, type the programs you want to exclude from the isolation process. These programs can communicate normally with other computers in the organization or external computers.
- Click Isolate. The computer status changes to We're trying to isolate this computer.
Follow these steps to isolate a computer group:
- From the top menu, select Computers.
- In the computer tree, select the folder view. Select the group you want to isolate.
- From the group context menu, select the Isolate computers option. Click Isolate.
To isolate all computers on the network, expand the context menu of the All node.
Stopping isolation
- For more information, see section Isolating one or more computers from the organization network.
- In the action bar, select Stop isolating the computer. The computer status changes to We're trying to stop isolating this computer.
Advanced options
Allow processes
When you isolate a computer, you deny all communications to and from the computer except those required by the Cytomic product processes. All other processes, including those belonging to user programs, are prevented from communicating with the other computers in the organization.
To exclude specific programs from this behavior:
- Click the Advanced options link in the dialog box shown when you isolate a computer.
- In the Allow the following processes text box, type the programs you want to exclude from the isolation process.
These programs can communicate normally with other computers in the organization or external computers, unless otherwise indicated in the settings established for other Advanced EDR modules, in other products installed on the computer, or in the operating system firewall.
If you excluded programs in a previous isolation operation, they are displayed in the text box. You can edit the values in the text box.
Show custom message (Windows computers only)
Type a descriptive message to inform users that their computer has been isolated from the network. The Advanced EDR agent shows a pop-up window with the content of the message. If you do not want the user to see the custom message, enable the I prefer not to show any messages this time toggle. The message is not shown until you disable the toggle.
This feature is only compatible with Windows workstations and servers.
Communications allowed and denied on isolated computers
Advanced EDR denies all communications to and from isolated computers except those required to perform remote forensic analyses and to use the remediation tools in Advanced EDR and Panda Systems Management. The following lists show the communications that are allowed and denied on isolated computers.
Allowed processes and services
- System processes:
- Advanced EDR processes:
  - Services required to communicate with the default gateway.
  - Services required to communicate with the Cytomic cloud to enable the protection engines to work, download signature files, and enable administrators to perform remote management tasks in the web console.
  - Services required by an isolated computer with the discovery computer role to perform discovery tasks.
  - Services required by an isolated computer with the cache role to act as a file server.
  - Services required by a computer with the Cytomic proxy role to act as a connection proxy.
- Services required by the Panda Systems Management agent to enable use of non-intrusive remote tools:
  - Remote access tools.
  - Services required for SNMP monitoring of devices not compatible with Panda Systems Management and with the connection node role assigned.
Blocked communications
All communications that are not listed in the section above are denied. This includes:
- Windows Update policies, macOS operating system updates, and Cytomic Patch updates through Panda Systems Management. The Cytomic Patch module remains operational on isolated computers.
- Communication with the scripts and modules developed by the administrator or integrated from the Panda Systems Management ComStore.
- Web browsing, FTP, mail, and other Internet protocols.
- SMB file transfer between PCs on the network.
- Remote installation of Advanced EDR.
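The allowed and denied lists above describe what an isolated computer should and should not be able to reach. The following Python script is an added example, not Cytomic or Panda code, of how an administrator can confirm that from the computer itself (for instance through the Panda Systems Management remote command line, which stays available on isolated computers). It probes one endpoint that the documentation says remains reachable (the default gateway) and three that it says are denied (web browsing, SMB, FTP), then reports any path whose observed state differs from the documented isolated state. All host addresses and the gateway port are constructed placeholders, and the assumption that a Python interpreter is present on the host is the author's, not the page's.

```python
"""Post-isolation connectivity check (added example; placeholder addresses).

Run on a computer whose console status is Isolated. A "leak" is a path the
documentation lists as denied that is nevertheless reachable; an "outage" is a
path listed as allowed that cannot be reached (a connectivity problem rather
than an isolation failure).
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    name: str
    host: str
    port: int
    expect_reachable: bool  # expectation while the computer is isolated


# Constructed sample probe set. Addresses are documentation placeholders
# (RFC 5737 ranges); replace them with hosts from your own network. The gateway
# port is an assumption: use a port the gateway actually listens on.
PROBES = [
    Probe("default gateway", "192.0.2.1", 53, True),
    Probe("web browsing (HTTPS)", "203.0.113.10", 443, False),
    Probe("SMB to a LAN peer", "192.0.2.20", 445, False),
    Probe("FTP to an external host", "203.0.113.21", 21, False),
]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.
    Connection refusals, timeouts and blocked traffic all count as unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def evaluate(probes, observed):
    """Compare observed reachability (probe name -> bool) with the expected
    isolated-state behaviour. Returns (name, expected, observed) mismatches."""
    mismatches = []
    for probe in probes:
        got = observed[probe.name]
        if got != probe.expect_reachable:
            mismatches.append((probe.name, probe.expect_reachable, got))
    return mismatches


def verdict(mismatches):
    """Split mismatches into leaks (denied path reachable) and outages
    (allowed path unreachable). Isolation is effective only when there are no leaks."""
    leaks = [m for m in mismatches if m[2]]
    outages = [m for m in mismatches if not m[2]]
    return {"leaks": leaks, "outages": outages, "isolation_effective": not leaks}


def run_probes(probes=PROBES):
    """Probe every endpoint and return the observed reachability map."""
    return {p.name: tcp_reachable(p.host, p.port) for p in probes}


if __name__ == "__main__":
    result = verdict(evaluate(PROBES, run_probes()))
    for name, expected, got in result["leaks"]:
        print(f"LEAK: {name} is reachable but should be denied")
    for name, expected, got in result["outages"]:
        print(f"OUTAGE: {name} is unreachable but should be allowed")
    print("isolation effective:", result["isolation_effective"])
```

Programs added under Allow the following processes are not covered by this check, since the documentation states they may communicate normally; keep that list short and re-run the check after changing it, because the values persist across isolation operations.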