Are there any possibilities to whitelist specific IPs/protocols when a host is isolated? We would like to be able to run cloud scanning for remediation.
VMware Carbon Black Standard EDR (Formerly known as Response)
By default, all routes except those to the EDR server and DNS/DHCP are cut. The exclusion is not bi-directional: isolation exclusions only work from the endpoint to the whitelisted IP or URL.
Starting with Carbon Black EDR Server version 6.5.0, Windows Sensor version 6.2.4 and higher, and macOS Sensor version 6.2.7 and higher, Network Isolation Exclusions support was added. As a result, you can add one or more IPv4 addresses or domain URLs that isolated endpoints can access (in addition to the EDR server) while in isolation mode. This setting is applied on a per-sensor-group basis. NOTE: This feature is disabled by default. To enable it, you must edit the Server's cb.conf file. See the VMware Carbon Black EDR Server Configuration Guide for instructions.
Once the Network Isolation Exclusions settings have been enabled on the Server, you will need to configure the isolation exclusions in the Sensor Group settings:
- On the navigation bar, click
- Click the gear icon next to the sensor group for which you want to add isolation
- Click Isolation Exclusions and then click Add Exclusion.
- Enter a description that identifies the exclusion (50 character maximum), and the IPv4 address or domain URL that specifies the exclusion (253 character maximum).
- NOTE: The isolation exclusion does not work for traffic coming into the isolated host.
The machine is isolated.