How is Network Isolation supposed to work?

[j-gray 37]

Had an infected Windows system running the latest versions of agent, AV and EI Connector. Ran the 'Isolate Network' task which completed successfully.

However, I'm still able to ping, RDP, psexec, access the remote admin share, connect remotely to Computer Management, etc. In other words, it doesn't appear very isolated.

Both EP and EI console at least think it's isolated, as the only task option now is to end Network Isolation.

I don't find much in the documentation; what are the prerequisites for this to function, what is expected as far as access, and how can one tell if it was successfully implemented regardless of the task reporting successful?

[itman 1,743]

12 minutes ago, j-gray said:

However, I'm still able to ping, RDP, psexec, access the remote admin share, connect remotely to Computer Management, etc. In other words, it doesn't appear very isolated.

According to this: https://help.eset.com/protect_cloud/en-US/ct_isolate_computer.html , this shouldn't be happening.

[Marcos 5,241]

Do you actually see "Network access blocked" in the protection status pane?

[j-gray 37]

@Marcos I tested on another Windows workstation with latest versions of all components. As you can see, the GUI shows 'Network access blocked', but I can ping the client and RDP into it to get this screenshot. You can see that the blocked client can ping Google's DNS server, as well as browse the web.

I can't find documented what the prerequisites are for this functionality. What ESET component actually does the blocking and how is it effected?

 

[j-gray 37]

17 hours ago, itman said:

According to this: https://help.eset.com/protect_cloud/en-US/ct_isolate_computer.html , this shouldn't be happening.

Thanks. Yes, this is the document I was working from, but it's quite vague. For example, what exactly is allowed for "login to domain"? We assume that DNS, NTP, LDAPS, etc. will have to work at the very least. SMB for group policy, etc.

And there's no indication of what component is leveraged. I'm starting to believe it must rely on the ESET firewall.

[itman 1,743]

I reviewed a couple other forum postings on this Network Isolation feature. Awaiting comment from Eset, my opinion is the feature's purpose is to isolate the device from the other devices on the local subnet. The equivalent to setting the device's Eset network connection to Public. The isolated device itself still has full Internet connectivity.

[j-gray 37]

@itman Thanks for the reply and for checking.

This doesn't appear to be the case either, though. I hopped on another Windows workstation on the same subnet and can still ping, remote manage, RDP, etc. to the 'isolated' workstation.

From the 'isolated' workstation I can browse UNC shares on file servers, printers, etc on other subnets. My network drive maps when logged in. I can ping other systems on the same subnet.

So it seems like it's really not blocking anything as far as I can tell, inbound or outbound either one.

[itman 1,743]

1 minute ago, j-gray said:

From the 'isolated' workstation I can browse UNC shares on file servers, printers, etc on other subnets. My network drive maps when logged in. I can ping other systems on the same subnet.

Definitely not good!

[Marcos 5,241]

I've tested it with ESET Endpoint Antivirus 11.1 and RDP, SMB, ICMP communication was blocked. Please provide logs collected with ESET Log Collector from the machine to start off.

[j-gray 37]

@Marcos Are you able to confirm what component(s) this functionality relies upon? My suspicion is that the ESET firewall would be responsible for network isolation but I can't find anything documented.

[Marcos 5,241]

The functionality is in EpfwWfp.sys driver which is used by all ESET products on Windows.

[j-gray 37]

@Marcos I opened a support case with collected logs and screenshot (00811157 and 00811158) in case you're interested. Not sure how/why I got two cases and expect one will be closed.

FWIW, Network Isolation appears to be working across our Server platforms, just not Win10/11.

[Marcos 5,241]

It appears that ESET Endpoint Antivirus was installed without the Network protection component.

Standard EEA drivers installed:

Yours:

 

[itman 1,743]

3 minutes ago, Marcos said:

It appears that ESET Endpoint Antivirus was installed without the Network protection component.

What's missing are the firewall drivers.

Now for the $64,000 question. Does EEA support Network Isolation since it doesn't include a firewall component as EES does?

[Marcos 5,241]

Endpoint Antivirus contains Network protection so it's capable of isolating the network as long as the network protection component and its drivers are installed.

[j-gray 37]

25 minutes ago, Marcos said:

It appears that ESET Endpoint Antivirus was installed without the Network protection component.

We use the standard EP Console provided install task, so I'm not sure how any components would be omitted.

I'm guessing a specific policy needs to be enabled, then? Though again I'm finding no prerequisites documented.

Edited August 27 by j-gray

[itman 1,743]

Here's what I don't understand.

When you open the EEA GUI on a device, you should be receiving a red display that Network Protection is disabled.

Edited August 27 by itman

[j-gray 37]

25 minutes ago, itman said:

Here's what I don't understand.

When you open the EEA GUI on a device, you should be receiving a red display that Network Protection is disabled.

Probably getting at the root here; we don't enable IDS nor Botnet protection on Win10/11 clients.

[Marcos 5,241]

Yes, in case of a security product without the firewall IDS must be enabled for network isolation to work. We track it as a bug now, maybe the wording of the warning will be adjusted or we'll come up with a more convenient solution, if programmatically possible.

P_EESW-11780

[itman 1,743]

13 hours ago, j-gray said:

Probably getting at the root here; we don't enable IDS nor Botnet protection on Win10/11 clients.

Note that with Network Protection disabled not only is IDS protection disabled, but also Eset Brute Force RDP logon protection disabled.

Edited August 28 by itman

[j-gray 37]

13 hours ago, Marcos said:

Yes, in case of a security product without the firewall IDS must be enabled for network isolation to work. We track it as a bug now, maybe the wording of the warning will be adjusted or we'll come up with a more convenient solution, if programmatically possible.

P_EESW-11780

Awesome -thank you!

This would be super helpful to have documented here.