How is Network Isolation supposed to work?


j-gray
Solved by Marcos

Had an infected Windows system running the latest versions of agent, AV and EI Connector. Ran the 'Isolate Network' task which completed successfully.

However, I'm still able to ping, RDP, psexec, access the remote admin share, connect remotely to Computer Management, etc. In other words, it doesn't appear very isolated.

Both EP and EI console at least think it's isolated, as the only task option now is to end Network Isolation.

I don't find much in the documentation; what are the prerequisites for this to function, what is expected as far as access, and how can one tell if it was successfully implemented regardless of the task reporting successful?


12 minutes ago, j-gray said:

However, I'm still able to ping, RDP, psexec, access the remote admin share, connect remotely to Computer Management, etc. In other words, it doesn't appear very isolated.

According to this: https://help.eset.com/protect_cloud/en-US/ct_isolate_computer.html , this shouldn't be happening.


@Marcos I tested on another Windows workstation with latest versions of all components. As you can see, the GUI shows 'Network access blocked', but I can ping the client and RDP into it to get this screenshot. You can see that the blocked client can ping Google's DNS server, as well as browse the web.

I can't find documented what the prerequisites are for this functionality. What ESET component actually does the blocking and how is it effected?

(screenshot: ESET GUI on the client showing "Network access blocked", taken over an RDP session to that same client)


17 hours ago, itman said:

According to this: https://help.eset.com/protect_cloud/en-US/ct_isolate_computer.html , this shouldn't be happening.

Thanks. Yes, this is the document I was working from, but it's quite vague. For example, what exactly is allowed for "login to domain"? We assume that DNS, NTP, LDAPS, etc. will have to work at the very least. SMB for group policy, etc.

And there's no indication of what component is leveraged. I'm starting to believe it must rely on the ESET firewall.


I reviewed a couple other forum postings on this Network Isolation feature. Awaiting comment from Eset, my opinion is the feature's purpose is to isolate the device from the other devices on the local subnet. The equivalent to setting the device's Eset network connection to Public. The isolated device itself still has full Internet connectivity.


@itman Thanks for the reply and for checking.

This doesn't appear to be the case either, though. I hopped on another Windows workstation on the same subnet and can still ping, remote manage, RDP, etc. to the 'isolated' workstation.

From the 'isolated' workstation I can browse UNC shares on file servers, printers, etc on other subnets. My network drive maps when logged in. I can ping other systems on the same subnet.

So it seems like it's really not blocking anything as far as I can tell, inbound or outbound either one.

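The opening post asks how to tell whether isolation actually took effect regardless of what the task reports, and the post above lists what was tried by hand (ping, RDP, remote management, UNC shares, outbound browsing). The following PowerShell is an added example, not code from the thread or from ESET, that turns those manual checks into two repeatable functions: one run from a peer workstation against the isolated host, one run on the isolated host itself. Host names, IPs, the port list and the UNC path are placeholders to replace with your own; the ports are the usual defaults for RDP, SMB, the RPC endpoint mapper and WinRM.

```powershell
# Added example (not from the thread or from ESET). Verifies the 'Isolate Network'
# task the way the thread did by hand, but as functions you can re-run after
# changing policy. All names, addresses and ports below are placeholders.

function Test-IsolatedHostInbound {
    # Run this on an ordinary peer workstation, not on the management server or a
    # domain controller: the help article the thread links allows domain logon
    # traffic, so those hosts may legitimately still reach the isolated machine.
    param(
        [Parameter(Mandatory)][string]$Target,             # e.g. 'WS-ISOLATED' or '10.0.0.25'
        [int[]]$Ports = @(3389, 445, 135, 5985)            # RDP, SMB, RPC endpoint mapper, WinRM
    )
    $r = [ordered]@{ Target = $Target }

    # ICMP echo: the thread reports ping still answering on an 'isolated' client.
    $r['ICMP'] = Test-Connection -ComputerName $Target -Count 2 -Quiet -ErrorAction SilentlyContinue

    # TCP connects. -InformationLevel Quiet makes Test-NetConnection return a plain bool.
    foreach ($p in $Ports) {
        $r["TCP/$p"] = Test-NetConnection -ComputerName $Target -Port $p `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }

    # Admin share, which psexec and remote Computer Management rely on.
    $r['ADMIN$'] = Test-Path -Path "\\$Target\ADMIN$" -ErrorAction SilentlyContinue

    # Any $true above means the host is still reachable on that path.
    $r['Isolated'] = -not ($r.Values | Where-Object { $_ -is [bool] } | Where-Object { $_ })
    [pscustomobject]$r
}

function Test-IsolatedHostOutbound {
    # Run this on the isolated host itself (for example from a console session).
    param(
        [string]$InternetHost = '8.8.8.8',            # the thread pinged Google's DNS server
        [string]$WebHost      = 'www.example.com',    # placeholder public web host
        [string]$FileShare    = '\\FILESERVER\share'  # placeholder UNC path on another subnet
    )
    $r = [ordered]@{}
    $r['ICMP to Internet']  = Test-Connection -ComputerName $InternetHost -Count 2 -Quiet -ErrorAction SilentlyContinue
    $r['DNS resolution']    = [bool](Resolve-DnsName -Name $WebHost -ErrorAction SilentlyContinue)
    $r['HTTPS to web']      = Test-NetConnection -ComputerName $WebHost -Port 443 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    $r['SMB to file share'] = Test-Path -Path $FileShare -ErrorAction SilentlyContinue
    # Assumption, following the thread's reading of the help article: DNS is part of
    # what 'login to domain' needs, so $true there may be expected. Internet ICMP,
    # HTTPS to the web and SMB to a file share should all be $false when isolated.
    [pscustomobject]$r
}

# Usage (from a peer):  Test-IsolatedHostInbound -Target 'WS-ISOLATED' | Format-List
# Usage (on the host):  Test-IsolatedHostOutbound | Format-List
```

Run the inbound check before and after the isolation task so you have a baseline; a result where every TCP and ADMIN$ probe stays $true after the task is the symptom described in this thread. Test-NetConnection sends its own ping before the TCP probe, which is why only the boolean TCP result is recorded rather than its default object.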

1 minute ago, j-gray said:

From the 'isolated' workstation I can browse UNC shares on file servers, printers, etc on other subnets. My network drive maps when logged in. I can ping other systems on the same subnet.

Definitely not good!


  • Administrators

I've tested it with ESET Endpoint Antivirus 11.1 and RDP, SMB and ICMP communication was blocked. Please provide logs collected with ESET Log Collector from the machine to start off.


@Marcos Are you able to confirm what component(s) this functionality relies upon? My suspicion is that the ESET firewall would be responsible for network isolation but I can't find anything documented.


@Marcos I opened a support case with collected logs and screenshot (00811157 and 00811158) in case you're interested. Not sure how/why I got two cases and expect one will be closed.

FWIW, Network Isolation appears to be working across our Server platforms, just not Win10/11.


  • Administrators

It appears that ESET Endpoint Antivirus was installed without the Network protection component.

Standard EEA drivers installed:

(screenshot: driver list from a standard EEA installation)

Yours:

(screenshot: driver list from the affected machine)

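The post above diagnoses the problem by comparing the driver list of a standard EEA installation with the affected machine's by eye. The PowerShell below is an added example, not code from the thread or from ESET, that does the same comparison programmatically: export the driver inventory from a known-good endpoint, then diff it on a suspect one. It assumes ESET's kernel drivers can be recognised by the file's CompanyName version property or the service DisplayName containing "ESET"; no driver file names are assumed, and the CSV path is a placeholder.

```powershell
# Added example (not from the thread or from ESET). Inventories the kernel drivers
# belonging to the ESET product and compares a suspect host against a reference
# export, mirroring the two driver-list screenshots in the post above.
# Assumption: ESET drivers carry 'ESET' in the binary's CompanyName or in the
# service DisplayName. Driver file names are deliberately not hard-coded.

function Get-EsetDriverInventory {
    param([string]$Pattern = 'ESET')

    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        # Normalise the NT-style paths WMI sometimes returns so Get-Item can open them.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        $company = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
        }
        if ($company -match $Pattern -or $_.DisplayName -match $Pattern) {
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                State       = $_.State        # 'Running' or 'Stopped'
                StartMode   = $_.StartMode
                Path        = $path
            }
        }
    } | Sort-Object Name
}

function Compare-EsetDriverInventory {
    param(
        [Parameter(Mandatory)][string]$ReferenceCsv,   # Get-EsetDriverInventory | Export-Csv on a good host
        [string]$Pattern = 'ESET'
    )
    $reference = @(Import-Csv -LiteralPath $ReferenceCsv)
    $local     = @(Get-EsetDriverInventory -Pattern $Pattern)

    # Drivers present on one side only: '<=' means on the reference host but not here.
    Compare-Object -ReferenceObject $reference -DifferenceObject $local -Property Name |
        ForEach-Object {
            $finding = if ($_.SideIndicator -eq '<=') { 'missing on this host' } else { 'not on reference host' }
            [pscustomobject]@{ Driver = $_.Name; Finding = $finding }
        }

    # Drivers that are installed but not loaded; a disabled protection module can look like this.
    $local | Where-Object { $_.State -ne 'Running' } | ForEach-Object {
        [pscustomobject]@{ Driver = $_.Name; Finding = "installed but $($_.State) (StartMode $($_.StartMode))" }
    }
}

# Usage on a known-good endpoint:
#   Get-EsetDriverInventory | Export-Csv -NoTypeInformation -Path .\eea-drivers-good.csv
# Usage on the suspect endpoint (CSV copied over):
#   Compare-EsetDriverInventory -ReferenceCsv .\eea-drivers-good.csv | Format-Table -AutoSize
```

The two findings are deliberately separate: a driver reported as "missing on this host" matches the situation in this thread, where the Network protection component was never installed, while "installed but Stopped" points at a component that is present but switched off by policy. Run both functions from an elevated PowerShell so the driver binaries can be opened for their version information.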

3 minutes ago, Marcos said:

It appears that ESET Endpoint Antivirus was installed without the Network protection component.

What's missing are the firewall drivers.

Now for the $64,000 question. Does EEA support Network Isolation since it doesn't include a firewall component as EES does?


  • Administrators

Endpoint Antivirus contains Network protection so it's capable of isolating the network as long as the network protection component and its drivers are installed.


25 minutes ago, Marcos said:

It appears that ESET Endpoint Antivirus was installed without the Network protection component.

We use the standard EP Console provided install task, so I'm not sure how any components would be omitted.

I'm guessing a specific policy needs to be enabled, then? Though again I'm finding no prerequisites documented.


Here's what I don't understand.

When you open the EEA GUI on a device, you should be receiving a red display that Network Protection is disabled.

(screenshot: EEA GUI showing the red "Network protection is disabled" warning)


25 minutes ago, itman said:

Here's what I don't understand.

When you open the EEA GUI on a device, you should be receiving a red display that Network Protection is disabled.

Probably getting at the root here; we don't enable IDS nor Botnet protection on Win10/11 clients.


  • Administrators
  • Solution

Yes, in case of a security product without the firewall IDS must be enabled for network isolation to work. We track it as a bug now, maybe the wording of the warning will be adjusted or we'll come up with a more convenient solution, if programmatically possible.

P_EESW-11780


13 hours ago, j-gray said:

Probably getting at the root here; we don't enable IDS nor Botnet protection on Win10/11 clients.

Note that with Network Protection disabled, not only is IDS protection disabled, but Eset Brute Force RDP logon protection is disabled as well.


13 hours ago, Marcos said:

Yes, in case of a security product without the firewall IDS must be enabled for network isolation to work. We track it as a bug now, maybe the wording of the warning will be adjusted or we'll come up with a more convenient solution, if programmatically possible.

P_EESW-11780

Awesome, thank you!

This would be super helpful to have documented here.
