This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Device Isolation Settings Questions

Hello All,

Questions regarding Endpoint Policies Device Isolation Settings. Need some clarification and if anyone out there is using this settings

The description states for Device Isolation - Allow computers to isolate themselves on red health

 Note: If a computer has red health, it will isolate itself from the network. It will still communicate with Sophos Central.
1. Does that mean if the computer is not updated with the latest version will the device auto isolate?
2. This seems like it would be a pain in the butt if you have many nodes. I'm guessing users will call and say I cant get email or access the internet 
because the agent is not updated
3. Does anyone use this feature at all and how does it affect your day to day support of many nodes
Thoughts on this ...thanks

This thread was automatically locked due to age.
  • A computer not updated with the latest version i.e. failed update would be a yellow health state so it would not self-isolate.

    It might be helpful to have a non-isolate Threat Protection policy that was cloned from your original policy. You can move computers in and out of this policy in emergency situations to clear the isolation if needed without addressing the cause.

  • Hi

    So device isolation is meant to prevent lateral movement of malware through an environment. Red Health means an active threat on the machine.

    This means that a detection has occurred and the endpoint software has been unable to remediate it. So, to prevent it from spreading, we turn on a block all traffic except to specific locations (Sophos Central and the items you put in the exclusions for Isolation) so any malware can't infect other nodes. Think of it like a portcullis slamming down keeping the invader stuck in the gatehouse.

    Once the machine goes out of Red Health (the threat is no longer active) the portcullis is raised. This will happen either by the active malicious process terminating, the endpoint remediating the threat, or an admin rdp in (if you have allowed RDP in the isolation elements - if you do only allow it from specific IT controlled machines to limit exposure) and fixes the issue.

    The idea for this feature is that it is an emergency safeguard so if you are going to use it - turn it on as default and understand you are taking the security posture of - I don't want things spreading through my network and I want to inspect when issues crop up. A better safe than sorry attitude.

    I hope this helps.


    Program Manager, Support Readiness | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Thank you all for the insight...much appreciated!!!!