This article provides further information on the different options for computer isolation in Sophos Central, the available policy options and known issues.
The following sections are covered:
This allows the Central Administrator to isolate a Windows computer from the network while investigating a threat case. There are multiple ways to isolate a computer:
Note: This is available for all customers with a Sophos Endpoint Protection license.
This provides a policy option that allows computers to isolate themselves from the network when the computer reports a red health status. This option is available in the Threat Protection policy under Device Isolation:
You can still manage the computer from Sophos Central when it is isolated.
Note: This policy option is not enabled by default.
To display a list of isolated computers, access Settings and, under Endpoint Protection, select Admin Isolated Computers. This displays the isolated computer name, date isolated, last logged on user, IP address, which Central account isolated the computer, and the associated comment (if entered):
Note: This report only displays computers isolated by the Central Administrator and does not display computers that have isolated themselves due to a red health status.
Note: To apply isolation exclusions you must be running Core Agent 2.2.0 on the computer.
You can allow isolated computers to communicate with other computers in limited circumstances. To configure this, access Settings | Global Scanning Exclusions, click Add Exclusion and, in the Exclusion Type drop-down list, select Computer isolation (Windows):
For example, you may want remote desktop access to an isolated computer so that you can troubleshoot it.
In Sophos Central:
Computer isolated by <Administrator>
Computer auto isolated due to red health
Locally on the computer:
Your administrator isolated the computer
Computer isolated. Contact IT for help
If you are logged on to the isolated computer and need to disable the isolation status, you can do this by:
Administrator triggered isolation
There are three different ways to remove a computer from isolation:
Due to a red health status:
To remove a computer from isolation due to a red health status, the computer must be returned to good health.
Note: If required, the policy option enabling this setting as detailed under Allow computers to isolate themselves on red health can be disabled.
Application <application name> was blocked by an endpoint firewall