EDR: Instructions Device Isolation on Sophos Central.


Isolation is a very necessary feature to isolate a device from the network to avoid the spread of viruses or to investigate cases that threaten the safety of the entire network. You can still manage or remove the computer/server from Sophos Central when it is isolated. This article provides further information on the different options for computer isolation in Sophos Central.

Note: Device isolation will not work if real-time scanning is disabled in the Threat Protection policy.

1.Administrator triggered isolation

Note: This is only available for customers with a Sophos Intercept X Advanced with EDR license.

1.1. From the Suggested next steps section in a threat case click Isolate this device.

1.2 From the computer/server view. When accessing the Summary click Isolate.

From the two ways above, when clicking Isolation, a window will pop up to confirm the reason of the quarantine device. Then click Isolation.

2. Allow computers to isolate themselves on red health.

Note: This is available for all customers with a Sophos Endpoint Protection license and is not available for Server Protection.

This provides a policy option that allows computers to isolate themselves from the network when the computer reports a red health status.

Go to Endpoint Protection > Policies > Base Policy – Threat Protection > Settings > Advanced Settings > Enable Device Isolation.


3. How do I know a computer/server has been isolated?

3.1. Administrator triggered isolation.

Clicking on the computer/server will display the summary showing  Isolated by Admin.

You can also see which computers are isolation by Admin in the following ways:

+ Go to Global Settings> General> Admin Isolated Devices.

+ Or go to Endpoint Protection> Policies> General> Admin Isolated Devices.

3.2 Red health status

Clicking on the computer will display the summary showing  Auto Isolated.


4. How do I remove a device from isolation?

4.1. From the Suggested next steps section in a threat case click Remove from isolation.


4.2. In the Computers/Servers view click on the computer/server to display the summary. Click Remove from Isolation

4.3. Remove isolation from Admin Isolation Device.

Go to Global Settings > Admin Isolated Devices or Endpoint Protection > Settings Admin Isolated Computers. Select the computer and click Remove from Isolation.

Due to a red health status: To remove a computer from isolation due to a red health status, the computer must be returned to good health.

5. Configuring isolation exclusions.

You can allow isolated computers, to communicate with other computers in limited circumstances. Example exclusion may be you want remote desktop access (port 3389) to an isolated computer so that you can troubleshoot.

Go to Endpoint Protection > Policies > Base Policy – Threat Protection > Settings > Exclusion > Add Exclusions.

Exclusion Type: Choose Computer Isolation (Windows)

Direction: You can choose Both, Inbound Connection or Outbound Connection.

Enter Local Port and Remote Port: Ex: RDP là port 3389.

Remote Address: Enter this if you want isolated computer to communicate only with this computer.

Click Add.

6. How override the isolation state locally on the computer/server?

This will remove the computer/server from isolation for up to 4 hours. If isolation is still enabled by the Administrator or the health of the computer/server is still red at this point, it will return to an isolated state.

+ Disabling Tamper Protection (if enabled). Get the Tamper Protection Password.

+ Open the Sophos Endpoint Agent. Click Admin sign-in và paste Tamper Protection Password. Clicking on Settings.

+ Tick the option Override Sophos Central Policy for up to 4 hours to troubleshoot.

+ De-select the radio button for Network Threat Protection.

Be the first to comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.