Isolating Possibly Infected VMs

  • 24 July 2020
  • 0 replies
  • 1215 views


Do you have a VM that you suspect may have been compromised or infected by malicious software (e.g. ransomware) and want a way to quickly remove it from your network (so that it cannot infect other entities)? Do you also want to be able to inspect and work on this VM from a “safe distance” using available forensic tools? Using Flow Microsegmentation, you can accomplish both of these objectives through the use of Quarantine Policies.

When configuring Quarantine Policies, you can specify the “Quarantine Method” as either “Strict” or “Forensic”. The “Strict” option isolates the VM from all inbound/outbound traffic entirely. The “Forensic” option restricts inbound/outbound traffic to only what is specified on the “Add Forensic Tools” tab. For example, this could allow the infected VM to communicate only with another entity that hosts tools for further analysis of the VM, while every other flow to or from the VM is dropped.
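To make the difference between the two quarantine methods concrete, here is a small policy evaluator written for this post. It is an added illustration, not Nutanix code and not the Flow policy engine: the VM names, tool hosts and ports are constructed sample values, and the `QuarantinePolicy` class models the semantics described above (Strict drops everything touching a quarantined VM; Forensic allows only flows between the quarantined VM and a registered forensic-tools host on that host's registered ports, and denies everything else, including lateral traffic to other workloads).

```python
"""Model of the "Strict" and "Forensic" quarantine methods described in the post.

Added illustration only (not Nutanix/Flow code). Hostnames, ports and flows
below are constructed sample values.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set


class QuarantineMethod(Enum):
    STRICT = "Strict"      # isolate the VM from all inbound/outbound traffic
    FORENSIC = "Forensic"  # allow only the registered forensic-tool endpoints


@dataclass(frozen=True)
class Flow:
    src: str        # source VM/host name
    dst: str        # destination VM/host name
    dst_port: int   # destination port
    proto: str = "tcp"


@dataclass
class QuarantinePolicy:
    method: QuarantineMethod
    # VMs currently placed in quarantine
    quarantined: Set[str] = field(default_factory=set)
    # "Add Forensic Tools" list, modelled as {tool_host: {allowed destination ports}}
    forensic_tools: Dict[str, Set[int]] = field(default_factory=dict)

    def decide(self, flow: Flow) -> str:
        """Return 'allow' or 'deny' for one flow."""
        if flow.src not in self.quarantined and flow.dst not in self.quarantined:
            return "allow"  # the quarantine policy only governs quarantined VMs
        if self.method is QuarantineMethod.STRICT:
            return "deny"   # total isolation, both directions
        # Forensic: the other end of the flow must be a registered tool host,
        # and the destination port must be one registered for that host.
        far_end = flow.dst if flow.src in self.quarantined else flow.src
        allowed_ports = self.forensic_tools.get(far_end)
        if allowed_ports is None:
            return "deny"   # not a forensic tool host (e.g. another workload)
        return "allow" if flow.dst_port in allowed_ports else "deny"

    def evaluate(self, flows: List[Flow]) -> Dict[Flow, str]:
        return {f: self.decide(f) for f in flows}


# Constructed sample traffic: a suspect VM, a forensics host and production VMs.
SAMPLE_FLOWS = [
    Flow("vm-suspect", "forensics-01", 514),   # suspect VM shipping logs to the tools host
    Flow("forensics-01", "vm-suspect", 22),    # analyst SSH into the suspect VM
    Flow("vm-suspect", "forensics-01", 80),    # port not registered for the tool host
    Flow("vm-suspect", "vm-prod-db", 445),     # attempted lateral movement
    Flow("vm-prod-db", "vm-suspect", 3389),    # inbound from another workload
    Flow("vm-prod-web", "vm-prod-db", 5432),   # unrelated traffic, not quarantined
]


def build_policy(method: QuarantineMethod) -> QuarantinePolicy:
    """Constructed policy: vm-suspect is quarantined; forensics-01 is the only tool host."""
    return QuarantinePolicy(
        method=method,
        quarantined={"vm-suspect"},
        forensic_tools={"forensics-01": {22, 514}},
    )


def summarize(method: QuarantineMethod) -> Dict[str, int]:
    """Count allow/deny verdicts for SAMPLE_FLOWS under the given method."""
    verdicts = build_policy(method).evaluate(SAMPLE_FLOWS)
    return {
        "allow": sum(1 for v in verdicts.values() if v == "allow"),
        "deny": sum(1 for v in verdicts.values() if v == "deny"),
    }


if __name__ == "__main__":
    for method in QuarantineMethod:
        print(f"--- {method.value} ---")
        for flow, verdict in build_policy(method).evaluate(SAMPLE_FLOWS).items():
            print(f"{verdict:5} {flow.src} -> {flow.dst}:{flow.dst_port}/{flow.proto}")
```

Running the script prints the verdict for each sample flow under both methods: under Strict, every flow involving `vm-suspect` is denied and only the unrelated production flow passes; under Forensic, the two flows to and from `forensics-01` on its registered ports are additionally allowed, while the unregistered port and all traffic to or from other workloads stay denied.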

You can find more information regarding Quarantine Policies within the “QUARANTINE POLICY CONFIGURATION” section of the Flow Microsegmentation Guide.
