Team: Huntress EDR
Feature: Host Isolation
Environment: macOS
Summary: How Huntress Isolates macOS machines when malicious activity is detected
Huntress’s implementation of Host Isolation on macOS is built on Apple’s Network Extension framework. Through a network extension, the Agent gains a variety of system-level capabilities, including monitoring network traffic and blocking it when necessary.
Until Host Isolation is enabled from the portal, the network filter has no effect on the system, despite appearing as “Enabled” in System Settings: it will not block websites or otherwise affect network traffic in any way. When the host is isolated, only the following network traffic is allowed:
- DNS
- DHCP and DHCPv6
- Traffic from the Huntress Agent and Updater
- EDR event collection, if active
All other network traffic will be blocked.
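To make the allowlist above concrete, here is an added example (not Huntress’s code and not the NetworkExtension API) that models the per-flow decision an isolating content filter has to make. It treats each new connection as a small record and returns allow or drop according to the rules listed above; the code-signing identifiers used for the Agent, Updater and EDR collector are placeholder assumptions, and the sample flows are constructed, not captured traffic. The model also covers two details the list implies but does not spell out: DNS is permitted over TCP as well as UDP, and DHCP exchanges must be matched in both directions.

```python
from dataclasses import dataclass

# A constructed per-connection record standing in for what a macOS network
# content filter is handed for each new flow. This is a model for illustration,
# not the NetworkExtension API and not Huntress's implementation.
@dataclass(frozen=True)
class Flow:
    label: str        # human-readable name used in the results
    proto: str        # "udp" or "tcp"
    remote_port: int
    local_port: int
    source_app: str   # code-signing identifier of the originating process

# Placeholder signing identifiers (assumptions, not Huntress's real values).
HUNTRESS_AGENT = "com.example.huntress.agent"
HUNTRESS_UPDATER = "com.example.huntress.updater"
EDR_COLLECTOR = "com.example.huntress.edr"

DNS_PORT = 53
DHCP_PORTS = {67, 68}       # DHCPv4 server / client
DHCPV6_PORTS = {546, 547}   # DHCPv6 client / server


def verdict(flow: Flow, isolated: bool, edr_active: bool) -> str:
    """Return "allow" or "drop" for one flow under the isolation policy."""
    if not isolated:
        # Filter is loaded and shows as Enabled, but has no effect on traffic.
        return "allow"
    # DNS: permitted over both UDP and TCP (TCP carries large responses).
    if flow.remote_port == DNS_PORT:
        return "allow"
    # DHCP and DHCPv6 are UDP only; match either direction so that the
    # broadcast DISCOVER (68 -> 67) and the OFFER back (67 -> 68) both pass.
    if flow.proto == "udp":
        ports = {flow.remote_port, flow.local_port}
        if ports & DHCP_PORTS or ports & DHCPV6_PORTS:
            return "allow"
    # Traffic from the Huntress Agent and Updater, keyed on the originating
    # process rather than on destination, so the Agent can still reach the portal.
    if flow.source_app in (HUNTRESS_AGENT, HUNTRESS_UPDATER):
        return "allow"
    # EDR event collection is permitted only while it is active.
    if edr_active and flow.source_app == EDR_COLLECTOR:
        return "allow"
    return "drop"


def evaluate(flows, isolated: bool, edr_active: bool) -> dict:
    """Map each flow label to its verdict under the given isolation state."""
    return {f.label: verdict(f, isolated, edr_active) for f in flows}


# Constructed sample flows (placeholder process identifiers, not captured traffic).
SAMPLE_FLOWS = [
    Flow("dns-udp", "udp", 53, 51234, "system.resolver"),
    Flow("dns-tcp", "tcp", 53, 51235, "system.resolver"),
    Flow("dhcp-discover", "udp", 67, 68, "system.dhcp-client"),
    Flow("dhcpv6-solicit", "udp", 547, 546, "system.dhcp-client"),
    Flow("agent-portal", "tcp", 443, 51236, HUNTRESS_AGENT),
    Flow("updater", "tcp", 443, 51237, HUNTRESS_UPDATER),
    Flow("edr-events", "tcp", 443, 51238, EDR_COLLECTOR),
    Flow("browser", "tcp", 443, 51239, "example.browser"),
    Flow("udp-1053", "udp", 1053, 51240, "example.browser"),   # neither DNS nor DHCP
    Flow("dhcp-tcp", "tcp", 67, 68, "example.browser"),        # DHCP ports, wrong protocol
]

if __name__ == "__main__":
    for label, v in evaluate(SAMPLE_FLOWS, isolated=True, edr_active=False).items():
        print(f"{label:16} {v}")
```

Running the block with `isolated=True` shows only the DNS, DHCP, Agent and Updater flows passing; flipping `edr_active` to True additionally admits the EDR collector, and with `isolated=False` every flow is allowed, which is the “Enabled but inert” state described above.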
Setting up the Network Extension
Before the endpoint can activate Host Isolation, the user must install and approve the Huntress System Extension (which contains the Network Extension functionality as well as our EDR capabilities), either by sending a task from the portal or by running a command locally. For details, including how to automate the process with an MDM, see Install via MDM.
When the system extension is installed and the network filter is authorized, it will appear in the Filters section of the Network panel in System Settings. It will be shown as “Enabled” regardless of whether Host Isolation is active for the endpoint; if Host Isolation is not active, this simply indicates that the network filter is ready to isolate the host when the portal requests it. The following screenshot shows an example:
This screen may look different for endpoints managed by an MDM. In particular, the “Enabled” dropdown may not be selectable, and the “+” and “-” buttons may not appear for MDM-managed endpoints. Using those buttons is not recommended in any case, and may lead to the network filter not working properly!
Note that there is currently no way to see on the endpoint itself whether host isolation is active, since this filter always appears as “Enabled”.
Astute observers may notice that the filter briefly turns off and on again when the host is isolated or released. This is expected, and simply represents the network filter restarting with the host isolation rules received from the portal, or, when the host is released, restarting without the rules applied.