Team: Huntress EDR
Feature: Host Isolation
Environment: Windows Server 2008 and newer, Windows Vista and newer
Summary: How Huntress Isolates machines when malicious activity is detected
Huntress uses the Windows Filtering Platform (WFP) to manage the host firewall, and falls back to Windows Group Policy (GPO) when WFP cannot be used. The rules Huntress applies block all inbound and outbound network connections except those required by the Huntress services (the Huntress agent, updater and EDR) and a small set of essential services (DNS and DHCP).
The Windows Filtering Platform is a set of APIs and system services that provide a platform for building network filtering applications. WFP is a development platform, not a firewall in its own right; the firewall built into Windows Vista, Windows Server 2008 and later operating systems is itself implemented on top of WFP.
Huntress uses WFP API calls to manage the host firewall, creating filters that block any traffic not destined for Huntress.io or the essential services listed above.
The WFP API consists of a user-mode API and a kernel-mode API. Huntress currently uses the user-mode API.
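As an added illustration (not Huntress's code), here is a ruleset of the same shape built with the Windows Firewall cmdlets, which drive the same WFP engine: everything in and out is blocked except DNS, DHCP and outbound TLS to an allow-list of service hosts, and the set can be removed again cleanly. The allowed host list, the rule group name and the state-file path are assumptions for the example; Huntress's real endpoint list is not given on this page.

```powershell
#Requires -RunAsAdministrator
# Added illustration, not Huntress code. Builds an isolation ruleset of the shape
# described above with the Windows Firewall cmdlets (NetSecurity module,
# Windows 8 / Server 2012 and later); the built-in firewall is itself a WFP consumer.

$RuleGroup = 'Host Isolation (example)'                              # assumed name
$StateFile = "$env:ProgramData\host-isolation-disabled-rules.txt"   # assumed path

function Enable-HostIsolation {
    param(
        # Assumed: names the agent/updater/EDR must still reach. Huntress'
        # real endpoint list is not given on this page.
        [string[]]$AllowedHosts = @('huntress.io'),
        [int[]]$AllowedRemotePorts = @(443)
    )
    if (Test-Path $StateFile) {
        throw "Host already isolated by this script; run Disable-HostIsolation first."
    }

    # Firewall rules match addresses, not names: resolve the allow-list now and
    # re-run if the service's IPs change. CNAME rows carry no IPAddress; drop them.
    $allowedIps = foreach ($h in $AllowedHosts) {
        (Resolve-DnsName -Name $h -Type A -ErrorAction Stop).IPAddress
    }
    $allowedIps = @($allowedIps | Where-Object { $_ } | Sort-Object -Unique)

    # Windows Firewall evaluates Block rules before Allow rules, and Allow rules
    # before the profile default, so any pre-existing Allow rule would still open
    # a hole. Disable every other enabled rule and record it for restore.
    $others = @(Get-NetFirewallRule -Enabled True | Where-Object { $_.Group -ne $RuleGroup })
    ($others.Name -join "`n") | Set-Content -Path $StateFile
    if ($others.Count) { $others | Disable-NetFirewallRule }

    Remove-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue

    # 1. Management channel: outbound TLS to the allow-listed service addresses.
    New-NetFirewallRule -DisplayName 'Isolation: allow EDR egress' -Group $RuleGroup `
        -Direction Outbound -Action Allow -Protocol TCP `
        -RemoteAddress $allowedIps -RemotePort $AllowedRemotePorts | Out-Null
    # 2. DNS, so the agent can keep resolving those names.
    foreach ($proto in 'UDP','TCP') {
        New-NetFirewallRule -DisplayName "Isolation: allow DNS ($proto)" -Group $RuleGroup `
            -Direction Outbound -Action Allow -Protocol $proto -RemotePort 53 | Out-Null
    }
    # 3. DHCP: client port 68 to server port 67, and the server's reply.
    New-NetFirewallRule -DisplayName 'Isolation: allow DHCP out' -Group $RuleGroup `
        -Direction Outbound -Action Allow -Protocol UDP -LocalPort 68 -RemotePort 67 | Out-Null
    New-NetFirewallRule -DisplayName 'Isolation: allow DHCP in' -Group $RuleGroup `
        -Direction Inbound -Action Allow -Protocol UDP -LocalPort 68 -RemotePort 67 | Out-Null
    # 4. Everything else hits the profile default, set to Block on all three
    #    profiles; the firewall is forced on so a disabled profile is no bypass.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block

    return $allowedIps
}

function Disable-HostIsolation {
    Remove-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue
    # Stock defaults: inbound blocked, outbound allowed.
    Set-NetFirewallProfile -Profile Domain,Private,Public `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
    if (Test-Path $StateFile) {
        $names = @(Get-Content -Path $StateFile | Where-Object { $_ })
        if ($names.Count) { Enable-NetFirewallRule -Name $names }
        Remove-Item -Path $StateFile
    }
}
```

Two things this makes visible that the prose does not: a rule-based isolation cannot rely on the profile default alone, because existing Allow rules would still win, and name-based allow-listing has to be resolved to addresses before the rules go in (which is why DNS stays open). The loopback interface is never filtered by the host firewall, so local inter-process traffic continues either way.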
Note: Windows Group Policy (GPO) is used as the fallback when WFP fails or when the host does not support WFP-based isolation (see Supported Operating Systems / System Requirements).
Note: a domain-joined machine that falls back to GPO must have connectivity to a Domain Controller, so that it can be confirmed that the Huntress GPO does not interfere with any higher-level GPOs. Releasing a host from GPO-based isolation may also require a reboot.
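As an added example (not a Huntress tool), here is a check a responder can run on the host itself to tell whether WFP filters or the GPO fallback is holding it isolated, plus the refresh step used when releasing a GPO-isolated host. The filter-name hint and the export path are assumptions; Huntress's actual WFP provider and filter names are not given on this page.

```powershell
#Requires -RunAsAdministrator
# Added example, not a Huntress tool. Tells a responder on the host whether
# WFP filters or the GPO fallback is holding it isolated, and refreshes policy
# when releasing a GPO-isolated host.

function Get-IsolationSource {
    param(
        # Assumed: text expected in the isolating filters' names/descriptions.
        # Huntress' actual WFP provider and filter names are not given on this page.
        [string]$FilterHint = 'Huntress',
        [string]$ExportPath = "$env:TEMP\wfp-filters.xml"   # assumed scratch path
    )

    # 1. Engine view: dump every filter WFP currently holds (elevation required).
    #    The export is XML; query the <filters>/<item> nodes directly.
    netsh wfp show filters file=$ExportPath | Out-Null
    $xml     = [xml](Get-Content -Path $ExportPath -Raw)
    $filters = $xml.SelectNodes('//filters/item')
    $blocks  = @($filters | Where-Object { $_.action.type -eq 'FWP_ACTION_BLOCK' })
    $hinted  = @($filters | Where-Object {
        $_.displayData.name -like "*$FilterHint*" -or
        $_.displayData.description -like "*$FilterHint*"
    })

    # 2. Policy view: the RSOP store holds only what Group Policy pushed, so a
    #    Block default there means GPO, not a local WFP consumer, is enforcing it.
    #    An empty RSOP usually means the host could not reach a Domain Controller.
    $gpoProfiles = @()
    try {
        $gpoProfiles = @(Get-NetFirewallProfile -PolicyStore RSOP -ErrorAction Stop)
    } catch { }   # not domain-joined, or no policy applied
    $gpoBlocks = @($gpoProfiles | Where-Object { $_.DefaultOutboundAction -eq 'Block' })

    $likely = if ($hinted.Count -gt 0)        { 'WFP filters' }
              elseif ($gpoBlocks.Count -gt 0) { 'GPO fallback' }
              else                            { 'unknown / not isolated' }

    [pscustomobject]@{
        WfpFilters             = $filters.Count
        WfpBlockFilters        = $blocks.Count
        WfpFiltersMatchingHint = $hinted.Count
        GpoProfilesBlockingOut = ($gpoBlocks.Name -join ',')
        LikelySource           = $likely
    }
}

# Releasing a GPO-isolated host: once the policy is withdrawn, refresh and
# re-read the live store. If the defaults still show Block after this, a
# reboot is the remaining documented step.
function Update-GpoIsolationState {
    gpupdate /target:computer /force | Out-Null
    Get-NetFirewallProfile -PolicyStore ActiveStore |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}
```

The two views are deliberately separate: the netsh export shows what the WFP engine is actually enforcing regardless of who installed it, while the RSOP store shows only what arrived via Group Policy. A host that shows block filters in the engine but nothing in RSOP was isolated locally (WFP path); the reverse, or an RSOP read that fails outright, points at the GPO path and at the Domain Controller connectivity the note above calls out.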