Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Endpoint Isolation
Environment: Windows Server 2008 and newer, Windows Vista and newer
Summary: How Huntress Isolates Windows endpoints when malicious activity is detected
Huntress uses the Windows Filtering Platform (WFP), with Windows Group Policy (GPO) as a fallback mechanism, to manage the endpoint firewall. The rules applied by Huntress block all inbound and outbound network connections unless the connection is destined for a Huntress service (the Huntress agent, updater, and EDR) or another essential service (DNS and DHCP).
The Windows Filtering Platform (WFP) is a set of APIs and system services that provide a platform for building network filtering applications. WFP is a development platform, not a firewall in itself; the firewall built into Windows Vista, Windows Server 2008, and later operating systems is implemented on top of WFP.
Huntress uses WFP API calls to manage the endpoint firewall, creating filters that block any traffic not destined for Huntress.io.
The WFP API consists of a user-mode API and a kernel-mode API. Huntress currently uses only the user-mode APIs.
Note: Endpoints on which WFP fails and that are joined to a Windows Domain must have connectivity to a Domain Controller, so that Huntress can confirm its GPO does not conflict with any higher-level GPOs. Releasing an endpoint from GPO-based isolation may also require a reboot.
Note: Windows Group Policy (GPO) is used as the fallback if WFP fails OR if the endpoint does not support WFP isolation (see Supported Operating Systems / System Requirements).
Note: In some cases during endpoint isolation, the Huntress agent may need to fall back on Cloudflare's public DNS (1.1.1.1) if the local DNS fails when trying to reach huntress.io. This fallback requires a connection to 1.1.1.1:53/udp, which should therefore also be added to the firewall allow list.
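The following PowerShell is an added illustration of the isolation policy described above (default-deny in both directions, with only DNS, DHCP, the 1.1.1.1 DNS fallback and the EDR management channel allowed). It is not Huntress code and does not use the WFP API directly; it expresses the same policy with the built-in NetSecurity cmdlets so that an administrator can see and verify what such a rule set looks like. The management addresses, ports and rule names are placeholders, not Huntress values.

```powershell
#Requires -RunAsAdministrator
# Added example (not Huntress code): express the isolation policy described above
# as Windows Firewall rules. Placeholder values are marked; replace them with the
# vendor's published management hosts before use.

$Tag             = 'Isolation-Example'                      # prefix used to find/remove every rule as a group
$ManagementHosts = @('203.0.113.10', '203.0.113.11')        # PLACEHOLDER: EDR service addresses (TEST-NET-3)
$ManagementPort  = 443                                      # PLACEHOLDER: EDR service port
$FallbackDns     = '1.1.1.1'                                # Cloudflare public DNS fallback (see note above)

function Enable-ExampleIsolation {
    # 1. Default-deny in both directions on every profile.
    Set-NetFirewallProfile -Profile Domain,Private,Public `
        -DefaultInboundAction Block -DefaultOutboundAction Block

    # 2. DNS: the resolvers the host is already configured with, plus the 1.1.1.1 fallback,
    #    so name resolution keeps working even if the local resolver is unreachable.
    $resolvers = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
                   Select-Object -ExpandProperty ServerAddresses) + $FallbackDns |
                 Sort-Object -Unique
    New-NetFirewallRule -DisplayName "$Tag DNS" -Direction Outbound -Action Allow `
        -Protocol UDP -RemoteAddress $resolvers -RemotePort 53 | Out-Null

    # 3. DHCP: client (UDP 68) <-> server (UDP 67), both directions because offers may be broadcast.
    New-NetFirewallRule -DisplayName "$Tag DHCP-Out" -Direction Outbound -Action Allow `
        -Protocol UDP -LocalPort 68 -RemotePort 67 | Out-Null
    New-NetFirewallRule -DisplayName "$Tag DHCP-In"  -Direction Inbound  -Action Allow `
        -Protocol UDP -LocalPort 68 -RemotePort 67 | Out-Null

    # 4. Management channel: outbound only, to the allow-listed EDR hosts.
    New-NetFirewallRule -DisplayName "$Tag EDR" -Direction Outbound -Action Allow `
        -Protocol TCP -RemoteAddress $ManagementHosts -RemotePort $ManagementPort | Out-Null
}

function Get-ExampleIsolationState {
    # Verification: list the rules this example created, with their address/port filters,
    # and show the profile defaults so an operator can confirm default-deny is in effect.
    Get-NetFirewallRule -DisplayName "$Tag*" | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Direction  = $_.Direction
            Action     = $_.Action
            Remote     = ($addr.RemoteAddress -join ',')
            RemotePort = ($port.RemotePort -join ',')
        }
    }
    Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction
}

function Disable-ExampleIsolation {
    # Release: remove only this example's rules and restore the Windows defaults
    # (inbound blocked, outbound allowed).
    Remove-NetFirewallRule -DisplayName "$Tag*" -ErrorAction SilentlyContinue
    Set-NetFirewallProfile -Profile Domain,Private,Public `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
}

# Usage:
#   Enable-ExampleIsolation
#   Get-ExampleIsolationState
#   Disable-ExampleIsolation
```

Two caveats apply to this firewall-rule rendering that do not apply to a WFP-based implementation. First, Windows Firewall still honours every other enabled allow rule (core networking, remote management and so on), so pre-existing rules continue to permit traffic unless they are disabled as well; an agent that adds its own WFP filters is not limited to the firewall's rule set. Second, the underlying WFP filters that the firewall (or any other provider) has installed can be inspected with `netsh wfp show filters`, which writes an XML dump of the current filter set, a useful check when confirming what is actually being enforced on an isolated host.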