Configure TDR Containment

To prevent the spread of threats on your network, you can contain a host. Containment terminates the host's current network connections and blocks new ones in both directions: a contained host cannot connect to other devices, and other devices cannot connect to it. Only the traffic the host needs to keep communicating with TDR, plus any containment exceptions you configure, is allowed (see Containment Exceptions below). To restore network connectivity after the threat is resolved, the host must be released from containment.

There are two ways to contain and release hosts — manually or automatically based on a containment policy. To allow hosts to be contained manually or automatically, the Enable Kernel Host Containment Action must be enabled in the Host Sensor settings. For more information, see Configure TDR Host Sensor Settings.

TDR can contain Windows hosts. Containment is not supported on non-Windows systems.

Contain and Release Hosts Manually

You can contain and release a Windows host manually in the Hosts or Groups pages.

To contain a host manually:

  1. Select the check box next to the Windows host you want to contain.
  2. Select Actions > Contain Host.
    The Confirm Action - Contain Host dialog box opens.
  3. Click Execute Action.
    The host is contained and a containment icon is shown in the Sensor Status column.

Screen shot of the Install State and Sensor status columns for a contained host

To release a host from containment manually:

  1. Select the check box next to the Windows host you want to release.
  2. Select Actions > Release Host.
    The Confirm Action – Release Host dialog box opens.
  3. Click Execute Action.
    The host is released from containment.

If the Release Host action is disabled, this means the host is not contained, or it is not communicating with ThreatSync. Check if the host is in containment on the Containment page, and check the status of the host on the ThreatSync > Hosts page.

For more information, see Manage TDR Hosts and Host Sensors, Manage TDR Groups, and Manage TDR Incidents.

Containment Policies

Containment policies contain and release Windows hosts automatically based on an incident threat score threshold. When an incident with a threat score equal to or higher than the value specified in the policy occurs, the host is contained. When the threat score falls below the specified threshold, the host is released from containment automatically.

Your TDR account includes a default containment policy with recommended settings. You can edit the default containment policy and configure additional policies that apply to different hosts and host groups at different Cybercon levels.

For information on how to add a containment policy, see Configure TDR Policies.

Containment Exceptions

When a host is contained, it can only connect to itself, TDR, DNS servers, and DHCP servers. If you want to allow other network traffic to and from contained hosts, you can add host containment exceptions for hosts or a network. For example, you might want to allow support to connect to contained hosts on a network to troubleshoot incidents.

To define a containment exception, you must specify two or more of these connection details. A detail you leave unspecified matches any value:

Local Host/Network IP

IP address of the local host or network, in slash notation.

Local Port

Port on the local host.

Remote Host/Network IP

IP address of a remote machine or network, in slash notation.

Remote Port

Port on the remote machine.

You can specify connections for port to port, IP address to port, or IP address to IP address. For example, to configure a containment exception to allow a support person to connect to contained hosts, specify:

  • Remote Host/Network IP — The IP address with slash notation of the support person’s computer.
  • Local Port — The port the support person needs to connect to on the hosts.

For more information about slash notation, see About Slash Notation.

Add Containment Exceptions

Back Up or Import Containment Exceptions

You can save a backup of all containment exceptions to a .json file. To add the containment exceptions to any TDR account, you can import the saved file. This enables a TDR Service Provider to easily copy containment exceptions configured in one managed customer account to another managed account. To avoid duplicate exceptions, the imported containment exceptions are merged with the existing list of containment exceptions.

To import containment exceptions from a saved .json file:

  1. Click Import.
  2. Select and open the saved backup file.
    A confirmation dialog box opens.
  3. Click Import.
    The containment exceptions from the file are added to the containment exceptions list.
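The rules above leave two questions a practitioner has to answer before trusting an exception list: does a given connection actually match a rule that names only two of the four details, and what counts as a duplicate when a backup is merged? The following added example (not TDR's own code or file format) models both. It assumes a hypothetical .json layout with the keys localHost, localPort, remoteHost and remotePort, treats a bare address as a /32, enforces the "two or more details" requirement, and deduplicates merged rules by their normalized values. The built-in allowances for the host itself, TDR, DNS and DHCP are not modeled.

```python
import ipaddress
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ContainmentException:
    """One host containment exception. None means 'any' for that detail."""
    local_net: Optional[ipaddress.IPv4Network] = None   # IPv6 networks are accepted too
    local_port: Optional[int] = None
    remote_net: Optional[ipaddress.IPv4Network] = None
    remote_port: Optional[int] = None

    @classmethod
    def from_dict(cls, d: dict) -> "ContainmentException":
        # Key names are an assumed backup-file layout, not a documented TDR schema.
        exc = cls(
            local_net=_parse_net(d.get("localHost")),
            local_port=_parse_port(d.get("localPort")),
            remote_net=_parse_net(d.get("remoteHost")),
            remote_port=_parse_port(d.get("remotePort")),
        )
        details = (exc.local_net, exc.local_port, exc.remote_net, exc.remote_port)
        if sum(x is not None for x in details) < 2:
            raise ValueError("an exception must specify two or more connection details")
        return exc

    def matches(self, local_ip: str, local_port: int, remote_ip: str, remote_port: int) -> bool:
        """True if every specified detail matches; unspecified details match anything."""
        checks = (
            (self.local_net, lambda: ipaddress.ip_address(local_ip) in self.local_net),
            (self.local_port, lambda: self.local_port == local_port),
            (self.remote_net, lambda: ipaddress.ip_address(remote_ip) in self.remote_net),
            (self.remote_port, lambda: self.remote_port == remote_port),
        )
        return all(check() for spec, check in checks if spec is not None)


def _parse_net(value):
    if value in (None, ""):
        return None
    # Slash notation; a bare address becomes a /32 (or /128). strict=False tolerates host bits.
    return ipaddress.ip_network(value, strict=False)


def _parse_port(value):
    if value in (None, ""):
        return None
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return port


def connection_allowed(exceptions, local_ip, local_port, remote_ip, remote_port) -> bool:
    """Would the exception list allow this connection to or from a contained host?"""
    return any(e.matches(local_ip, local_port, remote_ip, remote_port) for e in exceptions)


def merge_exceptions(existing, backup_json: str):
    """Merge a .json backup into an existing list, dropping duplicates and keeping order."""
    imported = [ContainmentException.from_dict(d) for d in json.loads(backup_json)]
    merged, seen = [], set()
    for exc in list(existing) + imported:
        if exc not in seen:
            seen.add(exc)
            merged.append(exc)
    return merged


# Constructed sample rule: a support workstation may RDP into contained hosts.
SUPPORT_RDP = ContainmentException.from_dict({"remoteHost": "10.1.2.3", "localPort": 3389})

# Constructed backup file: the same rule written differently, plus a monitoring subnet rule.
SAMPLE_BACKUP = json.dumps([
    {"remoteHost": "10.1.2.3/32", "localPort": "3389"},
    {"remoteHost": "10.9.0.0/24", "remotePort": 443},
])

if __name__ == "__main__":
    rules = merge_exceptions([SUPPORT_RDP], SAMPLE_BACKUP)
    print(len(rules), "exceptions after merge")
    print(connection_allowed(rules, "192.168.5.20", 3389, "10.1.2.3", 51000))
    print(connection_allowed(rules, "192.168.5.20", 3389, "10.1.2.4", 51000))
```

Note that a rule naming only a remote address and a local port permits that address to reach the port on every contained host, which is exactly the support use case above; review imported backups with that breadth in mind, since a rule copied from one customer account may be wider than intended in another.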

Edit or Remove a Containment Exception

To edit a containment exception:

  1. In the Containment list, click the edit icon to the left of the exception to edit.
  2. Edit the settings as described in the previous procedure.
  3. Click Save & Close.

To remove a containment exception:

  1. In the Containment list, click the icon to the right of the exception to remove.
  2. Select Remove Containment Exception.
    A confirmation message appears.
  3. Click Yes, Delete.

See Also

Manage TDR Hosts and Host Sensors

Manage TDR Groups

Configure TDR Policies

Configure TDR Host Sensor Settings