p_s_
Guest
Once an endpoint, such as a laptop or desktop, is infected, quick detection and the ability to respond fast are needed to minimize impact. Quick isolation is needed to reduce the spread of malware.
Our Windows machines are Intel devices which have Intel Active Management Technology (AMT), which can filter all network communications on the wired and 802.11 wireless networks of a platform using a feature called System Defense.
We are using McAfee anti-virus right now, so using the McAfee Threat Event Log, we identify the Event ID for situations where isolation of the endpoint is needed. This can separate the infected device from our network and alert us via email. This allows us to quickly isolate a device when it is infected instead of waiting for a call/ticket from the user.
Isolating a Client from All Network Connectivity explains how it is done.
We are moving to Microsoft Defender and considering going to Microsoft Defender Advanced Threat Protection if our budget allows it.
1. Can we do this if we have Microsoft Defender which comes with Windows 10? If so, how?
2. Can we do this if we have Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)? If yes, how?