Host isolation
What this page is
The host isolation module, the two isolation backends (WFP primary, Windows Firewall fallback), the audit trail, the release procedure, and the decision log that records every isolation event.
Why it exists this way
The architecture document requires the sensor to isolate a compromised endpoint from the network while preserving the management channel to the Collector so analysts can triage and release the host. Two backends exist because WFP provides fine-grained blocking but requires the Base Filtering Engine service and can be disabled by kernel-mode malware; Windows Firewall provides a stateless backup that survives service restarts.
How it works
The edr_windows::isolation module implements IsolationPolicy
with two modes:
WFP mode (primary)
The edr_windows::wfp::WfpManager registers WFP callout drivers
at the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer. The isolation policy
adds a blocking filter with a high weight that overrides all
allow rules. The management channel to the Collector
(collector.<region>.example:9443) is whitelisted via a
higher-priority permit filter keyed on the destination IP and
port tuple.
Windows Firewall mode (fallback)
When WFP is unavailable or its callout registration fails,
IsolationPolicy falls back to Windows Firewall rules via the
netsh advfirewall CLI. Three rules are created:
- Allow outbound TCP/9443 to the Collector.
- Allow outbound UDP/53 for DNS (required by the Collector hostname resolution).
- Block all other outbound traffic.
The same rules are also created for the inbound direction so the endpoint cannot receive unsolicited connections from lateral movement.
Audit trail
Every isolation action is recorded in a DecisionLog entry that
captures:
isolate_id: Uuid: the unique identifier for this isolation eventoperator_id: String: the analyst who initiated isolationmode: IsolationMode: which backend was used (Wfp or Firewall)policy: IsolationPolicy: the applied rule setapplied_at: DateTime<Utc>: when the rules took effectmanagement_whitelist: Vec<SocketAddr>: the allowed destinationsoutcome: IsolateOutcome: success or the specific failure reason
Decision logs are shipped to the Collector immediately via a separate gRPC unary call so the analyst sees confirmation before the network is fully blocked.
Release procedure
Releasing isolation is the reverse: all WFP filters or firewall
rules are deleted by their assigned IDs. The release is recorded
as a separate DecisionLog entry with action: Release. After
release, the sensor verifies connectivity to the Collector by
sending a HealthCheck RPC; if it fails within 10 seconds, the
sensor re-applies the isolation policy and escalates the error.
What goes wrong
WfpManagerregistration fails because the Base Filtering Engine service is stopped. The policy auto-falls-back to Windows Firewall. A counterisolation_wfp_fallback_totalincrements.- WFP filter is removed by kernel-mode malware. The guard module polls WFP state every 30 seconds and re-applies filters if they are missing. If re-application fails 3 consecutive times, the sensor escalates to Windows Firewall.
- Firewall rules are purged by Group Policy. The sensor detects rule removal within 60 seconds and re-creates the rules. If GP enforcement is too frequent, the sensor logs a recommendation to exclude AuroraEDR rules from the domain policy.
- DNS whitelist is insufficient for environments with internal DNS
servers that require Kerberos or LDAP queries. The policy schema
includes an
extra_whitelistfield that fleet operators populate during enrollment for site-specific dependencies.