You can remove compromised endpoints from your network so that they can't contaminate other endpoints in your environment. Once the threat is resolved and the endpoints are healthy again, you can rejoin them to your network. Symantec Advanced Threat Protection (ATP) supports isolating endpoints on Symantec Endpoint Protection 12.1 RU6 and later.
To isolate and rejoin endpoints from ATP Manager, you must have a Quarantine Firewall policy and Host Integrity policy set up in Symantec Endpoint Protection Manager. You need these policies so that the endpoint is put into or taken out of quarantine if your Host Integrity policy FAILS, regardless of what the THEN clause states. See your Symantec™ Endpoint Protection Manager documentation for more information about how to create these policies.
ATP lets you isolate endpoints from several places in ATP Manager. How you perform the task depends on the ATP Manager page from which you take the action. Only users with the Admin role or Controller role can isolate endpoints from the network or rejoin them. These actions appear inactive in ATP Manager if you do not have the appropriate role.
ATP times out the isolate or rejoin action 7 days after it is initiated so that the process doesn't run indefinitely. This timeout function applies to both EDR 1.0 and EDR 2.0 endpoints.
Table: To isolate breached endpoints
ATP Manager page
Incident details page
The Incident details page provides information about ATP's evaluation of the incident. It provides information about the events that comprise the incident.
To take action from the Incident graph, right-click on the endpoint entity node that you want to take action on. Then select the action from the context menu.
To take action from the Actions bar, click Isolate. A dialog box appears. By default, all of the endpoints that can be isolated are selected. Unselect the endpoints that you do not want to isolate, and click Isolate.
To rejoin an endpoint to the network, click Rejoin from the Actions bar, select the endpoints that you want to rejoin, and click Rejoin.