Views:
  1. Why is the isolate Endpoint command executed by XDR reflected in the Apex One as a Service console?

    Answer:

    • The Response App will query the backend database to get the installed agent, if XDR Endpoint Sensor is installed, it will send the isolation task to XDR Endpoint Sensor model, otherwise will send to apex central.
    • If the backend database has not this agent's information, the Response App will send the isolation command to the Apex Central, and then the Apex Central will send the isolation command to the agent to isolate it.
    • In this case, The isolation task was sent to ApexCentral, So the restore task will also send to Apex Central.
  2. What is the product specifications of the isolated function?

    Answer:

    • The inbound/outbound network traffic are blocked for the specific endpoint.
    • Network traffic from TrendMicro processes are allowed by default.
    • Custom allow list is not supported in the current phase, but will be implemented in the next phase.
      • Processes digitally signed by Trend Micro are allowed
      • DNS, DHCP, and WINS are allowed by default
  3. The customer isolated the agent from the Trend Vision One console or Apex Central console. Can the isolated connections be restored after uninstalling the Apex One agent?

    Answer:

    • Issue an isolate endpoint task from V1, then uninstall the A1S agent.
    • The endpoint is still isolated. The network connection is not restored.
    • Issue a restore connection task from V1, then the network connection is restored.
      • Issue an isolate task from AC, then uninstall the AS1 agent.
      • The connection is restored after the A1S agent is uninstalled.
  4. Why the isolation status was "Queued" in the Trend Vision One console?

    Answer:

    • The Response App has sent the restore task to Apex Central, but it does not finish in 25min. Then it will mark as queued, and it won't be changed anymore.
    • The endpoint may be offline. Check it with Apex Central console.
    • More detailed timeout and check interval default value, refer to the table below:
      Action Timeout
      (Response Backend)      		 Check Interval
      • block
      • restoreBlock
      		 5min 60s
      • isolate
      • restoreIsolate
      • Apex One SaaS: 25min
      • Cloud One Workload Security: 65min
      • XDR Endpoint Sensor: 24h
      • Apex One SaaS: 90s
      • Cloud One Workload Security: 15s
      • XDR Endpoint Sensor:
        • first 10min 15s
        • 10 min later: 300s
  5. Some Known issues about the isolation agent:
    • The existing connection network will not be blocked after the isolation action is performed.
    • Status sync issues between Trend Vision One and Apex One(Central)
      • Doing Endpoint Isolation and Restoration either from Trend Vision One or Apex One is individual/independent - meaning that if users isolate endpoints via Trend Vision One, they have to restore them from Trend Vision One.
      • There is no visibility consolidation - meaning that Trend Vision One has no idea which endpoints are being isolated by Apex One and Apex One has no idea about this done by Trend Vision One.
    • The allow list is not synced and merged; both lists from Trend Vision One and Apex One are independent.
    • If the user performs “Custom script” with network connection related functions or commands against on an isolated endpoint on Trend Vision One Response App, the script may encounter error due to the isolated network access.
Keywords: agent isolation failed,V1 console shows isolation has failed,isolation of agent shows as failed