  1. Why is the isolate Endpoint command executed by SecOps reflected in the Trend Micro Apex One as a Service console?

    Answer:

    • The Response App queries the backend database to find the installed agent. If SecOps Endpoint Sensor is installed, it sends the isolation task to the SecOps Endpoint Sensor model; otherwise, it sends the task to Trend Micro Apex Central.
    • If the backend database has no information about this agent, the Response App sends the isolation command to Trend Micro Apex Central, which then sends the isolation command to the agent to isolate it.
    • In this case, the isolation task was sent to Trend Micro Apex Central, so the restore task will also be sent to Trend Micro Apex Central.
  2. What are the product specifications of the isolation function?

    Answer:

    • Inbound and outbound network traffic is blocked for the specific endpoint.
    • Network traffic from Trend Micro processes is allowed by default.
    • Custom allow list is not supported in the current phase, but will be implemented in the next phase.
      • Processes digitally signed by Trend Micro are allowed
      • DNS, DHCP, and WINS are allowed by default
  3. The customer isolated the agent from the Trend Vision One console or Trend Micro Apex Central console. Can the isolated connections be restored after uninstalling the Trend Micro Apex One agent?

    Answer:

    • Issue an isolate endpoint task from Trend Vision One, then uninstall the Trend Micro Apex One Endpoint Sensor agent.
    • The endpoint is still isolated. The network connection is not restored.
    • Issue a restore connection task from Trend Vision One, then the network connection is restored.
      • Issue an isolate task from Trend Micro Apex Central, then uninstall the Trend Micro Apex One Endpoint Sensor agent.
      • The connection is restored after the Trend Micro Apex One Endpoint Sensor agent is uninstalled.
  4. Why was the isolation status "Queued" in the Trend Vision One console?

    Answer:

    • The Response App has sent the restore task to Trend Micro Apex Central, but the task did not finish within 25min. The task is then marked as queued, and this status will not change anymore.
    • The endpoint may be offline. Check it in the Trend Micro Apex Central console.
    • For the default timeout and check interval values in more detail, refer to the table below:
      | Action | Timeout (Response Backend) | Check Interval |
      | --- | --- | --- |
      | block, restoreBlock | 5min | 60s |
      | isolate, restoreIsolate | Trend Micro Apex One as a Service: 25min; Cloud One Workload Security: 65min; SecOps Endpoint Sensor: 24h | Trend Micro Apex One as a Service: 90s; Cloud One Workload Security: 15s; SecOps Endpoint Sensor: first 10min: 15s, 10 min later: 300s |
  5. Some known issues about the isolation agent:
    • Existing network connections will not be blocked after the isolation action is performed.
    • Status sync issues between Trend Vision One and Trend Micro Apex One (Central)
      • Endpoint isolation and restoration from Trend Vision One and from Trend Micro Apex One are independent of each other, meaning that if users isolate endpoints via Trend Vision One, they have to restore them from Trend Vision One.
      • There is no visibility consolidation, meaning that Trend Vision One has no idea which endpoints are being isolated by Trend Micro Apex One, and Trend Micro Apex One has no idea which endpoints are being isolated by Trend Vision One.
    • The allow list is not synced and merged; both lists from Trend Vision One and Trend Micro Apex One are independent.
    • If the user runs a “Custom script” that uses network connection related functions or commands against an isolated endpoint from the Trend Vision One Response App, the script may encounter errors due to the isolated network access.
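
The timeout table in question 4, the uninstall behaviour in question 3 and the known issue that each console only knows about its own isolations can be combined into a small triage helper for responders. This is an added example, not Trend Micro code: the record fields, hostnames and the `triage` helper are hypothetical, and the sample records are constructed.

```python
from datetime import datetime, timedelta

V1, CENTRAL = "Trend Vision One", "Trend Micro Apex Central"
ISOLATE_TIMEOUT = {  # isolate / restoreIsolate timeouts from the table in question 4
    "Trend Micro Apex One as a Service": timedelta(minutes=25),
    "Cloud One Workload Security": timedelta(minutes=65),
    "SecOps Endpoint Sensor": timedelta(hours=24),
}

def queued_deadline(action, product, issued):
    """Time after which an unfinished Response App task stays "Queued"."""
    if action in ("block", "restoreBlock"):
        return issued + timedelta(minutes=5)  # block / restoreBlock row of the table
    if action in ("isolate", "restoreIsolate"):
        return issued + ISOLATE_TIMEOUT[product]
    raise ValueError(f"unknown action: {action}")

def restore_console(isolated_from, agent_uninstalled):
    """Console that must issue the restore, or None if nothing is left to restore."""
    if isolated_from == CENTRAL and agent_uninstalled:
        return None  # question 3: uninstalling the agent already restored the connection
    return isolated_from  # known issues: state is not shared, restore where you isolated

def triage(tasks, now):
    report = {}
    for t in tasks:
        # The table's timeouts apply to tasks sent by the Response App (Trend Vision One).
        deadline = (queued_deadline(t["action"], t["product"], t["issued"])
                    if t["console"] == V1 else None)
        report[t["endpoint"]] = {
            "deadline": deadline,
            "timed_out": deadline is not None and not t["finished"] and now > deadline,
            "restore_from": restore_console(t["console"], t["agent_uninstalled"]),
        }
    return report

# Constructed sample records; the field names and hostnames are hypothetical.
NOW = datetime(2024, 1, 1, 12, 0)
TASKS = [
    {"endpoint": "ws-01", "console": V1, "action": "isolate", "finished": False,
     "product": "Trend Micro Apex One as a Service",
     "issued": datetime(2024, 1, 1, 11, 30), "agent_uninstalled": False},
    {"endpoint": "ws-02", "console": V1, "action": "isolate", "finished": False,
     "product": "SecOps Endpoint Sensor",
     "issued": datetime(2024, 1, 1, 11, 30), "agent_uninstalled": True},
    {"endpoint": "ws-03", "console": CENTRAL, "action": "isolate", "finished": True,
     "product": "Trend Micro Apex One as a Service",
     "issued": datetime(2024, 1, 1, 9, 0), "agent_uninstalled": True},
]
print(triage(TASKS, NOW))
```

In the sample, ws-01 has passed its 25min window and will stay "Queued", ws-02 is still isolated despite the uninstall and must be restored from Trend Vision One, and ws-03 needs no restore.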