Containing a Compromised Host

In this installment of the Tips and Insights series, Dan Faltisco explains how to contain a possibly compromised host within FireEye Endpoint Security.

Hello, I’m Dan Faltisco, a Channel Sales Engineer at FireEye. I’d like to go over the process of containing a potentially compromised host within FireEye Endpoint. This step is crucial to your ability to handle a threat. So let’s dive in.

Before I show you the process of containing a host, I’d like to review some settings you can adjust from the admin containment settings screen. From here we can do three main things. We can exclude specific hosts from being contained. This is useful if, for instance, you’re running a honeypot scenario or you don’t want to have the machine be contained. We can set which IP addresses and hosts contained machines can connect to, and by default the HX appliances are included in this. And finally, we can set a custom message that users will see if they try to access the network on a contained host.

Okay, now that we’ve reviewed our settings, we can look at a potentially compromised host. So I’m going to go over to the Hosts tab. I’m going to show hosts with alerts. I’m just going to pick one with a lot of alerts. As we can see here, this particular victim machine in our test environment has 90-plus alerts on it. Pretty good chance that this is a compromised machine. We click the plus button next to this machine. We can expand upon it. It’s important to review a host’s potential compromise prior to requesting containment. So I can definitely tell from this host that there’s a high chance this machine was compromised, and at the very least I’m going to want to take a look at this further. I’m going to want to go ahead and request containment for this host. So by doing so I can hit this Request Contain button. And you’ll notice that the machine is not yet contained, and only that a request containment command has gone out. Containing a host is a two-step process, which allows a level of delegated administration.

For instance, we could have a level one security analyst with only the ability to request containment, while a higher-level analyst will be able to complete that request. In this demo environment I’ve given myself the ability to do both steps in one. So I’m going to go ahead and click Contain. We can tell that this machine is contained because we see a check mark that it has been approved for containment. And if I go back into Hosts we see this lock, meaning this has been a contained machine. And that’s how you contain a potentially compromised host in FireEye Endpoint. Thanks for watching. Stay tuned for more Tips and Insights videos from FireEye.
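As an added illustration (this is not FireEye code and does not call the HX product), the following Python model captures the workflow described above: the containment exclusion list and allowed destinations from the admin settings, and the two-step request/approve process with a level one analyst who can only request containment and a higher-level analyst who can complete it. The role names, permission names and state names are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Permission names and the role-to-permission map are assumptions for this
# example; in the product, roles are configured by the administrator.
REQUEST, APPROVE = "request_containment", "approve_containment"
ROLE_PERMS = {
    "analyst_l1": {REQUEST},           # may only request containment
    "analyst_l2": {REQUEST, APPROVE},  # may also complete the request
}

@dataclass
class ContainmentPolicy:
    """The admin containment settings: exclusions and allowed destinations."""
    excluded_hosts: set = field(default_factory=set)        # e.g. honeypots
    allowed_destinations: set = field(default_factory=set)  # HX appliances by default

@dataclass
class Host:
    name: str
    alert_count: int
    state: str = "normal"  # normal -> contain_requested -> contained

class ContainmentWorkflow:
    def __init__(self, policy):
        self.policy = policy

    def _check(self, role, perm):
        if perm not in ROLE_PERMS.get(role, set()):
            raise PermissionError(f"{role} lacks {perm}")

    def request(self, host, role):
        """Step one: ask for containment; the host is not contained yet."""
        self._check(role, REQUEST)
        if host.name in self.policy.excluded_hosts:
            raise ValueError(f"{host.name} is excluded from containment")
        if host.state != "normal":
            raise ValueError(f"{host.name} is already {host.state}")
        host.state = "contain_requested"
        return host.state

    def approve(self, host, role):
        """Step two: complete the request; only now is the host contained."""
        self._check(role, APPROVE)
        if host.state != "contain_requested":
            raise ValueError(f"no pending containment request for {host.name}")
        host.state = "contained"
        return host.state

    def may_connect(self, host, destination):
        """A contained host may reach only the policy's allowed destinations."""
        return host.state != "contained" or destination in self.policy.allowed_destinations
```

The point of the separate `request` and `approve` steps is that a host stays on the network until a role holding the approve permission confirms the request, so a level one analyst cannot isolate a machine on their own.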
