Troubleshoot Secure Endpoint Stuck in Isolation with Recovery Methods

Available Languages

Download Options

PDF (389.3 KB)
View with Adobe Reader on a variety of devices
ePub (494.5 KB)
View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
Mobi (Kindle) (404.2 KB)
View on Kindle device or Kindle app on multiple devices

Updated:November 2, 2022

Document ID:218064

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes the process to recover an endpoint with the Secure Endpoint connector installed from isolation mode.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

Secure Endpoint Connector
Secure Endpoint Console
Endpoint Isolation feature

Components Used

The information in this document is based on these software and hardware versions:

Secure Endpoint console version v5.4.2021092321
Secure Endpoint Windows connector version v7.4.5.20701
Secure Endpoint Mac connection version v1.21.0

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background Information

The procedure described in this document is helpful in situations where the endpoint device is stuck in this state and it is not possible to disable isolation mode.

Endpoint isolation is a feature that lets you block network activity (IN and OUT) on a computer to prevent threats such as data exfiltration and malware propagation. It is available on:

64-bit versions of Windows that support version 7.0.5 and later of the Windows connector
Mac versions that support version 1.21.0 and later of the Mac connector.

Endpoint isolation sessions do not affect communication between the connector and the Cisco cloud. There is the same level of protection and visibility on your endpoints as before the session. You can configure IP Isolation Allow Lists of addresses in order to avoid that the connector blocks the IP addresses in question while an active endpoint isolation session is active. You can review more detailed information about the Endpoint Isolation feature here.

Stop Isolation

Once you want to stop the Endpoint Isolation on a computer, do these quick steps via the Secure Endpoint console or command line.

Stop Isolation Session from the Console

In order to stop an isolation session and restore all network traffic to an endpoint.

Step 1. In the console, navigate to Management > Computers.
Step 2. Locate the computer you want to stop isolation and click to display details.
Step 3. Click the Stop Isolation button, as shown in the image.

stop isolation

Step 4. Enter any comments about why you stopped the isolation feature on the endpoint.

Stop Isolation Session from the Command Line

If an isolated endpoint loses its connection to the Cisco cloud, and you are unable to stop the isolation session from the console. In these situations, you can stop the session locally from the command line with the unlock code.

Step 1. In the console, navigate to Management > Computers.

Step 2. Locate the computer you want to stop isolation and click to display details.

Step 3. Note the Unlock Code, as shown in the image.

unlock code error2

Step 4. You can also find the Unlock Code if you navigate to Account > Audit Log, as shown in the image.

audit log, unlock code

Step 5. On the isolated computer, open a command prompt with administrator privileges.

Step 6. Navigate to the directory where the connector is installed

Windows: C:\Program Files\Cisco\AMP\[version number]

Mac: /opt/cisco/amp

Step 7. Run the stop command

Windows: sfc.exe -n [unlock code]

cmd unlcok

Mac: ampcli isolate stop [unlock code]

Caution: If the unlock code is entered incorrectly 5 times, it is necessary to wait 30 minutes before you make another unlock attempt.

Recovery Troubleshoot

In case you exhausted all avenues and you are still unable to recover an isolated endpoint from the Secure Endpoint console or locally with the unlock code; you can recover the isolated endpoint with the emergency recovery methods.

Mac Recovery:

Remove the isolation configuration and restart the Secure Endpoint Service

sudo rm /Library/Application\ Support/Cisco/Secure\ Endpoint/endpoint_isolation.xml
sudo launchctl unload /Library/LaunchDaemons/com.cisco.amp.daemon.plist
sudo launchctl load /Library/LaunchDaemons/com.cisco.amp.daemon.plist

Windows Recovery:

Recovery Isolation Method from the Command Line

In situations where your endpoint device is stuck in isolation and it is not possible to disable isolation via the Secure Endpoint console or with the unlock code, do these steps.

Step 1. Stop the connector service via the connector user interface or Windows Services.

Step 2. Locate the Secure Endpoint connector service and stop the service.

Step 3. On the isolated computer, open a command prompt with administrator privileges.

Step 4. Run the command reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Immunet Protect" /v "unlock_code" /f as shown in the image.

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Immunet Protect" /v "unlock_code" /f

hkey unlock

Step 5. The message The operation completed successfully indicates the operation was completed. (If another message is displayed, as "Error: Access is denied" you need to stop the Secure Endpoint connector service prior that you run the command).

Step 6. Start the Secure Endpoint connector service.

Tip: If you are unable to stop the Secure Endpoint connector service from the connector user interface or Windows Services, you can do a Safe boot.

On the isolated endpoint, navigate to System Configuration > Boot > Boot options and select Safe boot, as shown in the image.

safe boot

Recovery Isolation Method Without the Command Line

In case your endpoint device is stuck in isolation and it is not possible to disable isolation via the Secure Endpoint console or with the unlock code or even if you are unable to use the command line, do these steps:

Step 1. Stop the connector service via the connector user interface or Windows Services.

Step 2. Navigate to the directory where the connector is installed (C:\Program Files\Cisco\AMP\) and delete the file jobs.db, as shown in the image.

file name jobs

3. Reboot the computer.

Additionally, if you see the Isolation event in the console, you can navigate to Error Details in order to review the error code and its description, as shown in the image.

error_code

Verify

In order to verify the endpoint is back from isolation or is no longer isolated, you can see the Secure Endpoint connector user interface displays the Isolation status as Not Isolated, as shown in the image.

user interface

From the Secure Endpoint console, if you navigate the Management > Computers, and locate the computer in question, you can click to display details. The Isolation status displays Not Isolated, as shown in the image.

console event

Related Information

Revision History

Revision	Publish Date	Comments
2.0	02-Nov-2022	Added: Mac version, Mac stop command, Mac recovery method
1.0	19-Aug-2022	Initial Release

Contributed by Cisco Engineers

Brenda Marquez
Cisco TAC Engineer

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)

This Document Applies to These Products

Secure Endpoint