Asset Isolation

Isolating assets during an investigation
Asset Isolation works by terminating all of an endpoint's existing connections and blocking any new ones.
When an asset is isolated, you can still perform tasks such as Acquisition, Triage, interACT and Time-lining.

How it works

This feature uses a kernel-mode driver to perform the isolation and does not depend on Windows Firewall.
The isolation task is persistent. Even if you reboot an isolated machine from the AIR Console, the asset will still be isolated after the reboot until you un-isolate it from the Asset Details page.