Red Status in client but still there is a connection... Endpoint Protection | Intercept-X

Hi Can carmack 

There is a policy option that allows computers to isolate themselves from the network when the computer reports a red health status. This option is available in the Threat Protection policy under Device Isolation:

You can still manage the computer from Sophos Central when it is isolated. Please check this article for more information. 

Thanks for reply Shweta 

According to KB Intercept X Advanced with EDR license is needed.

With our license we can only isolate computers -not global rule- via Custom Policy.


For the test; applied this policy to small group of computers.
After policy apply, there are lots of computers get isolated.


Now can not remove these isolations from admin panel as mentioned in KB.
How to remove isolations proper way or manually.


ps: we are Intercept X Advanced licensed. no EDR or etc.

Hi Can carmack 

That option is only for the computers isolated by the administrators, not for the computers isolated due to red health.

The self-isolated computer will come out of the isolation if the health status turns Green. 

You can also try disabling the device isolation option in the threat protection policy and check whether that device gets connected to the internet or not.

Even when the device is isolated, it can communicate to the Sophos Central. So, the change in policy may change the policy of device isolation as well. 

Thanks for reply.

How can we remove isolation via admin panel without EDR license?

We can not connect to isolated client via remote tools to fix the client.
For fix there is a stop Health service and rename health database file command is given to us by Sophos Desk.

How to make client connectable?

Hi Can carmack 

The option of admin isolated machines is only valid for the machines which are isolated by the Sophos Central admin from the Sophos Central, not for the machines which are auto isolated because of the policy of device isolation.

Unfortunately, it is not possible that you can remove the isolation of the machine from Sophos Central. You can try by disabling the option of device isolation in the threat protection policy and apply to those red devices. Once the devices have been updated with the latest policy, they are chances that they may come out of the isolation.

Hi Can carmack 

The option of admin isolated machines is only valid for the machines which are isolated by the Sophos Central admin from the Sophos Central, not for the machines which are auto isolated because of the policy of device isolation.

Unfortunately, it is not possible that you can remove the isolation of the machine from Sophos Central. You can try by disabling the option of device isolation in the threat protection policy and apply to those red devices. Once the devices have been updated with the latest policy, they are chances that they may come out of the isolation.

Very hard and non-practical way.

Auto Isolation is far behind expectations for Advanced Intercept-X licensed companies.

There should be a better way to fix isolated computers.
Shweta Jasmin

Hi Can carmack 

We understand your concern but device isolated because of red health can only be back to the network when their health is green and that can only be achieved by working on the client computer.

Thank you,

How can we request from Sophos easy to use process for this situation?

Hi Can carmack 

To make the computers connected to the internet or network, you can below steps on the client after which the client will be available for the remote session.

1. Disabling Tamper Protection (if enabled)
2. Open the Sophos UI and clicking on Settings
3. Tick the option Override Sophos Central Policy for up to 4 hours to troubleshoot
4. De-select the radio button for Network Threat Protection

But for the above steps, you need the client machine or you can ask users to perform this after disabling the tamper protection from the Sophos Central.