Skip to Main Content

Trellix Endpoint Security FAQs

FireEye Endpoint Security (FES) is a small piece of software, called an 'agent', which is installed on servers and workstations to provide protection against common malware as well as advanced attacks. FES combines the best of legacy security products, enhanced with FireEye technology, expertise and intelligence to defend against today's cyber attacks. Based on a defense in depth model, FES uses a modular architecture with default engines and downloadable modules to protect, detect and respond to security events.

The short answer is because it works, it enables better response and investigation capabilities, and last but not least, because the cost is subsidized by the UC Office of the President.

The UC System selected Trellix as our Threat Detection and Identification (TDI) solution several years ago. Initially, the primary focus was on deploying network detection capabilities but those technologies do not extend beyond the campus network and did not address issues at the local IT system level. Additionally, with more and more Internet traffic being encrypted, network-based detection solutions are somewhat limited in their effectiveness.

Because TES is installed locally, it solves those problems. The protection provided by TES continues no matter where the IT system is located. Additionally, because TES operates at the system level, it can detect malicious activity that may occur even if the inbound or outbound network traffic is encrypted.

IT Services was an early adopter of TES and had it deployed in our data center on most of our servers. We have seen firsthand where TES has prevented a security event. Other UC campuses have started adopting TES and have reported similar results.

Last year, the UC suffered from a significant security event costing the UC over 1 million dollars. In reviewing the root cause of the incident, it was determined that TES could have prevented the event. After this event, the UC Office of the President decided to extend coverage of the TDI platform and fund the deployment of the TES agent for all campus locations.

Because TES is part of the existing TDI platform, the campus benefits from the 24X7 Trellix Security Operations Center monitoring and the collective intelligence of the entire platform. This combined with the cost savings of having the solution subsidized by UCOP and the benefit of a "single-pane-of-glass" for our security team provides efficiencies and improvements in security posture.

The TES agent delivers advanced detection capabilities that will help UCLA Information Security and IT professionals to respond to threats that bypass traditional endpoint technologies and defenses. It uses detailed intelligence to correlate multiple discrete activities and uncover exploits. Endpoint visibility is critical to identifying the root cause of an alert and conducting a deep analysis of a threat to determine its impact and risk. 

The functions of the agent include: 

Malware Detection/Protection (Not Supported for Linux) 

Trellix's Endpoint Security Agent malware protection feature guards and defends your host endpoints against malware infections by automatically scanning all files (upon read/write/execution) on your host endpoint for malicious code. Malware includes viruses, trojans, worms, spyware, adware, key loggers, rootkits, and other potentially unwanted programs (PUP). Malware protection uses malware definitions to detect and identify malicious artifacts. 

File quarantine 

Malware protection has two components: malware detection and quarantine. Malware detection, which includes MalwareGuard, utilizes two scanning engines to guard and defend your host endpoints against malware infections, the Antivirus engine, and the MalwareGuard engine. Quarantine isolates infected files on your endpoint and performs specific remediation actions on the infected file. This is similar to traditional off-the-shelf antivirus solutions. 

Exploit Detection/Protection (Not Supported for macOS or Linux) 

This is a Windows-only engine. Exploit detection uncovers exploit behaviors on your host endpoints that occur during the use of Adobe Reader, Adobe Flash, Internet Explorer, Firefox, Google Chrome, Java, Microsoft Outlook, Microsoft Word, Microsoft Excel, and Microsoft PowerPoint. The following are examples of the exploit types that can be detected in these applications: 

  • Return-oriented programming (ROP) attacks
  • Reverse shell attempts in Windows environments
  • Heap spray attacks
  • Application crashes caused by exploits
  • Structured Exception Handling Overflow Protection (SEHOP) corruption of programs
  • Null page exploits
  • Microsoft Office macro-based exploits
  • Java exploits
  • Access token privilege escalation detection
  • First stage shellcode detection
  • Drive-by downloads

Real-Time Indicator Detection 

Threat activity intelligence is collected by Trellix and made available to the Endpoint Agent products as indicators of compromise (also referred to as indicators or IOCs) through Trellix’s Dynamic Threat Intelligence (DTI) cloud. Endpoint Security uses the Real-Time Indicator Detection (RTID) feature to detect suspicious activities on your host endpoints. RTID monitoring uses Trellix indicators to detect the following: 

  • Unauthorized use of valid accounts
  • Command and control activity
  • Known and unknown malware 
  • Suspicious network traffic
  • Valid programs used for malicious purposes 
  • Unauthorized file access
  • Trace evidence and partial files

Host Containment (Linux support in version 34 an above) 

The host containment feature is a function that will ONLY be performed with the approval of the Information Security Office manager and/or CISO in the event of a high severity detection, and the Security Office is unable to engage the system administrator for immediate containment action. This function enacts a host firewall that will restrict all network access to the host with the intention to prevent lateral movement or data exfiltration by the threat actor. 

Incident Response Triage Acquisition 

This is a function that allows Information Security and Trellix analyst(s) to execute acquisition scripts on the host as it pertains to a detected threat. The scripts vary in content based on the operating system (OS). 

The TES Agent is being deployed to all UCLA owned systems (workstations and servers). While personally owned devices are not mandated at this time, any system that will store, process, or transmit university data can have the TES agent installed. 

It is important to understand that installing the TES agent on a personally-owned device will give UCLA Information Security staff and Trellix staff access to the same level of information on these devices as they would have on a UCLA owned device. This does reduce your personal privacy on that device but provides you with additional protection as well.

TES is being deployed through local IT Teams in collaboration with the OCISO Security Operations Team and Professional Services provided by Trellix engineers. There are three modes of deployment:

  • Self Managed - Unit IT is provided direction but they largely handle the implementation to systems on their own.
  • Fully Managed - OCISO and Trellix do most of the heavy lifting to implement on systems in the local Unit.
  • Partially Managed - Local IT, OCISO staff, and Trellix work together on the implementation of the agents on local systems.

The typically deployment schedule is done in four phases:

  • Pre-Deployment: OCISO and Trellix staff meet with local IT to go over the process, expectations, and timelines, as well as answer any questions the local IT unit, may have.
  • Deployment: This phase can last up to 4 weeks and is where the agent deployment begins and any exclusion lists are developed. During this phase, the local IT team will typically deploy the agent to a sampling of IT systems at first and then to the larger population of systems. The OCISO team validates deployment via the TES console in collaboration with the local IT Unit.
  • Baselining: This phase typically lasts 2 weeks. During this phase, the teams work through any false-positive findings and fine-tune the agent for the Unit. This is also where Unit notifications are established and Prevention mode is enabled.
  • Validation: For the final week, the teams work together to validate the list of systems that have been included in the deployment and they test system features such as host containment and triage acquisition. A final step is to document any lessons learned during the various phases.

This phased approach has been implemented across campus with the goal of having all UCLA-owned assets covered by December 31, 2021.

Trellix offers clients for most versions of Windows, MacOS and many Linux variants, specifically:

  • Windows 7, 8, 10
  • Windows Server 2008 R2, 2012, 2012 R2, 2016, 2019
  • MacOS 10.9-10.15, 11
  • Linux
    • RHEL 6.8-6.10, 7.2+, 8+
    • CentOS 6.8-6.10, 7.2+,8+
    • Ubuntu 14.04, 16.04, 18.04
    • SUSE 11.3, 11.4
    • SUSE 12.2, 12.3, 15
    • OpenSUSE 15.1
    • Amazon AMI 2018.3, AMI2
    • Oracle Linux 6.10 & 7.6
Yes, all of these environments are supported.

The Trellix Endpoint Security solution is designed to replace traditional anti-virus software (e.g. Sophos) and provide enhanced security and privacy through its use of multiple product engines:  

  • Indicator of Compromise (IOC) collects real-time events continuously on each endpoint (e.g. changes to file system, live memory, registry persistence, DNS lookups, IP connections, URL events, etc.) to instantly confine a threat and investigate the incident without risking further infection.
  • Exploit Guard applies behavioral analysis and machine intelligence techniques to evaluate individual endpoint activities and correlate this data to detect an exploit.  It allows for rapid response to new threats and false positives (e.g. heap spray, ROP, web shell exploits, crash analysis, Java exploits, Office macro exploits, SEHOP corruption analysis, unattended download, null page exploits, network events, special strings, OS behavior analysis, etc.)
  • Anti-Virus—powered by Bitdefender—allows for a real-time or scheduled scan of all files for Windows and MacOSX.
  • MalwareGuard uses machine learning classification of new/unknown executables. It is signature-less with a small client footprint and works in conjunction with the Anti-Virus engine. It has a disconnected model that does not require cloud lookups or constant model updates.

Yes, Trellix will recognize the behaviors of ransomware and prevent it from encrypting files.

The TES client uses a small amount of system resources and should not impact your daily activities. However, each application and system is unique, and Information Security encourages all admins to install and test the agent in their own environment to validate that system and application performance remains acceptable.

In some situations, the TES agent may be impractical to install and maintain. While these situations are likely limited, we do have an exception process that can be utilized to request and exception from implementing the TES agent.

When a situation arises where TES is impractical, the Unit IT personnel can request an exception. Once the Unit IT has filled out the exception request the Unit Head (typically the Vice Chancellor, Vice Provost, Dean or University Librarian) will review the request and authorize it for consideration. The exception request will then be presented to the Campus Chief Information Security Officer (CISO) for review. If the risk posed by the exception request is reasonably mitigated, the CISO can approve the risk. In cases where the risk is not sufficiently mitigated, the CISO will forward the request to the Cyber-Risk Responsible Executive (CRE) for review. The CRE has the final authority on granting or rejecting an exception request.

Yes, the client will protect against malware threats when the device is disconnected from the internet.

The TES agent only collects logs normally created on your system. The types of logs collected are:

-Image load events                           -Registry event
-Process Lifecycle events                 -DNS lookup event
-File Write event                                -Network event
-URL event                                        -Endpoint IP address change

This data does not leave your system unless an event is detected and usually only stays on your device for 1-6 days. If an event is detected, a subset of the logs are sent to the Trellix HX Appliance, a UCLA owned and operated, physical server in our data center. This data is referred to as alert data. In some circumstances, the TES agent will pull a snapshot of system activity 10 minutes prior to the incident and 10 minutes after the incident. This data is referred to as security event metadata (this is also referred to as a triage package). Data sent to our HX appliance is retained for a period of 1 year. 

Trellix security operations also receive alert data and security event metadata sent to our internal appliance. This information is provided to Trellix and UCLA Information Security for investigation. No additional data can be reviewed without confirmation of an incident and specific authorization/approval consistent with the UC Electronic Communications Policy and UCLA Policy 410 : Nonconsensual Access to Electronic Communications Records

If an investigation is warranted, the UCLA Security team can pull a full triage package using the TES agent. This capability allows our internal investigators to pull all of the log data available in the local system buffer (typically 1-6 days worth of logs). This is simply pulling additional logs not, individual files, and this data is not automatically shared with Trellix, it is only available locally.

The TES console does allow our internal team to pull an individual file however, this is a manual process and only done in consultation with the local IT contacts in connection with a security event detection. Any files that are acquired by the internal security team are not shared with the Trellix team unless they are engaged to provide support during a significant security incident. TES only supports multiple file copies via API commands or recursive raw disk capture (Windows-only) which would first require hands-on enumeration of physical disks within a system (via Command Line Interface). This approach is not only extremely time-consuming but impractical from a storage limitation and bandwidth perspective. Neither of these methods would be part of any routine process.

TES does not have the capabilities to do a full disk copy. Any investigation that requires a full disk image would require either the consent of the individual or authorization under UCLA Policy 410 : Nonconsensual Access to Electronic Communications Records. The acquisition of a complete disk image, if authorized, would not be performed by TES due to the limitations and lack of completeness cited above.

The TES console provides a full audit trail for any information that is accessed by Trellix or the Information Security Office. This audit trail can be inspected by our internal auditors and campus leadership or other governing bodies determined appropriate by leadership.

All data sent to Trellix during the course of operations is retained in their US datacenters for a period of one year. Any access to UCLA data is governed by our Electronic Communications Policy and contractual provisions which require a "least invasive" review. 

Attacks that start at an endpoint can spread quickly through the network. After the identification of an attack, TES enables Information Security to isolate compromised devices via the containment feature from the management console in order to stop an attack and prevent lateral movement or data exfiltration. Essentially, this feature allows UCLA Information Security to isolate a single computer, preventing it from communicating with any other devices until the investigation has been completed. Information Security will then conduct a complete forensic investigation of the incident without risking further infection or data compromise. 

Generally speaking, once the TES agent is put into blocking mode it can not be stopped or removed by anyone other than the Information Security team. However, during the onboarding process, the local IT Unit can have a "break glass" password set. This will allow the local IT Unit to remove the TES agent if mission-critical systems or applications are impacted.

If the agent blocks a legitimate service or application, the local Unit IT team can work with the Information Security team to restore the service or application. If mission-critical systems are impacted, local IT can also use a "break glass" password to remove the agent and restore services but only after it is confirmed that no legitimate threat exists.

Extreme caution should be taken when using the "break glass" process. This can expose your system to compromise and could expose the campus to additional security exposure. It is important that the local IT team work with the Information security team to restore the TES agent to normal operation as soon as possible. 

Responding to subpoenas is governed by UCLA Policy 120 : Legal Process - Summonses, Complaints and Subpoenas and UCLA Procedure 120.1 : Producing Records Under Subpoena Duces Tecum and Deposition Subpoena. Any legal process served to the Information Security Office is immediately forwarded to Campus Counsel for disposition. We do not release security-related information to law enforcement or other entities unless directed to do so by counsel. If and when legal counsel authorizes a release of information, counsel reviews the information before providing it to outside agencies.   

Internally, at the campus or system level, this data is not released except in the course of an authorized audit, and even in those cases, great care is taken to release only the minimum necessary data. Provisions are being made to allow authorized individuals from a Unit to request a review of any access logs pertaining to systems or users within that Unit.

The data collected by TES is generally considered 'Computer Security Sensitive Information' which may be exempt from public records disclosure. This data is not released without consultation with legal counsel. 


Get Help

Our Information Security staff is on hand to answer all of your questions about Trellix. If you have any questions, please contact the Information Security Office at

Go to Trellix Security Website