FireEye Endpoint Deployment Quick Start Guide

The document provides instructions for deploying the FireEye Endpoint agent on Windows and Mac systems. For Windows, it describes installing the agent software using MSIEXEC, specifying an alternate configuration file location, uninstalling the agent, and verifying a successful installation. For Mac, it outlines mounting the installation DMG file, accepting the installation wizard, and additional steps needed for High Sierra and above like allowing the kernel extension and granting full disk access. The document also lists files that should be excluded by antivirus software to prevent conflicts with the FireEye agent.
FireEye (Trellix) Endpoint Deployment

Quick Start Guide

MANDIANT PROPRIETARY AND CONFIDENTIAL
FIREEYE ENDPOINT SECURITY QUICK START GUIDE

FireEye Endpoint Deployment


Deploying the FireEye Endpoint Agent in a VDI Environment
If you need to deploy Endpoint Security Agent software in a non-persistent VDI environment, follow the recommendations
in section “Guidelines for Deploying Agents in a Non-Persistent VDI Environment” in the accompanying FireEye Endpoint
Security Agent Deployment Guide. Failure to adhere to these recommendations will result in duplicate agents and may
disrupt communication between the Endpoint Security server and host endpoints.

Deploying the FireEye Endpoint Agent (Windows)


The FireEye Endpoint agent package consists of two files: xagtSetup_X.X.X_universal.msi and
agent_config.json. xagtSetup_X.X.X_universal.msi is the FireEye Endpoint agent installation file. The
agent_config.json configuration file contains the specific settings preconfigured for the environment.

Antivirus Exclusions (Windows)


In order to prevent potential conflicts with antivirus and/or host-based intrusion detection software for FireEye Endpoint,
the following files should be whitelisted:

Files | Default File Paths | Windows Version
audits.dll, mindexer.sys, and xagt.exe | %ProgramFiles%\FireEye\xagt\*.* | 32-bit
audits.dll, mindexer.sys, and xagt.exe | %ProgramFiles(x86)%\FireEye\xagt\*.* | 64-bit
NamespaceToEvents32.dll | %SystemRoot%\FireEye\*.* | 64-bit
NamespaceToEvents.dll | %SystemRoot%\FireEye\*.* | All
FeKern.sys | %SystemRoot%\System32\drivers\FeKern.sys | All
Everything in the ProgramData\FireEye\xagt directory | %ALLUSERSPROFILE%\Application Data\FireEye\xagt\*.* | NT 5.x
Everything in the ProgramData\FireEye\xagt directory | %ProgramData%\FireEye\xagt\*.* | NT 6+
xagtnotif.exe | %SystemRoot%\FireEye\xagtnotif.exe | All
Any extensions in the exts directory or its subdirectories (whitelist these in your antivirus software) | %ALLUSERSPROFILE%\Application Data\FireEye\xagt\exts | All
AppMonitorDll32_xx.dll | %SystemRoot%\FireEye\AppMonitorDll32_xx.dll | 64-bit
JavaAgentDll32_xx.dll | %SystemRoot%\FireEye\JavaAgentDll32_xx.dll | 64-bit
AppUIMonitor_xx.exe | %SystemRoot%\FireEye\AppUIMonitor_xx.exe | All
AppMonitorDll_xx.dll | %SystemRoot%\FireEye\AppMonitorDll_xx.dll | All
JavaAgentDll_xx.dll | %SystemRoot%\FireEye\JavaAgentDll_xx.dll | All
(where xx is a series of incrementing numbers)

All = All supported versions of Windows
32-bit = 32-bit versions of Windows
64-bit = 64-bit versions of Windows
NT 5.x = Windows XP SP3 and Windows Server 2003 SP2+R2
NT 6+ = All other supported Windows versions

Installation (Windows)
To install the FireEye Endpoint agent, the installer must be run by an account with administrative privileges. In addition,
both the xagtSetup_X.X.X_universal.msi and agent_config.json files must be located in the same directory.
Many software deployment tools can be used to install the agent on systems across the environment. The following
command will install the agent using MSIEXEC:

msiexec.exe /i xagtSetup_X.X.X_universal.msi /qn

Specifying an Alternate Configuration File Location (Windows)


You can install the agent when the agent_config.json file is not in the same directory as the .msi file downloaded from the
Endpoint Security server. Use the CONFJSONDIR option when you run the installation. The following example runs the
installation using the agent_config.json file in the directory c:\temp:

msiexec.exe /i xagtSetup_X.X.X_universal.msi CONFJSONDIR=c:\temp

Uninstalling the FireEye Endpoint Agent (Windows)


The FireEye Endpoint agent can be uninstalled from systems in many ways. One example is to copy the original
xagtSetup_X.X.X_universal.msi installation package onto the system, then run the following MSIEXEC command on the
local system:

msiexec.exe /x xagtSetup_X.X.X_universal.msi /quiet

Confirming the Agent Installed Successfully (Windows)


Once the agent has been installed on a system successfully there are two checks that can be performed to confirm that the
agent is operating as expected. The first is to run the following command to ensure that the newly installed service is in the
RUNNING state:

sc query xagt

Confirming the Network Connection is Allowed (Windows)


Using the IP address of the HX controller provided by Mandiant, open a web browser and make an HTTPS (TLS) connection
to the IP address using the format https://<IP>. If the network is configured correctly to allow outbound communication to
the controller, a certificate error should display in the web browser as shown below:


Confirming the Network Connection is Established (Windows)


After installation of the agent and the agent’s successful connection to the controller, there should be at least one
connection with the TIME_WAIT state. Any other connection status does not indicate a successful installation. You
can run the following command a few times after installation to confirm. If you do not see TIME_WAIT, we need to
make sure the connection is not being blocked at the network level. Replace “XX.XX.XX.XX” with the IP address of the
controller for your specific engagement.

netstat -nao | findstr "XX.XX.XX.XX"


Example results:
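The two Windows checks above (sc query for the RUNNING state and netstat for a TIME_WAIT connection to the controller) wrapped into one script, as an added example that is not part of the original guide. The controller IP, the service and netstat output it parses offline, and the helper names are constructed; on a real host the run_checks function executes the same two commands the guide gives.

```python
"""Post-install checks for the FireEye Endpoint (xagt) agent on Windows.

Added example, not FireEye/Trellix code. `sc query xagt` must report RUNNING and
`netstat -nao` must show a TIME_WAIT connection to the HX controller, which is
the success signal the guide describes. Sample outputs below are constructed.
"""
import re
import subprocess
from collections import Counter

# Constructed placeholder; replace with the controller IP Mandiant provided.
CONTROLLER_IP = "198.51.100.10"

def parse_sc_state(sc_output):
    """Return the STATE word (e.g. 'RUNNING') from `sc query` output, or 'UNKNOWN'."""
    match = re.search(r"^\s*STATE\s*:\s*\d+\s+(\w+)", sc_output, re.MULTILINE)
    return match.group(1) if match else "UNKNOWN"

def controller_connections(netstat_output, controller_ip):
    """Count TCP connection states whose foreign address is the controller.

    Equivalent to `netstat -nao | findstr <IP>`, but keyed on the foreign-address
    column only, so a local address containing the same digits is not counted.
    """
    states = Counter()
    for line in netstat_output.splitlines():
        parts = line.split()
        # `netstat -nao` TCP rows: Proto  Local Address  Foreign Address  State  PID
        if len(parts) < 5 or parts[0] != "TCP":
            continue
        foreign_ip = parts[2].rsplit(":", 1)[0]
        if foreign_ip == controller_ip:
            states[parts[3]] += 1
    return states

def agent_healthy(sc_output, netstat_output, controller_ip):
    """True when the service is RUNNING and at least one TIME_WAIT connection to the controller exists."""
    running = parse_sc_state(sc_output) == "RUNNING"
    return running and controller_connections(netstat_output, controller_ip)["TIME_WAIT"] >= 1

def run_checks(controller_ip=CONTROLLER_IP):
    """Execute both commands on the local Windows host and evaluate them."""
    sc_out = subprocess.run(["sc", "query", "xagt"], capture_output=True, text=True).stdout
    ns_out = subprocess.run(["netstat", "-nao"], capture_output=True, text=True).stdout
    return {"service_state": parse_sc_state(sc_out),
            "controller_states": dict(controller_connections(ns_out, controller_ip)),
            "healthy": agent_healthy(sc_out, ns_out, controller_ip)}

# Constructed sample output used for the offline demonstration.
SAMPLE_SC = """
SERVICE_NAME: xagt
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49712         198.51.100.10:443      TIME_WAIT       0
  TCP    10.0.0.5:49715         198.51.100.10:443      ESTABLISHED     2312
  TCP    10.0.0.5:49720         203.0.113.7:443        ESTABLISHED     4100
"""

if __name__ == "__main__":
    print("sample:", parse_sc_state(SAMPLE_SC),
          dict(controller_connections(SAMPLE_NETSTAT, CONTROLLER_IP)))
```

Run it with `python agent_check.py` on the endpoint and call run_checks(); a STOPPED service or a netstat listing with no TIME_WAIT row for the controller makes healthy false, which is the cue to look at network-level blocking as the guide describes.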

Deploying the FireEye Endpoint Agent (Mac)


The FireEye Endpoint agent package for Mac is a .dmg archive consisting of two files: xagtSetup_X.X.X.mpkg and
agent_config.json. xagtSetup_X.X.X.mpkg is the FireEye Endpoint agent installation file. The
agent_config.json configuration file contains the specific settings that have been preconfigured for the environment.

Antivirus Exclusions (Mac)


In order to prevent potential conflicts with antivirus and/or host-based intrusion detection software for FireEye Endpoint,
the following files should be whitelisted:

Files | Default File Paths | OS Version
xagt/* | /Library/FireEye/xagt/* | All
Support/FireEye/* | /Library/Application Support/FireEye/* | All
FireEye.kext/* | /Library/Extensions/FireEye.kext/* | All
com.fireeye.xagt.plist | /Library/LaunchDaemons/com.fireeye.xagt.plist | All
com.fireeye.xagtnotif.plist | /Library/LaunchAgents/com.fireeye.xagtnotif.plist |

All = Supported OS X/MacOS versions: 10.9 (Mavericks), 10.10 (Yosemite), 10.11 (El Capitan), 10.12 (Sierra), and 10.13* (High Sierra)

*MacOS 10.13 (High Sierra) systems may require FireEye’s Team ID for deployment of the FireEye Endpoint agent: P2BNL68L2C

Installation (Mac)
Follow the steps below to install the FireEye Endpoint agent on a Mac endpoint:
1. Mount the .dmg file containing xagtSetup_X.X.X.mpkg and agent_config.json
2. Double-click the installation file to launch the setup wizard
3. Accept all suggested settings and license agreement and continue through the wizard.
4. When the wizard completes, click Close.
Alternatively, a third-party endpoint management solution for Mac such as Jamf Pro can be used to deploy the FireEye
Endpoint agent to Mac endpoints across the enterprise.

Additional Installation Instructions (High Sierra and above)


MacOS High Sierra and above implemented additional security controls that require explicit approval of any kernel
extension installed after the upgrade. As such, the FireEye kernel extension must be allowed either during manual installation
or after installation, manually or using a third-party endpoint management solution for Mac such as Jamf Pro. To manually
enable the kernel extension after installation, use the following instructions:
• System Preferences -> Security & Privacy -> "Some system software was blocked from loading" -> click Allow
• Allow the FireEye Inc. and BitDefender entries and click OK
Third-party software such as Jamf Pro requires the software Team ID to enable the kernel extension:
• Team ID for FireEye endpoint agent: P2BNL68L2C
• Team ID for BitDefender used by FireEye endpoint agent: GUNFMW623Y
Full Disk Access permission will need to be granted for the FireEye agent. This can be done with a configuration profile using
a third-party endpoint management solution such as Jamf Pro. To enable it manually, use the following instructions:
1. Open System Preferences.
2. Select the Security & Privacy tab.
3. In the list of services on the left, choose Full Disk Access.
4. Click the Lock icon in the bottom left corner to unlock the setting.
5. Enter Administrator credentials.
6. Click the + icon.
7. Navigate to the /Library/FireEye/xagt/ folder.
8. Select xagt.app.
9. Click the Open button.
10. Quit Security & Privacy.

Uninstalling the FireEye Endpoint Agent (Mac)


The FireEye Endpoint agent can be uninstalled from Mac systems using the following steps:


1. Launch the Terminal and enter the following command to run the uninstall script:

sudo /Library/FireEye/xagt/uninstall.tool

2. Enter the administrator password when prompted

3. Enter the following command to verify that no xagt processes are running (the bracketed pattern keeps grep from matching its own command line):

ps aux | grep '[x]agt'

4. If xagt processes are running on the endpoint, perform one of the following steps:
a. If all the agent artifacts still remain on the endpoint, run the uninstall script again
b. If all the agent artifacts have been removed from the endpoint, manually terminate the xagt process
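A post-install and post-uninstall check for the Mac steps above (kernel extension approved and loaded, launch daemon registered, xagt processes present or absent), as an added example that is not part of the original guide. It reads `kextstat` and `launchctl list` output; the sample output is constructed, and the kext bundle identifier in it is an assumption, the real one is whatever kextstat prints on the host.

```python
"""Mac-side checks for the FireEye Endpoint agent.

Added example, not FireEye/Trellix code. After the wizard (or Jamf) install and
the High Sierra kernel-extension approval it confirms that a FireEye kext is
loaded and that the com.fireeye.xagt launch daemon is registered; after the
uninstall script it confirms that no xagt process survives. Samples constructed.
"""
import subprocess

def run(cmd):
    """Capture stdout of a command; the host commands are the ones the guide relies on."""
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def loaded_kexts(kextstat_output, needle="fireeye"):
    """Bundle identifiers from `kextstat` whose Name column contains needle."""
    found = []
    for line in kextstat_output.splitlines()[1:]:      # first line is the column header
        parts = line.split()
        # Columns: Index Refs Address Size Wired Name (Version) UUID <Linked Against>
        if len(parts) >= 6 and needle in parts[5].lower():
            found.append(parts[5])
    return found

def launchd_job(launchctl_output, label="com.fireeye.xagt"):
    """(pid or None, last exit status) for label from `launchctl list`, or None if absent.

    launchctl prints three tab-separated columns: PID ('-' when not running), Status, Label.
    """
    for line in launchctl_output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] == label:
            pid = None if parts[0] == "-" else int(parts[0])
            return pid, int(parts[1])
    return None

def xagt_pids():
    """PIDs of running xagt processes; `pgrep -x` avoids matching itself or xagtnotif."""
    return [int(p) for p in run(["pgrep", "-x", "xagt"]).split()]

def agent_status():
    """Everything a deployer wants to see after install, or after uninstall."""
    return {"kexts": loaded_kexts(run(["kextstat"])),
            "daemon": launchd_job(run(["launchctl", "list"])),
            "xagt_pids": xagt_pids()}

# Constructed sample output (bundle id and version are placeholders, not FireEye's real values).
SAMPLE_KEXTSTAT = """Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
  150    0 0xffffff7f83a0c000 0x1e000    0x1e000    com.fireeye.xagt.kext (X.X.X) 0000-0000 <5 4 3 1>
  151    0 0xffffff7f83b2a000 0x2a000    0x2a000    com.apple.driver.AppleHPET (1.8) 1111-1111 <12 7 5 4 3>
"""
SAMPLE_LAUNCHCTL = "PID\tStatus\tLabel\n512\t0\tcom.fireeye.xagt\n-\t0\tcom.apple.cron\n"

if __name__ == "__main__":
    print("sample kexts:", loaded_kexts(SAMPLE_KEXTSTAT))
    print("sample daemon:", launchd_job(SAMPLE_LAUNCHCTL))
```

After a successful install, agent_status() should show one FireEye kext, a daemon tuple with a PID, and a non-empty PID list; after the uninstall script, all three should be empty or None. If the kext is missing but the daemon is running, the High Sierra approval step (or the Team ID in the Jamf policy) is the usual cause.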

Deploying the FireEye Endpoint Agent (Linux)


The FireEye Endpoint agent package for Linux is a .tgz archive consisting of eight files:
• agent_config.json
• xagt-xx.x.x-x.el6.x86_64.rpm
• xagt-xx.x.x-x.el7.x86_64.rpm
• xagt-xx.x.x-x.sle11.x86_64.rpm
• xagt-xx.x.x-x.sle12.x86_64.rpm
• xagtSetup_xx.x.x.run
• xagt_xx.x.x-x.ubuntu12_amd64.deb
• xagt_xx.x.x-x.ubuntu16_amd64.deb

Antivirus Exclusions (Linux)


In order to prevent potential conflicts with antivirus and/or host-based intrusion detection software for FireEye Endpoint,
the following files should be whitelisted:

Files | Default File Paths | OS Version
xagt | /etc/rc.d/init.d/xagt | RHEL 6.x
Everything in /var/lib/fireeye/ | /var/lib/fireeye/* | All
Everything in /opt/fireeye/ | /opt/fireeye/* | All
xagt.service | /usr/lib/systemd/system/xagt.service | RHEL 7.x
All = Supported Linux versions: RHEL 6.8 and RHEL 7.x

Installation (Linux Ubuntu/Debian)


Follow the steps below to install the FireEye Endpoint agent on a Linux endpoint:
*NOTE: STEPS 4 THROUGH 5 REQUIRE SUDO ACCESS*
1. Place the FireEye Endpoint .tgz package in a directory named FireEye on the Linux Endpoint’s Desktop


2. Use the tar zxf command to unzip the FireEye Endpoint agent .tgz package

username@localhost:~/Desktop/FireEye$ tar zxf IMAGE_HX_AGENT_LINUX_X.X.X.tgz


3. Select the appropriate .deb file depending on the version of Ubuntu (12 or 16).
a. xagt_xx.x.x-x.ubuntu12_amd64.deb
b. xagt_xx.x.x-x.ubuntu16_amd64.deb
4. Use the dpkg -i option to run the appropriate .deb and install the agent on your Linux endpoint

username@localhost:~/Desktop/FireEye$ sudo dpkg -i xagt_xx.x.x-x.ubuntu<version>_amd64.deb


a. You must run the .deb file that is compatible with your Linux environment. For example, if your Linux
endpoints are currently running Ubuntu version 12.04 or 14.04, run the .deb file xagt_xx.x.x-
x.ubuntu12_amd64.deb. If your Linux endpoints are currently running Ubuntu version 16.04 or 18.04,
run the .deb file xagt_xx.x.x-x.ubuntu16_amd64.deb
5. After the .deb installation is complete, use the -i option to import the agent configuration file from the
/opt/fireeye/bin/xagt binary path:

username@localhost:~/Desktop/FireEye$ sudo /opt/fireeye/bin/xagt -i agent_config.json

6. Start the agent service on your Linux endpoint using the command below:

username@localhost:~/Desktop/FireEye$ sudo service xagt start

7. Use the following command to verify that the service is running:

username@localhost:~/Desktop/FireEye$ sudo service xagt status

Installation (Linux RHEL/CentOS)


The agent .run file is used to manually install the agent on an endpoint running Red Hat Enterprise Linux (RHEL) versions
6.8, 7.2, or 7.3. The agent .rpm files are used to perform a single or bulk deployment of the agent software to Linux
endpoints running RHEL versions 6.8, 7.2, or 7.3.
Follow the steps below to install the FireEye Endpoint agent on a Linux endpoint:
*NOTE: STEPS 3 THROUGH 5 REQUIRE SUDO ACCESS*
1. Place the FireEye Endpoint .tgz package in a directory named FireEye on the Linux Endpoint’s Desktop
2. Use the tar zxf command to unzip the FireEye Endpoint agent .tgz package

username@localhost:~/Desktop/FireEye$ tar zxf IMAGE_HX_AGENT_LINUX_X.X.X.tgz

3. Use the -ihv option to run the appropriate .rpm and install the agent on your Linux endpoint

username@localhost:~/Desktop/FireEye$ sudo rpm -ihv xagt-X.X.X-1.el<version>.x86_64.rpm

a. The .rpm file automatically detects the version of RHEL currently running on the endpoint. If the .rpm file
is not compatible with the RHEL version running on the endpoint, an error message appears.
b. You must run the .rpm file that is compatible with your Linux environment. If your Linux endpoints are
currently running RHEL version 6.8, run the .rpm file xagt-X.X.X-1.el6.x86_64.rpm. If your Linux
endpoints are running RHEL versions 7.2 or 7.3, run the .rpm file xagt-X.X.X-1.el7.x86_64.rpm.

4. After the .rpm installation is complete, use the -i option to import the agent configuration file from the
/opt/fireeye/bin/xagt binary path:

username@localhost:~/Desktop/FireEye$ sudo /opt/fireeye/bin/xagt -i agent_config.json

5. Start the agent service on your Linux endpoint using the command that matches your release:

For endpoints running RHEL 6.8

username@localhost:~/Desktop/FireEye$ sudo service xagt start

For endpoints running RHEL 7.2 or 7.3

username@localhost:~/Desktop/FireEye$ sudo systemctl start xagt

6. Use the following commands to verify that the service is running on RHEL 6.8 or on RHEL 7.2/7.3 respectively:

username@localhost:~/Desktop/FireEye$ sudo service xagt status

username@localhost:~/Desktop/FireEye$ sudo systemctl status xagt

Alternate Method for Deploying the FireEye Endpoint Agent (RHEL/CENTOS)


If the .rpm file fails to install the FireEye Endpoint agent on your Linux endpoints correctly, follow the steps in this section to
use the .run file to install the agent on your endpoints. The following steps require sudo.

1. From the FireEye directory on the Desktop of the Linux endpoint, run the command:

username@localhost:~/Desktop/FireEye$ sudo ./xagtSetup_dev_X.X.X.run

2. After the .run script is complete, use the -i option to import the agent configuration file:
username@localhost:~/Desktop/FireEye$ sudo /opt/fireeye/bin/xagt -i agent_config.json

3. Start the agent services on your Linux endpoint using one of the commands below:

For endpoints running RHEL 6.8

username@localhost:~/Desktop/FireEye$ sudo service xagt start

For endpoints running RHEL 7.2 or 7.3

username@localhost:~/Desktop/FireEye$ sudo systemctl start xagt

4. Use the following commands to verify that the service is running on RHEL 6.8 or on RHEL 7.2/7.3 respectively:

username@localhost:~/Desktop/FireEye$ sudo service xagt status

username@localhost:~/Desktop/FireEye$ sudo systemctl status xagt
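The Ubuntu/Debian and RHEL/CentOS package procedures above automated end to end, as an added example that is not part of the original guide: it reads /etc/os-release to pick the .deb or .rpm the guide pairs with each release, installs it, imports agent_config.json with `xagt -i`, starts the service with `service` or `systemctl`, and checks that it is active. The .run fallback is not automated here. Package names use the guide's placeholder digits, and the os-release samples are constructed.

```python
"""Unattended installer for the FireEye Endpoint (xagt) agent on Linux.

Added example, not FireEye/Trellix code. It automates the guide's steps: pick
the package that matches the distribution, install it with dpkg or rpm, import
agent_config.json with `xagt -i`, start the service with `service` or
`systemctl`, and confirm it is running. The os-release samples are constructed.
"""
import fnmatch
import os
import subprocess
import sys
from pathlib import Path

def read_os_release(text):
    """Parse /etc/os-release KEY=VALUE lines (values may be double-quoted)."""
    info = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            info[key.strip()] = value.strip().strip('"')
    return info

def select_package(os_info, available):
    """Pick the .deb/.rpm name from the unpacked .tgz that matches this host.

    Ubuntu 12.04/14.04 -> ubuntu12 .deb, 16.04/18.04 -> ubuntu16 .deb,
    RHEL/CentOS 6.x -> el6 .rpm, 7.x -> el7 .rpm, exactly as the guide pairs them.
    """
    distro = os_info.get("ID", "").lower()
    major = int(os_info.get("VERSION_ID", "0").split(".")[0])
    if distro == "ubuntu":
        pattern = f"xagt_*.ubuntu{'12' if major < 16 else '16'}_amd64.deb"
    elif distro in ("rhel", "centos"):
        pattern = f"xagt-*.el{major}.x86_64.rpm"
    else:
        raise RuntimeError(f"no package in the bundle for distribution {distro!r}")
    matches = sorted(name for name in available if fnmatch.fnmatch(name, pattern))
    if not matches:
        raise FileNotFoundError(f"no file matching {pattern} among {available}")
    return matches[-1]

def install_commands(package, config, use_systemd):
    """The guide's steps as argv lists, in order, so they can be logged before running."""
    installer = ["dpkg", "-i"] if package.endswith(".deb") else ["rpm", "-ihv"]
    start = ["systemctl", "start", "xagt"] if use_systemd else ["service", "xagt", "start"]
    status = ["systemctl", "is-active", "xagt"] if use_systemd else ["service", "xagt", "status"]
    return [installer + [package], ["/opt/fireeye/bin/xagt", "-i", config], start, status]

def deploy(package_dir, os_release_text):
    """Run the whole procedure as root; True when the final status check exits 0."""
    package = select_package(read_os_release(os_release_text),
                             [p.name for p in package_dir.iterdir()])
    use_systemd = Path("/run/systemd/system").is_dir()   # RHEL 7 / Ubuntu 16.04+
    for cmd in install_commands(str(package_dir / package),
                                str(package_dir / "agent_config.json"), use_systemd):
        result = subprocess.run(cmd, capture_output=True, text=True)
        if result.returncode != 0:
            print(f"FAILED: {' '.join(cmd)}\n{result.stdout}{result.stderr}")
            return False
    return True

# Constructed inputs for the offline demonstration: the bundle contents named in
# the guide (version digits left as placeholders) and two os-release files.
SAMPLE_PACKAGES = [
    "agent_config.json",
    "xagt-X.X.X-1.el6.x86_64.rpm", "xagt-X.X.X-1.el7.x86_64.rpm",
    "xagt-X.X.X-1.sle11.x86_64.rpm", "xagt-X.X.X-1.sle12.x86_64.rpm",
    "xagtSetup_X.X.X.run",
    "xagt_X.X.X-1.ubuntu12_amd64.deb", "xagt_X.X.X-1.ubuntu16_amd64.deb",
]
SAMPLE_UBUNTU = 'NAME="Ubuntu"\nVERSION="16.04.6 LTS"\nID=ubuntu\nVERSION_ID="16.04"\n'
SAMPLE_RHEL = 'NAME="Red Hat Enterprise Linux Server"\nID="rhel"\nVERSION_ID="7.3"\n'

if __name__ == "__main__":
    if os.geteuid() != 0:
        sys.exit("the install, import and service steps require root; rerun with sudo")
    bundle = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.cwd()   # e.g. ~/Desktop/FireEye
    sys.exit(0 if deploy(bundle, Path("/etc/os-release").read_text()) else 1)
```

Usage: `sudo python3 deploy_xagt.py ~/Desktop/FireEye` after extracting the .tgz. Keeping the package choice and the command list as pure functions means a change-control reviewer can see exactly which file and which commands will run on a given release before anything touches the host.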


Uninstalling the FireEye Endpoint Agent (Linux RHEL/CENTOS)


To uninstall the FireEye Endpoint agent from your Linux endpoint, you must use the rpm -e command, or the uninstall
script (uninstall.sh) included in the .run installation file.
To determine which uninstall option to use, you must first identify which file type was used to install the agent on your
Linux endpoint. If the agent was installed using one of the .rpm files, use the rpm -e command to remove the agent:

username@localhost:~$ sudo rpm -e xagt


If the agent was installed using the .run file, use the uninstall.sh script:

username@localhost:~$ sudo /opt/fireeye/bin/uninstall.sh

Network Settings
To ensure that the FireEye endpoint agents can communicate with the FireEye Endpoint server, the FireEye endpoint agents
must be able to communicate with the FireEye Controller IP address over TCP ports 80 and 443. Agents also must be able to
resolve the FireEye Controller fully qualified domain name (FQDN) and any subdomains. Traffic destined to the FireEye controller
should be whitelisted in the firewall, proxy, and IPS, and be excluded from HTTP inspection, as the traffic is non-standard
traffic. To allow agent communications, allow connections from the network address information below at your web proxy
and firewall:

Cloud Deployment Ports

Internal Controller → Cloud Controller | TCP 80, TCP 443

Physical Controller Deployment Ports

FireEye Endpoint Agent → Internal Controller | TCP 80, TCP 443
FireEye Endpoint Agent → DMZ Controller | TCP 80, TCP 443
Internal Controller → DMZ Controller | TCP 6800
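A pre-flight script for the network requirements above, as an added example that is not part of the original guide: run from a candidate endpoint, it confirms that the controller FQDN resolves and that TCP 80 and 443 to each resolved address complete a handshake, and optionally checks TCP 6800 from an internal controller to a DMZ controller. The hostname and the result sets used for the offline demonstration are constructed placeholders.

```python
"""Network pre-flight for FireEye Endpoint agent communications.

Added example, not FireEye/Trellix code. Checks DNS resolution of the
controller FQDN and TCP reachability of the ports in the guide's table, and
turns the raw results into a list of findings a firewall or proxy team can act on.
"""
import socket

CONTROLLER_FQDN = "hx-controller.example.com"   # constructed placeholder
AGENT_PORTS = (80, 443)                          # agent -> controller, from the guide
CONTROLLER_TO_DMZ_PORT = 6800                    # internal controller -> DMZ controller

def resolve(fqdn):
    """IPv4 addresses the endpoint's resolver returns for fqdn ([] when it does not resolve)."""
    try:
        return socket.gethostbyname_ex(fqdn)[2]
    except socket.gaierror:
        return []

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:            # refused, timed out, unreachable
        return False

def preflight(fqdn=CONTROLLER_FQDN, ports=AGENT_PORTS, dmz_controller=None):
    """Collect raw results; evaluation is a separate pure function so it can be tested offline."""
    addresses = resolve(fqdn)
    results = {"fqdn": fqdn, "addresses": addresses, "ports": {}}
    for ip in addresses:
        for port in ports:
            results["ports"][(ip, port)] = tcp_reachable(ip, port)
    if dmz_controller:         # only meaningful when run on the internal controller
        results["ports"][(dmz_controller, CONTROLLER_TO_DMZ_PORT)] = \
            tcp_reachable(dmz_controller, CONTROLLER_TO_DMZ_PORT)
    return results

def evaluate(results):
    """Human-readable findings; an empty list means the path to the controller is clear."""
    findings = []
    if not results["addresses"]:
        findings.append(f"{results['fqdn']} does not resolve; agents must resolve the controller FQDN")
    for (host, port), ok in sorted(results["ports"].items()):
        if not ok:
            findings.append(f"TCP {port} to {host} blocked; check firewall, proxy and IPS whitelists")
    return findings

# Constructed result sets for the offline demonstration.
SAMPLE_OK = {"fqdn": CONTROLLER_FQDN, "addresses": ["198.51.100.10"],
             "ports": {("198.51.100.10", 80): True, ("198.51.100.10", 443): True}}
SAMPLE_BLOCKED = {"fqdn": CONTROLLER_FQDN, "addresses": ["198.51.100.10"],
                  "ports": {("198.51.100.10", 80): True, ("198.51.100.10", 443): False}}

if __name__ == "__main__":
    for finding in evaluate(preflight()) or ["all checks passed"]:
        print(finding)
```

A TCP handshake succeeding on 443 does not prove an inspecting proxy will pass the agent's non-standard traffic, so a clean pre-flight should still be followed by the browser certificate check and the netstat TIME_WAIT check from the Windows section.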

Frequently Asked Questions (FAQ)


Q: Does the installation or removal of the agent require a system reboot?
A: No, a system reboot is not required for agent installation or removal through most deployment mechanisms such as
SCCM, Altiris, etc. If, however, the agent is installed through a Microsoft GPO, then a system reboot may be required.
Q: Does the agent behave differently on virtual machines?
A: In virtualized environments, the FireEye Endpoint agent is unable to tell what physical hardware it is running on. It is
possible, in some circumstances, for a sweep to run on multiple virtual machines that run on shared hardware. This could
result in degraded performance during the course of a sweep. To avoid potential performance issues, please provide
Mandiant with a list of hostnames and IP addresses of all virtual machines within scope in the environment. Mandiant will
configure the sweeps in a manner that minimizes the potential system impact on virtual machines.

