Mitigating Security Update Risks Part 3: Product Features Endpoint Forensics
A Professional Services Perspective
By Jacob Robinson and Ron Keyston · July 29, 2024
Trellix regularly updates Endpoint Forensics (xAgent) software to add new features, enhance performance, and maintain compatibility with new versions of software. Endpoint Forensics (previously HX) is designed to put control back in the hands of IT administrators, whether deployed on-premises or in the cloud. We will explore xAgent best practices and how to control updates to meet diverse environmental needs. In particular, we’ll cover features that enable appropriate update testing procedures as outlined in Part 1.
Best Practices
Trellix recommends the use of canary groups for testing xAgent endpoint updates, and test environments to test appliance updates where they are available. Regardless of whether a test environment is available, there are some best practices Trellix recommends to all customers when planning and executing upgrades in their environments.
- Ensure that you can quickly recover your HX appliance in the event of an upgrade issue
  - Take appliance backups for physical appliances and store them in a secondary location
  - Take snapshots and appliance backups of virtual appliances
- Perform your appropriate change management process
  - Measure twice, cut once for best results
- Select an appropriate change window and advise your cybersecurity operations center (CSOC)
  - We highly recommend avoiding updates on a Friday
- Stage the update files if you have an air-gapped or low-bandwidth environment
- Open a Thrive Support Request covering the time you will be running your upgrade. If unforeseen issues arise, this shortens the time needed to engage support
- Use your Thrive Flex Credits to get access to Trellix Professional Services for the duration of your appliance upgrade
- When deploying updated xAgents to customer workstations, laptops, and servers, use canary groups to confirm compatibility with the environment
How Does the Design of Trellix Products Support These Testing Procedures?
Trellix Endpoint Forensics can be deployed on-premises, in customer AWS or Azure tenants, or as a SaaS offering hosted by Trellix. The majority of xAgent runs in user mode, and it runs in kernel mode only when required. Additionally, Endpoint Forensics driver files cannot be updated via security content updates. All changes to core software components, including drivers, are deployed only as signed software packages, and only by the express configuration of a customer administrator.
How Endpoint Forensics Manages Software and Content Updates
The latest release of xAgent software can be applied once the appliance managing the agent (the HX appliance) is upgraded to the corresponding version of the appliance operating system. The xAgent software is not made available to deploy via the HX appliance until the appliance is upgraded to a matching version. HX appliance OS upgrades typically include the latest xAgent software version. The latest xAgent software will not be deployed to any end-user machine until the customer administrator creates an “Agent Upgrade” job. These upgrade jobs can target a subset of hosts to act as canaries.
- Security Content Updates
  - These updates contain Indicators of Compromise (IoCs) related to ongoing threat campaigns, curated by the Trellix Content team.
  - When the customer environment includes a Central Management Server (CMS) or Helix instance, content updates may also include IoCs automatically detected by other Trellix network products in the customer environment. The customer CMS/Helix administrator must opt in to these manually.
  - Security content releases generally occur every Monday and Thursday.
  - The xAgent polls the HX appliance for these updates frequently, often hourly. Updates can be staged into automated canary groups or set to manual deployment.
- Machine Learning Model Updates
  - The MalwareGuard model is re-trained periodically and released as a content update to the HX appliance; it is automatically deployed to eligible xAgents on their polling interval.
- Antivirus Definitions
  - These updates contain traditional DAT-based detections and are updated daily.
  - Definitions can be staged into canary groups via HX appliance host groups, or downloaded directly from the internet definition provider.
- Configuration Updates
  - These are deployed only when the customer administrator alters the configuration of the xAgents in the HX appliance console. Administrators can set up configuration update canary groups to test changes as appropriate.
Updates for other features outside of security content updates:
- ExploitGuard is updated only during xAgent deployments.
Performing an Appliance Backup
Before you upgrade, it is advisable to perform an appliance backup. Trellix always recommends backing up your database (shown as fedb below) and configuration prior to upgrading. You can back up to the local system, a USB drive, or a secure remote storage server via Secure Copy (SCP) or Secure File Transfer (SFTP).

How to Upgrade the Appliance Image
Upgrades are performed only when directed by the HX appliance administrator. Updates can be downloaded via Dynamic Intelligence Cloud (DTI), from a customer-hosted URL, or from a locally inserted USB drive. The USB option is useful for clients operating in an air-gapped network or in environments without internet access. An appliance typically takes 5 to 10 minutes to reboot after an upgrade, but this can sometimes take as long as 20 minutes.
If the image currently installed on the HX appliance is multiple versions behind, you may not be able to upgrade directly to the newest version. Consult the release notes to determine an upgrade path to the latest Trellix Endpoint Forensics appliance image.

Upgrading the xAgent Software
Trellix Endpoint Security xAgent software upgrades can be performed using the upgrade jobs configured in the web UI. The Agent Upgrade page allows you to create and manage upgrade jobs. You can run upgrade jobs for different operating system platforms (such as Microsoft Windows, macOS, and Linux) at the same time.

Trellix recommends using a phased approach when upgrading to the latest software version. Start with a representative sample of hosts, such as a group of test user workstations or low-impact servers. The sample set should be representative of your hardware and software, cover the different operating systems in use, and preferably sit in a non-production development environment.
If the xAgent version currently installed on the endpoint is multiple versions behind, you may not be able to upgrade directly to the newest version. Consult the release notes to determine an upgrade path to the latest xAgent software version.

Customer administrators can include or exclude groups of hosts in an upgrade job by using the “Host Sets” feature of Trellix Endpoint Security. These host sets are groups of hosts (endpoint machines) created by the IT administrators. Host sets can be defined by a variety of dynamic attributes or by a static list.
Using Host Sets
There are two types of Host Sets:
- Static sets are stable groups of hosts that you create and edit directly. Static sets change only when you add or remove hosts.
- Standard sets are dynamic groups of hosts defined by filtering criteria that you specify. Standard sets change as eligible hosts are provisioned or deleted and as you change their filtering criteria.

Administrators can create, save, edit, and delete host sets for a variety of operations, such as configuring policy updates, containment settings, and xAgent upgrades. Use host sets to upgrade a specified group of hosts while other hosts support system load or other organizational priorities. Agent-upgrade sets can consist of agents on hosts located in the same geographic region or specific functional department, running the same agent version, or that are sensitive or critical machines.
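To make the phased-rollout guidance above concrete, the following added example models static and standard host sets and plans a canary Agent Upgrade job. It is illustration only, not Trellix or HX appliance code: the `Host` fields, the set predicates, the `plan_canary_job` rules and the inventory are assumptions modelled on the post's description (prefer non-production hosts, cover every OS, honour the release-notes upgrade path).

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    os: str             # "windows", "macos" or "linux"
    environment: str    # "dev", "test" or "prod"
    agent_version: str  # placeholder version labels, not real xAgent versions
    critical: bool = False


def static_set(names):
    """Static host set: an explicit list of host names, edited by hand."""
    wanted = set(names)
    return lambda host: host.name in wanted


def standard_set(**criteria):
    """Standard host set: attribute filters re-evaluated against current hosts."""
    return lambda host: all(getattr(host, k) == v for k, v in criteria.items())


def plan_canary_job(hosts, member, exclude, target, direct_from, per_os=1):
    """Return (canaries, needs_path).

    canaries:   per-OS list of hosts to upgrade in the first phase
    needs_path: hosts whose version cannot jump straight to `target`
                (release notes allow a direct upgrade only from `direct_from`)
    """
    canaries = defaultdict(list)
    needs_path = []
    # Consider dev/test hosts before prod hosts (False sorts before True).
    for host in sorted(hosts, key=lambda h: h.environment == "prod"):
        if not member(host) or exclude(host) or host.agent_version == target:
            continue
        if host.agent_version not in direct_from:
            needs_path.append(host.name)
            continue
        if len(canaries[host.os]) < per_os:
            canaries[host.os].append(host.name)
    return dict(canaries), needs_path


# Constructed sample inventory; names and versions are placeholders.
INVENTORY = [
    Host("win-dev-01", "windows", "dev", "v2"),
    Host("win-prod-07", "windows", "prod", "v2"),
    Host("mac-test-02", "macos", "test", "v2"),
    Host("lnx-prod-03", "linux", "prod", "v1"),
    Host("lnx-dev-04", "linux", "dev", "v2", critical=True),
    Host("win-prod-09", "windows", "prod", "v3"),
]
```

Note that with the critical Linux development host excluded, the plan leaves Linux with no canary at all, which is exactly the gap a phased rollout review should catch before the job is created.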
Further Reading
- https://thrive.trellix.com/s/article/000001669
- https://thrive.trellix.com/s/article/000001549
- https://thrive.trellix.com/s/article/000001604
- https://thrive.trellix.com/s/article/000002801
- https://thrive.trellix.com/s/article/000002574
Conclusion
Trellix offers customers Transparency, Choice, and Responsibility in our software and content update processes. This enables customers to exercise due diligence and consistent testing in their environments, which can dramatically limit impacts and reduce the risks to your organization. If your organization needs help, consider Trellix Professional Services which offers various strategic and technical services that can help your team test, automate, operate, and govern your cyber defenses. Contact your Trellix account manager, or otherwise let us know you’re interested.
Continue reading the series: Part 1 (Intro), Part 2 (Product Features ePO, EDR, and ENS), Part 3 (Product Features Endpoint Forensics), and Part 4 (Testing Procedures for ePO, EDR, ENS, and HX).
Make sure you read this disclaimer after all that recommendations goodness:
This document may contain information on Trellix products, services, and/or processes in development. All information provided here is subject to change without notice at Trellix’s sole discretion. Contact your Trellix representative for the latest forecast, schedule, specifications, and roadmaps.