Compliant Product - Trellix Endpoint Security (HX) Agent v35.31.31
Certificate Date: 2024.05.29
CC Certificate
Security Target
Validation Report
Validation Report Number: CCEVS-VR-VID11415-2024
Product Type: Network Encryption Application Software
Conformance Claim: Protection Profile Compliant
PP Identifier: Functional Package for TLS Version 1.1; Protection Profile for Application Software Version 1.4
CC Testing Lab: Acumen Security
Validation Report Addendum
Assurance Activity
Administrative Guide: Trellix Endpoint Security (HX) Agent v35.31.31 Common Criteria Guidance Supplement
Administrative Guide: Endpoint Security xAgent Deployment Guide Release 35.31.0
Product Description
Evaluated Configuration
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Trellix Endpoint Security (HX) Agent v35.31.31 was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5. The product, when delivered and configured as identified in the Common Criteria Administrator Guidance, satisfies all of the security functional requirements stated in the Trellix Endpoint Security (HX) Agent v35.31.31 Security Target. The project underwent CCEVS Validator review. The evaluation was completed in May 2024. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
Environmental Strengths
Security Functions Provided by the TOE
The TOE implements all security functions and mechanisms required for conformance with [PP_APP_v1.4] and [PKG_TLS_V1.1].

Cryptographic Support
The TOE implements cryptographic support for the following:
- TLS connectivity between itself and a Trellix Endpoint Security (HX) Series Appliance, including generation of 2048-bit RSA keys for a certificate signing request and implementation of all required cryptographic algorithms, and
- Digital certificate validation.
The cryptographic algorithms the TOE implements and the CAVP certificate numbers are given in Table 1. Each algorithm is implemented using the OpenSSL Cryptographic Library version 3.0.8 which is part of the TOE.
Table 1 TOE Cryptographic Algorithms and CAVP Certificate References
Identification and Authentication
The TOE uses X.509v3 certificates as defined by RFC 5280 to authenticate the TLS connection to the Trellix Endpoint Security (HX) Series appliance. The TOE validates the X.509 certificates using the certificate path validation algorithm defined in RFC 5280.
The TOE is distributed as an installer package in Microsoft Installer (MSI) format. As well as the initial installation package, all updates to the TOE are also distributed as MSI packages. Each TOE installation and update package is digitally signed by Trellix in the production environment of the TOE. There are several methods to acquire the TOE's installation images. These include downloading them from the HX server, manually obtaining them from the vendor's cloud servers, or accessing them from the vendor's offline portal. Subsequent updates for the TOE can either be distributed from the HX server or downloaded and installed manually on the host machine.
Privacy
The TOE does not transmit Personally Identifiable Information (PII) over the network. This protects the privacy of the users of the host platform.

Protection of the TSF
The TOE implements several security mechanisms to protect itself when installed on the host platform. Protection of the installation and update packages, whether stored on the Trellix Endpoint Security (HX) Series appliance or on the TOE, relies on the digital signatures described in User Data Protection.
The TOE never allocates memory with both write and execute permissions. Furthermore, the TOE operates in an environment in which the following security mechanisms are in effect:
- Data execution prevention,
- Mandatory address space layout randomization (no memory map to an explicit address),
- Structured exception handler overwrite protection,
- Export address table access filtering, and
- Anti-Return Oriented Programming.

Protection of the TOE and parts of it when stored within the production environment is not in the scope of the evaluation. Nevertheless, during compilation, the TOE is built with several flags enabled to check for engineering flaws. The flags and the protection mechanisms include the following:
- The TOE is built with the /GS flag enabled. This reduces the possibilities of stack-based buffer overflows in the product.
- The compiler enables Address Space Layout Randomization (ASLR) by default.
- The TOE is not built with /DYNAMICBASE:NO, which would disable ASLR.
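Two of the build-time mitigations listed above (ASLR and DEP compatibility) are recorded in the DllCharacteristics field of a Windows PE image's optional header, so an administrator can confirm them on an installed binary without vendor tooling. The script below is an added example, not Trellix code and not part of the evaluation evidence; it parses that field using the IMAGE_DLLCHARACTERISTICS_* bit values from the PE/COFF specification and reports which expected flags are absent. The PE header bytes it runs on are constructed inline as sample data. Note what the header does not show: the /GS stack cookie, SEHOP, export address filtering and anti-ROP are compiler-internal or OS-level mitigations and cannot be read from this field.

```python
"""Check ASLR/DEP flags in a PE optional header (added example, not Trellix code)."""
import struct

# IMAGE_DLLCHARACTERISTICS_* bit values from the PE/COFF specification
DLL_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,   # 64-bit ASLR with high-entropy addresses
    "DYNAMIC_BASE": 0x0040,      # ASLR; absent when linked with /DYNAMICBASE:NO
    "FORCE_INTEGRITY": 0x0080,   # loader enforces the Authenticode signature
    "NX_COMPAT": 0x0100,         # DEP-compatible image
    "NO_SEH": 0x0400,            # image uses no structured exception handlers
    "GUARD_CF": 0x4000,          # Control Flow Guard instrumented
}
# Flags a hardened build is expected to carry (assumption for this example)
REQUIRED = ("DYNAMIC_BASE", "NX_COMPAT")


def parse_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics word of a PE image, or raise ValueError."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # start of the 20-byte COFF header
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                          # start of the optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if size_of_optional < 72:
        raise ValueError("optional header too short")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return dll_chars


def audit(dll_chars: int) -> dict:
    """Map each known flag to a boolean and list the required ones that are missing."""
    report = {name: bool(dll_chars & bit) for name, bit in DLL_FLAGS.items()}
    report["missing"] = [name for name in REQUIRED if not report[name]]
    return report


def check_file(path: str) -> dict:
    """Audit a real .exe or .dll on disk."""
    with open(path, "rb") as f:
        return audit(parse_dll_characteristics(f.read()))


def build_fake_pe(dll_chars: int) -> bytes:
    """Construct a minimal PE32+ header for testing (sample data, not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=x64, 0 sections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<H", opt, 70, dll_chars)       # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_fake_pe(0x0160)   # HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT
    weak = build_fake_pe(0x0000)       # the shape of a /DYNAMICBASE:NO, non-DEP build
    for label, image in (("hardened", hardened), ("weak", weak)):
        print(label, audit(parse_dll_characteristics(image)))
```

Run it as-is to see the two constructed headers audited, or call check_file() on an installed agent binary; a non-empty "missing" list on a shipped image is the finding to raise with the vendor.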
Trusted Path/Channels
The TOE receives scanning policies from the associated Trellix Endpoint Security (HX) Series appliance over a network connection. The TOE uses the scanning policies for scanning the host platform and returns the results of the scanning to the appliance. The connection between the TOE and the Trellix Endpoint Security (HX) Series appliance is always secured with TLS. The TLS is implemented in full conformance with [PKG_TLS_V1.1].

Vendor Information
Trellix Product Certifications
1-855-434-7339
sec_certs@trellix.com
www.trellix.com