NIAP: Compliant Product
Compliant Product - Trellix Endpoint Security (HX) Agent v35.31.31

Certificate Date:  2024.05.29

Validation Report Number:  CCEVS-VR-VID11415-2024

Product Type:    Network Encryption
   Application Software

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Functional Package for TLS Version 1.1
  Protection Profile for Application Software Version 1.4

CC Testing Lab:  Acumen Security


CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Validation Report Addendum [PDF]

Assurance Activity [PDF]

Administrative Guide: Trellix Endpoint Security (HX) Agent v35.31.31 Common Criteria Guidance Supplement [PDF]

Administrative Guide: Endpoint Security xAgent Deployment Guide Release 35.31.0 [PDF]


Product Description

 

Component

Description

Trellix Endpoint Security (HX) Server

Trellix Endpoint Security (HX) Server is the server from which the TOE and updates thereof are installed on host platforms, from which the TOE receives the rules for scanning the host platform, and to which the TOE forwards the scanning results.

For installation on a host platform, the TOE and any updates thereof need to be uploaded from the production environment to the Trellix HX server. This uploading is not within the scope of this evaluation. Once uploaded, the TOE can be downloaded on the host platform and installed.

The TOE collects system events (file, process, registry, network etc.) and processes them as per business logic expressed as scanning rules. It then communicates the results of the scanning to the Trellix HX Server. The TOE implements HTTPS TLS for secure communication between itself and the Trellix Endpoint Security (HX) Server and uses that for all communication.

Host Platform

The Host Platform may be any computer with an allowed Microsoft Windows operating system. The host platform must have a minimum of 1GB of system memory.

The Host Platform must also implement the necessary network connectivity for the TOE to communicate with the Trellix Endpoint Security (HX) Server. While the TOE implements TLS to protect the content of the communication, the Host Platform must implement the protocol stacks and the physical ports for the connectivity.

CRL Server

The TOE must be associated with a Certificate Revocation List (CRL) Server. The CRL Server contains the revocation list, which is communicated to the TOE and used in the validation of the X.509 certificates. The CRL Server is part of the management server associated with the Trellix Endpoint Security (HX) Server.


Evaluated Configuration


Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Trellix Endpoint Security (HX) Agent v35.31.31 was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5.  The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5.  The product, when delivered configured as identified in Common Criteria Administrator Guidance, satisfies all of the security functional requirements stated in the Trellix Endpoint Security (HX) Agent v35.31.31 Security Target. The project underwent CCEVS Validator review.  The evaluation was completed in May/2024.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.


Environmental Strengths

Security Functions Provided by the TOE

The TOE implements all security functions and mechanisms required for conformance with [PP_APP_v1.4] and [PKG_TLS_V1.1].

 

Cryptographic Support

The TOE implements cryptographic support for the following:

- TLS connectivity between itself and a Trellix Endpoint Security (HX) Series Appliance, including generation of 2048-bit RSA keys for a certificate signing request and implementation of all required cryptographic algorithms, and
- Digital certificate validation.

 

The cryptographic algorithms the TOE implements and the CAVP certificate numbers are given in Table 1. Each algorithm is implemented using the OpenSSL Cryptographic Library version 3.0.8 which is part of the TOE.

 

Table 1 TOE Cryptographic Algorithms and CAVP Certificate References

| SFR | Algorithm in ST | Implementation name | CAVP Alg. | CAVP Cert # |
|---|---|---|---|---|
| FCS_CKM.1/AK | RSA schemes using cryptographic key sizes of 2048-bit that meet the following: FIPS PUB 186-4, "Digital Signature Standard (DSS)", Appendix B.3 | Trellix OpenSSL FIPS Provider v3.0.8 | RSA KeyGen (FIPS186-4) | A5228 |
| FCS_CKM.2 | RSA key establishment schemes that meet the following: NIST Special Publication 800-56B, "Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography" | Trellix OpenSSL FIPS Provider v3.0.8 | Vendor Affirmed | Vendor Affirmed |
| FCS_COP.1/SKC | AES-CBC mode as defined in NIST SP 800-38A and cryptographic key sizes 128 bits and 256 bits | Trellix OpenSSL FIPS Provider v3.0.8 | AES-CBC | A5228 |
| FCS_COP.1/Hash | SHA-1 and SHA-256 and message digest sizes 160 and 256 bits | Trellix OpenSSL FIPS Provider v3.0.8 | SHA-1, SHA2-256 | A5228 |
| FCS_COP.1/Sig | RSA scheme using cryptographic key sizes of 2048-bit that meet the following: FIPS PUB 186-4, "Digital Signature Standard (DSS)", Section 5 | Trellix OpenSSL FIPS Provider v3.0.8 | RSA SigGen (FIPS186-4), RSA SigVer (FIPS186-4) | A5228 |
| FCS_COP.1/KeyedHash | HMAC-SHA-1 and HMAC-SHA-256 with key sizes 256 and 160 bits used in HMAC and message digest sizes 256 and 160 bits that meet the following: FIPS Pub 198-1, "The Keyed-Hash Message Authentication Code" and FIPS Pub 180-4, "Secure Hash Standard" | Trellix OpenSSL FIPS Provider v3.0.8 | HMAC-SHA-1, HMAC-SHA2-256 | A5228 |
| FCS_RBG_EXT.2.1 | An NIST Special Publication 800-90A using CTR_DRBG(AES) with a minimum of 256-bits | Trellix OpenSSL FIPS Provider v3.0.8 | Counter DRBG | A5228 |

 

Identification and Authentication

The TOE uses X.509v3 certificates as defined by RFC 5280 to authenticate the TLS connection to the Trellix Endpoint Security (HX) Series appliance. The TOE validates the X.509 certificates using the certificate path validation algorithm defined in RFC 5280.

 

User Data Protection

The TOE is distributed as an installer package in Microsoft Installer (MSI) format. As well as the initial installation package, all updates to the TOE are also distributed as MSI packages. Each TOE installation and update package is digitally signed by Trellix in the production environment of the TOE. There are several methods to acquire the TOE's installation images. These include downloading them from the HX server, manually obtaining them from the vendor's cloud servers, or accessing them from the vendor's offline portal. Subsequent updates for the TOE can either be distributed from the HX server or downloaded and installed manually on the host machine.

 

Privacy

The TOE does not transmit Personally Identifiable Information (PII) over the network. This protects the privacy of the users of the host platform.

 

Protection of the TSF

The TOE implements several security mechanisms to protect itself when installed on the host platform. The installation and update packages, when stored on the Trellix Endpoint Security (HX) Series appliance or on the TOE, are protected using digital signatures as described in User Data Protection.

 

The TOE never allocates memory with both write and execute permissions. Furthermore, the TOE operates in an environment in which the following security mechanisms are in effect:

- Data execution prevention,
- Mandatory address space layout randomization (no memory map to an explicit address),
- Structured exception handler overwrite protection,
- Export address table access filtering, and
- Anti-Return Oriented Programming.

Protection of the TOE and parts of it when stored within the production environment is not in the scope of the evaluation. Nevertheless, during compilation, the TOE is built with several flags enabled to check for engineering flaws. The flags and the protection mechanisms include the following:

- The TOE is built with the /GS flag enabled. This reduces the possibility of stack-based buffer overflows in the product.
- The compiler enables Address Space Layout Randomization (ASLR) by default.
- The TOE is not built with the /DYNAMICBASE:NO flag, which would disable ASLR.

 

Trusted Path/Channels

The TOE receives scanning policies from the associated Trellix Endpoint Security (HX) Series appliance over a network connection. The TOE uses the scanning policies for scanning the host platform and returns the results of the scanning to the appliance. The connection between the TOE and the Trellix Endpoint Security (HX) Series appliance is always secured with TLS. TLS is implemented in full conformance with [PKG_TLS_V1.1].


Vendor Information


Trellix
Product Certifications
1-855-434-7339
sec_certs@trellix.com

www.trellix.com