Exploit Prevention content isn't updated in air-gapped environments
Last Modified: 2023-10-13 13:22:34 Etc/GMT
Technical Articles ID: KB96730
Environment
Endpoint Security (ENS) Threat Prevention 10.x standalone client in an air-gapped environment
Problem
On standalone clients in air-gapped environments, the Exploit Prevention content remains on version 10.7.0.7691 and is never updated.
Cause
Exploit Prevention content is provided only as a repository package for use with ePolicy Orchestrator (ePO) and associated repositories such as Agent Handlers, Super Agents, or repository mirrors. For more information about ePO, see the ePO Product Guide on the Documentation Portal. If the Exploit Prevention content isn't made available on a repository that the client can access, the client stays on the content version that's bundled with the standalone installation package.
Solution 1
Provision a repository that's reachable within the air-gapped environment from which clients can pull the Exploit Prevention content. This can be one of the public Trellix CommonUpdater repositories, or an ePO server within the air-gapped environment into which the content is manually checked in after being downloaded from the Security Updates page.
Solution 2
Create a repository mirror that other clients within the environment can reach: network-tunnel an Agent Handler or a Super Agent, or use a single network-tunneled Agent with a connection to an external repository.
NOTE: If the applied solution is to provision an Agent Handler or Super Agent, at least one client becomes a "managed client" rather than a standalone client. A tunneled Agent running a mirror task can remain standalone, depending on how you choose to implement that client's update process. Similarly, an ePO server within the environment can expose the repository as a UNC location for standalone clients rather than requiring them to become managed.
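Whichever of the two solutions is chosen, an administrator wants a quick way to tell, from the client itself, whether it is still on the bundled content and whether the repository it was pointed at is actually readable. The script below is an added example, not Trellix code and not part of this article. The bundled baseline 10.7.0.7691 comes from the Problem section above; the registry key and value name used to read the installed Exploit Prevention content version, and the UNC repository path, are assumptions and must be verified against the ENS client console (About) and your own repository before use.

```powershell
# Added example (not Trellix code): flag standalone ENS clients that are stuck on the
# bundled Exploit Prevention content and confirm the provisioned repository is reachable.

# Content version shipped inside the standalone installer, per KB96730.
$BundledEpVersion = [version]'10.7.0.7691'

function Get-InstalledEpContentVersion {
    param(
        # ASSUMPTION: where the ENS client records the Exploit Prevention content version.
        # Verify against the version shown in the ENS client console before relying on it.
        [string]$RegistryPath = 'HKLM:\SOFTWARE\McAfee\Endpoint\AV',
        [string]$ValueName    = 'EPContentVersion'
    )
    $item = Get-ItemProperty -Path $RegistryPath -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.PSObject.Properties[$ValueName]) { return $null }
    try { return [version]$item.$ValueName } catch { return $null }
}

function Test-EpContentStale {
    # Returns $true when the client has never moved past the bundled content
    # (or the version could not be read at all, which is treated as stale).
    param([version]$Installed, [version]$Bundled = $BundledEpVersion)
    if ($null -eq $Installed) { return $true }
    return ($Installed -le $Bundled)
}

function Test-RepositoryReachable {
    # A repository the client cannot enumerate is no better than no repository:
    # check both that the path resolves and that its contents can be listed.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try {
        Get-ChildItem -LiteralPath $Path -ErrorAction Stop | Out-Null
        return $true
    } catch {
        return $false
    }
}

# --- Usage -------------------------------------------------------------------
$installed = Get-InstalledEpContentVersion
if (Test-EpContentStale -Installed $installed) {
    Write-Warning "Exploit Prevention content is '$installed'; client is still on (or below) the bundled $BundledEpVersion."
} else {
    Write-Output "Exploit Prevention content $installed is newer than the bundled $BundledEpVersion."
}

# ASSUMPTION: hypothetical UNC repository exposed by an in-environment ePO server
# (Solution 1) or a tunneled Agent mirror task (Solution 2).
$repo = '\\epo-airgap\McAfeeRepo'
if (-not (Test-RepositoryReachable -Path $repo)) {
    Write-Warning "Repository $repo is not reachable from this client, so content will not update."
} else {
    Write-Output "Repository $repo is reachable."
}
```

Run it under an account that can read the registry key and the share; a reachable repository combined with a stale version points at the client's update source configuration rather than at network access, and a warning on both usually means the repository was never provisioned inside the air gap at all.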