After the successful deployment and initial configuration of Trellix EDR, you'll want to test whether the product is functioning correctly. To test, trigger a dummy endpoint detection, and verify whether the alert is accurately shown in the Trellix EDR workspace.
Steps to perform in Windows Operating System:
You can verify that the Trellix EDR client is correctly generating Trace detections. Use PowerShell to execute an encoded command that creates and then deletes a dummy registry value in:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- Press Windows+R, type cmd, and press Enter.
- Download and unzip the sample Windows threat.zip file attached to this article.
- Copy the command in the unzipped file and paste it in the command prompt window. Then, press Enter and wait for the command prompt window to exit.
- Navigate to the Monitoring tab of the Trellix EDR workspace.
- Wait for the trace detection to process and display in the EDR workspace.
The result looks similar to the following image (the Trace detection as shown in the Monitoring tab, with the relevant section highlighted in red).
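The following is an added example of the kind of test command described above; it is not the command from the attached threat.zip file. It creates a harmless placeholder value (the name TrellixEdrTest is my own choice and references no real program) under the Image File Execution Options key in HKCU, removes it again, and shows how to package the script as a -EncodedCommand the way the article's sample does.

```powershell
# Added example (not the attached sample): trigger a dummy Trace detection
# by creating and then deleting a placeholder value under HKCU IFEO.
$script = @'
$key  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$name = 'TrellixEdrTest'   # placeholder value name (assumption); no program is hijacked

# The key usually does not exist under HKCU; create it only if needed and remember that.
$createdKey = $false
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
    $createdKey = $true
}

# Create the dummy value, give the EDR client a moment to observe it, then delete it.
New-ItemProperty -Path $key -Name $name -Value 'edr-test' -PropertyType String -Force | Out-Null
Start-Sleep -Seconds 2
Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue

# Clean up the key if this script created it, leaving the registry as it was.
if ($createdKey) { Remove-Item -Path $key -ErrorAction SilentlyContinue }
'@

# Encode the script as UTF-16LE base64, which is what -EncodedCommand expects,
# and launch it in a child PowerShell so the encoded-command trace is generated.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))
powershell.exe -NoProfile -EncodedCommand $encoded
```

After it runs, check the Monitoring tab for the resulting Trace detection; if nothing appears within a few minutes, confirm the client is installed and reporting before investigating further.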

Steps to perform in a Linux operating system:
- Download the sample Linux threat.zip file attached to this article and copy it to the Linux host.
- Extract the archive. The extracted file is php-fpm.
- Open a command-line session, and navigate to the folder containing php-fpm.
- Provide full file access: type chmod 777 php-fpm and press Enter.
- Run the executable: type ./php-fpm and press Enter.
- Wait for the Trace detection to process and display in the Monitoring Dashboard of the Trellix EDR workspace.
You see a result similar to the following image (the Trace detection as shown in the Monitoring Dashboard).
