Exploit Prevention content isn't updated in air-gapped environments
Last Modified: 10/13/2023
Technical Articles ID: KB96730
Environment
Endpoint Security (ENS) Threat Prevention 10.x standalone client in an air-gapped environment
Summary
Problem
Standalone clients in air-gapped environments see the Exploit Prevention content remain on version 10.7.0.7691; it is never updated.
Cause
The Exploit Prevention content is only provided as a repository package for use with ePolicy Orchestrator (ePO) and associated repositories such as Agent Handlers, Super Agents, or repository mirrors. For more information about ePO, see the ePO Product Guide on the Documentation Portal. If the Exploit Prevention content isn't made available on a repository that the client can reach, the client stays on the content version bundled with the standalone installation package.
Solution 1
Provision a repository that is reachable from within the air-gapped environment and from which clients can pull the Exploit Prevention content. This can be one of the public Trellix CommonUpdater repositories, or an ePO server within the air-gapped environment where the content is manually checked in after being downloaded from the Security Updates page.
Solution 2
Create a repository mirror that other clients within the environment can reach: network-tunnel an Agent Handler or a Super Agent, or use a single network-tunneled Agent with a connection to an external repository.
NOTE: If the applied solution is to provision an Agent Handler or Super Agent, at least one client becomes a "managed client" rather than a standalone client. A tunneled Agent running a mirror task can remain standalone, depending on how you choose to implement that client's update process. Similarly, an ePO server within the environment can provision the repository as a UNC location for standalone clients rather than forcing them to become managed.
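Before or after applying either solution, it helps to know which standalone clients are still sitting on the bundled content. The following script is an added example, not part of this article or of any Trellix tool: it reads a constructed inventory export (the CSV column layout is an assumption made for the example, not an ePO export format) and flags every client whose Exploit Prevention content version is at or below the bundled 10.7.0.7691, while separately reporting rows whose version cannot be parsed.

```python
"""Flag ENS clients whose Exploit Prevention content never moved past the
version bundled with the standalone installer (10.7.0.7691, per the article)."""
import csv
import io

# Content version that ships inside the standalone ENS 10.x installer (from the KB).
BUNDLED_EP_CONTENT = "10.7.0.7691"

# Constructed sample inventory export: hostname, client type, EP content version.
# The column layout is an assumption for this example, not a real ePO export format.
SAMPLE_INVENTORY = """hostname,client_type,ep_content_version
scada-hmi-01,standalone,10.7.0.7691
scada-hmi-02,standalone,10.7.0.7691
eng-ws-07,standalone,10.7.0.8210
epo-managed-11,managed,10.7.0.8210
lab-vm-03,standalone,not-installed
"""


def parse_version(text):
    """Turn '10.7.0.7691' into (10, 7, 0, 7691) so versions compare numerically,
    not as strings; return None for values that are not dotted integers."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def find_stale_clients(csv_text, baseline=BUNDLED_EP_CONTENT):
    """Return (stale, unknown): hostnames at or below the bundled baseline,
    and hostnames whose version field could not be read."""
    base = parse_version(baseline)
    stale, unknown = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ver = parse_version(row["ep_content_version"])
        if ver is None:
            unknown.append(row["hostname"])
        elif ver <= base:
            stale.append(row["hostname"])
    return stale, unknown


if __name__ == "__main__":
    stale, unknown = find_stale_clients(SAMPLE_INVENTORY)
    print("Clients still on bundled EP content:", stale)
    print("Clients with unreadable version field:", unknown)
```

Versions are compared as integer tuples rather than strings, so a future build such as 10.7.0.10000 is correctly treated as newer than 10.7.0.7691. Hosts that appear in the stale list after a repository has been provisioned point to a client that still cannot reach it.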