Application Resilience policies for Trellix Endpoint Security Agent
You can activate an Application Resilience policy for Trellix Endpoint Security Agent (formerly FireEye Endpoint Agent) to collect information about the functional status of Trellix Endpoint Security Agent installed on your Windows devices and view the results in reports. You can also configure the policy to attempt to repair or reinstall the application.
FireEye Endpoint Agent changed its product name to Trellix Endpoint Security Agent. Trellix Endpoint Security Agent can refer to either product name, depending on the version of the application you are running.
System requirements
Application Resilience policies for Trellix Endpoint Security Agent are supported on devices running:
- a supported version of the Windows operating system
-
PowerShell version 5.1 or higher
Due to PowerShell restrictions imposed by Microsoft, Application Resilience is not supported for versions 33.x on devices running Windows 11 SE.
-
one of the following versions of Trellix Endpoint Security Agent:
-
35.31.x or higher
Significant software changes in higher versions may cause health checks to become invalid.
- 33.x
-
Health checks
Trellix Endpoint Security Agent version 35.31.x or higher
In addition to checking the version, the following table describes the health checks performed:
If you select Report higher versions as Compliant, higher versions report Compliant without running health checks.
| Component | Test performed | ||
|---|---|---|---|
| Services | Installed | Running | Signed by |
| Trellix Endpoint Security (HX) Agent (xagt.exe) | P | P1 |
One of the signers entered in the policy configuration By default, Signers contains "FireEye, Inc.". |
1 Only checked if Check if the Trellix Endpoint Security (HX) Agent (formerly FireEye Endpoint Agent) service is running is selected in the policy configuration
FireEye Endpoint Agent version 33.x
In addition to checking the version, the following table describes the health checks performed:
If you select Report higher versions as Compliant, higher versions report Compliant without running health checks.
| Component | Test performed | ||
|---|---|---|---|
| Services | Installed | Running | Signed by |
| FireEye Endpoint Agent (xagt.exe) | P | P1 |
One of the following:
|
1 Only checked if Check if the Trellix Endpoint Security (HX) Agent (formerly FireEye Endpoint Agent) service is running is selected in the policy configuration
Repairing and reinstalling
You can configure an Application Resilience policy for Trellix Endpoint Security Agent to enable the Application Resilience (RAR) component A lightweight software component of the Secure Endpoint Agent that detects the status of third party applications installed on a device. The component may also attempt to repair the third party application if it is non-compliant. The RAR component is deployed on a device only when the device is associated with a customized policy group and that policy group's Application Resilience policy is activated. to attempt to repair Trellix Endpoint Security Agent if it's not functioning, or reinstall it if it's missing or can't be repaired.
Depending on the Absolute product licenses associated with your account, the Report and repair option, and the Report, repair, and reinstall option may not be available.
The RAR component of the Secure Endpoint Agent can respond to the following issues:
Trellix Endpoint Security Agent version 35.31.x or higher
| Issue | Resolution |
|---|---|
| Repair | |
| The Trellix Endpoint Security (HX) Agent (xagt.exe) service isn't running1 |
The RAR component restarts the service. |
| The Trellix Endpoint Security (HX) Agent (xagt.exe) service isn't installed and the service's executable can be detected on the device |
The RAR component reinstalls the missing service. |
| Reinstall | |
|
Downgrades are not supported. If the version installed on a device is higher than the expected version, no action is taken. |
|
| The Trellix Endpoint Security (HX) Agent (xagt.exe) service isn't installed and the service's executable cannot be detected on the device |
If the application is installed, the RAR component uninstalls it. After the application is uninstalled, or if the application wasn't installed, the RAR component downloads and installs the configured version of the application. |
| Trellix Endpoint Security Agent failed to be repaired, or the expected version isn't installed | |
1 Only checked if Check if the Trellix Endpoint Security (HX) Agent (formerly FireEye Endpoint Agent) service is running is selected in the policy configuration
FireEye Endpoint Agent version 33.x
| Issue | Resolution |
|---|---|
| Repair | |
| The FireEye Endpoint Agent (xagt.exe) service isn't running1 |
The RAR component restarts the service. |
| The FireEye Endpoint Agent (xagt.exe) service isn't installed and the service's executable can be detected on the device |
The RAR component reinstalls the missing service. |
| Reinstall | |
|
Downgrades are not supported. If the version installed on a device is higher than the expected version, no action is taken. |
|
| The FireEye Endpoint Agent (xagt.exe) service isn't installed and the service's executable cannot be detected on the device |
If the application is installed, the RAR component uninstalls it. After the application is uninstalled, or if the application wasn't installed, the RAR component downloads and installs the configured version of the application. |
| FireEye Endpoint Agent failed to be repaired, or the expected version isn't installed | |
1 Only checked if Check if the Trellix Endpoint Security (HX) Agent (formerly FireEye Endpoint Agent) service is running is selected in the policy configuration
Preparing the installer
If you want the Secure Endpoint Agent to reinstall Trellix Endpoint Security Agent or FireEye Endpoint Agent if it is not functioning or missing, you need to make the following files available for download:
- agent_config.json
- xagtSetup.msi
To prepare the installer:
- Download the installer from the Endpoint Security console.
- Extract the contents of the ZIP file.
- Change the name of the xagtSetup MSI file included in the extracted ZIP file to xagtSetup.msi. For example, change the name of xagtSetup_30.19.8_universal.msi to xagtSetup.msi.
-
Select the agent_config.json and xagtSetup.msi files and add them to a new ZIP file.
The ZIP file can have any name.
Do not include any parent folders or subfolders in the ZIP file. Do not change the names of the agent_config.json and xagtSetup.msi files.
The ZIP file can now be uploaded to the Secure Endpoint Console or hosted on your own server.
Pre-caching installers
The RAR component looks for the following files names when checking pre-cached installers:
Trellix Endpoint Security Agent version 35.31.x or higher
| Component | File name |
|---|---|
| Installers |
TrellixAgent.zip containing:
|
FireEye Endpoint Agent version 33.x
| Component | File name |
|---|---|
| Installers |
FireEye.zip containing:
|
Configuring Application Resilience policies
Trellix Endpoint Security Agent version 35.31.x or higher
Before you activate an Application Resilience policy you need to configure the policy. In addition to the settings in Configuring Application Resilience policies, you need to configure the application version and indicate whether the Trellix Endpoint Security Agent service should be running.
To configure the application version and service check:
- Under Application version, select 35.31.* or higher from the drop-down.
-
Under Trellix Endpoint Security Agent (formerly FireEye Endpoint Agent) version, enter the version of Trellix Endpoint Security Agent you expect to be running on your devices.
- The target version must be a sequence of digits separated by a period.
- You can use wild card "*" characters after the major version, for example, 35.* or 35.31.*.
Make sure the version you are entering is consistent with version 35.31.x or higher.
-
Select Check if the Trellix Endpoint Security (HX) Agent (formerly FireEye Endpoint Agent) service is running if you want the RAR component to check to see if the Trellix Endpoint Security (HX) Agent (xagt.exe) service is installed and running. If this option is unselected, the RAR component only checks to see if this service is installed. Don't select this option if you set the INSTALLSERVICE installation parameter to 2.
If you selected the Report, repair, and reinstall option, you also need to configure these settings in addition to the settings in Configuring Application Resilience policies.
To configure the Trellix Endpoint Security Agent additional settings:
- [Optional] Under Additional installation commands, enter the applicable installation command-line parameters to configure any settings not covered by the policy configuration.
- [Optional] Under Additional uninstallation commands, enter the applicable uninstallation command-line parameters to configure any settings not covered by the policy configuration.
For more information on available command line parameters, see Trellix's documentation.
FireEye Endpoint Agent version 33.x
Before you activate an Application Resilience policy you need to configure the policy. In addition to the settings in Configuring Application Resilience policies, you need to configure the application version and indicate whether the FireEye Endpoint Agent service should be running.
To configure the application version and service check:
- Under Application version, select 33.* from the drop-down.
-
Under Trellix Endpoint Security Agent (formerly FireEye Endpoint Agent) version, enter the version of FireEye Endpoint Agent you expect to be running on your devices.
- The target version must be a sequence of digits separated by a period.
- You can use wild card "*" characters after the major version, for example, 33.* or 33.46.*.
Make sure the version you are entering is consistent with version 33.x.
- Select Check if the Trellix Endpoint Security (HX) Agent (formerly FireEye Endpoint Agent) service is running if you want the RAR component to check to see if the FireEye Endpoint Agent service (xagt.exe) is installed and running. If this option is unselected, the RAR component only checks to see if this service is installed. Don't select this option if you set the INSTALLSERVICE installation parameter to 2.
If you selected the Report, repair, and reinstall option, you also need to configure these settings in addition to the settings in Configuring Application Resilience policies.
To configure the FireEye Endpoint Agent additional settings:
- [Optional] Under Additional installation commands, enter the applicable installation command-line parameters to configure any settings not covered by the policy configuration.
- [Optional] Under Additional uninstallation commands, enter the applicable uninstallation command-line parameters to configure any settings not covered by the policy configuration.
For more information on available command line parameters, see Trellix's documentation.
