Trellix EDR
Learn more about Trellix Endpoint Detection and Response (EDR) security software.
In response to the cybersecurity expectations issued to all UC locations by UC President Drake and the UC Regents, UC San Diego has implemented the Secure Connect program to protect the safety and security of UC systems. One of the expected cybersecurity outcomes is that all UC locations must “Deploy and manage UC-approved Endpoint Detection and Response (EDR) software on 100 percent of assets defined by UC EDR deployment standards.” Endpoint Detection and Response security software (EDR), also referred to as endpoint detection and threat response (EDTR), is an endpoint security solution that continuously monitors for cyber threats, like ransomware and malware, and responds by sending an alert to the security team in the Office of Information Assurance for investigation.
EDR provides next-generation antivirus (NGAV) capabilities along with advanced threat detection, investigation and response capabilities, including incident data search and investigation, alert triage, suspicious activity validation, threat hunting, threat intelligence, cyber-attack response services, and malicious activity detection and containment.
Trellix EDR software is a UC-approved solution that has been adopted for the UC San Diego campus to meet university cybersecurity requirements. Trellix must be installed on UCSD-owned laptops, desktops, and servers connected to UC San Diego trusted resources.
Important
Downloading Trellix does not constitute consent under the Privacy and Confidentiality section of the Electronic Communications Policy (ECP). At UC San Diego, any data collected by the necessary software is considered an electronic communications record as defined by the University of California's Electronic Communications Policy (ECP). Entirely automated use of necessary software by UC San Diego, or its agents (i.e., use performed without active human intervention) will be in accordance with Section V.B of the ECP. Any guided use by UC San Diego or its agents (i.e., use performed with active human intervention) will be in accordance with Section IV of the ECP. In the event of Emergency Circumstances or Compelling Circumstances as defined in Appendix A of the ECP, UC San Diego may collect data in accordance with Section IV.B. of the ECP.
We acknowledge that the capability of the Trellix software may be broader than the intended software use as defined by UC San Diego. Learn more about Trellix's capabilities.
Note: Smartphones and tablets (e.g., Android, iPadOS, and iOS devices) are excluded from this requirement.
How Trellix EDR Works
EDR software monitors computing devices looking for malicious processes and files. To do this, the Trellix agent sends security event information from the host to the Trellix cloud. It records information related to a security event, like details about who has logged in on a machine, what programs are running, and the names of files that are read or written. This information is protected in the Trellix cloud by security standards and technology.
Trellix EDR will be used to:
- Monitor and block malicious activity that could harm users and/or compromise university assets.
- Flag potential cybersecurity events and notify the IT security team to respond.
Trellix EDR will not be used outside the ECP to:
- Monitor user behavior or record user keystrokes
- Obtain user activities such as websites visited except in relation to suspicious processes
- Access or modify personal files
- Capture Instant Messaging/Chat communications
- Deliberately degrade device performance
For more details, refer to the OIA Routine System Monitoring Practices.
What You Need To Do
For Faculty & Staff
To connect to trusted resources through UCSD-PROTECTED Wi-Fi, Campus Virtual Private Network (VPN), or our Wired networks, your device must meet a set of mandated security standards.
- Managed devices (by a designated Unit Information Security Lead) will be handled automatically. No action is required.
- Unmanaged (personal or self-managed) devices will require installation of Microsoft Intune or an approved exception. Microsoft Intune will automate steps required to meet mandated security standards.
For Students
- If you do not require access to trusted resources, simply connect to Eduroam Wi-Fi or UCSD-PROTECTED Wi-Fi and select Internet-Only Access.
- If you do need access to trusted resources, your endpoint must comply with University cybersecurity requirements.
While most devices can seamlessly comply with University cybersecurity requirements, we understand that some equipment may not be compatible or require special handling. In such cases, exceptions may be granted subject to compensating controls. If your device is not compatible, your Unit Information Security Lead (UISL) can help you request an exception.
Note: More information about the exception process, as well as the Exception Request Form, is coming soon. In the meantime, please partner with your local UISL for assistance.
Why This Matters: A Shared Responsibility
UC San Diego is a leader in research, innovation, and education. Cybersecurity is a shared responsibility, and by adopting EDR, we:
- Protect research and sensitive data from cyber threats
- Ensure compliance with UC-wide cybersecurity policies
- Preserve academic freedom while maintaining security
- Maintain access to essential resources without disruption
Need IT Support?
Campus Service Desk
- Web portal: https://support.ucsd.edu/its
- Email: support@ucsd.edu
- Phone: (858) 246-4357
Health Service Desk
- Web portal: https://3help.ucsd.edu
- Email: 3help@health.ucsd.edu
- Phone: (619) 543-4357
Frequently Asked Questions
General
What is Trellix Endpoint Security Agent (HX) version 36.x, and how is it being used?
Trellix Endpoint Security Agent (HX) (version 36.x at the time of this writing) is an advanced cybersecurity solution designed to detect and respond to potential threats on organizational endpoints. It provides real-time threat detection, malware protection, and exploit prevention to help safeguard devices against both known and emerging cyber risks.
At UC San Diego, we use Trellix HX exclusively for threat detection and response, ensuring that security monitoring remains focused on protecting systems while maintaining alignment with the ECP.
Does downloading Trellix constitute blanket consent under Electronic Communication Policy?
No, downloading or installing Trellix HX does not imply blanket consent for unrestricted cybersecurity monitoring.
Our use of Trellix HX follows Electronic Communication Policy (ECP) and the Office of Information Assurance (OIA) standard monitoring practices, ensuring that security monitoring is targeted, event-driven, and limited to necessary security investigations.
How does Trellix HX balance security with privacy and compliance?
Trellix HX is built for cybersecurity, not surveillance. While it provides critical tools for threat detection and response, it is designed to align with institutional policies and compliance requirements.
UC San Diego's Intended Use of Trellix:
At UC San Diego, any data collected by the necessary software is considered an electronic communications record as defined by the University of California's Electronic Communications Policy (ECP). Entirely automated use of necessary software by UC San Diego, or its agents (i.e., use performed without active human intervention) will be in accordance with Section V.B of the ECP. Any guided use by UC San Diego or its agents (i.e., use performed with active human intervention) will be in accordance with Section IV of the ECP. In the event of Emergency Circumstances or Compelling Circumstances as defined in Appendix A of the ECP, UC San Diego may collect data in accordance with Section IV.B. of the ECP.
UC San Diego makes an intentional distinction between the software capabilities and the intended use.
Learn more about Trellix's capabilities.
Learn more about the Office of Information Assurance's (OIA) standard monitoring practices.
How Does UC San Diego’s Use of Trellix HX Protect Privacy?
- Restricted Administrative Access – at UC San Diego, administrators do not perform broad or arbitrary searches across devices outside of the Electronic Communications Policy (ECP).
- Targeted Forensic Investigations – Data collection is limited to security incidents and is not used for general monitoring.
- Safeguards – HX only collects necessary security-related information to investigate potential threats.
Our goal is to strengthen cybersecurity while maintaining transparency, institutional integrity, and respect for privacy.
How does the use of Trellix HX align with institutional policies and practices?
Trellix HX is implemented strictly within the guidelines of the Electronic Communication Policy (ECP) and the Office of Information Assurance's (OIA) standard monitoring practices. These policies ensure that cybersecurity tools are used responsibly, with privacy protections in place.
Key Principles Governing Trellix HX Usage:
- Limited Scope of Monitoring – at UC San Diego, Trellix HX is only used for detecting and responding to security threats in accordance with the ECP. Automated security monitoring is subject to ECP Section V. Agent-guided searches, performed as part of incident response, are subject to ECP Section IV.
- No Continuous Monitoring – The system does not collect data or track user activity continuously. Monitoring is event-driven and activated only when a security threat is detected.
- Compliance Protections – Security data collection aligns with institutional policies, compliance requirements, and legal standards, ensuring that cybersecurity practices are conducted transparently and ethically.
Why This Matters
By following ECP and OIA monitoring standards, Trellix HX operates within clear, predefined boundaries. This ensures that cybersecurity measures focus solely on protecting institutional systems without unnecessary intrusion into personal activity.
Is UC San Diego's implementation of Trellix EDR aligned with existing research guidelines currently in place by funding agencies (NIH, NSF, etc)?
Security Capabilities
What are the key features of Trellix HX?
Key Features of Trellix HX include:
- Real-Time Indicator Detection: Monitors endpoint activity and analyzes system events in real-time to identify and alert on potential security threats.
- Exploit Guard Protection (Windows only): Shields Windows devices from exploit attempts targeting software vulnerabilities, reducing exposure to zero-day attacks. (Not available on macOS and Linux.)
- Malware Protection: Defends against various forms of malware, including viruses, trojans, spyware, and ransomware, using advanced signature-based and heuristic detection methods.
- MalwareGuard (Windows only): Uses AI-driven machine learning to detect and block sophisticated malware threats, including zero-day exploits (Not available on macOS and Linux). This module is not used by UC San Diego.
- Enterprise Search: Enables security teams to perform targeted searches across endpoints to identify known threat indicators and analyze system activity.
- Data Acquisition: Collects critical forensic data from endpoints, aiding in security investigations and incident response.
- File Acquisition: Allows security teams to retrieve specific files related to an incident, such as event logs, registry data, memory snapshots, and malicious files, to assist in forensic analysis.
- Triage: Provides an initial risk assessment of security events, helping security teams prioritize response efforts based on severity.
- Host Containment: Temporarily isolates compromised or high-risk endpoints from the network to prevent threat spread while remediation actions are taken.
How does Trellix HX support security investigations and forensic analysis?
Trellix HX includes tools to help cybersecurity teams investigate and analyze potential threats:
- Data Acquisition – Collects critical forensic data from endpoints to assist in security investigations.
- File Acquisition – Retrieves specific files related to a security event, such as:
- Event logs
- Registry data
- Memory snapshots
- Malicious files
- Triage – Provides an initial risk assessment of security events, helping teams prioritize response efforts based on severity.
These capabilities enable security teams to quickly assess and contain threats.
What type of data does Trellix HX collect during security investigations?
Data Acquisition in Trellix HX allows security teams to collect specific metadata from endpoints to assist in forensic investigations. Its capabilities are designed to support targeted security analysis while aligning with compliance requirements.
What Data Can Trellix HX Collect?
Please note that the below are the capabilities of the software. UC San Diego’s use of the software is guided by the Electronic Communications Policy (ECP).
Categories of the data that is collected by Trellix:
| Event Category | Example Event Types | Description |
| --- | --- | --- |
| General Events | Sensor Online/Offline, Last logged on user, System Identity | The basic events required to monitor Trellix agent health and to allow customers to identify devices |
| User Session Events | Created, Connected, Logged On/Off, Disconnected | Baseline monitoring of user session events with associated processes and threads |
| Process Events | Process Creation, PE Info, Sign Info, Termination | Default process data required for identification and analysis |
| Library Events | Library Load | Identification of software libraries related to loaded processes |
| Thread Events | Thread Creation, Thread Injection | Use focused on monitoring suspicious execution chains |
| Registry Events | ASEP Key Updates, ASEP Value Update (ASEP: Auto Start Extensibility Point) | Monitoring of load points that allow attackers to establish persistence; adding an entry to these keys causes the referenced program to be executed when a user logs in |
| File Events | File Creation/Write, File Access | Triggered and used by a process inside a suspicious execution chain; scope constrained to files related to such processes |
| Network Events | Network Listen, Connect Outbound/Inbound, Network Close, Connection Summary | Focused on monitoring network activity for processes inside a suspicious execution chain |
| DNS Events | DNS Request | For non-standard DNS lookups; focused on unexpected DNS queries on Windows |
| Miscellaneous Events | Named Object Creation (e.g., mutexes, semaphores) | Use focused on monitoring suspicious execution chains |
Categories of the data that is collected by Trellix (continued):
- Full disk contents: Trellix HX supports full disk acquisition, but at UC San Diego it may only be used in accordance with the ECP.
- Full memory contents: Available, but only at the time of a malicious event to help analyze security threats. At UC San Diego, the software is used in accordance with the ECP.
- List of all files and directories: Available, but at UC San Diego only used in accordance with ECP.
These targeted capabilities help security teams investigate incidents efficiently without broad or intrusive data collection. If full disk imaging or complete file system access is required, organizations should use alternative forensic tools designed for that purpose.
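The "suspicious execution chain" scoping in the event table above is what keeps file and network collection narrow: only events from processes in the chain are recorded, not everything the user is doing. The Python block below is an added illustrative model of that rule, not Trellix code and not a description of HX internals; it assumes process-creation events carry a PID and parent PID, treats the chain as the flagged process plus its lineage and descendants (an assumption), and retains only file/network events from those processes. All PIDs, image names, paths and addresses are constructed.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample telemetry (not real Trellix data): PIDs, image names,
# paths and addresses are invented for illustration only.
PROCESS_EVENTS: List[Tuple[int, int, str]] = [
    # (pid, parent pid, image)
    (400, 1,   "explorer.exe"),
    (512, 400, "WINWORD.EXE"),
    (640, 512, "powershell.exe"),  # spawned by the document; a detection flags this PID
    (700, 640, "rundll32.exe"),
    (800, 400, "chrome.exe"),      # unrelated activity in the same user session
    (810, 800, "chrome.exe"),
]

ACTIVITY_EVENTS: List[Tuple[str, int, str]] = [
    # (category, pid, detail)
    ("File",    640, r"C:\Users\user\AppData\Local\Temp\stage.dll"),
    ("Network", 700, "203.0.113.7:443"),
    ("File",    800, r"C:\Users\user\Documents\notes.docx"),
    ("Network", 810, "198.51.100.20:443"),
    ("File",    512, r"C:\Users\user\Downloads\invoice.docm"),
]


def build_tree(process_events: List[Tuple[int, int, str]]) -> Dict[int, Tuple[int, str]]:
    """Index process-creation events as pid -> (parent pid, image)."""
    return {pid: (ppid, image) for pid, ppid, image in process_events}


def execution_chain(tree: Dict[int, Tuple[int, str]], flagged_pid: int) -> Set[int]:
    """Return the set of PIDs whose file/network events are in scope.

    Model used here: the flagged process, its ancestors (how it came to run)
    and its descendants (what it went on to spawn). Sibling process trees in
    the same session, such as an unrelated browser, stay out of scope.
    """
    chain: Set[int] = set()
    # Walk up the lineage until the parent is unknown to the sensor.
    pid = flagged_pid
    while pid in tree and pid not in chain:
        chain.add(pid)
        pid = tree[pid][0]
    # Walk down to every descendant of the flagged process.
    children: Dict[int, List[int]] = {}
    for child, (parent, _image) in tree.items():
        children.setdefault(parent, []).append(child)
    stack = [flagged_pid]
    while stack:
        pid = stack.pop()
        for child in children.get(pid, []):
            if child not in chain:
                chain.add(child)
                stack.append(child)
    return chain


def scope_events(activity_events: List[Tuple[str, int, str]], chain: Set[int]) -> List[Tuple[str, int, str]]:
    """Retain only events produced by processes in the chain; everything else is dropped."""
    return [event for event in activity_events if event[1] in chain]


def minimized_telemetry(process_events, activity_events, flagged_pid: int) -> dict:
    """End to end: build the process tree, derive the chain, filter the events."""
    chain = execution_chain(build_tree(process_events), flagged_pid)
    kept = scope_events(activity_events, chain)
    return {"chain": sorted(chain), "kept": kept, "dropped": len(activity_events) - len(kept)}


if __name__ == "__main__":
    result = minimized_telemetry(PROCESS_EVENTS, ACTIVITY_EVENTS, flagged_pid=640)
    print("in-scope PIDs:", result["chain"])
    for category, pid, detail in result["kept"]:
        print(f"  keep {category:<7} pid={pid} {detail}")
    print(f"dropped {result['dropped']} events from unrelated processes")
```

Running it keeps the Word, PowerShell and rundll32 events and drops both browser events, which is the data-minimization effect the table describes.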
For more details on collected data, refer to the Trellix HX Privacy Data Sheet.
For more details on how the collected data mentioned in the above Privacy Data Sheet would be used by our security team for an investigation, please refer to this video: Using Real-Time Events for Investigation - Trellix Endpoint Security (HX)
What is Trellix doing with the data?
- Data is collected in real-time but only when relevant to security monitoring and threat detection.
- Collected data is used solely for security purposes, including threat detection, incident response, and improving our security services.
For additional information on data handling see the following resources:
- UC San Diego OIA Routine System Monitoring Practices
- Google/Mandiant Privacy & Securing Data
- Trellix Privacy Statement
Note: UCOP’s Master Service Agreement with Mandiant and Trellix requires them to explicitly abide by ECP and our BAA. Learn more about UC's Threat Detection and Identification (TDI) system and refer to COO Nava's Letter to UC Faculty on the principles and considerations that guide the University’s efforts to respond to cyber attacks.
What happens when a compromised device is detected?
If a device is identified as compromised or at high risk, Trellix HX has a Host Containment feature that allows security teams to:
- Isolate the affected endpoint from the network to prevent further spread of threats.
- Maintain communication with security teams for investigation and remediation.
- Restore access once the threat has been addressed.
Host Containment is used only when necessary to protect the broader network while minimizing disruption to users.
What happens during a security investigation?
When the Office of Information Assurance (OIA) Threat Detection & Response (TDR) Team receives a security investigation for an endpoint from our Managed Detection & Response (MDR) vendor, for most infections it will ‘contain’ the infected host using the Trellix console and notify the system owner/system admin.
Subject to the Electronic Communications Policy (ECP), system data acquisition and review may be required to prevent further harm to the user or the University or to assess the scope of impact (the team does not review content of files).
For example, if the security event contains information regarding credential harvesting or evidence of lateral movement, the TDR Team will gather evidence from the infected host to understand what credentials were harvested, or what other hosts were logged onto. We also may want to understand the origination of the infection by looking at external communications or browser history.
In a rare occurrence (it has not occurred in the last 5 years), a TDR Team member may require a forensic review by the TDR Team or our MDR vendor. In this case, a full image of the machine in question will be captured. This would be done with a Digital Forensics and Incident Response (DFIR) tool and most likely only when P4 data is affected.
What is File Acquisition in Trellix HX and what files can it collect?
File Acquisition in Trellix HX is designed to enhance security investigations by collecting relevant data during malicious events. This feature helps security teams analyze threats while ensuring data collection remains targeted and aligned with compliance requirements.
What Files Can Trellix HX Collect?
- Logs and system snapshots to capture activity during a security event.
- Details of the malicious file associated with the event.
- Other security-relevant forensic data to assist in incident response.
UC San Diego’s intended use of Trellix HX does not support arbitrary file acquisition from endpoints. UC San Diego handles data in accordance with the Electronic Communications Policy (ECP). This means security teams cannot retrieve files at will—data collection is strictly focused on identified security incidents.
For more details on how the collected files would be used by our security team for an investigation, please refer to this video: Endpoint Security (HX) - Using Real-Time Events for Investigation
What is Triage in Trellix HX and what data does it collect during security investigations?
Triage in Trellix HX is a security feature that automatically collects key forensic data when alerts are triggered. This helps security teams quickly assess and investigate potential threats without manual intervention.
What Data Does Triage Collect?
- Active Users: Captures information on users logged into the affected machine at the time of an alert, helping security teams determine user activity and potential involvement in an incident.
- Visited Websites: Records URLs of recently accessed websites, providing visibility into web activity that may have contributed to the security event.
- Downloaded Files: Logs details of files downloaded to the endpoint, helping identify potential malware or unauthorized downloads.
These triage collections occur automatically when an alert is triggered, ensuring security teams receive crucial data in real time. Additionally, security teams can initiate manual triage requests for deeper forensic analysis when necessary.
This targeted approach enhances security investigations while maintaining alignment with privacy and compliance standards.
For additional details, please refer to Trellix Endpoint Security (HX) Documentation.
Limitations & User Protections
How does Trellix ensure its subcontractors comply with UC requirements?
Trellix has a comprehensive process for identifying and auditing their subcontractors' compliance. Here are the key points:
- Supplier Documentation and Management:
- Trellix maintains a Supplier Compliance document that details all vendors, their compliance status, and risk assessments
- The assessments are performed by the Trellix Assessment Team
- Their cyber supply chain risk management practices have been deemed effective by CyberCX
- Regular Monitoring and Review:
- Trellix management reviews third-party provider documentation at least annually
- Key subcontractors identified include AWS (cloud hosting) and Okta (identity management)
- Management monitors compliance with security and confidentiality policies and pre-defined performance metrics
- Documentation Review Process:
Management reviews multiple types of compliance documentation, including:
- SOC 2 examinations
- ISO 27001 certifications
- Master service agreements (MSAs)
- Statements of work (SOWs)
- Risk assessment questionnaires
- Issue Management:
- When issues are detected during monitoring activities, Trellix management follows up with the subservice organization until resolution
- A formal process exists for tracking deficiencies from identification to resolution
- Issues are reported to both the responsible individual and their superior
What safeguards exist given EDR's ability to remotely delete data?
While EDR software includes the technical capability to remove malicious files remotely, any such action is only taken by authorized security personnel and is subject to strict protocols.
At UC San Diego, actions like remote deletion are never performed automatically or without human review. The process is governed by UC policy and emphasizes transparency, accountability, and minimizing disruption.
Does Trellix have access to confidential information (FERPA, student information, patient/subject information, institutional review board, sensitive research data)?
Will I still have superuser credentials, and will I still be able to install software?
Can one temporarily suspend virus protection to install software?
Can the user/owner/manager of the computer uninstall Trellix at any time?
Can Trellix HX search across all devices for specific text or files?
Yes; however, UC San Diego’s Security Team does not use Enterprise Search across all devices for specific text or files, as doing so would be contrary to the Electronic Communications Policy (ECP). We do not use this feature; we only respond to security events. The feature is also slow (a search would take a few days to run across the campus), and the TDR Team needs to respond immediately. We have not had a use case for this tool either, as we do not perform proactive searches. Our MDR vendor may use the Enterprise Search tool to search for specific Indicators of Compromise (IoCs), such as a file hash.
Trellix HX does not support free-form text searches across all devices.
Can Trellix HX search across all machines for any type of data?
Yes; however, the Enterprise Search tool is limited to specific fields. As stated above, this is not done by the TDR Team, nor outside the Electronic Communications Policy (ECP), and it may sometimes be used by our MDR vendor to search for IoCs.
Trellix HX does not support arbitrary searches across all machines.
What can be searched?
- Trellix HX enables targeted threat detection based on predefined security indicators (e.g. malware signatures, suspicious behaviors).
- It does not function as a general-purpose search tool and cannot be used for unrestricted keyword or file searches.
This ensures that investigations remain focused on security threats rather than broad system monitoring.
Does Trellix HX allow administrators to actively search endpoints or access user data?
Can Trellix HX access users' web browsing history and downloaded files?
Trellix HX does not provide full access to web history or all downloaded files.
What data is collected?
- URLs and downloaded files are only captured if they are associated with a security threat.
- Trellix HX does not track general browsing history or allow unrestricted access to user downloads.
- This data is collected only during an active security event to help analysts determine potential risks.
By restricting data collection to security-relevant events, Trellix HX ensures that user privacy is maintained while still providing critical information for threat investigations.
Can administrators access or download the full contents of a disk using Trellix HX?
No, Trellix HX does not allow administrators to download the full contents of a disk.
Why?
Trellix HX is designed for targeted security investigations, not for broad data retrieval. It only collects forensic metadata related to security alerts, ensuring that data collection remains focused on responding to cyber threats while following compliance requirements.
For more information, please refer to the Office of Information Assurance (OIA) standard monitoring practices.
Does Trellix HX allow full memory acquisition?
Memory acquisition is limited and only occurs during a detected malicious event.
What does this mean for users?
- Trellix HX does not continuously capture memory data.
- Full memory acquisition cannot be triggered arbitrarily—it is only performed when an active security event is detected.
- This approach ensures that memory data is collected only when necessary for investigating threats, minimizing unnecessary data access.
This targeted approach enhances security investigations while maintaining alignment with privacy and compliance standards.
For additional details, please refer to the Trellix Endpoint Security (HX) Documentation.
Does Trellix/Mandiant share data about UC users with government agencies? What are its policies about letting UC respond to government requests both formal and informal, from National Security Letters (NSLs) and subpoenas to casual inquiries, before responding?
Mandiant: No user information is shared with any 3rd party entity including the US government.
Trellix has strict formal processes for handling government requests and does not share data informally or voluntarily with government agencies. All requests must go through proper legal channels with appropriate oversight and documentation.
Here is a summary of Trellix's policies regarding government data requests:
- All Law Enforcement Requests must be:
- Received and responded to in writing
- Reviewed and approved by Trellix Legal Department before any disclosure
- Documented and tracked (no informal/casual disclosures allowed)
- Subject to Data Minimization Principles
- Trellix's Stance:
- Does not voluntarily permit United States or other governmental agencies access to its infrastructure
- Assesses all requests on a case-by-case basis
- Follows strict need-to-know principles with regular audits
- Requires foreign law enforcement (except UK under CLOUD Act) to go through Mutual Legal Assistance Treaties (MLAT) process
- Transparency:
- Publishes annual Transparency Reports on its public website showing number and types of requests
- For US national security requests (NSLs, FISA orders), reports in bands of 500 over 6-month periods
- Documents all requests and responses unless prohibited by court order
- Makes records available to data exporters who can share with data subjects when permitted
- Special Handling for EU Data:
- Requires Data Protection Officer review for EU Personal Data requests
- Assesses necessity against EU-recognized objectives
- May need to notify EU Supervisory Authorities
- Implements additional safeguards as needed