NIAP: Compliant Product
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - FireEye xAgent

Certificate Date:  2016.07.08

Validation Report Number:  CCEVS-VR-VID10697-2016

Product Type:    Application Software

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Application Software Version 1.1

CC Testing Lab:  Acumen Security

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

The TOE is a software agent that resides on a host platform. The software received policies from an external HX series appliance (validated separately, VID10675). These policies are used to identify potential intrusions on the host platform. The TOE uses these policies to scan the host Operating System to identify indicators of compromise. The TOE is an enterprise managed agent that runs in the background of an endpoint platform. It is intended that the user will have no interaction with the software and will not be alerted of communications with the external HX appliance.

Evaluated Configuration

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the FireEye Endpoint Agent was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 4.  The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 4.  Acumen Security determined that the evaluation assurance level (EAL) for the product is EAL 1.  The product, when delivered configured as identified in the AGD, satisfies all of the security functional requirements stated in the FireEye Endpoint Agent Security Target. The project underwent CCEVS Validator review.  The evaluation was completed in July 2016.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.

Environmental Strengths

Cryptographic Support

The TOE provides cryptographic support for the following features,

·         TLS connectivity with the following entities:

o   HX Series Appliance

·         Digital certificate generation

The cryptographic services provided by the TOE are described below.

Cryptographic Method

Use within the TOE

RSA Signature Services

Used in TLS session establishment.

Used in secure software update.

SP 800-90 DRBG

Used in TLS session establishment.

Used in digital certificate generation.


Used in secure software update.

Used in digital certificate generation.


Used to provide TLS traffic integrity verification.


Used to encrypt TLS traffic

Secure certificate storage

TOE Provided Cryptography

Each of these cryptographic algorithms have been validated for conformance to the requirements specified in their respective standards, as identified below. Each of these algorithms are implemented as part of the OpenSSL cryptographic library, version 1.0.1.



CAVP Certificate #



FIPS PUB 186­4 (Signature generation/verification)

Cert. #1976, 1977

Intel Xeon

SP 800-90 DRBG

SP 800-90

Cert. #1103, 1104

Intel Xeon


FIPS Pub 180­4

Cert. #3194, 3195

Intel Xeon


FIPS Pub 198­1, FIPS Pub 180­4

Cert. #2517, 2518

Intel Xeon


NIST SP 800­38A

Cert. #3873, 3874

Intel Xeon

CAVP Algorithm Testing References 

Secure Software Update

The TOE is distributed as a Microsoft .MSI file providing a consistent and reliable versioning. After initial installation, all updates to the xAgent are distributed as .MSI. Each TOE installation and update is signed by FireEye and can only come from the HX Series appliance associated with the TOE. 

Protection of the TSF

The TOE employs several mechanisms to ensure that it is secure on the host platform. The TOE never allocates memory with both write and execute permission. The TOE is designed to operate in an environment in which the following security techniques are in effect, Data execution prevention, Mandatory address space layout randomization (no memory map to an explicit address), Structured exception handler overwrite protection, Export address table access filtering, Anti-Return Oriented Programming, and SSL/TLS certificate trust pinning. This allows the TOE to operate in an environment in which the Enhanced Mitigation Experience Toolkit is also running. During compilation the TOE is built with several flags enabled that check for engineering flaws. The TOE is built with the /GS flag enabled. This reduces the possibilities of stack-based buffer overflows in the product. 

Trusted Path/Channels

The TOE receives scanning policies from the associated HX Series appliance over the network which it uses on the host platform. This connection is always secured using TLS.

Vendor Information

FireEye, Inc.
Peter Kim
Site Map              Contact Us              Home