NIAP: Compliant Product
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - FireEye X-Agent 28

Certificate Date:  2019.07.29

Validation Report Number:  CCEVS-VR-VID10957-2019

Product Type:    Application Software

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Application Software Version 1.2

CC Testing Lab:  Acumen Security

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

The TOE is a software agent that resides on a host platform. The software exclusively interacts with the NIAP validated FireEye HX Series Appliances (NIAP VID 10892). This interaction consists of the TOE receiving policies from an external HX series appliance (validated separately) and sending any alerts that are found as a result of these scans. This is done via polling. The TOE is an enterprise managed agent that runs in the background of an endpoint platform. It is intended that the user will have no interaction with the software and will not be alerted of communications with the external HX appliance.

The frequency at which the agent communicates with the HX appliance is set by the enterprise. By default, each agent polls the HX appliance every 600 seconds (10 minutes) to obtain information and task requests and polls the appliance every 30 minutes to obtain the latest indicators. When new policies are received, they are used to identify potential intrusions on the host platform.

Evaluated Configuration

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the FireEye X-Agent was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 4.  The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 4.  The product, when delivered configured as identified in the FireEye X-Agent Common Criteria Guide, satisfies all of the security functional requirements stated in the FireEye X-Agent Security Target. The project underwent CCEVS Validator review.  The evaluation was completed in July 2019.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.

Environmental Strengths

Cryptographic Support

The TOE provides cryptographic support for the following features,

  • TLS connectivity with the following entities:

o   HX Series Appliance (NIAP VID 10892)

  • Digital certificate validation

Each of these cryptographic algorithms have been validated for conformance to the requirements specified in their respective standards, as identified below. Each of these algorithms are implemented as part of the OpenSSL Cryptographic Library.




CAVP Cert. #


FIPS 197

SP 800-38A

CBC 128, CBC 256

C779 (AES)


FIPS 180-4

SHA-1, SHA-256

C779 (SHS)


FIPS 186-4

n = 2048 SHA-256

C779 (RSA)


FIPS 198-1


C779 (HMAC)


SP 800-90A


C779 (DRBG)

Table 1 CAVP Certificate References

Identification and Authentication

The TOE uses X.509v3 certificates as defined by RFC 5280 to authentication the TLS connection to the HX Series appliance. The TOE validates the X.509 certificates using the certificate path validation algorithm defined in RFC 5280.

Secure Software Update

The TOE is distributed as a Microsoft .MSI file providing a consistent and reliable versioning. After initial installation, all updates to the X-Agent are distributed as .MSI. Each TOE installation and update is signed by FireEye and can only come from the HX Series appliance associated with the TOE.


The TOE does not transmit Personally Identifiable Information (PII) over the network. This aids in protecting the privacy of users of the host platform.

Protection of the TSF

The TOE employs several mechanisms to ensure that it is secure on the host platform. The TOE never allocates memory with both write and execute permission. The TOE is designed to operate in an environment in which the following security techniques are in effect, Data execution prevention, Mandatory address space layout randomization (no memory map to an explicit address), Structured exception handler overwrite protection, Export address table access filtering, and Anti-Return Oriented Programming. This allows the TOE to operate in an environment in which the Enhanced Mitigation Experience Toolkit is also running. During compilation the TOE is built with several flags enabled that check for engineering flaws. The TOE is built with the /GS flag enabled. This reduces the possibilities of stack-based buffer overflows in the product. The compiler enables ASLR by default. The TOE is not built with the /DYNAMICBASE:NO which would disable ASLR.

Trusted Path/Channels

The TOE receives scanning policies from the associated HX Series appliance over the network which it uses on the host platform. This connection is always secured using TLS.

Vendor Information

FireEye, Inc.
Jim Waggoner
Site Map              Contact Us              Home