Compliant Product - FireEye X-Agent 28
Certificate Date: 2019.07.29CC Certificate Security Target Validation Report
Validation Report Number: CCEVS-VR-VID10957-2019
Product Type: Application Software
Conformance Claim: Protection Profile Compliant
PP Identifier: Protection Profile for Application Software Version 1.2
CC Testing Lab: Acumen Security
The TOE is a software agent that resides on a host platform. The software exclusively interacts with the NIAP validated FireEye HX Series Appliances (NIAP VID 10892). This interaction consists of the TOE receiving policies from an external HX series appliance (validated separately) and sending any alerts that are found as a result of these scans. This is done via polling. The TOE is an enterprise managed agent that runs in the background of an endpoint platform. It is intended that the user will have no interaction with the software and will not be alerted of communications with the external HX appliance.
The frequency at which the agent communicates with the HX appliance is set by the enterprise. By default, each agent polls the HX appliance every 600 seconds (10 minutes) to obtain information and task requests and polls the appliance every 30 minutes to obtain the latest indicators. When new policies are received, they are used to identify potential intrusions on the host platform.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the FireEye X-Agent was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 4. The product, when delivered configured as identified in the FireEye X-Agent Common Criteria Guide, satisfies all of the security functional requirements stated in the FireEye X-Agent Security Target. The project underwent CCEVS Validator review. The evaluation was completed in July 2019. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The TOE provides cryptographic support for the following features,
o HX Series Appliance (NIAP VID 10892)
Each of these cryptographic algorithms have been validated for conformance to the requirements specified in their respective standards, as identified below. Each of these algorithms are implemented as part of the OpenSSL Cryptographic Library.
The TOE uses X.509v3 certificates as defined by RFC 5280 to authentication the TLS connection to the HX Series appliance. The TOE validates the X.509 certificates using the certificate path validation algorithm defined in RFC 5280.
Secure Software Update
The TOE is distributed as a Microsoft .MSI file providing a consistent and reliable versioning. After initial installation, all updates to the X-Agent are distributed as .MSI. Each TOE installation and update is signed by FireEye and can only come from the HX Series appliance associated with the TOE.
The TOE does not transmit Personally Identifiable Information (PII) over the network. This aids in protecting the privacy of users of the host platform.
Protection of the TSF
The TOE employs several mechanisms to ensure that it is secure on the host platform. The TOE never allocates memory with both write and execute permission. The TOE is designed to operate in an environment in which the following security techniques are in effect, Data execution prevention, Mandatory address space layout randomization (no memory map to an explicit address), Structured exception handler overwrite protection, Export address table access filtering, and Anti-Return Oriented Programming. This allows the TOE to operate in an environment in which the Enhanced Mitigation Experience Toolkit is also running. During compilation the TOE is built with several flags enabled that check for engineering flaws. The TOE is built with the /GS flag enabled. This reduces the possibilities of stack-based buffer overflows in the product. The compiler enables ASLR by default. The TOE is not built with the /DYNAMICBASE:NO which would disable ASLR.