Endpoint Detection and Response

Overview

The Information Security Office offers endpoint detection and response (EDR) for university-owned computers and servers. The EDR tool detects and identifies sophisticated and advanced persistent threat (APT) attacks, with capabilities beyond those of traditional malware protection.

Privacy Statement

Berkeley prioritizes privacy and data protection for individuals with Endpoint Detection and Response (EDR) software installed on university-owned computers and servers. Campus EDR is not intended for installation on personally owned devices.

The Campus Privacy Office and the Information Risk Governance Committee (IRGC) are currently reviewing our EDR program. The IRGC provides the campus framework for institutional governance of information risk under campus and systemwide privacy policies, including the Electronic Communications Policy.

Features of EDR

Trellix Endpoint Security software (formerly FireEye HX) is available for University endpoint devices, including servers, workstations, and laptops.

EDR is currently being rolled out to all campus machines via BigFix. See our project details page for more information.

How to Get Started

  • Managed University-owned machines: Starting July 2, 2024, EDR will be incrementally distributed to campus-managed machines using BigFix.

  • Self-managed, University-owned machines: Email endpoint-security@security.berkeley.edu.

Service Details and Additional Information

See our IT Catalog EDR Service page for more information, including

  • How data are collected and analyzed by EDR and the Information Security Office.
  • How UC Berkeley protects privacy.

FAQs

Can I request an exception from EDR?

Most campus users are required to use EDR. Before requesting an exception, please review the exception requirements and process.

How can I tell if EDR has been installed on my machine?

Berkeley IT uses Trellix for our Endpoint Detection and Response software. To see if Trellix has been installed on your university machine, follow these steps based on your operating system.

Apple machines:

Search for a file called “FireEye Helper” in the Applications folder.

- or -

Open Terminal and run:

ps aux | grep xagt...
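The two manual checks above can be scripted so that the result is unambiguous. The following is an added example, not code from the ISO page or from Trellix; the agent process name xagt comes from the page, while the bundle name "FireEye Helper.app" under an Applications folder and the sample process listing are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the Berkeley ISO page or from Trellix): scripts
# the two manual checks for Apple machines. The agent process name "xagt" is
# from the page; the bundle name "FireEye Helper.app" under an Applications
# folder is an assumption.

# edr_agent_running PS_OUTPUT
#   Exits 0 if a line of PS_OUTPUT (the text of `ps aux`) runs the xagt agent.
#   Matching the command column exactly avoids the classic false positive of
#   `ps aux | grep xagt`, where the grep process itself matches.
edr_agent_running() {
  printf '%s\n' "$1" | awk '$11 ~ /(^|\/)xagt$/ { found = 1 } END { exit !found }'
}

# edr_helper_present APPS_DIR
#   Exits 0 if the FireEye Helper app (or a bare "FireEye Helper" file) exists
#   in APPS_DIR (defaults to /Applications).
edr_helper_present() {
  dir="${1:-/Applications}"
  [ -d "$dir/FireEye Helper.app" ] || [ -e "$dir/FireEye Helper" ]
}

# edr_status PS_OUTPUT APPS_DIR
#   Prints installed, agent-only, helper-only or absent. "helper-only" is the
#   case worth reporting to endpoint-security@: the app is on disk but the
#   agent is not running, so the machine is not actually being monitored.
edr_status() {
  agent=0; helper=0
  edr_agent_running "$1" && agent=1
  edr_helper_present "$2" && helper=1
  case "$agent$helper" in
    11) echo installed ;;
    10) echo agent-only ;;
    01) echo helper-only ;;
    *)  echo absent ;;
  esac
}

# Constructed sample of `ps aux` output for an offline demonstration: the agent
# is running, and the grep line shows the self-match that plain grep reports.
SAMPLE_PS='USER  PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root  123  0.0  0.1 100 200 ?? Ss   9:00AM 0:01 /Library/FireEye/xagt/xagt --mode daemon
alice 456  0.0  0.0 100 100 s0 S+   9:01AM 0:00 grep xagt'

# Live check of this machine when run directly; set EDR_NO_LIVE=1 to skip it.
[ -n "${EDR_NO_LIVE:-}" ] || echo "this machine: $(edr_status "$(ps aux 2>/dev/null)" /Applications)"
```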

How do I know if my machine is managed?

In general, you can tell if your computer is centrally managed if you see the Self Service app on your Apple machine, or the BigFix Self Service app on your Windows machine.

I am an employee performing work functions on my personal computer. Can I install EDR?

We are only installing the EDR software on campus-owned machines. Additionally, we strongly encourage staff to utilize Berkeley-owned and managed machines because IT staff will be better able to support those devices and configurations.

What can I do to protect my privacy?

Although the UC Electronic Communications Policy allows for the incidental personal use of University electronic resources, and use of EDR-collected information is limited to what is required for analysis and remediation of security incidents, you may feel that you do not want your personal online activity included in EDR data collection that security analysts could review. We recommend conducting such personal online activity on a device not owned or managed by...

What data is analyzed by the EDR software?

EDR scans continuously and keeps a 10-minute record of your machine's activity, which is saved only if a security alert is triggered.

The regular scan includes:

  • Network activity, such as URL data and DNS lookups
  • File activity, such as downloads
  • Images loaded
  • System processes and registry events (applications and tasks running on the device)

When a security alert is triggered, EDR takes a copy of a second 10-minute interval, including:

  • Applications running
  • Web sites visited
  • File activity, such as downloads
  • Processes running on the machine

See our detailed...

What does EDR software do?

Once installed, the software runs seamlessly in the background while you do your regular work. It uses real-time information and machine learning to detect, contain, and respond to threats quickly to mitigate further damage.

Specifically, EDR uses several techniques, including:

  • Signature-based engine to find and block known malware (akin to traditional anti-virus and anti-malware software).
  • MalwareGuard machine learning using seeded threat intelligence.
  • Behavior-based analytics engine to stop advanced threats...

What is the difference between Trellix and FireEye?

Trellix was formerly named FireEye. You may see references to FireEye on your computer after this product is installed on your machine. The screenshot below shows a popup message you may receive on your Apple machine after Trellix is installed via BigFix.

When will EDR be deployed to my computer?

If your desktop or laptop computer is centrally managed by campus, EDR will automatically be installed on your machine. Beginning in October 2024, ISO will be working to roll out installation across campus for workstations.

If you wish to install EDR on your server before then, please email us at endpoint-security@security.berkeley.edu.

Who do I contact for help with Endpoint Detection & Response (EDR)?

Who has been involved in approving EDR?

See the Privacy Statement section above.