Endpoint Detection and Response


The Information Security Office offers endpoint detection and response (EDR) using a threat detection and identification tool, Trellix. Trellix Endpoint Security software (formerly known as FireEye HX) is designed to address sophisticated or advanced persistent threat (APT) attacks with features that go beyond the capabilities of traditional malware protection. 

Features of EDR

  • Available for University endpoint devices including servers, workstations, and laptops

  • Supported on Windows, macOS, and Linux devices

  • Compliant with regulations such as PCI-DSS and HIPAA

How to Enroll Today

EDR Expansion Program

EDR software is required under the campus information security investment plan mandated by UC President Michael Drake to help manage and reduce cybersecurity risk. EDR will be pushed out to all Berkeley-managed machines by August 1, 2024. Employees who manage their own machines will be able to install EDR at a date to be determined.

EDR Project Milestones


Due Date

Project Planning and Requirements




Testing & Remediation


Implementation for managed machines


Self-service available for self-managed machines


EDR Project Overview

The university currently faces significant security vulnerabilities due to the absence of robust endpoint protection measures across centrally managed systems. Therefore, the implementation of EDR represents a critical initiative to address vulnerabilities and transition the university to a more secure environment.


What does EDR software do?

EDR runs in the background of a system to detect and block attacks using several techniques including:

  • Signature-based engine to find and block known malware (akin to traditional anti-virus and anti-malware software)

  • MalwareGuard machine learning using seeded threat intelligence

  • Behavior-based analytics engine to stop advanced threats

  • Real-time discovery of Indicators of Compromise (IOC) using frontline threat intelligence

Additionally, EDR enables automatic real-time monitoring and investigation of ongoing security events, greatly expediting incident response and containment.

In layman's terms, what does the above mean?

Once installed, the software runs in the background while you do your normal work. What's unique about this software (compared to other malware or antivirus programs) is that it uses real-time intel in conjunction with machine learning to quickly detect threats and immediately act to mitigate any damage.  

What data is analyzed by the EDR software?

How is data collected and analyzed by EDR and the Information Security Office?

  • The application collects system information in 10-minute intervals, including application processing information such as website URLs.

  • If an alert is triggered, another 10-minute interval is captured, and both intervals are downloaded to a monitoring center for forensic purposes and reviewed by an ISO Security Analyst.

  • If a security incident is determined, EDR will try to mitigate and/or block the attack. ISO will also proceed to gather additional forensic information from the system for the purposes of investigating the incident and containing the compromise. ISO will notify you when additional forensic information is gathered, and inform you of steps you need to take, if any. If no security incident is determined, the data is deleted.

How does UC Berkeley protect my privacy?

UC Berkeley takes your privacy very seriously:

  • Security alert data collected from endpoint devices is only stored for the duration of the investigation of the alert or as required by law or policy. 

  • All data acquisition events are reviewed by the Information Security Office, logged, and follow guidelines established by the IT Policy Office and Campus Privacy Office to ensure the acquisition is warranted. Participants will be notified of security events according to ISO’s normal security operations processes. 

  • ISO security analysts and EDR Managed Defense analysts use the concept of least perusal in accordance with the UC Electronic Communications Policy (ECP) to perform only those searches that are necessary to confirm whether there is a potential compromise or breach.

Can I request an exemption from EDR?

An exception request process will be available for limited situations, to be determined. The IT Risk and Governance Committee is reviewing options and will advise the Information Security Office on requirements as this project moves forward. Effective August 2024, most campus users will be required to use this service.


If you have any questions, including about the type of data collected, email us at endpoint-security@security.berkeley.edu.

Related Resources:

UC’s Threat Detection and Identification (TDI) initiative:

FireEye (Trellix) HX Endpoint Security Data Sheet