Recent updates to this article
| Date | Update |
| March 8, 2024 | Made the following changes: |
| March 7, 2024 | Made the following changes: |
Understanding Trellix Intelligent Sandbox (TIS), formerly named Advanced Threat Defense (ATD), EOL, and Migration to Trellix Intelligent Virtual Execution (IVX)
When is Trellix TIS (ATD) going to End of Life?
TIS (ATD) End of Life schedule:
| Platform | End of Sale | End of Support |
| TIS 3100 | December 31, 2020 | December 31, 2025 |
| TIS 6100 | December 21, 2020 | December 31, 2025 |
| TIS 3200 | June 30, 2023 | December 31, 2025 with TIS; June 30, 2028 with IVX |
| TIS 6200 | June 30, 2023 | December 31, 2025 with TIS; June 30, 2028 with IVX |
What is the migration path for TIS (ATD) customers?
- TIS (ATD) customers with valid entitlements can migrate to IVX software. This applies to on-prem and virtual deployments.
- Customers currently on ATD will have to renew with their existing ATD entitlement first. Once they're migrated to IVX (software upgrade), they can renew their appliance entitlement to IVX by calling Trellix.
- vATD customers can request Virtual IVX (vIVX) once we go formally GA with the vIVX release.
How will TIS (ATD) customers migrate to IVX software?
A software upgrade package has been developed to assist with the migration of TIS (ATD) software to IVX software. More details on deployment and use of the software upgrade package are available on the Documentation Portal in the Product Guide Trellix Intelligent Virtual Execution (IVX) Migration Guide.
What is the technical process to migrate TIS (ATD) hardware to IVX software?
For more information, go to the Documentation Portal and see the Trellix Intelligent Virtual Execution (IVX) Migration Guide.
What are the prerequisites for customers to deploy IVX onto their TIS (ATD) hardware (3200 and 6200)?
Customers must have a valid TIS (ATD) entitlement to deploy IVX software on their TIS (ATD) hardware. Customers on legacy ATD 3000 and ATD 6000 hardware aren't supported.
How can I identify if TIS has been successfully migrated to IVX?
The migration progress can be monitored on Remote monitoring and management (RMM) software or a console connected to TIS hardware. On successful migration, you'll be presented with an IVX Login and Password prompt.
What if RMM doesn't show any IVX login/password prompt even after waiting for more than an hour, or if it shows any error?
The TIS to IVX migration should take 15–20 minutes, but we recommend setting aside around 1 hour for the migration to complete. If the migration doesn't complete in this amount of time, allow an extra 30 minutes before trying any other option. Schedule the migration with sufficient downtime, because after migration the system takes some time for the initial configuration and integrations to work.
Things to try in case of migration failure:
- It's possible the migration didn't begin due to an unfulfilled prerequisite condition in TIS. If the TIS Web UI is still accessible, check the log at Manage, Logs, System for more information.
- Try rebooting the appliance from the RMM and observe the RMM console for possible errors. Take a screen capture of the error and share it with Customer Support.
- To recover the system, reinstall TIS using the ISO available from Support. After doing the basic configuration (IP, Gateway, and Netmask assignment), run the atdtoivxmigration.msu again.
- NOTE: A specific ISO has been created for this purpose, so regular TIS Installer ISOs won't work. The installation of the IVX disk partition requires specific handling, which this ISO takes care of.
Post-migration, TIS will be completely wiped from hardware so there'll be no image, config, or analysis results available. For future reference, take a backup of these on an external device.
Can we restore the TIS' backed-up configuration and reports to IVX post-migration?
No, IVX is a totally different product. None of the TIS configurations or reports can be restored to IVX.
Does IVX support email integration with Cisco ESA or any other Mail Transfer Agent (MTA)?
IVX doesn't support email integration through MTA. Trellix provides a virtual EX product that integrates seamlessly with Trellix IVX, which has built-in sandbox capability. Contact your sales representative for further information.
Do I need to obtain a special license for using IVX after migrating from TIS?
Details of all the TIS hardware in use and their respective licenses are pre-populated in FENET. Post-migration to IVX, the system will automatically fetch and apply the license. If the license isn't fetched properly or the system shows an error, contact Customer Support for help.
NOTE: Air-gapped customers are advised to talk to their sales or account representatives to understand the process of getting the license, as well as Offline Portal Access to download Security Content and Guest Images. More details can be found on the Documentation Portal in the DTI Update Portal User Guide.
What is FENET, shown in the initial setup wizard in IVX CLI?
It's a network hosting service used by IVX to download licenses, Guest Images, and Security Content.
What does the Reset Database option in the TIS GUI do when installing the IVX migration package?
Nothing much, as the IVX migration package will flush all configs.
How will the physical network interface ports on the TIS appliance be mapped after migrating to IVX? What functionalities would those ports provide?
After migration, TIS interfaces are renamed as described in the table below:
| TIS interfaces | IVX Interfaces |
| eth0 | eth1 |
| eth1 | eth2 |
| eth2 | eth3 |
| eth3 | eth4 |
Ether1 (eth1) is for management, while the other ports can be used for clustering and submission interfaces.
What will the IVX model number be post-migration?
Post-migration, TIS model numbers are shown in the table below. You can also see the new model number by running the CLI command show version, where you will find the model number under the product model category.
| ATD/TIS Model Number | IVX Model Number |
| ATD-3100 | VX3100 |
| ATD-6100 | VX6100 |
| ATD-3200 | VX3200 |
| ATD-6200 | VX6200 |
What does 1-way license mean? What does 2-way license mean?
The Security Server appliances (physical or virtual) receive Security Content updates from the DTI, and also send Security Server Status and Configuration information to the DTI. This is necessary to identify the version of the security server for Security Content download compatibility, and to monitor the physical or virtual Security Server health.
- With a 2-way DTI license, the appliances receive Security Content updates from DTI and send information such as malware hashes and callbacks to DTI.
- With a 1-way license, DTI information exchanges don't include sending threat data to DTI. This mode requires customers to purchase a separate license for each Security Server. There's a separate configuration for Security Content Updates and Security Server Support.
DTI stands for Dynamic Threat Intelligence. It's similar to GTI and consolidates the reputation feeds received from various products deployed in the field. It acts as a static analysis engine.
What would ZEROCONF do during the initial CLI configuration wizard in IVX?
Zero configuration networking allows you to automatically create a network of devices without having to manually configure a DHCP server, DNS services, or network settings for each device that you want to connect to that network.
How can I check whether the security content is downloaded properly post-migration?
Before the migration of TIS, ensure the following URLs are allowed in the firewall: You can also run the below CLI commands to check and download security content if there's any issue or failure:
show fenet status
show fenet security-content status
fenet security-content download-update
show fenet security-content status progress
While a CMS isn't a requirement to use IVX, at present, it's necessary if you want to manage it through a Web UI. However, not all IVX functionalities are available on the CMS.
Does IVX support the clustering of multiple IVX appliances?
Yes, for more information, refer to the documents below available on the Documentation Portal:
- Information about APIs to form an IVX cluster can be found in the Trellix API Reference under Endpoints, Cluster Management.
- CLI commands for IVX cluster creation can be found in the document CLI Command Reference under mvx cluster.
- See the article Useful CLI commands for Intelligent Virtual Execution for a list of useful IVX commands.
- Brokers expose ports 25672 and 4369 for inter-broker communication. They also expose port 5671 for communication with compute nodes.
- Ports 25672 and 5671 are SSL-encrypted.
- Port 4369 is protected by key hash.
- Sensors and compute nodes connect to brokers using SSH (port 22).
- The cluster database uses TCP port 7001.
- Cluster management communication uses TCP and UDP ports 18300 through 18303.
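The port list above translates into a small allow-list of flows for the firewall between cluster nodes. The following is an added example, not Trellix code: it builds that flow matrix from node roles and flags observed connections that fall outside it. The addresses and connection records are constructed, TCP is assumed for ports 25672, 4369 and 5671, and ports 7001 and 18300 through 18303 are assumed to be needed between all broker and compute nodes, since the page gives no direction for them.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from itertools import permutations

# (protocol, first port, last port, purpose), taken from the port list above.
# ASSUMPTION: TCP for 25672, 4369 and 5671 (the page gives no protocol).
BROKER_TO_BROKER = [("tcp", 25672, 25672, "inter-broker (SSL)"),
                    ("tcp", 4369, 4369, "inter-broker (key hash)")]
COMPUTE_TO_BROKER = [("tcp", 5671, 5671, "broker port for compute nodes (SSL)"),
                     ("tcp", 22, 22, "SSH to broker")]
SENSOR_TO_BROKER = [("tcp", 22, 22, "SSH to broker")]
# ASSUMPTION: needed between every pair of broker/compute nodes, both directions.
NODE_TO_NODE = [("tcp", 7001, 7001, "cluster database"),
                ("tcp", 18300, 18303, "cluster management"),
                ("udp", 18300, 18303, "cluster management")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port_lo: int
    port_hi: int
    purpose: str


def _canon(addr):
    """Normalise an address; raises ValueError if it is not a valid IP."""
    return str(ip_address(addr))


def build_flow_matrix(brokers, computes, sensors=()):
    """Expand node roles into the full list of permitted (src, dst, port) flows."""
    brokers = [_canon(a) for a in brokers]
    computes = [_canon(a) for a in computes]
    sensors = [_canon(a) for a in sensors]
    if set(brokers) & set(computes):
        raise ValueError("a node is listed as both broker and compute")
    flows = []

    def allow(src, dst, specs):
        flows.extend(Flow(src, dst, *spec) for spec in specs)

    for a, b in permutations(brokers, 2):
        allow(a, b, BROKER_TO_BROKER)
    for broker in brokers:
        for node in computes:
            allow(node, broker, COMPUTE_TO_BROKER)
        for sensor in sensors:
            allow(sensor, broker, SENSOR_TO_BROKER)
    for a, b in permutations(brokers + computes, 2):
        allow(a, b, NODE_TO_NODE)
    return flows


def match(matrix, src, dst, proto, dport):
    """Return the Flow that permits this connection, or None."""
    src, dst, proto = _canon(src), _canon(dst), proto.lower()
    for flow in matrix:
        if ((flow.src, flow.dst, flow.proto) == (src, dst, proto)
                and flow.port_lo <= dport <= flow.port_hi):
            return flow
    return None


def audit(matrix, observed):
    """Return the observed connections that no flow in the matrix permits."""
    return [rec for rec in observed if match(matrix, *rec) is None]


# Constructed sample: two brokers, two compute nodes, one sensor (TEST-NET addresses).
MATRIX = build_flow_matrix(["192.0.2.11", "192.0.2.12"],
                           ["192.0.2.21", "192.0.2.22"], ["192.0.2.50"])
# Constructed connection records: (src, dst, proto, destination port).
OBSERVED = [
    ("192.0.2.21", "192.0.2.11", "tcp", 5671),    # compute -> broker
    ("192.0.2.11", "192.0.2.12", "tcp", 25672),   # broker -> broker
    ("192.0.2.22", "192.0.2.21", "udp", 18302),   # cluster management
    ("192.0.2.50", "192.0.2.11", "tcp", 22),      # sensor -> broker SSH
    ("192.0.2.50", "192.0.2.11", "tcp", 5671),    # sensor on the compute port
    ("198.51.100.7", "192.0.2.11", "tcp", 4369),  # host outside the cluster
    ("192.0.2.21", "192.0.2.22", "tcp", 25672),   # broker port between computes
]

if __name__ == "__main__":
    print(f"{len(MATRIX)} permitted flows")
    for rec in audit(MATRIX, OBSERVED):
        print("unexpected:", rec)
```

Connections that `audit` returns are candidates for a deny rule or an alert on the firewall in front of the cluster; everything else in the matrix is what the change request needs to permit.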
Does IVX support high availability (HA)?
Yes, for HA support, a cluster needs to have multiple brokers configured.
Does the IVX cluster support redundancy?
Yes, the IVX cluster supports redundancy through a multiple-broker configuration.
Does IVX support a virtual IP that represents the cluster itself, similar to TIS?
No, IVX doesn't have the concept of a virtual IP. Instead, it supports multiple brokers and point products (IPS, SWG, and TIE). If one of the brokers goes down, the cluster can still be managed by the IP of another broker.
How many brokers can be configured in a cluster?
IVX doesn't have an upper limit on the number of brokers. Nodes in the IVX cluster can be categorized as broker or compute. Brokers act as cluster managers and compute nodes only perform analysis. For a large cluster, it's recommended to configure three brokers.
How long would it take for the IVX initial CLI setup wizard to complete? We need this information for scheduling downtime.
Quantifying the time for this step is difficult because, after the IP configuration, the license is fetched and the analyzer VM images are downloaded. The time may vary depending on the customer's network. It's always advisable to perform migration during scheduled downtime.
How long would it take to enable integrating IVX with Trellix TIE Server? We need this information for scheduling downtime.
TIE integration with IVX is simple. It consists of configuring the IVX broker node IP address, usernames, and credentials. However, the entire integration has a lot of moving parts, such as compatible versions of TIE, ENS, and EPO. It's always better to schedule downtime for any new integration.
How long would it take to enable integrating IVX with Trellix IPS? We need this information for scheduling downtime.
If IPS is preconfigured with a policy, etc., then it's just a matter of configuring the username and password, along with the broker IP address of IVX. It's always better to schedule downtime for any new integration.
How long would it take to enable integrating IVX with Skyhigh SWG? We need this information for scheduling downtime.
If SWG is preconfigured with a policy, etc., then it's just a matter of configuring the username and password along with the IP address. It's always better to schedule downtime for any new integration.
How does IVX handle RBAC, which TIS used to support? Do we have a reference guide for implementing roles in IVX?
IVX comes with a very basic RBAC implementation. For file submission using API, create users with the role admin and api_analyst. Other roles won't be able to submit files using APIs. Because IVX is integrated with IPS, SWG, and TIE using API, remember to use only admin and api_analyst when creating users for file submission from these point products.
Does IVX support URL analysis?
The current version of IVX doesn't support URL analysis. This feature is planned for the next release of IVX scheduled for 1H-24.
What are the basic commands I can use to see the system's health?
You can run CLI commands like those shown below:
show version
show mvx node status
show health all
IVX supports submission through REST API. You can find more details on the APIs available on the Documentation Portal in the Trellix API Reference, under Endpoints, VX API endpoints.
Which version of API should I use?
Use version 2.0.0 while using APIs.
How can we search for results for particular submissions in IVX?
Similar to the unique jobId generated by TIS for each submission, IVX generates a UUID, which is unique in a cluster. Using this UUID or the MD5 of the file, the result can be queried.
What are some basic commands to see the file analysis status in IVX?
- To check cumulative submissions:
show mvx submission
show submission
- To show the list of submissions completed with UUID and details:
show mvx submission done
- To filter submissions based on UUID:
show mvx submission uuid d2512e42-bab9-42ee-b947-368699f11de5
- To filter submissions based on md5sum:
show mvx submission md5sum b3bdb39b28b335379ad9d3f77a1fda2c
- To filter submissions based on time range:
show mvx submission from 2023/11/26 06:08:14 to 2023/11/27 06:08:14
- To filter submissions with a since clause. Can be used with days, hours, or mins:
show mvx submission since 1 days
IVX uses a combination of static engine results and predefined OS for different file types to detonate files in different combinations and provide a final verdict based on behavior analysis.
What are the static engines used by IVX and how can I check their status? How can I enable/disable them?
Use the command below to check the status of Static Engines:
show static-analysis config
no static-analysis sa-clam enable
no static-analysis enable
Yes
What's the version of YARA supported by IVX?
4.X
What are the benefits of migrating TIS (ATD) to IVX?
IVX has stronger detection capabilities than TIS (ATD) and Trellix will continue to invest in IVX as a key part of the Trellix Platform portfolio. This includes built-in integrations with Email Security and Network Security products, native integration with IPS, Endpoint Security, Skyhigh SWG, etc. IVX also allows for broad third-party integrations via API, flexible deployment options, and a superior architecture that allows for clustering for load balancing, failover, and high availability. Benefits include the following:
- Better overall detection efficacy through proven VX multi-session execution engine technology:
- Support for over 200 file types.
- Support for static and dynamic analysis of macOS and Linux malware.
- No additional license fees for Windows and macOS guest images.
- The Guest images are hardened and tuned, and OS/application updates are provided by Trellix. Customers don't need to maintain Guest images (customization is possible).
- Patented technology to run multiple versions of an application within the same Guest OS. Example: Multiple versions of Office, Java, PDF reader, Flash, etc. on the same guest image for a higher chance of exploit execution.
- Future R&D and new features will be for IVX going forward. Example: Adding a native ICAP interface.
The Q1 2024 release of IVX delivers almost all of the key outcomes of detecting new and emerging threats as well as or better than ATD. There are a few use cases that IVX doesn't replicate in the same way:
- WebUI - WebUI that shows submissions via API from supported product integrations
- Custom operating systems - IVX doesn't support custom operating system images for detonation
- Private GTI Support (specialized use case for air-gapped environments) - IVX doesn't support Private GTI
- IVX has granular options to customize images that address the majority of use cases for customers who upload custom operating system images in TIS (ATD) to get virtualization-aware malware to execute.
- IVX has robust capabilities to simulate a real user environment, including running common apps that require user inputs, so that malware executes and exposes its behavior.
- Additional customizations that are possible in IVX that address the need for custom images are as follows:
- Specific language pack
- Presence of specific file
- OS or App versions
In limited circumstances, it's possible to install a fresh TIS (ATD) installer on TIS (ATD) hardware that has IVX installed on it. If customers require TIS (ATD) for a specific capability that they find is missing after deploying IVX, they can contact customer support to receive a TIS (ATD) installer file that will work on hardware that has IVX installed on it.
TIS (ATD) customers are encouraged to evaluate if IVX can meet the same outcome requirements even if the process is different. Trellix is confident that they'll see improved detection outcomes and broader deployment and integration options for their security and collaboration requirements.