Taegis NGAV FAQ

Do I need to install the Red Cloak Endpoint Agent with Taegis NGAV? ⫘

Yes, Secureworks® Taegis™ NGAV is an add-on with the Red Cloak™ Endpoint Agent.

Which operating systems are the Taegis NGAV agent supported on? ⫘

See Red Cloak Endpoint Agent Supported Operating Systems and System Requirements.

Does the Taegis NGAV agent support non-persistent VDI or Remote Desktop environments? ⫘

Not at this time.

What are the supported browsers for the Taegis NGAV Management Console? ⫘

• Chrome 64+
• Microsoft Edge version 79 and later (Chromium-based)
• Firefox 52.6+

How often is file reputation updated? ⫘

Automatic checks are performed to avoid potential false positives or false negatives (for example, if a file gets cached and then its classification is changed).

How often are models updated? ⫘

Models typically get updated every three months.

Is file reputation on the endpoint or in the Cloud? ⫘

File reputation is through the Cloud.

What type of tamper protection is in place? ⫘

Install/Uninstall requires administrator access. Optionally, you can configure policy-based password protected uninstalls, even to particular groups within your deployment.

What is the false positive rate? ⫘

For each of the models there is a different detection and false positive rate. Our models balance detection and false positives with two levels of aggressiveness with each of the models in the policy. ACL checks on folders, the Certificate list that is synced to the clients, and File Reputation are methods to reduce this ahead of the machine learning models even inspecting the files. Documents aren't signed, are not in file reputation, and are typically not in SYSTEM protected folders - even still they are less than a 0.5% False Positive rate.

How do we process known bad files? ⫘

Known malicious files are caught either through file reputation, tenant level block lists, or machine learning models. If a policy is configured for IPS then we would block a process and quarantine. For file system detections the file is quarantined. For in-memory the script is blocked.

What is the CPU and network usage? ⫘

CPU usage is typically 0-1%. During heavy I/O—for example, OneDrive syncing large amounts of files—it may use up to one core. Typical network usage is < 1 MB per day.

Do the Windows and Linux agents support auto-updates? ⫘

Windows provides automatic updates. Applications on Linux do not automatically update; those running on critical servers are updated through package manager repo updates. Running an apt-get update or zypper update on Linux usually updates the Linux version of the agent without needing any additional commands.

What is the recommended best practice for running the limited test pilot on the endpoint? ⫘

You typically need a week of sampling to appropriately simulate an environment. For example, if you have 100 identical Dell XPS laptops all on Windows 10 running the exact same software, you won’t need more than two or three days. On the other hand, if your environment is a collection of Windows and Linux of various versions and software, it will take longer. Ideally, you can cover every use case in testing in order to minimize compatibility issues or false positives when you roll out.

The Taegis NGAV agent is blocking something that it should not. What do I do? ⫘

Please refer to the Taegis NGAV Enterprise Administration Guide , to the sections named False Positives & Alerts on Benign Applications/Programs for steps on how to add Applications/Programs to the Allow list.