Trellix Active Response is designed for efficient endpoint protection and incident handling, with features like advanced analytics and user behavior monitoring. It allows swift identification of vulnerabilities and supports effective incident management through seamless system commands.

| Product | Mindshare (%) |
|---|---|
| Trellix Active Response | 0.6% |
| CrowdStrike Falcon | 7.4% |
| Microsoft Defender for Endpoint | 5.9% |
| Other | 86.1% |
Trellix Active Response typically offers a transparent pricing model with no setup costs, ensuring a smooth integration process for users. Pricing methods usually involve subscription-based models, accommodating per-user or per-endpoint licensing options. The pricing range varies based on the specific features and level of support required, catering to diverse organizational needs and budgets.
Focused on enabling secure corporate workstations, Trellix Active Response offers quick incident responses, comprehensive threat hunting, and defense visualization. The system prioritizes rapid log collection and correlation via the ePO dashboard, aiming to protect approximately 1,300 endpoints, especially on remote worker desktops and laptops. While it brings robust monitoring and investigation capabilities, the solution seeks improvements in analytics, interface clarity, and memory performance. There is a need for enhanced integration with on-premises deployments and AI functionalities.
What are the key features of Trellix Active Response?
In corporate settings, Trellix Active Response is deployed for endpoint security, particularly for remote workstations that require robust protection. Companies transitioning from existing setups to Trellix benefit from its integration capabilities and threat hunting efficiency, supporting better management of active response tasks. Industry users appreciate the visual dashboard for improved threat response.
Trellix Active Response was previously known as McAfee Active Response.
| Author info | Rating | Review Summary |
|---|---|---|
| Senior Manager Operational Technology and Cyber Security at Eskom Ltd | 4.0 | We use Trellix Active Response primarily for desktop endpoints, benefiting from its alerts that enhance threat detection and response efficiencies. Improvement is needed for operational technology devices. We see an ROI but didn't evaluate alternatives or use prior solutions. |
| Information Security Engineer at Nhq Distribution Ltd | 4.0 | I've used Trellix Active Response for nine years; it offers strong incident response, quick investigation reporting, and threat visualization, though the dashboard could be clearer. Setup has improved, and I rate it an eight out of ten. |
| IT Security Manager at Telecommunications Services of Trinidad & Tobago Limited (TSTT) | 3.0 | I'm in early stages with Active Response, hoping for automation and remote visibility. Setup was easy, but I found the UI not analytical enough and the price higher than expected. My initial rating is 6/10, and I advise thorough testing. |
| IT Security Manager at Telecommunications Services of Trinidad & Tobago Limited (TSTT) | 3.5 | We find McAfee improved with better analytics and a lighter footprint than older versions. However, it's not truly lightweight, lacks some features, and we're ultimately seeking a more advanced, unified next-gen AV solution with stronger AI. |
| Senior Manager Information Technology at a pharma/biotech company with 10,001+ employees | 3.0 | I find this EDR solution good, stable, and scalable, with straightforward setup. However, I am experiencing support issues and find its high resource consumption, especially memory, a significant concern. |
We use Trellix Active Response primarily for our endpoints, including desktop computers. It monitors all the tools that our users use for their day-to-day work.
The alerts provided by Trellix Active Response are its most valuable feature. They notify us immediately of any vulnerabilities on the endpoints, allowing us to deploy a response quickly. These alerts have been beneficial in terms of operational efficiencies, enhancing our ability to detect and respond to potential threats.
The only area for improvement is regarding operational technology devices, specifically the engineering automation systems. We would like Trellix to optimize the technology for these systems similarly to how it is deployed for normal endpoints.
We have been using Active Response for about two years.
Active Response is quite stable, and we haven't had any issues with it.
The scalability of Active Response is satisfactory. We can deploy it to the operational technology systems, which we didn't initially do.
We have not faced any issues with the technical support. Whenever we interface with them, we do not encounter any problems.
Positive
We did not have any solution before using Trellix Active Response.
The initial setup of Active Response was between an eight and nine in terms of ease. It took between three and six months to deploy, and we followed a typical implementation process with user acceptance tests before moving to production.
The deployment required about four people. We didn't need many people for the implementation.
While we haven't yet quantified the financial benefits, we recognize that there has been a return on investment, particularly with operational efficiencies provided by the alerts.
Based on our evaluations, Trellix Active Response's pricing was the most feasible from a cost perspective. I rate the pricing between a six and an eight. It is justified.
We did not evaluate other options or vendors before choosing Trellix Active Response.
The overall rating I would give Trellix Active Response is eight out of ten. For new users, it's a straightforward application and deployment process.

The typical use case for Trellix Active Response is to provide quick incident response, as the product collects and correlates logs with the ePO dashboard, allowing customers to get visibility of threat hunting and threat defense types of visualization, which is why they are interested in using the EDR solution.
The most valuable feature of Trellix Active Response is that whenever any incident occurs, it allows us to disconnect from that particular network or area and shut down the system using commands.
The continuous monitoring component of this solution allows Trellix to launch the MDR solution, which correlates all incidents and provides investigation reports within a short period of time, hence offering an advantage to the customers using Trellix Active Response and its integrated products.
Trellix Active Response is significant for incident response and detection, as it provides proper visualization and logging capabilities for any incidents that happen.
For Trellix Active Response, there is room for improvement in the platform area and security area to make the dashboard visibility clearer and easier for customers to monitor malicious activities occurring in their environment.
I have been working with Trellix Active Response for nine years.
I would rate technical support from Trellix Active Response as a seven because sometimes we face difficulties finding engineers quickly, leading to customer frustration.
Positive
Regarding the initial setup of Trellix Active Response, the configuration is now better than before because previously it was complicated due to it being part of one platform with McAfee. Now it's separated into on-premises for TIE and cloud for Active Response, which allows for a more streamlined configuration process.
I am an Information Security Engineer at NHQ Distribution Limited and a partner of Trellix. I work with different products in Trellix, including Trellix EDR, SDR, and MDR.
Trellix Active Response is the EDR solution from Trellix that has moved from an on-premises solution to a cloud solution. The Trellix MDR solution is helpful for SOC analysis and is integrated with Trellix EDR and SDR capabilities, providing full visibility of threat detection and hunting and detection response correlating with other solutions like endpoint security and encryption.
On a scale of one to ten, I rate Trellix Active Response an eight.
Active Response provides endpoint protection for remote workers. It covers primarily laptops and desktops, not servers. Active Response is replacing our existing on-prem McAfee solution, and it will protect about 1,300 endpoints when fully deployed. We haven't brought in everybody. Right now, we have a parallel implementation of the old system.
We are hoping to automate detection and response and take advantage of user behavior analytics, given that we are working from home. About half of our workers are still remote, so Active Response gives us that visibility and lets us automate a number of those events.
I expected Active Response's user interface to be much more analytical.
I still haven't evaluated the ransomware features because everybody implements anti-ransomware differently. You need to see these features in action because everyone seems to have their way of doing it. That's something I still would like to evaluate.
It's only been about a week since we rolled out Active Response.
I rate McAfee support seven out of 10. We haven't opened a ticket with McAfee for the new product, but I would say there's room for improvement based on our experience with the old one.
Neutral
We're comparing this to Check Point Harmony Mobile, but we're still going through it. It's hard to say at this point if I see a lot of improvement.
Setting up Active Response is straightforward. We deployed it with Microsoft SCCM. Our team has one engineer and two specialists, and there's a fourth person who can work in either of those roles.
I expected the price to be better.
We're still in the early stages of evaluating the solution because I haven't yet fully deployed all my endpoints. At this point, I would rate Active Response six out of 10.
My advice to those considering Active Response is to do proper data testing. You should run scenarios and use cases to determine whether this solution fits your organization's needs. Make sure you do those things first because you could do a POC, but it looks different in production.
We use McAfee for our corporate-issued laptops and desktops. We use a different product on the servers, however, our use case is mostly for workstations and laptops.
With the ADR parts of it, or the Active Response parts of it, we're able to get a little more information compared to the older version, such as analytics, user behavior analytics, triaging, and meaningful reporting.
It's a little lighter compared to the older version, which was mostly signature-based. It was very CPU intensive. Users used to complain that when the scan was running, they couldn't do any work. That was one of the reasons which prompted us to upgrade, even though our intention was mostly to go to either Carbon Black or CrowdStrike.
It's still not lightweight enough and not as light as they claim to be with the McAfee area of a next-gen AV. They can do some improvements along that line.
There needs to be some improvement around the white-listing or black-listing.
The product could improve aspects around the removal of blacklisted applications, et cetera.
This was an exercise to centralize the AV cell, and that's how we ended up upgrading. The truth, however, is that I was really looking for something much more advanced with user behavior analytics and some AI features that the other competitor's next-gen AV does offer. It is okay for what it's doing now, however, it's not the ultimate software.
There are some components on the cloud that should also reside in the on-prem deployment models but don't. They should ensure they are doing parallel development for cloud and on-prem when they are doing R&D.
I've been using the solution for a long time. It's been over a decade. I'd say it's likely been about 12 years at this point. In the last three years, we've updated to the latest version.
The stability has been okay so far. The problem that I really have is that, when I was doing the POC, we used Symantec on our servers, and we use McAfee on the desktop and the laptops. I wanted a unified solution, one solution that could have worked for both. A next-gen, lightweight solution that would have given me a lot of analytics.
The engineers that actually administer that platform claim that it's pretty good at scaling. It requires a number of components to be installed, however. It is not very straightforward. They've been deploying it in one or two servers. There were databases and different components that you need to have and they need to communicate. It requires some level of advanced knowledge to deploy the solution itself, just to get the environment up. However, once it's up, it seems to be working fine.
At the time we installed the solution, we had about 3000 users. In the last three years, however, our numbers are now down to somewhere around 1400 or something like that. That said, we still have the same amount of licenses being used as we sometimes have a high influx of consultants with our contact centers that we outsource to partners, retail partners that we have, that we have to deploy systems on their premise. We utilize that difference of the license in those scenarios. We don't see a need to increase usage as we still have so many licenses available.
So far, the engineers that manage this solution claim that they're pretty good in terms of technical support. If they need to raise anything through the partner, the local reseller, they haven't had any issues. Prior to the pandemic, we used to have periodic visits from the partner and McAfee directly, however, of course, that has eased up. Things are a bit slow now with the relationship, owing to the pandemic itself, and everybody is just dealing with their own level of crisis.
Overall, I would say we are satisfied with the level of service.
No, we have always used McAfee.
We actually had an engineer on-site that came from McAfee.
We did the rollout using the global policy. We did a combination as well. We used the scan to also push it out. Our company had training as part of that implementation, as a knowledge transfer. For that reason, we really didn't face many difficulties. It was relatively straightforward.
The difficulties we had were more due to the older versions, where they sometimes did not receive an update. Due to that, you could not have pushed the new update to them. One of the challenges we had was that we had to actually go to those systems and uninstall the older model before we could install the newer one.
The deployment was done in phases. We did a sample of about a hundred, and then after that, we rolled it out within two weeks to the rest of the organization.
We have two staff that actually manage that environment itself. They manage the operations and the upkeep, and liaise with the Defender, and with the staff. If there are any issues, they handle them.
I also have my team, which is comprised of four of us that actually manage the system more from a governance perspective, handling policies that need to be implemented, or issues where there may be a breach of policy and those kinds of tasks.
A McAfee engineer assisted us in the implementation process.
We had a reseller help us get someone directly from McAfee. They flew in and came on-site as we also wanted to do in-depth training as well. The reseller didn't do too much work. It was the McAfee engineer that did the heavy lifting.
They only had a three to seven-day window that we had to work with. We had purchased two weeks. We got a one-week on-prem, and the other week where they couldn't install some of the stuff, as far as the rollout, as that was done remotely. The training also was done remotely. The experience was pretty good overall.
We pay for the solution yearly.
Our costs were somewhere around $600K in Trinidad dollars, which might be about $100K US. We have the ETP plus the EDR. Our recent renewal was 1800 licenses as opposed to the full amount. Our transaction cost was about $600K Trinidad dollars, which is somewhere around $90-100K US.
There were extra costs around implementation and training.
With our long-term goal of getting a unified next-gen AV, I've looked at other options.
I would have looked at Carbon Black, before they were acquired by VMware. Now we also have VMware within our private clouds. We have two cloud environments. We resell cloud solutions, and our virtualized vendor is VMware. We have an active partnership with VMware. And now that VMware has acquired Carbon Black, they have approached us to use Carbon Black, and also to resell Carbon Black. That is an ongoing discussion.
We have looked at CrowdStrike, and well, and we have looked at the Check Point solution too. It is my understanding that we may have looked at Cylance as well.
In terms of evaluation criteria, we're looking at the analytics aspects of it, and if there is AI built into it. We want to move away from the old, signature-based type of solution. We're looking for a very lightweight solution that is less CPU intensive.
We were looking at features pertaining to quarantining an endpoint in the event of infection. We want solutions that maintain some level of connection back to the command-and-control, in order for us to remediate, as we didn't have the staff to go out to physical locations.
We were looking for the white-listing. We were looking for features like being able to remove an app if we find it violates the policy of allowed applications on the endpoint. We were also looking for features that would prevent the users from uninstalling the endpoint itself.
We're just a customer.
I'm not sure which version of the solution we're using.
This solution is fine for now. However, our long-term goal is really to get a unified next-gen AV.
I'd advise potential new users that they do extensive research. Do some POC among some of the top vendors out there, probably in the Magic Quadrant. They should have developed some sort of criteria as to what they're looking for. As you evaluate each product, you can then tick off requirements and compare options. Ask about support and how fast a solution can get issues resolved. That's important.
I would rate the solution at a seven out of ten.
We make use of the latest version.
I don't consider any one specific feature to be the most valuable, but I look at the advantages inherent in EDR holistically.
While the product is good, we are currently facing support issues. We are working with McAfee on that front.
When it comes to technical support, we face slowdown issues in respect of the EDR with some of our machines.
The consumption of resources should be lower. What I mean is that the product requires a lot of memory. Cloud-based products are much better by comparison.
We have been using McAfee Active Response for almost a year.
The solution is stable.
The solution is scalable.
We are working with McAfee on support issues that we have encountered.
The initial setup is straightforward.
The product itself is good.
I rate McAfee Active Response as a six out of ten.