Xagt.exe, the FireEye Endpoint Agent, is the process FireEye Endpoint Security uses to protect your PC or server against zero-day vulnerabilities and exploits, to scan your PC for malware, and to check in real time for the presence of indicators supplied by FireEye's threat intelligence feeds.
I recommend watching the video below to understand FireEye Endpoint Security.
If you open Task Manager on your PC, you will find the Xagt process running, as in the screenshot below.
You might instead see a "FireEye Endpoint Agent" service, but the actual service name is xagt.
Xagt.exe: How To Disable It
First, let me be clear: this program is needed on your PC to protect it against new zero-day vulnerabilities and malware. Disable it only when that is really required.
If you go to Services in Task Manager and right-click the Xagt service, you have no option to disable it. 🙄
Don't worry. FireEye does not let you disable its agent easily, and the main reason is to protect the agent itself against malicious activity.
Follow the steps below to disable it.
Step1:- Click the Start button, search for cmd, right-click it and select Run as Administrator.
Enter the command below to create a task:-
schtasks /Create /RU SYSTEM /SC once /ST 23:00 /TN "Stop xagt" /TR "sc stop xagt" /F
This prints the output: SUCCESS: The scheduled task "Stop xagt" has successfully been created.
Step2:- Now run the task with the command below.
schtasks /Run /TN "Stop xagt"
This prints the output: SUCCESS: Attempted to run the scheduled task "Stop xagt".
This stops the Xagt process on your PC. 😍
Step3:- Now you can verify that the agent is stopped with the command below.
sc query xagt
If you now go back to Services, you will find the Xagt service is stopped, as in the screenshot below. From here you also have the option to enable it.
By default, tamper protection is enabled to protect the Xagt client, but if you are a FireEye HX admin you can disable it in the policy.
Open the FireEye HX admin dashboard, navigate to Admin > Policies, and edit the policy that is applied to the host sets.
Here you have the option to disable Tamper Protection.
Note:- Disabling tamper protection features may allow users with administrative rights, malicious actors, and/or malware to disable or weaken endpoint protection.
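Because the commands above stop the agent from an administrator prompt, a security team will want to alert on them. The Python sketch below is an added example, not part of the original post or of any FireEye tooling: it flags process-creation command lines that stop, delete or reconfigure the xagt service, either directly or through schtasks /Create. The sample command lines and the names classify and scan are constructed for illustration.

```python
import re

PROTECTED = {"xagt"}  # service name from the page; add other agent services as needed

# "sc stop|delete|config <svc>" or "net stop <svc>", anywhere in the command line
STOP_RE = re.compile(
    r'\b(?:sc(?:\.exe)?\s+(?:stop|delete|config)|net1?(?:\.exe)?\s+stop)\s+"?([\w.\-]+)', re.I)
CREATE_RE = re.compile(r'\bschtasks(?:\.exe)?\b.*?/create\b', re.I)
RU_RE = re.compile(r'/ru\s+"?([^"\s]+)', re.I)
TN_RE = re.compile(r'/tn\s+"([^"]+)"|/tn\s+(\S+)', re.I)
QUOTES = str.maketrans("“”‘’", "\"\"''")  # copy-pasted commands often carry curly quotes

def classify(cmdline):
    """Return a finding dict if cmdline acts against a protected service, else None."""
    cmd = cmdline.translate(QUOTES)
    m = STOP_RE.search(cmd)
    if not m or m.group(1).lower() not in PROTECTED:
        return None
    finding = {"service": m.group(1).lower(), "via": "direct", "run_as": None, "task": None}
    if CREATE_RE.search(cmd):  # the stop command is the action of a new scheduled task
        ru = RU_RE.search(cmd)
        tn = TN_RE.search(cmd)
        finding.update(via="scheduled_task",
                       run_as=ru.group(1).upper() if ru else None,
                       task=(tn.group(1) or tn.group(2)) if tn else None)
    return finding

# Constructed sample process-creation command lines (not real telemetry).
SAMPLE = [
    'schtasks /Create /RU SYSTEM /SC once /ST 23:00 /TN “Stop xagt” /TR “sc stop xagt” /F',
    'schtasks /Run /TN "Stop xagt"',
    'sc query xagt',
    r'C:\Windows\System32\sc.exe stop xagt',
    'sc stop spooler',
]

def scan(lines):
    """Return (index, finding) pairs for every command line that matches."""
    return [(i, f) for i, line in enumerate(lines) if (f := classify(line))]

if __name__ == "__main__":
    for idx, f in scan(SAMPLE):
        print(idx, f)
```

The /Run line is not flagged because it carries only the task name; the action is visible only on the /Create line, so that is the event to alert on.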
Xagt.exe: How To Uninstall
I faced one issue with the FireEye endpoint agent where it was installed on the PC and was not communicating with the manager, and it was password protected and I was not able to remove it.
So here is the way to uninstall it. First, navigate to https://www.revouninstaller.com/ and download and install Revo Uninstaller (select the free one) on the PC.
Right-click "FireEye EndPoint Agent" and select the Uninstall option.
It will start the uninstallation of the client, but here you need to select the "Advanced" option and click the Scan option to scan for leftovers.
It will show you all the leftovers of the program. Click the "Select All" option and then the "Delete" option to delete those leftovers. That's it. 😎
If it is still not removed, then
open and run this Microsoft tool ( Download here ) to verify that no remnants of the FireEye agent are present. If any are present, please remove them.
How To Check The Running Xagt Process?
If you want to know how many processes Xagt uses, download Process Monitor on your PC and run it with admin rights.
Follow the screenshot below: select the filter Process Name contains Xagt, and then click Add.
It will show you all the paths that xagt is scanning.
If you suspect xagt is scanning another antivirus, then in the same window select Path contains followed by your antivirus name; in my case it's TrendMicro.
Click Add to add it to the filter.
It will show you the exact paths that FireEye is scanning.
How Much Memory Xagt Process is Consuming?
On my laptop, three EDR products (FireEye, Endgame, and Trendmicro EDR) are installed, and I observed that Xagt consumes between 400 and 600 MB of memory on average.
Look at the screenshot of my Task Manager below: FireEye is running two processes and consuming an average of 500 MB of RAM, and Endgame EDR is consuming 161 MB of RAM.
Note:- All the modules of FireEye are enabled on my PC.
Trendmicro is consuming less memory than any other EDR.
In TrendMicro, the Application Control, Behavior Monitoring, DLP, Endpoint Sensor, Predictive Machine Learning, and Smart Scan features are enabled, but it's consuming less memory than any other EDR installed on my PC.
Note:- We are not comparing which EDR is best here; I am just showing how much RAM each of these three top EDRs consumes in normal operation.
I know you are missing Carbon Black in this memory consumption; here is the Carbon Black consumption.
Xagt, or FireEye Endpoint Agent, is a legitimate process running on your PC, deployed by your security team to protect your PC against zero-day vulnerabilities and exploits. Don't disable or uninstall it unless that is really required.