    Trellix Offline GTI Tool for Air-Gapped OT and ICS Security

    • By Rashid Sharafat
    • February 1, 2026

    The Trellix (formerly FireEye and McAfee Enterprise) Offline GTI tool is a command-line utility that enables organizations to fetch Global Threat Intelligence (GTI) reputation ratings for files and certificates without requiring Internet connectivity. This makes it particularly well suited for Critical National Infrastructure (CNI) environments, where systems are often isolated, segmented, or fully air-gapped.

    Under normal circumstances, Trellix GTI operates as a cloud-based reputation service, returning risk scores — such as trusted, unknown, or malicious — for executables and certificates during runtime. However, when endpoints cannot communicate directly with the GTI cloud, the Offline GTI tool bridges that gap by pre-fetching reputation data that can later be imported into Trellix Application Control or ePolicy Orchestrator (ePO).

    This offline workflow allows organizations to maintain effective threat intelligence even on segregated networks — a common requirement across defense, critical infrastructure, and industrial control system (ICS) environments.

    How the Offline GTI Tool Works (Command Line)

    The Offline GTI tool is run on a Windows system that has Internet access and can reach Trellix GTI services.

    1. Configure Java Environment

    The Offline GTI tool runs on Java, so the Java Runtime Environment (JRE) must be available on the system. Configure the Java path using the following command:

    SET GTI_TOOL_JAVA_HOME=C:\Program Files\Java\jre1.8.0_XXX

    This sets the GTI_TOOL_JAVA_HOME environment variable and ensures the tool can correctly launch the Java runtime.

    2. Open a Command Prompt

    Open a Windows Command Prompt (CMD) with administrative privileges. Ensure that both Java and the Offline GTI tool are accessible from the working directory.

    3. Run the Offline GTI Utility

    From the directory where the Offline GTI tool is located, execute the following command:

    runOfflineGTITool.cmd <Inventory file path>

    Once executed, the tool connects to Trellix GTI services, fetches reputation ratings for all listed items, and writes them into the specified output file.

    The output file is named using the following format:

    GTI-Result-<year>-<month>-<day>_<hour>-<minute>-<second>.zip

    4. Review and Transfer the Result File

    The generated ZIP file contains all GTI reputation data retrieved during the offline session. This file must be securely transferred to the isolated environment where Trellix Application Control (or ePO with Application Control) is deployed.

    To import the results:

    • Log in to the management console (ePO or on-prem Application Control UI).
    • Navigate to Menu → Application Control → Inventory.
    • Select the By Applications tab.
    • Choose Actions → Import GTI ratings.
    • Browse to the offline GTI result file and select it for import.

    Once imported, the local reputation database is updated with the fetched GTI ratings, enabling policy enforcement without requiring real-time cloud connectivity.
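
    One way to confirm that the result file arriving in the isolated environment is the same file the tool produced on the connected system. This is an added example, not part of the Trellix tool or the original article; the function names and the .sha256 sidecar file are assumptions for illustration.

```powershell
# Added example: integrity check for an Offline GTI result file carried across the air gap.
# Function names and the .sha256 sidecar file are assumptions, not Trellix features.
$GtiNamePattern = '^GTI-Result-\d{4}-\d{1,2}-\d{1,2}_\d{1,2}-\d{1,2}-\d{1,2}\.zip$'

function New-GtiResultManifest {
    # Run on the Internet-connected system right after runOfflineGTITool.cmd finishes.
    param([Parameter(Mandatory = $true)][string]$Path)
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    if ($file.Name -notmatch $GtiNamePattern) { throw "Unexpected file name: $($file.Name)" }
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    $manifest = "$($file.FullName).sha256"
    Set-Content -LiteralPath $manifest -Value "$hash  $($file.Name)" -Encoding ASCII
    return $manifest
}

function Test-GtiResultFile {
    # Run inside the isolated environment before using "Import GTI ratings".
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$ManifestPath
    )
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    if ($file.Name -notmatch $GtiNamePattern) { throw "Unexpected file name: $($file.Name)" }

    # Manifest line format: "<SHA-256 hex>  <file name>"
    $line = Get-Content -LiteralPath $ManifestPath -TotalCount 1 -ErrorAction Stop
    $expectedHash, $expectedName = $line.Trim() -split '\s+', 2
    if ($expectedName -ne $file.Name) { throw "Manifest is for '$expectedName', not '$($file.Name)'" }

    $actualHash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    if ($actualHash -ne $expectedHash) { throw "SHA-256 mismatch: file changed or was corrupted in transit" }

    # Confirm the archive opens and is not empty before handing it to the console.
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($file.FullName)
    try { if ($zip.Entries.Count -eq 0) { throw "Archive contains no entries" } }
    finally { $zip.Dispose() }
    return $true
}

# Usage (constructed file name and drive letter):
#   New-GtiResultManifest -Path .\GTI-Result-2026-02-01_10-15-30.zip
#   Test-GtiResultFile -Path E:\GTI-Result-2026-02-01_10-15-30.zip `
#       -ManifestPath E:\GTI-Result-2026-02-01_10-15-30.zip.sha256
```

    A manifest carried on the same media as the ZIP only detects corruption; to detect tampering, move the manifest by a separate path or compare the hash out of band.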

    Why This Matters in OT / Industrial Control Systems

    In Operational Technology (OT) and Industrial Control Systems (ICS) — including power grids, manufacturing systems, water treatment plants, and other critical infrastructure — systems are commonly:

    • Air-gapped for safety and regulatory reasons
    • Restricted from outgoing Internet traffic
    • Running legacy or specialized applications

    These environments cannot rely on real-time cloud-based threat intelligence, yet they still require strong malware protection and strict software validation. The Trellix Offline GTI tool enables organizations to safely introduce up-to-date reputation intelligence into these restricted networks without compromising isolation.

    How to Get the Trellix Offline GTI Tool

    The Trellix Offline GTI tool is not a standalone public download. It is available only to licensed Trellix customers and is distributed as part of the Trellix Application Control product.

    The primary and supported method to obtain the tool is through the Trellix Customer Support Portal.

    Steps:

    1. Log in to the Trellix Support Portal using your Grant Number and licensed account email address.
    2. Navigate to Downloads or Product Updates.
    3. Select Application Control for Windows.
    4. Locate the Offline GTI Tool or related utilities bundled with Application Control resources.
    5. Download the package to a system with Internet access.
