Accelerated live response

Redline®, FireEye's premier free endpoint security tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile.

With Redline, you can:

  • Thoroughly audit and collect all running processes and drivers from memory, file-system metadata, registry data, event logs, network information, services, tasks and web history.
  • Analyze and view imported audit data, including the ability to filter results around a given timeframe using Redline’s Timeline functionality with the TimeWrinkle™ and TimeCrunch™ features.
  • Streamline memory analysis with a proven workflow for analyzing malware based on relative priority.
  • Perform Indicators of Compromise (IOC) analysis. Supplied with a set of IOCs, the Redline Portable Agent is automatically configured to gather the data required to perform the IOC analysis and an IOC hit result review.

In addition, users of FireEye’s Endpoint Threat Prevention Platform can open triage collections directly in Redline for in-depth analysis allowing the user to establish the timeline and scope of an incident.

Download Redline


Release notes

Current Version: Redline 2.0
Release Date: April 28, 2020

Redline 2.0 is now able to collect investigative artifacts available from OS X and Linux environments. Redline will also import and analyze triages and acquisitions from the FireEye Endpoint Security audit viewer.

  • File Size: 80 MB
  • Integrity Hashes:
    • MD5: 85508f2c168ea83a0809bdd5523916de
    • SHA-1: 40258383c3ec02822d49aab798ed6a4c04ffe9ff

Current Version: Whitelist 1.0 for Redline**
Release Date: July 11, 2012

  • File Size: 31.6 MB
  • Integrity Hashes:
    • ZIP
      • MD5: 0e8fdc80faffe72bb02799d6cdc75d0a
      • SHA-1: 22eb80e40ea3a84b0ed3d821730485253ab31738
    • Extracted
      • MD5: 8448C5E5D4F9273DFA15F00D708F9173
      • SHA-1: F2A9E7A87BAB4AC41E893EB721739E41226D2BDC

Data collection is supported in the following OS environments:

Windows OSX Linux

Windows 8

OS 10.9 (Mavericks)

RHEL 6.8-6.10, 7.1-7.6, 8

Windows 8.1 Update 1

OS 10.10 (Yosemite)

CentOS 6.8-6.10, 7.1-7.6

Windows 10

OS 10.11 (El Capitan)


Server 2008 R2

OS 10.12 (Sierra)


Server 2012, 2012 R2

OS 10.13 (High Sierra)


Server 2016

OS 10.14 (Mojave)


Server 2019


** A set of hashes from common (known good) executable files, used by Redline 1.6 (and newer versions) to filter out some of the memory analysis entries. Includes known good dlls and executable hashes from the Microsoft Windows Server Update Service and the National Software Reference Library.

The product includes a small subset of these hashes. In this file, a more extensive list is included.

To use, download the attached file to your favorite location, on the same host that Redline was installed on. Verify the MD5 /SHA1 hashes to ensure you have the correct file. Start Redline. In the Options > Whitelist Management screen, there is an option to import a new whitelist. Following the procedure will completely replace the previous whitelist in Redline. Note that when doing so, your old whitelist is lost. You may choose to save the old whitelist, again from Whitelist Management, under Redline Options.