Endpoint Prevention troubleshooting scenarios and solutions

Endpoint Prevention availability

Endpoint Prevention is available to Managed Detection and Response and Managed Threat Complete customers who also have the Next-Generation Antivirus or Ransomware Prevention add-ons.

This article contains solutions for common troubleshooting scenarios you may encounter during your experience with Endpoint Prevention.

I moved an agent to a different prevention group, but it's still triggering responses from the original group's policy

There is a brief delay (usually a few minutes) between the time you move an agent from one prevention group to another and the time when the agent adopts the prevention policy of the new group. During this period, you may see activity in InsightIDR that indicates the agent is still taking actions as configured by the original group's policy even though the Endpoint Prevention interface shows that the agent has moved.

What should I do if I believe an antivirus finding is a false positive?

If you feel that an Endpoint Prevention antivirus finding is a false positive, contact Rapid7's Support team by creating a case on the Customer Portal, which you can access directly from the Insight Platform:

  1. Sign in to the Insight Platform using your Insight account email address and password.
  2. Click the ? icon in the upper right corner of the screen to view support options.
  3. Click Create a Support Case or Idea.

My agents are showing the "Poor" Antivirus Health status

As stated in the Antivirus Health status article, the "Poor" status indicates that the antivirus signatures associated with the On-Access Scanning prevention engine are more than 7 days old. The Endpoint Prevention component routinely updates these signatures automatically, so a "Poor" status is most likely the result of connectivity issues between the agent and the URL it uses to download signature updates.

Verify that your assets can communicate with the URL noted in the antivirus capabilities section of the connectivity requirements documentation.

I installed Endpoint Prevention, but Microsoft Defender Antivirus is still appearing as the primary antivirus software on the asset

After installing Endpoint Prevention on an asset running an edition of Windows Desktop, it can take up to 10 minutes for Endpoint Prevention to assume its role as the primary antivirus solution. Windows will continue to show Microsoft Defender Antivirus as the primary antivirus solution during this period, but will update automatically to reflect Endpoint Prevention's role afterwards.

When installing Endpoint Prevention on an asset running an edition of Windows Server, you must uninstall Microsoft Defender Antivirus beforehand as noted in the antivirus and EDR compatibility requirements. In this Windows Server scenario, Endpoint Prevention cannot automatically assume its role as the primary antivirus if Defender Antivirus is still installed.
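The connectivity check for the "Poor" Antivirus Health status and the primary-antivirus checks for the Windows Desktop and Windows Server scenarios above can be run from one PowerShell script on the asset. This is an added diagnostic script, not Rapid7's own tooling; the signature update host is a placeholder you must replace with the host from the connectivity requirements documentation, and the Windows-Defender feature cmdlets are the standard Windows Server method, which this page does not prescribe.

```powershell
# Added example: checks for the troubleshooting scenarios above.
# Not Rapid7 code. $SignatureHost is a placeholder (the real host is in
# the antivirus capabilities section of the connectivity requirements docs).
param(
    [string]$SignatureHost = "SIGNATURE-UPDATE-HOST-FROM-CONNECTIVITY-DOCS",
    [int]$Port = 443
)

# 1. "Poor" Antivirus Health: can the asset reach the signature source?
$conn = Test-NetConnection -ComputerName $SignatureHost -Port $Port -WarningAction SilentlyContinue
if ($conn.TcpTestSucceeded) {
    Write-Output "Signature host reachable: ${SignatureHost}:${Port}"
} else {
    Write-Output "Signature host NOT reachable: ${SignatureHost}:${Port} (check proxy/firewall rules)"
}

# 2. Which antivirus Windows currently treats as primary.
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.ProductType -eq 1) {
    # Windows Desktop: Security Center lists every registered antivirus product.
    # Microsoft Defender Antivirus is still expected here for up to 10 minutes
    # after installing Endpoint Prevention; re-run after that window.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        Select-Object displayName, productState, timestamp
} else {
    # Windows Server has no Security Center; Endpoint Prevention cannot take
    # over while the Defender feature is installed, so report that state.
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $defender = Get-WindowsFeature -Name Windows-Defender
        if ($defender.Installed) {
            Write-Output "Windows-Defender feature is installed: remove it before installing Endpoint Prevention"
            Write-Output "  (assumed standard method: Uninstall-WindowsFeature -Name Windows-Defender -Restart)"
        } else {
            Write-Output "Windows-Defender feature is not installed"
        }
    } else {
        Write-Output "ServerManager cmdlets unavailable; check the Defender feature from Server Manager"
    }
}
```

Run it in an elevated PowerShell session on the affected asset; the Security Center query only exists on Windows Desktop editions, which is why the script branches on the OS product type.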