How to install Endpoint Prevention

Endpoint Prevention is available to Managed Detection and Response and Managed Threat Complete customers who also have the Next-Generation Antivirus or Ransomware Prevention add-ons.

Endpoint Prevention's capabilities are delivered as an independent component packaged with the Insight Agent itself. This article will guide you through the process of installing this bundled edition of the Insight Agent on the assets you intend to monitor with Endpoint Prevention.

Installer characteristics

The Endpoint Prevention edition of the Insight Agent installer is an MSI that includes these independent components:

  • Component Manager
  • Insight Agent
  • Endpoint Broker
  • Endpoint Communicator
  • Endpoint Prevention

This is a token-based installer: during installation you must provide it with a unique token that corresponds to your organization. The installer uses this token to retrieve the configuration files it needs from the Insight Platform.

Post-installation behavior

Be aware that after installing Endpoint Prevention on an asset, it may take up to 10 minutes for Endpoint Prevention to assume its role as the active antivirus solution, and likewise, for Windows to reflect that information. During this period, Windows may indicate that Microsoft Defender Antivirus is still the active antivirus solution:

  • When installing Endpoint Prevention on an asset running a supported edition of Windows Desktop, this transition will take place automatically.
  • When installing Endpoint Prevention on an asset running a supported edition of Windows Server, note that Microsoft Defender Antivirus must be uninstalled beforehand. Endpoint Prevention will not be able to assume its role as the active antivirus solution if Defender Antivirus is still installed. This scenario is covered in step 1 of the installation procedure.
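The following PowerShell script is an added example for checking this transition; it is not part of the article or of Rapid7's installer. It polls the Windows Security Center WMI namespace (root/SecurityCenter2), which Windows Desktop exposes and Windows Server does not, until the expected product is reported as enabled or the 10-minute window elapses. The productState bit layout it decodes (bit 0x10 of the middle byte meaning "enabled") is a widely used but undocumented convention, and the product name that Endpoint Prevention registers under is assumed to contain "Rapid7"; confirm both on a test asset before relying on the script.

```powershell
# Added example (not from the article): wait for Windows Security Center to
# report the expected antivirus product as enabled, or give up after a timeout.
# ASSUMPTIONS: root/SecurityCenter2 exists (Windows Desktop only), productState
# bit 0x10 of the middle byte means "enabled", and Endpoint Prevention's
# registered displayName contains the value of -ExpectedName.
param(
    [string]$ExpectedName = 'Rapid7',   # substring of the expected displayName (assumed)
    [int]$TimeoutMinutes = 10,          # the transition window described above
    [int]$PollSeconds = 30
)

function Get-RegisteredAntivirus {
    # One object per product Security Center knows about, with Enabled decoded
    # from the productState bitfield. Throws on Windows Server, where the
    # namespace is absent and the service state is the only thing to check.
    try {
        $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop
    } catch {
        throw "root/SecurityCenter2 is unavailable (expected on Windows Server); check the Rapid7 Endpoint Prevention service instead. $_"
    }
    foreach ($p in $products) {
        [pscustomobject]@{
            Name    = $p.displayName
            Enabled = ((($p.productState -shr 8) -band 0xFF) -band 0x10) -ne 0
            State   = '0x{0:X6}' -f $p.productState
        }
    }
}

$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    $products = Get-RegisteredAntivirus
    $products | Format-Table -AutoSize | Out-String | Write-Host
    $active = $products | Where-Object { $_.Name -like "*$ExpectedName*" -and $_.Enabled } | Select-Object -First 1
    if ($active) {
        Write-Host "Windows now reports '$($active.Name)' as the enabled antivirus."
        exit 0
    }
    Start-Sleep -Seconds $PollSeconds
} while ((Get-Date) -lt $deadline)

Write-Warning "Timed out after $TimeoutMinutes minutes; '$ExpectedName' is still not reported as enabled. Check the Endpoint Prevention service and the agent logs."
exit 1
```

Run it from an elevated PowerShell prompt after the installation step. If Microsoft Defender Antivirus is still the only enabled product when the script times out, the handover has not completed and the install should be investigated rather than assumed to have succeeded.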

How to install

Follow these steps to install Endpoint Prevention on your Windows assets.

Step 1: Uninstall Microsoft Defender Antivirus (if necessary)

As noted in the Endpoint Prevention requirements and the post-installation behavior, Endpoint Prevention must be able to assume its role as the active antivirus solution on your asset. If you are installing Endpoint Prevention on an asset running Windows Server, uninstall Microsoft Defender Antivirus first.

If you are installing Endpoint Prevention on an asset running Windows Desktop, no action is required here and you can proceed to the next step.

Step 2: Acquire the installer from Rapid7

For this Early Access program, Rapid7 will provide an Endpoint Prevention-edition Insight Agent installer to you directly. Contact your Rapid7 deployment representative if you still need an installer.

Step 3: Copy your installer token

Since Endpoint Prevention uses a token-based Insight Agent installer, you will need to locate (or generate, if necessary) your token from your Agent Management interface. You will provide this token during the installation step.

To locate and copy your token:

  1. Go to https://insight.rapid7.com/login and sign in with your Insight account email address and password.
    • If you are not directed to Insight Platform Home upon successfully signing in, open the navigator in the upper left corner of your screen and click Insight Platform Home.
  2. Open the Data Collection tab in the left menu and click Agents.
    • Use the dropdown next to Agent Management to select the organization you want the newly installed Insight Agent to be associated with. If you only have access to 1 organization, it will already be selected.
  3. Open the Add New dropdown in the upper right corner of the screen and click Agent.
  4. Click Windows.
  5. On the Download tab, scroll to the Token Management dropdown and click to open it. Your existing token will display.
    • Click Copy and proceed to the installation step.
    • If no token is displayed, generate one now and copy it for the installation step.

Step 4: Install the Insight Agent

  1. Extract the contents of the ZIP file you obtained in step 2 to a directory that you can easily access with a command prompt. The extracted ZIP file will contain these files (this example is for the 64-bit installer variety):
    • rapid7_endpoint_prevention_installer.bat
    • MVArmorInstallation_x64.msi
    • manifest.json
    • agentInstaller-x86_64.msi
  2. Open a command prompt as an Administrator, navigate to the extraction folder that contains these files, and run the following command, substituting the {token} portion with the token you copied in step 3:
      rapid7_endpoint_prevention_installer.bat CUSTOMTOKEN={token}
    • If you already have an Endpoint Prevention program deployed and you want to associate this agent with an existing prevention group other than the default group, add a DESIRED_GROUP option. As long as the group name you provide matches an existing prevention group, the agent automatically becomes a member of that group once installed. If no group matches the name you provide, the agent becomes a member of the default group according to its standard behavior:
      rapid7_endpoint_prevention_installer.bat CUSTOMTOKEN={token} DESIRED_GROUP=MyGroupName
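Steps 1 through 4 as one PowerShell script, added here as an example and not supplied by Rapid7 or the article. It takes the installer ZIP path and an optional prevention group as parameters, prompts for the token at run time rather than embedding it (the token identifies your organization to the Insight Platform, so treat it as a credential and keep it out of scripts, tickets and shell history), removes the Defender Antivirus feature only when the asset is a Windows Server, and then runs the batch installer. Assumed, because the article does not state them: the Windows Server feature name Windows-Defender (Server 2016 and later), and that the batch file returns a non-zero exit code on failure and 3010 when a reboot is pending, as msiexec does.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): automate the installation steps.
# ASSUMPTIONS: the Server feature is named 'Windows-Defender'; the batch
# installer returns 0 on success, 3010 when a reboot is pending, and anything
# else on failure. Verify both against your installer build before rollout.
param(
    [Parameter(Mandatory)] [string]$InstallerZip,        # ZIP from your Rapid7 representative
    [string]$Group,                                      # optional DESIRED_GROUP value
    [string]$WorkDir = (Join-Path $env:TEMP 'ep-install')
)

# Read the token interactively: it is an organization-scoped credential and
# should not be hard-coded or left in command history.
$token = Read-Host -Prompt 'Installer token (CUSTOMTOKEN)'
if ($token -notmatch '^\S+$') { throw 'Token must be a single non-empty string.' }

# Step 1: on Windows Server, Microsoft Defender Antivirus must be removed first.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.ProductType -ne 1) {                              # 1 = workstation, 2/3 = server
    $defender = Get-WindowsFeature -Name Windows-Defender -ErrorAction SilentlyContinue
    if ($defender -and $defender.Installed) {
        Write-Host 'Windows Server detected: removing the Microsoft Defender Antivirus feature.'
        $result = Uninstall-WindowsFeature -Name Windows-Defender
        if ($result.RestartNeeded -ne 'No') {
            throw 'Reboot required after removing Defender Antivirus; reboot and re-run this script.'
        }
    }
} else {
    Write-Host 'Windows Desktop detected: Defender hands over automatically, nothing to remove.'
}

# Step 4: unpack the bundle and run the token-based installer.
Expand-Archive -Path $InstallerZip -DestinationPath $WorkDir -Force
$bat = Join-Path $WorkDir 'rapid7_endpoint_prevention_installer.bat'
if (-not (Test-Path $bat)) { throw "rapid7_endpoint_prevention_installer.bat not found in $WorkDir" }

$installArgs = @("CUSTOMTOKEN=$token")
if ($Group) { $installArgs += "DESIRED_GROUP=$Group" }   # falls back to the default group if no match

$proc = Start-Process -FilePath $bat -ArgumentList $installArgs -WorkingDirectory $WorkDir -Wait -PassThru -NoNewWindow
$token = $null
switch ($proc.ExitCode) {
    0       { Write-Host 'Install finished. Allow up to 10 minutes for Endpoint Prevention to become the active antivirus.' }
    3010    { Write-Warning 'Install finished, but Windows requires a reboot to complete it.' }
    default { throw "Installer exited with code $($proc.ExitCode); inspect the MSI logs in $WorkDir." }
}
```

The Defender removal is deliberately gated on the OS product type so the same script can be pushed to desktops and servers; on a desktop the branch is skipped and the handover described under Post-installation behavior happens on its own.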

How to update

If you enabled managed agent updates, you don't need to perform any manual tasks to update Endpoint Prevention. However, if you need to manually update the service while password protection is on, you must include either the one-time passcode or fixed password as the final parameter of the command you run.

To update the service:

  1. Obtain the zip file with the latest version of Endpoint Prevention as described in step 2.
  2. Obtain the installer token as described in step 3.
  3. Extract the contents of the zip file to a directory that you can easily access with a command prompt.
  4. Open a command prompt as an Administrator and navigate to the extracted folder, which contains the rapid7_endpoint_prevention_installer.bat file.
  5. Run this command, replacing <token> and <passcode or password> with the installer token and either the one-time passcode or a fixed password:
      rapid7_endpoint_prevention_installer.bat CUSTOMTOKEN=<token> stop_service_password=<passcode or password>

How to stop and restart

If you need to troubleshoot a problem, you can stop Endpoint Prevention on an asset, even if the asset is offline or has been disconnected.

With password protection turned on, you will need to either get the one-time passcode or know the fixed password, if one is configured. The fixed password might be the organization-wide fixed password or one that is specific to the prevention group that the asset belongs to.

To stop Endpoint Prevention:

  1. Log into the asset on which you want to stop the Endpoint Prevention service.
  2. Open a command prompt as an Administrator and run this command, replacing <passcode or password> with either the one-time passcode you obtained from the Security Settings page or a fixed password that you configured (the path contains spaces, so keep the quotes):
      "C:\Program files\rapid7\Insight Agent\components\armor\common\armor\MVarmorService32.exe" --stop_service <passcode or password>
    Note: The service can take several minutes to stop. The passcode is passed on the command line, so it is visible to anyone who can list process command lines on the asset until the command returns.

To restart Endpoint Prevention:

  1. Open the Run dialog from your Start menu (or press Win+R), type services.msc, and press Enter.
  2. Depending on your asset, start either the Rapid7 Endpoint Prevention 64bit service or the Rapid7 Endpoint Prevention 32bit service.
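An added PowerShell version of the stop and restart procedure, not taken from the article or from Rapid7. It prompts for the passcode instead of embedding it, waits for the service to actually reach the Stopped state (the article warns this can take several minutes), and starts it again when you are done troubleshooting. It assumes that the names quoted in the restart step are service display names matching the wildcard 'Rapid7 Endpoint Prevention *' and that the executable path from the stop step is correct for the asset; adjust both if yours differ.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): stop Endpoint Prevention with the
# passcode/password, wait for the service to stop, and restart it afterwards.
# ASSUMPTIONS: the service display name matches 'Rapid7 Endpoint Prevention *'
# and $StopExe (taken from the stop step above) exists on this asset.
$StopExe = 'C:\Program files\rapid7\Insight Agent\components\armor\common\armor\MVarmorService32.exe'

function Get-EndpointPreventionService {
    $svc = Get-Service -DisplayName 'Rapid7 Endpoint Prevention *' -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $svc) { throw 'No Rapid7 Endpoint Prevention service is installed on this asset.' }
    return $svc
}

function Stop-EndpointPrevention {
    param([int]$TimeoutMinutes = 10)
    $svc = Get-EndpointPreventionService
    if ($svc.Status -eq 'Stopped') { Write-Host "$($svc.DisplayName) is already stopped."; return }
    if (-not (Test-Path $StopExe)) { throw "$StopExe not found; check the installation path." }

    # Prompt rather than hard-code the secret. It still travels on the command
    # line of MVarmorService32.exe, so anyone who can list process command lines
    # while it runs can read it; do this from a trusted console only.
    $secret = Read-Host -Prompt 'One-time passcode or fixed password'
    & $StopExe --stop_service $secret
    $secret = $null

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Service -Name $svc.Name).Status -ne 'Stopped' -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 15
    }
    $status = (Get-Service -Name $svc.Name).Status
    if ($status -ne 'Stopped') {
        throw "$($svc.DisplayName) is still $status after $TimeoutMinutes minutes; the passcode may have been rejected."
    }
    Write-Host "$($svc.DisplayName) stopped."
}

function Start-EndpointPrevention {
    # Same effect as starting the service from services.msc.
    $svc = Get-EndpointPreventionService
    Start-Service -Name $svc.Name
    $svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
    Write-Host "$($svc.DisplayName) is $((Get-Service -Name $svc.Name).Status)."
}

Stop-EndpointPrevention
# ... troubleshoot the asset here ...
Start-EndpointPrevention
```

Polling the service state rather than trusting the return of the stop command is the point of the example: a rejected passcode leaves the service running, and the timeout turns that into an explicit error instead of a silent no-op.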

How to uninstall

If you need to uninstall an existing Insight Agent to install Endpoint Prevention, or if you want to uninstall the Endpoint Prevention component while leaving the rest of the agent intact, this section covers these scenarios.

How to uninstall Endpoint Prevention while leaving the agent intact

If you want to uninstall the Endpoint Prevention component but leave the Insight Agent intact for use with other Rapid7 products or services, run a command in an Administrator command prompt.

Note: If your asset is a 32-bit machine, use the installer name MVArmorInstallation_x86.msi in the command.

  1. In the command prompt, navigate to the directory where your Endpoint Prevention installer is located.
  2. Run one of these commands:
    • If password protection is turned on: Msiexec /x MVArmorInstallation_x64.msi /qn stop_service=<passcode or password>
    • If password protection is turned off: Msiexec /x MVArmorInstallation_x64.msi /qn
    • To generate a verbose log of the uninstallation, append the /L*V switch to either command, substituting the {log-path} portion with the path where you want the log file to be placed: Msiexec /x MVArmorInstallation_x64.msi /qn /L*V {log-path}

How to uninstall an existing Insight Agent entirely

If you want to uninstall the Insight Agent entirely, note that you'll need to uninstall Endpoint Prevention first, then uninstall the rest of the Insight Agent second. The Insight Agent will not allow itself to be uninstalled if Endpoint Prevention is still present.

After uninstalling Endpoint Prevention, you can uninstall the Insight Agent using the Add or remove programs tool in Windows:

  1. In your Start menu, select Control Panel.
  2. Under Programs, click Uninstall a program.
  3. Browse to Rapid7 Insight Agent and select it, then click Uninstall.
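Both uninstall scenarios as one PowerShell script, added as an example and not provided by Rapid7 or the article. It removes the Endpoint Prevention component first (the agent refuses to uninstall while it is present), then removes the Insight Agent by its registered Windows Installer ProductCode, which is what the Add or remove programs steps above do behind the scenes, and it checks the msiexec exit code at each stage. Assumed, because the article does not state them: the agent appears under the standard Uninstall registry keys with the display name "Rapid7 Insight Agent", and the stop_service property is not marked hidden in the MSI, so the verbose log may record its value and should be protected or deleted afterwards.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): uninstall Endpoint Prevention, then the
# Insight Agent, in the order the article requires, with exit-code checks.
# ASSUMPTIONS: the agent's Uninstall registry entry has DisplayName
# 'Rapid7 Insight Agent' and its key name is the MSI ProductCode; msiexec exit
# codes 1605 (not installed) and 3010 (reboot required) are the documented ones.
param(
    [string]$InstallerDir = (Get-Location).Path,            # where MVArmorInstallation_*.msi lives
    [string]$LogDir = (Join-Path $env:ProgramData 'Rapid7Uninstall')
)
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

function Invoke-Msiexec {
    param([string[]]$MsiArgs, [string]$LogName)
    $log = Join-Path $LogDir $LogName
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList ($MsiArgs + @('/qn', '/L*V', "`"$log`"")) -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { return $true }
        1605    { Write-Warning "Product not installed ($LogName)"; return $true }   # ERROR_UNKNOWN_PRODUCT
        3010    { Write-Warning "Reboot required ($LogName)"; return $true }         # ERROR_SUCCESS_REBOOT_REQUIRED
        default { throw "msiexec exited with $($proc.ExitCode); see $log" }
    }
}

# 1. Endpoint Prevention component, using the MSI that matches the OS bitness.
$msiName = if ([Environment]::Is64BitOperatingSystem) { 'MVArmorInstallation_x64.msi' } else { 'MVArmorInstallation_x86.msi' }
$msiPath = Join-Path $InstallerDir $msiName
if (-not (Test-Path $msiPath)) { throw "$msiPath not found; run this from the extracted installer directory." }

$epArgs = @('/x', "`"$msiPath`"")
$secret = Read-Host -Prompt 'Passcode or password (leave blank if password protection is off)'
if ($secret) { $epArgs += "stop_service=$secret" }
Invoke-Msiexec -MsiArgs $epArgs -LogName 'endpoint-prevention-uninstall.log' | Out-Null
$secret = $null
Write-Host 'Endpoint Prevention removed.'

# 2. The Insight Agent itself, located by its registered ProductCode.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$agent = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
         Where-Object { $_.DisplayName -eq 'Rapid7 Insight Agent' } | Select-Object -First 1
if (-not $agent) { throw 'Rapid7 Insight Agent is not registered in Add or remove programs.' }
if ($agent.PSChildName -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { throw "Unexpected uninstall key $($agent.PSChildName); not an MSI ProductCode." }

Invoke-Msiexec -MsiArgs @('/x', $agent.PSChildName) -LogName 'insight-agent-uninstall.log' | Out-Null
Write-Host "Insight Agent removed. Logs are in $LogDir; the first log may contain the stop_service value, so restrict or delete it."
```

Keeping the two msiexec calls in sequence inside one script, with a hard failure on any unexpected exit code, is what enforces the ordering the article describes: if the Endpoint Prevention removal fails, the agent removal never runs and you are not left guessing which of the two products is still installed.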