Configure Next-Generation Antivirus

After installation, this documentation guides you through configuring the Next-Generation Antivirus add-on for your organization.

How to access the Agent Management interface

All aspects of Endpoint Prevention add-ons are configurable in the Agent Management experience of Insight Platform Home. Your Insight account must have either the Platform Administrator role or a Product Administrator role to access Agent Management:

  1. Go to https://insight.rapid7.com/login and sign in with your Insight account email address and password.
    • If you are not directed to Insight Platform Home upon successfully signing in, open the navigator in the upper left corner of your screen and click Insight Platform Home.
  2. Open Data Collection > Agents > Endpoint Prevention.
    • You can use the dropdown next to Agents to select the organization for which you want to configure your Endpoint Prevention add-on. If you only have access to one organization, it will already be selected.

Task 1: Configure Prevention Groups

The first step in configuring your Next-Generation Antivirus add-on is determining how your assets with an Insight Agent installed should be grouped. This article explains how prevention groups work and how to create them.

Prevention group rules and characteristics

The Next-Generation Antivirus add-on requires that all eligible Insight Agents are associated with a prevention group. These groups are the object to which you attach and configure a prevention policy. For an initial deployment, all your eligible agents are automatically placed in a default prevention group. This group uses the immutable default prevention policy configured by Rapid7 to provide a baseline level of protection when your Endpoint Prevention program is in Active Prevention mode.

Assets can only belong to one Prevention Group

You can create your own custom prevention groups to configure your Next-Generation Antivirus add-on, but note that each group has exclusive control of the agents within it. An agent can only be in one prevention group at a time, and associating an agent with a new prevention group means removing it from its existing group.

Prevention Groups can be empty

Prevention groups do not require agents for the group to be created. This scenario is especially useful when your Next-Generation Antivirus add-on is already running in Active Prevention mode. Creating an empty prevention group first allows you to prepare a new prevention policy in isolation without affecting your assets and the rest of your Next-Generation Antivirus configuration. You can return to the prevention group at a later time and assign agents to it when you're ready.

Prevention Groups must be empty to be deleted

Prevention groups are considered in use as long as the group has at least one agent associated with it. Prevention groups with any agents in them are not eligible for deletion. If you decide you no longer require the prevention group, you must move all assets to another custom prevention group or the DEFAULT group before Next-Generation Antivirus allows you to delete the group.

Create a prevention group

  1. Click Endpoint Prevention in Agent Management. The Prevention Groups subtab will already be selected.
  2. Click Create Prevention Group. A window will prompt you to name and describe your group.
  3. At this point, you can move on to configure group membership, a prevention policy, and exclusions, or you can elect to finish creating the group and leave configuration for later.

Task 2: Configure Prevention Policies

The policy attached to a prevention group is composed of categories of detection logic called prevention engines. Each engine is designed to detect specific threats and instruct the Insight Agent on what action to take when a threat is detected. You can tune the behavior of each engine individually, and select which engines to use collectively, to meet the goals of your Next-Generation Antivirus add-on.

This article provides a breakdown of prevention policies in general and each prevention engine you can implement in your policies, explains what behavior they are designed to detect, covers how the agent can take action against threats, and guides you through the configuration process.

Prevention policy rules and characteristics

A prevention policy exists solely within a prevention group and has a one-to-one relationship with that group. A group's policy defines what prevention engines should be actively monitoring the prevention group's assets for threats.

You have full configuration control over the policies attached to your custom prevention groups. An exception to this is the DEFAULT prevention group and the default prevention policy attached to it. This policy is immutable and its configuration is maintained solely by Rapid7.

Agent actions

You can separately configure how the Insight Agent will respond to detected threats for each prevention engine in your policy. Overall, the Insight Agent is capable of these actions:

  • Block - The Insight Agent will actively block any threat detected by the prevention engine and generate an alert in InsightIDR. Depending on the context of the threat, this could involve terminating malicious processes, denying access to files, and other active prevention methods.
  • Disinfect - Specific to the On-Access Scanning engine, the Insight Agent will attempt to remove the detected threat from affected files and generate an alert in InsightIDR.
  • Detection Only - The Insight Agent will take no action other than generating an alert in InsightIDR.
    • This setting functionally disables Next-Generation Antivirus's ability to play an active role in safeguarding your assets. You may determine that some asset behaviors do not warrant agent intervention beyond generating alerts in your environment, but be aware that you will need to be responsible for handling threats detected in these circumstances.

Rule priority

As with agent actions, you can separately configure the priority level of the alerts generated by each prevention engine in your policy. When your security team sees these alerts in InsightIDR, the priority level you assign here is tagged on the alert itself.

The Next-Generation Antivirus add-on supports these priority levels:

  • Low
  • Medium
  • High

The context of these levels should be determined within your security team.

Prevention engine details

Prevention engines protect your assets from ransomware and other forms of malware that use common types of evasive techniques. The following prevention engines are available for use and configuration in your policies. This section provides a high-level explanation of which engines are available for each operating system and a description of what these engines detect.

On-Access Scanning (Antivirus)

Available for Windows, Mac, and Linux operating systems, the On-Access Scanning prevention engine scans local and network files for viruses in real time when a user accesses them, such as when a file is opened, moved, copied, or executed. When an infected file is detected, the On-Access Scanning engine generates an alert that you must investigate and update the disposition for (shown as the Custom and Contextual Investigation Category in InsightIDR). The engine can also update itself automatically, providing protection against the latest viruses and other types of malware.

In addition to the Block and Detection Only agent actions, On-Access Scanning is the only engine that can also instruct the agent to run the Disinfect action, which attempts to remove the detected threat from affected files. If a signature matches known malware, the engine blocks or deletes the malicious code to prevent it from damaging your device. In addition to the standard alert details, the generated alert provides the malicious file path, the program used to access the file, and the threat name and category.

The Antivirus Health indicator shown for each agent in your Agents table is tied directly to the status of this prevention engine in each of your policies.

On-Access Scanning also includes additional configuration options that allow you to tune the scope of its scanning:

These scanning options are potentially resource-intensive

Depending on the contents and behaviors of your assets, they may experience a performance impact if your policy specifies additional scanning options beyond the recommended configuration set by the default prevention policy.

  • Scan Email - Enables the scanning of plaintext emails, email databases, and disinfection inside those databases.
  • Scan Potentially Unwanted Applications (PUA) - Enables the scanning of programs that may be unwanted on the asset, such as those that come bundled with free software.
  • Scan Archives - Enables the scanning of file archives (such as "recently deleted") during a content scan.
  • Scan Packed - Enables scanning and disinfection inside packed executables.
  • Antimalware Scan Interface (AMSI) - Enables the scanning of scripts, files, and similar content coming from other programs for malware before they can make changes to the asset.

Additional Windows prevention engines

In addition to the On-Access Scanning (Antivirus) prevention engine, Windows operating systems also have access to these prevention engines.

Additional Prevention Engines for Windows operating systems

Memory Injection Attacks

Some malicious software can inject and hide itself in a legitimate process. The Memory Injection Attacks prevention engine stops fileless threats and blocks code execution from the file system, causing such malware to exit or crash.

More information

Why it’s used

Previously, malware attacks typically involved malicious processes, which either carried out the attack or downloaded a file-based payload with malicious code. These processes were found by threat analysts and security software that listed running processes, distinguishing suspicious processes from legitimate ones.

How it’s used

Malware authors are now aware of this countermeasure and have created a way to circumvent it, using techniques known as process injection or memory injection.

Process and memory injection make it harder for security tools to detect malicious processes. These techniques run malicious code in the address space (the range of valid memory addresses allocated to a particular program or process) of a legitimate process or a sensitive OS process. Sometimes, malware also unpacks malicious code into its own process as a form of self-injection, creating a skeleton process that is already present in memory.

How Next-Generation Antivirus blocks it

The Next-Generation Antivirus add-on stops fileless and other memory-resident malware from hiding in legitimate processes and evading detection. For example, Next-Generation Antivirus deceives the malware about its ability to unpack code solely in a process’ memory space without exposing or loading a dynamic link library (DLL) into the process memory, stopping the attack before it does any damage.

Resulting actions

The code injection is blocked from unpacking itself in the destination or targeted process.

Forensic information available in alerts

In addition to the standard details, the resulting alert provides information about the destination process and the malware targeted for injection. It also provides a list of all loaded modules (DLLs) in the process that triggered the alert.

Living-Off-the-Land Attacks

Different from classic forms of malware, a Living-Off-the-Land attack attempts to cause damage by misusing tools that are built into the system. The Living-Off-the-Land Attacks prevention engine blocks the malicious software's ability to leverage such tools to infect an asset.

More information

Why it’s used

Living off the land (LOTL or LOL) is an evasion technique that takes advantage of trusted system utilities, libraries, tools, and components, which are native to the operating system. The operations that this software performs appear to be legitimate, even though they are performed on behalf of a threat actor.

How it’s used

Malware uses LOLbins to perform operations, which appear to be typical. For example, malware can perform lateral movement, download malicious artifacts, and move to another stage of attack without triggering an alert. These operations can use trusted utilities and components, including those that are digitally signed.

How Next-Generation Antivirus blocks it

The Next-Generation Antivirus add-on stops unwanted process relationship executions by hiding LOLbins. This makes it impossible for attackers to find them and use them to continue their attack.

Resulting actions

The Next-Generation Antivirus add-on blocks processes from spawning LOLbins’ executions.

Forensic information available in alerts

In addition to the standard details, the resulting alert provides information about the blocked command that executed the child process.

Malicious Document Attacks

Malicious documents can sometimes misuse features such as macros, scripts, and built-in tools. The Malicious Document Attacks prevention engine disarms the malicious documents' attempts and allows applications to operate without being infected.

More information

Why it’s used

Threat actors use documents to lure victims through phishing or social engineering attacks, allowing them to deliver malicious code and gain a foothold on a machine. Traditional antivirus (AV) tools and threat analysts typically detect malware by comparing the hash of the document file to the malware hashes in their database.

However, it’s more difficult to detect malicious activity in popular software that’s used to open these documents, such as Microsoft Office or Adobe. This software is often misused as an evasive technique, carrying out the document’s malicious code on its behalf while remaining undetected, since the software is considered legitimate.

How it’s used

Malware uses legitimate document software to run macros, open script interpreters, obfuscate malicious code, use add-ons and extensions, download scripts, execute another executable program, and more.

How Next-Generation Antivirus blocks it

The Next-Generation Antivirus add-on isolates the document in the container software used to open it by preventing interaction with other script interpreters and executables that appear unusual or risky.

Resulting actions

The Next-Generation Antivirus add-on blocks malware from spawning risky child processes’ executions.

Forensic information available in alerts

In addition to the standard details, the resulting alert provides information about the blocked command that executed the child process.

OS Credential Dumping Attacks

Attackers or malware can sometimes attempt to harvest operating system credentials to gain access to an environment. The OS Credential Dumping Attacks prevention engine protects sensitive files, processes, and other key artifacts to prevent this type of threat.

More information

Why it’s used

It takes multiple steps for ransomware to be successful, including shutting down security controls and accessing restricted information to hold for ransom. Spreading through a network requires lateral movement, where attackers can attempt to dump credentials, allowing them to obtain account logins that enable their malware to move laterally.

How it’s used

Adversaries might attempt to access credentials stored in the process memory of the Local Security Authority Subsystem Service (LSASS). They can deploy tools that allow them to extract this data, exploit legitimate applications and processes, and use LOLbins to dump sensitive, credential information.

How Next-Generation Antivirus blocks it

The Next-Generation Antivirus add-on cloaks sensitive files, processes, and other artifacts, preventing attackers or their malware from harvesting credentials or other sensitive data—even if the threat finds a way to run on the system.

Resulting actions

The Next-Generation Antivirus add-on monitors API calls that attempt to access credentials stored in process memory of the LSASS, preventing access to this area and snapshot dumping using an LOLbin.

Forensic information available in alerts

In addition to the standard details, the resulting alert provides information about the sensitive asset where credential harvesting was attempted. It also provides the blocked command line involved in the attempt.

File and Process Manipulation Attacks

Malicious software can attempt to manipulate other software applications and processes to gain access to an asset’s internal files. This prevention engine prevents malware from making deceptive modifications to files and processes.

More information

Why it’s used

Traditional antivirus (AV) tools and threat analysts typically detect malware by comparing the hash of a file or process with the malware hashes in their database. Additionally, file systems often require dedicated permissions or access controls.

Making too many changes on a file system can trigger existing endpoint security controls, which block malware activity. However, legitimate programs with direct access can read and write files directly from the drive by analyzing file systems. These programs can access sensitive or vulnerable files in a way that doesn’t raise suspicion.

How it’s used

To avoid detection, adversaries abuse programs that already have direct access to file systems and can read and write files directly from the drive. These programs can be used to access sensitive files and then read, write, or execute on the malware’s behalf. This technique can bypass Windows file access controls and file system monitoring tools.

How Next-Generation Antivirus blocks it

To prevent the evasive techniques that exploit access to a file system, Next-Generation Antivirus can control access to the file system, making it inaccessible or unchangeable.

Resulting actions

The Next-Generation Antivirus add-on blocks attempts from the malicious process to access restricted file systems by manipulating the access controls to the file or path.

Forensic information available in alerts

In addition to the standard details, the resulting alert provides information about the blocked path that the process attempted to reach.

Data Encryption Attacks

Malicious software, particularly ransomware, can introduce processes that silently encrypt files. If this behavior is detected, Next-Generation Antivirus will terminate the destructive process.

More information

Why it’s used

Encryption occurs often in a Windows OS and is not necessarily malicious. Many built-in and third-party tools use native OS functions and methods of encryption to meet their functional requirements. These encryption methods, which are usually unmonitored, are often time and resource intensive.

Encryption makes it harder for endpoint security tools and threat analysts to identify ransomware as malicious. However, once the ransomware is detected, a signature is immediately created, preventing further infections.

How it’s used

Malware authors are aware of this technical challenge and have created a way to avoid it, using hidden or nested threads that allow them to execute their malicious code quickly while remaining unnoticed.

How Next-Generation Antivirus blocks it

The Next-Generation Antivirus add-on blocks ransomware’s attempts to hide in process threads. Instead of monitoring the encryption method itself, Next-Generation Antivirus monitors suspicious thread activities, rendering this technique ineffective.

Resulting actions

The Next-Generation Antivirus add-on terminates the process initiating hidden or nested threads.

Forensic information available in alerts

In addition to the standard details, the resulting alert provides information about the process that initiated the attack.

Configure a prevention policy

  1. Click Endpoint Prevention in Agent Management. The Prevention Groups subtab will already be selected.
  2. In your Prevention Groups table, browse to the custom prevention group you want to configure a policy for and click its table row. An interface with the prevention group details will display.
  3. Click Prevention Policy in the left navigation. The policy will be locked initially, so click Edit to unlock all configuration options.
  4. Use the sliders to select which prevention engines the policy should use.

Make your engine choices carefully!

If you turn off an engine for this policy, agents associated with this prevention group will be unable to detect, and therefore unable to alert on or act against, any threat this engine would otherwise have detected. If you choose to turn off a prevention engine, do so carefully and with clear intentions.

As an alternative to turning off a prevention engine, consider keeping it enabled in Detection Only mode so you continue to receive alerts on detected activity.

  5. Configure what action the Insight Agent should take for each engine and what priority their corresponding alerts should be tagged with.
    • For the On-Access Scan prevention engine, use the check boxes to configure the scope of the engine's scanning functionality.
  6. Click Save when finished, or Cancel to abandon your progress and return the policy to its prior saved state.

The Agents table in your Agent Management experience indicates the Antivirus Health status of each Insight Agent you have deployed in your currently selected organization.

Antivirus Health statuses

The Antivirus Health indicator specifically tracks the status of the On-Access Scanning prevention engine attached to the prevention policy that each of your agents is subject to. There are four possible health statuses:

  • Good - The On-Access Scanning prevention engine is enabled and running successfully.
  • Poor - The On-Access Scanning prevention engine is enabled and running, but the antivirus signatures are more than 7 days old.
  • Not Monitored - An Endpoint Prevention add-on is installed on this agent, but its prevention policy does not have the On-Access Scanning prevention engine enabled or the engine has encountered an internal error.
    • If this status appears unexpectedly, verify that the On-Access Scanning prevention engine is enabled in your policy first before moving on to troubleshooting steps.
  • N/A - An Endpoint Prevention add-on is not installed due to an incompatible operating system. Check the requirements for antivirus eligibility details.
    • Any Insight Agent installed on an operating system that's ineligible for an Endpoint Prevention add-on will have this status.
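The four statuses above reduce to a small triage routine that flags the agents needing a configuration change. The following Python is an added example, not Rapid7 code; the AgentState fields and the triage hints are assumptions for illustration, and the fleet data is constructed:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Threshold stated in the documentation: a running engine whose signatures are
# more than 7 days old is reported as "Poor".
SIGNATURE_MAX_AGE = timedelta(days=7)


@dataclass
class AgentState:
    """Snapshot of one Insight Agent. Field names are assumptions for this example,
    not the Insight Platform's own schema."""
    hostname: str
    os_eligible: bool                           # OS supports an Endpoint Prevention add-on
    on_access_enabled: bool                     # On-Access Scanning enabled in the group's policy
    engine_error: bool = False                  # engine reported an internal error
    signature_date: Optional[datetime] = None   # last antivirus signature update (UTC)


def antivirus_health(agent: AgentState, now: datetime) -> str:
    """Map an agent snapshot to one of the four Antivirus Health statuses."""
    # Precedence: OS eligibility, then whether the engine is actually running, then signature age.
    if not agent.os_eligible:
        return "N/A"
    if not agent.on_access_enabled or agent.engine_error:
        return "Not Monitored"
    # Assumption: an agent with no recorded signature update is treated like stale signatures.
    if agent.signature_date is None or now - agent.signature_date > SIGNATURE_MAX_AGE:
        return "Poor"
    return "Good"


# Hints follow the documentation: check the policy first for Not Monitored; Poor means stale signatures.
TRIAGE_HINT = {
    "Not Monitored": "verify On-Access Scanning is enabled in the group's policy before troubleshooting",
    "Poor": "signatures older than 7 days; check the agent's connectivity and engine updates",
}


def triage(agents: List[AgentState], now: datetime) -> List[Tuple[str, str, str]]:
    """Return (hostname, status, hint) for agents that need action, worst status first.
    Good agents need nothing and N/A agents cannot be fixed by policy, so both are omitted."""
    order = {"Not Monitored": 0, "Poor": 1}
    rows = []
    for agent in agents:
        status = antivirus_health(agent, now)
        if status in TRIAGE_HINT:
            rows.append((agent.hostname, status, TRIAGE_HINT[status]))
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


def sample_now() -> datetime:
    """Fixed reference time so the constructed sample is reproducible."""
    return datetime(2024, 1, 15, tzinfo=timezone.utc)


def sample_fleet(now: datetime) -> List[AgentState]:
    """Constructed sample data, not a real Agent Management export."""
    return [
        AgentState("win-fs01", True, True, signature_date=now - timedelta(days=1)),
        AgentState("win-app02", True, True, signature_date=now - timedelta(days=9)),
        AgentState("win-db03", True, False),                       # engine turned off in policy
        AgentState("win-web04", True, True, engine_error=True, signature_date=now),
        AgentState("legacy-box", False, False),                    # ineligible OS
    ]


if __name__ == "__main__":
    now = sample_now()
    for host, status, hint in triage(sample_fleet(now), now):
        print(f"{host:12} {status:14} {hint}")
```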

Task 3: Configure Tamper Protection and Password Protection

Windows-only feature

Tamper Protection and Password Protection are currently only available for assets running Windows operating systems.

Attackers often attempt to tamper with endpoint security solutions, so that they can freely perform malicious activities without being detected.

The Tamper Protection engine contains rules that protect the Next-Generation Antivirus add-on component of the Insight Agent, therefore protecting your assets continuously. When Tamper Protection is turned on, it prevents malware and bad actors from tampering with the files and functionality of Next-Generation Antivirus. It also offers the option of turning on Password Protection.

Using a one-time passcode (OTP) or a fixed password allows you to limit the users who can update, stop, or uninstall the Next-Generation Antivirus add-on. You can activate password protection at both the organizational level and for individual prevention groups that require extra security.

Types of password protection

You may find that you are unsure when to choose between a one-time passcode and a fixed password. Use this guidance to help you make the right decision and provide maximum protection for your assets:

  • One-Time Passcode (recommended) - After you enable Password Protection, the system begins generating a passcode at regular intervals. This passcode can be viewed and used for a limited amount of time to update, stop, or uninstall Next-Generation Antivirus (see the steps for setting the validation window). After the passcode expires, a newly generated passcode can be used. This passcode is valid even when the machine is disconnected from the Insight Platform.
  • Fixed Password - In addition to the one-time passcode, you can set an optional, fixed password. Having a fixed password is useful when you want to update your Insight Agents or uninstall them, because these tasks can take some time to complete and the OTP becomes impractical. You can use a fixed password across the entire organization, which covers all prevention groups, or you can specify a password for individual prevention groups, which will override the central password. This is useful in situations where your organization has a large number of prevention groups and multiple group administrators, because each admin can use a specific password to manage the groups that are assigned to them.

Password Protection is dependent on Tamper Protection being active

Password Protection can be enabled and configured only when Tamper Protection is turned on.

How to turn Tamper Protection on or off

Tamper Protection is enabled by default, both at the organizational level and for any newly created prevention group. For continuous protection from attacks, it is recommended that you keep it enabled. However, there are some situations where you might need to turn it off.

To turn Tamper Protection on or off:

  1. Click Data Collection > Agents.
  2. Click Endpoint Prevention and select Security Settings in the left navigation.
  3. Turn the Tamper Protection toggle on or off.

Tamper Protection actively protects all of the prevention groups in your organization. However, if you decide that one or more prevention groups require no protection, you can turn it off.

To turn Tamper Protection on or off for a prevention group:

  1. Click Data Collection > Agents.
  2. Select Endpoint Prevention > Prevention Groups.
  3. Select the prevention group you want to modify.
  4. Select Security Details in the left navigation.
  5. Turn the Tamper Protection for Windows toggle on or off.

Tamper Protection works in Active Prevention mode only

For Tamper Protection to be effective, ensure that the activation mode is set to Active Prevention. Read more about activation modes.

How to turn Password Protection on or off

Password protection ensures that users cannot update, stop, or uninstall Next-Generation Antivirus without either a passcode or a password.

Password protection is disabled by default and must be switched on before you can use it.

You can apply password protection to the entire organization or set a specific password on an individual prevention group.

To turn password protection on or off:

  1. Click Data Collection > Agents.
  2. Click Endpoint Prevention and select Security Settings in the left navigation.
  3. Ensure that the Tamper Protection toggle is turned on.
  4. Turn the Password Protection toggle on or off.

To turn password protection on or off for a prevention group:

  1. Click Data Collection > Agents.
  2. Select Endpoint Prevention > Prevention Groups.
  3. Select the prevention group you want to modify.
  4. Select Security Details in the left navigation.
  5. Ensure that the Tamper Protection toggle is turned on.
  6. Turn the Password Protection toggle on or off.

Get the one-time passcode

The one-time passcode is the most secure option, because the passcode refreshes after a short interval and cannot be guessed by attackers.

Because you must enter the passcode in the update, stop, or uninstall commands, you must decide the validation window that you can allow before the passcode expires.

To get the one-time passcode:

  1. Click Data Collection > Agents.
  2. Select the Endpoint Prevention tab and click Security Settings.
  3. Under Password Protection, click Get One-Time Passcode.
  4. The One-Time Passcode modal displays, where you can copy and paste the passcode into a text editor or directly into your command prompt.

The remaining time is displayed, which tells you how much time you have to use that passcode before it expires and a new one is generated.

To set the validation window:

  1. Click Data Collection > Agents.
  2. Select Endpoint Prevention and select Security Settings in the left navigation.
  3. Under Password Protection, click Edit Validation Window.
  4. Select a time frame.
  5. Click Save.

Use a short validation window for better protection

To limit the security risk, it is recommended that you select the shortest feasible validation window.

Create a fixed password

The fixed password is an optional setting for the Next-Generation Antivirus add-on. It isn't required, and configuring a fixed password increases the risk of a security breach. By comparison, one-time passcodes are more secure and are therefore recommended.

However, a fixed password can be useful when your Insight Agent configuration work will take longer than a one-time passcode allows. For example, updating or uninstalling Next-Generation Antivirus on Insight Agents can take some time and sometimes requires multiple users to complete.

When you no longer need your fixed password, it is best to remove it and use a one-time passcode.

Note: Because your password is used as a parameter in a command, it must not contain characters that will abort the command. For example, these characters are invalid for a fixed password: < > " : * ? \ / |

To create a password:

  1. Click Data Collection > Agents.
  2. Click Endpoint Prevention and select Security Settings in the left navigation.
  3. Under Password Protection, click Create Password.
  4. Enter a password and confirm the password you entered.
  5. Click Save.

To create a password for a prevention group:

  1. Click Data Collection > Agents.
  2. Click Endpoint Prevention > Prevention Groups.
  3. Select the prevention group you want to modify.
  4. Under Password Protection, click Create Password.
  5. Enter a password and confirm the password you entered.
  6. Click Save.

Task 4: Create Exclusions

You can instruct your Next-Generation Antivirus add-on to exclude asset behavior that would otherwise trigger a response from your prevention policies.

Exclusions are dependent on the prevention engines included in your license

Each prevention engine detects and alerts on certain asset behaviors, so exclusions are relative to those behaviors. If some of the exclusions documented here do not appear in your environment, check your license or contact Rapid7 if you wish to upgrade.

Exclusion rules and characteristics

In general, exclusions in Next-Generation Antivirus should be approached with more caution and consideration than similar exclusion capabilities offered by other Rapid7 features.

At its strictest level, Next-Generation Antivirus is designed to intervene automatically when a threat is detected. Excluding certain behavior from this intervention also means increasing the risk to your assets.

Ultimately, your business is in the best position to know what level of risk is acceptable in your environment and what asset behaviors can be safely ignored, but any exclusions you create in Next-Generation Antivirus should be clearly intentioned nonetheless.

Exclusion types

While you may want to create some exclusions proactively, you may also need to create them after you receive an alert in InsightIDR about benign activity.

When creating an exclusion proactively, without the context of a given alert, the available exclusion types are Path, Hash, and Extension. When creating an exclusion from an alert you received in InsightIDR, the Insight Platform provides the applicable exclusion type based on the alert type and the associated prevention engine.

That means not all exclusion types are available for every alert. In addition, in some cases the process that triggered an alert is a container, sensitive, or generic process. The Insight Platform may adjust the applicable exclusion for these processes to give more granular exclusion. This is intended behavior to avoid security exposure.

Criteria you can exclude

You can exclude these types of detectable criteria from the Next-Generation Antivirus add-on:

  • Hash - Allows you to exclude a file by its SHA256 hash value.
  • Paths - Allows you to exclude a file path on your assets.
    • This exclusion type is useful if your assets run software or services at a specific location and you want to ensure that Next-Generation Antivirus does not impact how these tools operate.
  • Extensions - Allows you to exclude an entire file type.
    • This exclusion type is useful if your assets regularly use a specific file format that you don't want Next-Generation Antivirus to scan.
    • Because this type only affects scanning, an extension exclusion can only be created with the Deflect scanning purpose.
  • Process - Allows you to exclude an executable (.exe) process path on your assets.
  • Certificate - Allows you to exclude a digitally signed process by its certificate details. You can also choose the level at which the process certificate details are identified:
    • Publisher - Any executable process signed by the publisher found in the certificate is excluded. This is the broadest level: every binary that publisher has signed is covered.
    • Product - Any executable process signed by that publisher and carrying the product definition found in the certificate is excluded.
    • File name - Only an executable process matching the publisher, product, and file name is excluded. This is the narrowest level.
  • Script - Allows you to exclude a specific script or command that a process is attempting to execute.
  • File Access - Allows you to exclude specific directories or files that a process is attempting to reach.

Supported criteria for prevention engines

Depending on the alert type and context, this table indicates the attributes that prevention engines are monitoring and the types of exclusions that are allowed:

Prevention Engine              | Path | Hash | Process | Extension | Script | File Access | Certificate
On-Access Scanning             | X X X X
Memory Injection               | X X X
Malicious Document             | X X
Living-Off-the-Land            | X
OS Credential Dumping          | X X X
File and Process Manipulation  | X X
Data Encryption                | X X X

Each X marks an exclusion type the engine allows. The marks in this copy are no longer aligned to their columns; the exclusion creation window shows the exact types that apply to a given alert.

Set the purpose

If you have the On-Access Scanning (Antivirus) prevention engine, you can tune your exclusions to get more granular control.

Only applies with the On-Access Scanning (Antivirus) engine

If the On-Access Scanning prevention engine is not included in your environment, this setting does not apply.

The 3 available options are:

Scope of exclusions

You can apply exclusions to all of the prevention groups in your organization – these are called 'global exclusions'. You can also apply them to individual prevention groups during the creation or editing process, meaning the exclusions will apply only to the agents within that group.

Configure an exclusion

  1. In your Agent Management experience, click Endpoint Prevention.
  2. Determine whether you want the exclusion to be Global or prevention group-specific:
    • For Global exclusions, click the Global Exclusions subtab and click Create Global Exclusion. The exclusion creation window appears.
    • For prevention group-specific exclusions, click the Prevention Groups subtab and click the prevention group for which you want to create an exclusion. Select Exclusions from the left navigation and click Create Exclusion. The exclusion creation window appears.
  3. Select the operating system.
  4. Select the exclusion type.
  5. Based on the type you selected, enter a value as prompted by the example shown.
  6. If desired, give the exclusion a description.
  7. If you have the On-Access Scanning (Antivirus) engine, select the purpose of the exclusion.
    • Exclusions of the Extension type will have the Deflect scanning option already selected. This is the only purpose available for this exclusion type.
  8. Click Save when finished.

You can edit both Global and prevention group-specific exclusions from the same location you create them from.

Wildcards

Exclusion data will often need to be flexible because of dynamic paths and command line arguments. Exclusions for Rapid7's Next-Generation Antivirus support wildcards in path-based exclusions and in script/file access based exclusions.

An asterisk replaces any run of characters up to the next literal character in the pattern. For example, C:\{myfolder}\*\abc.exe matches abc.exe whatever sits between the two backslashes, such as C:\{myfolder}\build\abc.exe or C:\{myfolder}\v2\abc.exe.

A question mark replaces exactly one character. For example, ?:\{myfolder}\abc.exe applies to both C:\{myfolder}\abc.exe and D:\{myfolder}\abc.exe, but not to a path whose drive designator is longer than one character.

Wildcards for path-based exclusions

Excluding a process or file path may need to be flexible since paths may differ, or may be dynamically used by the same process.

You can use an asterisk wildcard in the path to represent any folder and sub-folders. If you need to exclude an entire folder, you must place the wildcard at the end of your exclusion path.

For example, C:\{myfolder}\* would apply to any executable that resides directly in the {myfolder} folder and all its sub-folders.

Required formatting

A path-based exclusion that names a folder without an asterisk at the end has no effect: the files inside that folder are still scanned.

Wildcards for script/file access based exclusions

When you receive an alert from one of the Prevention Engines that can be excluded using script or file access (see the table above), wildcard exclusions can be used to replace the parts of the blocked command or path that are likely to change every time the alert is triggered.

Because a wildcard exclusion matches multiple alerts (multiple blocked command lines or blocked paths), a single exclusion can cover all similar alerts.

Sometimes the same process will produce multiple alerts that appear the same, however the excluded command or path are slightly different. You can use wildcards to replace the section of the exclusion that will dynamically change. For example, if you have two alerts that contain process.123.exe and process.456.exe, you can use process.*.exe to exclude both these alerts at once.
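The following is an added example, not Rapid7 code, that models the exclusion types listed under "Criteria you can exclude" and the wildcard rules above, so that a candidate exclusion can be tested against the paths or command lines taken from real alerts before it is saved. The `Alert` record, the exclusion dictionaries and the sample data are constructed for the example; the page does not state whether matching is case-insensitive or whether `*` spans backslashes, so both are assumptions here, and the `review_warnings()` thresholds are this editor's own review heuristics rather than product rules.

```python
"""Model of Next-Generation Antivirus exclusion matching (added example, not Rapid7 code).

Assumptions not stated on the page: matching is case-insensitive, '*' also spans
backslashes, and the review_warnings() thresholds are the editor's own heuristics.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Alert:
    """Constructed alert record with the fields an exclusion is matched against."""
    path: str                                   # file or process path on the asset
    sha256: str = ""
    command_line: str = ""                      # blocked command (Script) or target path (File Access)
    signer: dict = field(default_factory=dict)  # publisher / product / file_name from the signature


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """'*' = any run of characters up to the next literal, '?' = exactly one character.

    Everything else is literal, so dots and parentheses in paths are escaped.
    """
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts), re.IGNORECASE)


def matches(pattern: str, value: str) -> bool:
    """True if the whole value is covered by the wildcard pattern."""
    return wildcard_to_regex(pattern).fullmatch(value) is not None


def is_excluded(exclusion: dict, alert: Alert) -> bool:
    """Apply one exclusion to one alert according to the exclusion's type."""
    kind, value = exclusion["type"], exclusion["value"]
    if kind == "Hash":
        return alert.sha256.lower() == value.lower()
    if kind == "Extension":
        return alert.path.lower().endswith("." + value.lower().lstrip("."))
    if kind in ("Path", "Process"):
        # The pattern is compared against the whole path, so a folder written
        # without a trailing '*' never matches a file inside it (no effect).
        return matches(value, alert.path)
    if kind in ("Script", "File Access"):
        return matches(value, alert.command_line)
    if kind == "Certificate":
        # Publisher < Product < File name: each level adds one field that must also match.
        levels = {"Publisher": ("publisher",),
                  "Product": ("publisher", "product"),
                  "File name": ("publisher", "product", "file_name")}
        return all(alert.signer.get(f, "").lower() == value[f].lower()
                   for f in levels[exclusion["level"]])
    raise ValueError(f"unknown exclusion type: {kind}")


def excluded_by(alert: Alert, exclusions: list) -> list:
    """Names of every exclusion that would suppress the alert (empty = still enforced)."""
    return [e["name"] for e in exclusions if is_excluded(e, alert)]


# Editor's review heuristics (assumed, not product rules): flag exclusions broader
# than the page's "clearly intentioned" guidance would normally justify.
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")
EXECUTABLE_EXTS = {"exe", "dll", "ps1", "bat", "cmd", "vbs", "js", "hta", "scr"}


def review_warnings(exclusion: dict) -> list:
    """Return human-readable reasons an exclusion deserves a second look."""
    kind, value = exclusion["type"], exclusion["value"]
    warnings = []
    if kind in ("Path", "Process", "Script", "File Access"):
        literal = value.replace("*", "").replace("?", "")
        if len(literal) < 4:                      # e.g. '*' or '?:\*'
            warnings.append("pattern is almost entirely wildcard")
        if kind in ("Path", "Process") and value.lower().startswith(USER_WRITABLE):
            warnings.append("excludes a user-writable location")
    if kind == "Extension" and value.lower().lstrip(".") in EXECUTABLE_EXTS:
        warnings.append("excludes an executable file type")
    if kind == "Certificate" and exclusion["level"] == "Publisher":
        warnings.append("Publisher level trusts every binary from that signer")
    return warnings


if __name__ == "__main__":
    # Constructed sample exclusions and alerts.
    exclusions = [
        {"name": "tools-folder", "type": "Path", "value": r"C:\Tools\*"},
        {"name": "tools-no-star", "type": "Path", "value": r"C:\Tools"},
        {"name": "any-drive", "type": "Process", "value": r"?:\Tools\abc.exe"},
        {"name": "rotating-name", "type": "Script", "value": r"process.*.exe --sync"},
        {"name": "vendor", "type": "Certificate", "level": "Product",
         "value": {"publisher": "Example Corp", "product": "Backup Agent"}},
    ]
    alerts = [
        Alert(path=r"C:\Tools\build\abc.exe"),
        Alert(path=r"D:\Tools\abc.exe", command_line=r"process.456.exe --sync"),
        Alert(path=r"C:\Users\bob\abc.exe",
              signer={"publisher": "Example Corp", "product": "Backup Agent"}),
    ]
    for a in alerts:
        print(a.path, "->", excluded_by(a, exclusions) or "ENFORCED")
    for e in exclusions:
        print(e["name"], review_warnings(e))
```

Running the script shows `tools-no-star` never matching anything inside `C:\Tools`, which is the "no effect" case from the required formatting note, and `rotating-name` covering both `process.123.exe` and `process.456.exe` style command lines with one entry. Use `review_warnings()` as a gate in whatever change process wraps exclusion creation: the page leaves the risk decision to your business, and a flagged entry is the one that should carry a written justification.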

Task 5: Change the Activation Mode

Your Next-Generation Antivirus add-on can operate in one of two possible activation modes: Monitor Only and Active Prevention. Like all settings in Agent Management, you configure this activation mode on a per-organization basis:

  • Monitor Only - Your Insight Agents will not take any of the actions dictated by your prevention policies when threats are detected, but monitoring will continue nonetheless. When threats are detected, these events will be logged and alerts will still be generated.
    • This is the default mode for Next-Generation Antivirus and allows you to complete all necessary configuration tasks before you're ready to switch to Active Prevention.
    • If you need to troubleshoot your Next-Generation Antivirus add-on configuration, you can switch back to Monitor Only for this purpose.
  • Active Prevention - Your Insight Agents will actively respond to detected threats with the actions dictated by your prevention policies. These events are also logged and sent to InsightIDR for analysis and further action, if necessary.

How to switch between activation modes

You can switch between Monitor Only and Active Prevention at any time in the Endpoint Prevention tab:

  1. In your Agent Management experience, click Endpoint Prevention.
  2. Click Activation Mode.
  3. Change your activation mode selection as necessary.
    • If you've finished configuring your Next-Generation Antivirus add-on and you're ready to enable Active Prevention for the first time, do so now.
    • If you need to troubleshoot your Next-Generation Antivirus add-on, switch to Monitor Only for the duration to avoid any disruption in your environment.
  4. Click Save Changes to finish.