Install Ransomware Prevention

Ransomware Prevention is available to Managed Threat Complete (MTC) Ultimate and Managed Detection and Response (MDR) customers who have purchased the Ransomware Prevention add-on.

Ransomware Prevention is an add-on to your Insight Agent that provides Endpoint Prevention capabilities. Review the requirements for the Ransomware Prevention add-on.

Deployment options

There are two deployment options available for Ransomware Prevention: managed updates (Option 1) or an installation package (Option 2).

Once you have decided which deployment option you will use, follow the instructions to install Ransomware Prevention as an add-on for your Insight Agent.

Option 1: Deploy using managed updates

If you have managed updates enabled for the organization you want to deploy Ransomware Prevention on, Rapid7 can deploy the add-on for you. To request that Rapid7 deploy Ransomware Prevention on your Insight Agent, create a support ticket for your Customer Advisor.

Option 2: Deploy using an installation package

If you have disabled managed updates for the organization you want to deploy Ransomware Prevention on, you must use the following instructions to deploy the add-on.

Deploy using an installation package

Task 1: Download the Insight Agent with Ransomware Prevention

You will need to download a bundle with the Insight Agent and Ransomware Prevention add-on. To obtain the files required for this step, create a support ticket for your Customer Advisor.

Task 2: Decide which installation option to use

There are two main Agent Installation options available that can be used interchangeably: installing with a Token, or installing with the Certificate Package.

What is a Token?

A token is your organization’s unique identifier that links the installed Insight Agents to your organization. When installing using the token, the Insight Agent reaches out to the Insight Platform to download the certificate files necessary for successful installation. This installation option requires connectivity to the Insight Platform directly through a Rapid7 Endpoint or a Collector.

If you are installing the agent in an environment with stricter network requirements, we recommend using the Certificate Package.

Your token consists of two parts:

  • The region identifier - This portion identifies the region where your organization is located. For example, us is the region identifier for the United States, while ca is the region identifier for Canada.

  • The Universally Unique Identifier (UUID) - The UUID represents the token itself. The API request initiated by the installer sends this UUID to the Insight Platform in order to retrieve the JSON document that references all the necessary dependencies listed below.

A fully generated token appears in the following format:

<region_id>:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

Note that during installation with a token, the Insight Agent installer downloads the following dependencies onto your asset. All together, these dependencies are no more than 20KB in size:

  • client.key
  • client.crt
  • config.json
  • cafile.pem

If you intend to install the Insight Agent using your organization’s token:

  • Your assets must be able to communicate with the Insight Platform in order for the installer to download its necessary dependencies.
  • If your assets are deployed in a network with strict URL filtering rules in place, you may need to allowlist the following token resource endpoint to ensure that the installer can pull its configuration files from the Insight Platform. Substitute <REGION> with the code that applies to your data region:

https://<REGION>.deployment.endpoint.ingress.rapid7.com/api/v1/get_agent_files

What is the Certificate Package?

Certificate installation terminology

Note that the certificate installation was previously referred to under Advanced within the Insight Agent installation options.

The Certificate Package contains your organization's unique configuration files, which are required for successful installation of the agent. These files are downloaded automatically when installing with a token, but are provided here for easy access in case some of the assets in your environment don't have direct connectivity to the Insight Platform through a Rapid7 Endpoint or a Collector. We recommend installing the Insight Agent using the Certificate Package in environments with stricter network requirements.

Your Certificate Package ZIP file contains the following security files in addition to the installer executable:

  • client.key
  • client.crt
  • config.json
  • cafile.pem

Expired Certificates

If you use the certificate package installation option to install the Insight Agent, your certificates will expire after 5 years. Insight Agents that were previously installed with a valid certificate are not impacted and will continue to update their SSL certificates. New installations of the Insight Agent using an expired certificate will not be able to fully connect to the Insight Platform to run jobs in InsightVM, InsightIDR, or InsightOps.

Refresh your Certificates

If you host your certificate package on a network share, or if it is baked into a golden image for a virtual machine, redownload your certificate package within 5 years to ensure new installations of the Insight Agent run correctly.

Task 3: Install the Insight Agent with Ransomware Prevention

Once you have determined which option you would like to use in task 2, you’re ready to install the Insight Agent with the Ransomware Prevention add-on.

Insight Agent version

Ransomware Prevention for Windows operating systems requires Insight Agent version 4.0.0.0 or higher. For more information, read the Ransomware Prevention requirements.

Installation services and folders

Ransomware Prevention is installed on your assets as the Rapid7 Endpoint Prevention service: it runs as two services on a 64-bit OS and as a single service on a 32-bit OS.

The Ransomware Prevention installation folder is located in C:\Program Files\Rapid7\Insight Agent\components\armor. Refer to the Endpoint Prevention overview for more information on how Ransomware Prevention works.

Install using a Token (Windows)
  1. Locate (or generate, if necessary) your organization's token by navigating to insight.rapid7.com > Data Collection > Agents > Agent Installer > Token Management.
  2. Extract the contents of the ZIP file you downloaded to a directory that you can access with the Windows command prompt (cmd). The extracted ZIP file will contain these files (this example is for the 64-bit installer variety):
    • agentinstaller-x86_64.msi
    • rapid7_endpoint_prevention_installer.bat
    • armor (folder)
  3. Open a command prompt as an Administrator and navigate to the extraction folder that contains these files.
  4. Run the following command, substituting the {token} with your organization’s token you located in step 1:
rapid7_endpoint_prevention_installer.bat CUSTOMTOKEN={token}
Install using a Certificate Package (Windows)
  1. Obtain the ZIP file with the latest version of Ransomware Prevention.
  2. Download the latest Certificate Package from insight.rapid7.com > Data Collection Management > Agent Installer > Install the Insight Agent using the Certificate Package > Download Certificate.
  3. Extract the contents of the ZIP file you downloaded in step 1 and add the files included in the Certificate Package from step 2 to the same folder, one that you can easily access with the Windows command prompt (cmd). Once both ZIP files are extracted, the folder will contain these files:
    • client.key
    • client.crt
    • config.json
    • cafile.pem
    • agentinstaller-x86_64.msi
    • rapid7_endpoint_prevention_installer.bat
    • armor (folder)
  4. Open the Windows command prompt (cmd) as an Administrator and navigate to the extracted folder, which contains the rapid7_endpoint_prevention_installer.bat file.
  5. Run the following command:
rapid7_endpoint_prevention_installer.bat
    • If you extracted the contents of the certificate ZIP file to a different directory than the default one (the folder containing the batch script), add the CUSTOMCONFIGPATH option when running the batch script, substituting <PATH> with the path to the certificate directory: rapid7_endpoint_prevention_installer.bat CUSTOMCONFIGPATH=<PATH>

Install Ransomware Prevention on a different Prevention Group than the DEFAULT group

If you want to associate this Insight Agent with an existing Prevention Group other than the DEFAULT group, you can do so by providing an additional DESIRED_GROUP option. As long as the group name you provide matches an existing prevention group, the Insight Agent will automatically become a member of that group once installed. If no group matches the name you provide here, the Insight Agent will become a member of the default group according to its standard behavior.

For a Token installation:

rapid7_endpoint_prevention_installer.bat CUSTOMTOKEN={token} DESIRED_GROUP=MyGroupName

For a Certificate Package installation:

rapid7_endpoint_prevention_installer.bat DESIRED_GROUP=MyGroupName
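The following PowerShell wrapper is an added example (it is not Rapid7 code) that ties together Task 2 and Task 3: it validates the token format and checks that the token resource endpoint is reachable before a Token installation, refuses an expired Certificate Package before a Certificate Package installation, and then runs rapid7_endpoint_prevention_installer.bat with the documented CUSTOMTOKEN, CUSTOMCONFIGPATH and DESIRED_GROUP options. The function name, its parameters, the assumption that region identifiers are two lowercase letters, and the assumption that client.crt is a standard PEM or DER X.509 certificate are this example's own; the Test-NetConnection check only applies when assets talk to the Insight Platform directly rather than through a Collector.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the Rapid7 documentation or installer.
# Usage:
#   Install-RansomwarePrevention -InstallerDir C:\r7 -Token 'us:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' -DesiredGroup Servers
#   Install-RansomwarePrevention -InstallerDir C:\r7 -CertificateDir C:\r7\certs
function Install-RansomwarePrevention {
    [CmdletBinding(DefaultParameterSetName = 'Token')]
    param(
        # Folder holding rapid7_endpoint_prevention_installer.bat, the MSI and the armor folder
        [Parameter(Mandatory)] [string] $InstallerDir,
        # <region_id>:<UUID> token from Data Collection > Agents > Agent Installer > Token Management
        [Parameter(Mandatory, ParameterSetName = 'Token')] [string] $Token,
        # Folder holding client.key, client.crt, config.json and cafile.pem
        [Parameter(Mandatory, ParameterSetName = 'Certificate')] [string] $CertificateDir,
        # Optional name of an existing Prevention Group (falls back to DEFAULT if unknown)
        [string] $DesiredGroup
    )

    $bat = Join-Path $InstallerDir 'rapid7_endpoint_prevention_installer.bat'
    if (-not (Test-Path $bat)) { throw "Installer script not found: $bat" }
    $batArgs = @()   # not named $args, which is an automatic variable in PowerShell

    if ($PSCmdlet.ParameterSetName -eq 'Token') {
        # Token format is <region_id>:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX; catch paste damage early.
        # Assumption: region identifiers are two lowercase letters (e.g. us, ca).
        if ($Token -notmatch '^[a-z]{2}:[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$') {
            throw 'Token does not look like <region_id>:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'
        }
        # A token install must fetch client.key/client.crt/config.json/cafile.pem from the
        # regional token resource endpoint; warn if TCP 443 to it is blocked (direct connectivity assumed).
        $endpoint = "$($Token.Split(':')[0]).deployment.endpoint.ingress.rapid7.com"
        if (-not (Test-NetConnection -ComputerName $endpoint -Port 443 -InformationLevel Quiet)) {
            Write-Warning "Cannot reach $endpoint on 443; the installer may fail to download its dependencies. Consider the Certificate Package option."
        }
        $batArgs += "CUSTOMTOKEN=$Token"
    }
    else {
        foreach ($f in 'client.key', 'client.crt', 'config.json', 'cafile.pem') {
            if (-not (Test-Path (Join-Path $CertificateDir $f))) { throw "Certificate Package is missing $f" }
        }
        # Certificate Packages expire after 5 years. A new install with an expired package cannot fully
        # connect to the Insight Platform, so refuse it here instead of producing a half-working agent.
        # Assumption: client.crt is a PEM/DER X.509 certificate loadable by X509Certificate2.
        $crt = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Join-Path $CertificateDir 'client.crt')
        if ($crt.NotAfter -lt (Get-Date)) {
            throw "client.crt expired on $($crt.NotAfter); download a fresh Certificate Package from the Insight Platform"
        }
        elseif ($crt.NotAfter -lt (Get-Date).AddMonths(6)) {
            Write-Warning "client.crt expires on $($crt.NotAfter); refresh golden images and network-share copies soon"
        }
        # CUSTOMCONFIGPATH is only needed when the certificate files are not beside the batch script
        $certPath = (Resolve-Path $CertificateDir).Path.TrimEnd('\')
        if ($certPath -ne (Resolve-Path $InstallerDir).Path.TrimEnd('\')) {
            $batArgs += "CUSTOMCONFIGPATH=$certPath"
        }
    }

    if ($DesiredGroup) { $batArgs += "DESIRED_GROUP=$DesiredGroup" }

    # Run the batch script through cmd.exe from the extraction folder, as the manual procedure does,
    # and hand back its exit code so callers (SCCM, Intune, Ansible) can decide what to do on failure.
    $cmdArgs = @('/c', "`"$bat`"") + $batArgs
    $proc = Start-Process -FilePath 'cmd.exe' -ArgumentList $cmdArgs -WorkingDirectory $InstallerDir -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}
```

The expiry check is the part worth keeping even if you script the rest differently: a Certificate Package baked into a golden image will silently age past its 5-year lifetime, and the resulting agents look installed but never fully connect.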

Verify Ransomware Prevention is deployed

Go to Data Collection > Agents and open the Endpoint Prevention tab. To verify that Ransomware Prevention has been deployed successfully, check that the assets you installed it on are visible here, in either the DEFAULT Prevention Group or the custom Prevention Group you specified.
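The console check above confirms the asset has reported in. The following function, an added example rather than Rapid7 tooling, performs the matching checks on the asset itself: the components\armor folder from the installation notes, the Rapid7 Endpoint Prevention service(s) (two on 64-bit, one on 32-bit), and the Insight Agent version against the 4.0.0.0 minimum. The function name, the default agent path and the assumption that the agent registers in Programs and Features under the display name "Rapid7 Insight Agent" are this example's own.

```powershell
# Added example, not part of the Rapid7 documentation.
function Test-RansomwarePrevention {
    [CmdletBinding()]
    param(
        [string]  $AgentRoot = 'C:\Program Files\Rapid7\Insight Agent',
        [version] $MinimumAgentVersion = '4.0.0.0'
    )
    $result = [ordered]@{}

    # 1. Installation folder documented for the add-on
    $result.ArmorFolderPresent = Test-Path (Join-Path $AgentRoot 'components\armor')

    # 2. Services: the docs describe two services on a 64-bit OS and one on a 32-bit OS,
    #    shown in services.msc as "Rapid7 Endpoint Prevention 64bit" / "... 32bit"
    $svcs = @(Get-Service -DisplayName 'Rapid7 Endpoint Prevention*' -ErrorAction SilentlyContinue)
    $result.PreventionServices = @($svcs | ForEach-Object { "$($_.DisplayName)=$($_.Status)" })
    $expectedCount = if ([Environment]::Is64BitOperatingSystem) { 2 } else { 1 }
    $notRunning = @($svcs | Where-Object { $_.Status -ne 'Running' })
    $result.AllServicesRunning = ($svcs.Count -eq $expectedCount) -and ($notRunning.Count -eq 0)

    # 3. Insight Agent version from the Programs and Features registry data.
    #    Assumption: the agent's DisplayName there is 'Rapid7 Insight Agent'.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $agent = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -eq 'Rapid7 Insight Agent' } | Select-Object -First 1
    $result.AgentVersion   = if ($agent) { $agent.DisplayVersion } else { $null }
    $result.AgentVersionOk = [bool]$agent -and ([version]$agent.DisplayVersion -ge $MinimumAgentVersion)

    $result.Healthy = $result.ArmorFolderPresent -and $result.AllServicesRunning -and $result.AgentVersionOk
    [pscustomobject]$result
}

# Run on the asset after installation; Healthy should be True before you expect it in the console.
Test-RansomwarePrevention | Format-List
```

If Healthy is True locally but the asset never appears on the Endpoint Prevention tab, the problem is connectivity to the Insight Platform (Collector, proxy or URL filtering), not the installation.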

Update Ransomware Prevention

If you have enabled managed agent updates, you don't need to perform any manual tasks to update Ransomware Prevention. However, if you need to manually update the service while password protection is on, you must include either the one-time passcode or fixed password as the final parameter of the command you run.

Update Ransomware Prevention for Windows operating systems (Token Installation)
  1. Obtain the ZIP file with the latest version of Ransomware Prevention.
  2. Locate (or generate, if necessary) your organization's token by navigating to insight.rapid7.com > Data Collection > Agents > Agent Installer > Token Management.
  3. Extract the contents of the ZIP file to a directory that you can easily access with a command prompt.
  4. Open a command prompt as an Administrator and navigate to the extracted folder, which contains the rapid7_endpoint_prevention_installer.bat file.
  5. Run this command, replacing the <token> and the <passcode or password> parameters with the installer token and either the one-time passcode or a fixed password:
rapid7_endpoint_prevention_installer.bat CUSTOMTOKEN=<token> stop_service_password= <passcode or password>
Update Ransomware Prevention for Windows operating systems (Certificate Package Installation)
  1. Obtain the ZIP file with the latest version of Ransomware Prevention.
  2. Download the latest Certificate Package from insight.rapid7.com > Data Collection Management > Agent Installer > Install the Insight Agent using the Certificate Package > Download Certificate.
  3. Extract the contents of the ZIP file you downloaded in step 1 and add the files included in the Certificate Package from step 2 to the same folder, one that you can easily access with the Windows command prompt (cmd). Once both ZIP files are extracted, the folder will contain these files:
    • client.key
    • client.crt
    • config.json
    • cafile.pem
    • agentinstaller-x86_64.msi
    • rapid7_endpoint_prevention_installer.bat
    • armor (folder)
  4. Open the Windows command prompt (cmd) as an Administrator and navigate to the extracted folder, which contains the rapid7_endpoint_prevention_installer.bat file.
  5. Run this command, replacing the <passcode or password> parameter with either the one-time passcode or a fixed password:
rapid7_endpoint_prevention_installer.bat stop_service_password= <passcode or password>
    • If you extracted the contents of the ZIP file to a different directory than the default one (the folder containing the batch script), add the CUSTOMCONFIGPATH option when running the batch script, substituting <PATH> with the path to the certificate directory: CUSTOMCONFIGPATH=<PATH>

Stop and restart Ransomware Prevention

If you need to troubleshoot a problem, you can stop Ransomware Prevention on an asset, even if the asset is offline or has been disconnected.

With password protection turned on, you will need to either get the one-time passcode or know the fixed password, if one is configured. The fixed password might be the organization-wide fixed password or one that is specific to the prevention group that the asset belongs to.

To stop Ransomware Prevention:

  1. Log into the asset on which you want to stop the Ransomware Prevention add-on.
  2. Open a command prompt as an Administrator and run this command, replacing <passcode or password> with either the one-time passcode you obtained from the Security Settings page or a fixed password that you configured:
C:\Program Files\Rapid7\Insight Agent\components\armor\common\armor\MVarmorService32.exe --stop_service <passcode or password>

Note: The service can take several minutes to stop.

To restart Ransomware Prevention:

  1. In your Start menu, select Run > services.msc.
  2. Depending on your asset, start either the Rapid7 Endpoint Prevention 64bit service or the Rapid7 Endpoint Prevention 32bit service.
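Because the stop can take several minutes, a script that issues --stop_service and immediately assumes the service is down will mislead you. The following added example (not Rapid7 code) runs the documented stop command, polls the Rapid7 Endpoint Prevention service(s) until they report Stopped or a timeout elapses, and provides the counterpart to starting the service from services.msc. The function names, the polling interval and the timeout are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the Rapid7 documentation.
function Stop-RansomwarePrevention {
    [CmdletBinding()]
    param(
        # One-time passcode from the Security Settings page, or the organization-wide / group fixed password
        [Parameter(Mandatory)] [string] $Passcode,
        [string] $ServiceExe = 'C:\Program Files\Rapid7\Insight Agent\components\armor\common\armor\MVarmorService32.exe',
        [int]    $TimeoutMinutes = 10
    )
    if (-not (Test-Path $ServiceExe)) { throw "Not found: $ServiceExe" }

    # Documented stop command. The passcode is a secret: pass it as an argument, never log the command line.
    & $ServiceExe --stop_service $Passcode

    # The docs warn the service can take several minutes to stop, so poll instead of assuming success.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $running = @(Get-Service -DisplayName 'Rapid7 Endpoint Prevention*' -ErrorAction SilentlyContinue |
                     Where-Object { $_.Status -ne 'Stopped' })
        if ($running.Count -eq 0) { return $true }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)

    Write-Warning "Still not stopped after $TimeoutMinutes minutes: $(($running | ForEach-Object DisplayName) -join ', ')"
    return $false
}

function Start-RansomwarePrevention {
    # Same effect as starting the Rapid7 Endpoint Prevention 64bit / 32bit service in services.msc;
    # the wildcard handles both the two-service (64-bit OS) and one-service (32-bit OS) layouts.
    Get-Service -DisplayName 'Rapid7 Endpoint Prevention*' | Start-Service -PassThru
}

# Example session: stop, do the troubleshooting, then restart.
# if (Stop-RansomwarePrevention -Passcode (Read-Host 'Passcode')) { <# troubleshoot #>; Start-RansomwarePrevention }
```

Read the passcode interactively or from a secret store rather than hard-coding it; a one-time passcode that ends up in a script repository or shell history is still a credential until it is used.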

Uninstall Ransomware Prevention while leaving the agent intact

If you want to uninstall the Ransomware Prevention add-on but leave the Insight Agent intact for use with other Rapid7 products or services, run the following command in an Administrator command prompt.

Note: If your asset is a 32-bit machine, use the installer name MVArmorInstallation_x86.msi in the command.

  1. In the command prompt, navigate to the directory where your Ransomware Prevention add-on is located.
  2. Run one of these commands:
    • If password protection is turned on: Msiexec /x MVArmorInstallation_x64.msi /qn stop_service= <passcode or password>
    • If password protection is turned off: Msiexec /x MVArmorInstallation_x64.msi /qn

If you want to generate a log file when the uninstallation finishes, you can run a modified edition of this command for that purpose. Substitute the {log-path} portion with the path where you want the log file to be placed:

Msiexec /x MVArmorInstallation_x64.msi /qn /L*V {log-path}

Uninstall an existing Insight Agent entirely

If you want to uninstall the Insight Agent entirely, note that you'll need to uninstall the Ransomware Prevention add-on first, then uninstall the rest of the Insight Agent. The Insight Agent will not allow itself to be uninstalled if any Endpoint Prevention add-on is still present.

You can uninstall the Insight Agent using the Add or remove programs tool in Windows:

  1. In your Start menu, select Control Panel.
  2. Under Programs, click Uninstall a program.
  3. Browse to Rapid7 Insight Agent and select it, then click Uninstall.