Next-Generation Antivirus: Quick Start Guide

What is Next-Generation Antivirus?

Next-Generation Antivirus is a Rapid7 Managed Detection and Response (MDR) add-on, which makes Endpoint Prevention technology available as part of the Insight Agent.

Endpoint Prevention adds an extra layer of protection to the assets that have the Insight Agent installed on them, acting as an Endpoint Protection Platform (EPP). Endpoint Prevention also offers Endpoint Detection and Response (EDR) capabilities by integrating with InsightIDR.

Refer to the Endpoint Prevention overview to learn more about the Next-Generation Antivirus add-on and Endpoint Prevention technology.

Prevention engines

Next-Generation Antivirus is built on Rapid7’s prevention engines, which are categories of logical rules or known bad signatures designed to detect specific types of behavior at the time of initial access to your environment. When unintended behavior is detected, these prevention engines respond with an action and create an alert.

Next-Generation Antivirus grants access to all Rapid7 prevention engines, including On-Access Scanning (Antivirus). With the On-Access Scanning (Antivirus) prevention engine, Rapid7 acts as your antivirus provider, meaning that you cannot also use another third-party antivirus solution. Read about antivirus and EDR software for more information.

Install Next-Generation Antivirus

For the Next-Generation Antivirus add-on, there are two options for deployment:

  • Option 1: Deploy using managed updates
  • Option 2: Deploy using an installation package

Once you have decided which installation option to use, you can follow the installation instructions to install Next-Generation Antivirus for your Insight Agent.

Configure Next-Generation Antivirus

Following installation and deployment, you can configure Next-Generation Antivirus to suit your needs.

Organize assets in prevention groups

Assets that have the add-on deployed on them are managed using prevention groups, which let you organize your assets logically and define the prevention group settings and Prevention Policies that apply to them. Read about prevention groups in the Insight Agent Help to learn how to organize your assets with prevention groups.

Monitor initial deployment with activation modes

Next-Generation Antivirus has an organization-level setting, called activation mode, which overrides Prevention Groups. To efficiently onboard Next-Generation Antivirus on your assets, the default activation mode is set to Monitor Only.

When the activation mode is set to Monitor Only, Next-Generation Antivirus actively monitors your assets, but does not interfere with suspicious activity, even if the Prevention Group settings are set to Block. In this mode, Next-Generation Antivirus still generates alerts in InsightIDR, allowing you to learn how the product interacts with existing business workflows and applications, so an appropriate exclusion can be applied, if necessary.

The other activation mode is Active Prevention. This activation mode actively blocks any suspected malicious activity; such events are logged and sent to InsightIDR for analysis and further action, if necessary. You should only switch to Active Prevention mode after you have completed initial deployment and validation.

Read how to change the activation mode in the Insight Agent Help documentation to learn more about activation modes.

View Endpoint Prevention detection rules in InsightIDR

In InsightIDR, you can view the detection rules that generate Endpoint Prevention alerts, which are also used for Next-Generation Antivirus.

To view Endpoint Prevention detection rules in InsightIDR, select Detection Rules in the left menu, then select the Endpoint Prevention Rules filter to narrow the list.

View Endpoint Prevention alerts in InsightIDR

By default, all Endpoint Prevention detection rules automatically generate both an alert and an investigation in InsightIDR. These alerts and investigations are also created for Next-Generation Antivirus.

Endpoint Prevention alerts, which apply to Next-Generation Antivirus, contain unique fields that can be helpful for gaining context about the alert and taking action on it. Alert details might vary based on the alert type, but this structure and raw data are fundamental to each one.

Create exclusions

Next-Generation Antivirus focuses on processes and their behavior. Because of this, you can configure exclusions so that Next-Generation Antivirus stops monitoring a process completely, or stops interfering with the actions taken by a process. Exclusions are applied to prevention groups, rather than individual assets. If an asset is moved to another prevention group, it receives the exclusions applied to that group and loses exclusions that were applied to the previous group.

After deploying Next-Generation Antivirus with activation mode set to Monitor Only, you might notice alerts in InsightIDR that show how Next-Generation Antivirus interacts with your daily processes, applications, and tasks. For activities that you determine are benign, we recommend adding exclusions before switching activation mode to Active Prevention.

Exclusions can be applied by your Managed Detection and Response team

All alerts from Next-Generation Antivirus are monitored by Rapid7’s Managed Detection and Response (MDR) service. In addition to creating exclusions on your own, you can also work with your MDR team to implement exclusions on your behalf.

Protect your assets using Tamper Protection and Password Protection

Available for Windows only

The Tamper Protection and Password Protection features are currently available for Windows operating systems only.

Attackers often attempt to tamper with endpoint security solutions, so that they can freely perform malicious activities without being detected.

The Tamper Protection engine contains rules that protect the Next-Generation Antivirus component of the Insight Agent, thereby protecting your assets continuously. When Tamper Protection is turned on, it prevents malware and bad actors from tampering with the files and functionality of Next-Generation Antivirus and the Insight Agent. It also offers the option of turning on password protection.

Using a one-time passcode (OTP) or a fixed password allows you to limit the users who can update, stop, or uninstall the Next-Generation Antivirus service. You can activate password protection at both the organizational level and for individual prevention groups that require extra security. For more details, read about configuring Tamper Protection and Password Protection in the Insight Agent Help documentation.

Switch to Active Prevention mode

After completing initial deployment, setting policies and exclusions, managing your assets in prevention groups, and enabling password protection, you must switch to Active Prevention mode.

The time it takes to switch from Monitor Only mode to Active Prevention mode depends on the complexity and size of your organization (for example, the number of systems, applications, and teams).