We are currently experiencing what appears to be a widespread false positive affecting Rapid7 Insight Agent and I'm trying to determine whether other customers are seeing the same behavior.
Over the last few hours, multiple customers in different environments have started receiving AV/EDR detections against the following Insight Agent component:
The detections are coming from several different security products, including:
Microsoft Defender
Sophos Endpoint/XDR
Examples of the reported malware signatures include:
Trojan:Win32/Wacatac.H!ml
Trojan:Win32/Wacatac.C!ml
Mal/Generic-S
In some cases the file is simply detected, while in others it is being quarantined or removed, which is causing Insight Agent health issues and generating a significant number of alerts.
The file appears to be legitimately signed by Rapid7, and the fact that we're seeing the same executable flagged across multiple unrelated customers and different AV vendors makes this look very much like a false positive rather than a compromise.
Questions for the community:
Is anyone else seeing detections against token_handler.exe?
Did this start recently for you as well?
Have you received any communication from Rapid7 regarding this issue?
Has anyone identified a specific agent update, certificate change, or component modification that may have triggered these detections?
Are there any official recommendations beyond excluding the Insight Agent installation directory from AV scanning?
We've already opened a support case with Rapid7, but I wanted to check whether this is an isolated issue or something affecting a larger number of customers.
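For anyone triaging this on their own hosts, the following PowerShell snippet is an added example (not from the original post and not Rapid7's own tooling) that does the two checks implied above: confirm the flagged binary carries a valid Authenticode signature whose signer is Rapid7, and record its SHA256 so the hash can be submitted to the AV vendor for false-positive review. The installation path is passed in as a parameter rather than assumed, and the signer match on "Rapid7" in the certificate subject is an assumption about how the certificate is named.

```powershell
<#
  Verify the signature and hash of an Insight Agent component before treating an
  AV detection as a false positive. Added example; the install path is whatever
  your environment uses (the default below is a placeholder, not a confirmed path).
#>
param(
    [string]$AgentDir  = 'C:\Program Files\Rapid7\Insight Agent',  # placeholder, adjust to your deployment
    [string]$FileName  = 'token_handler.exe',
    [string]$Publisher = 'Rapid7'   # assumption: the signer CN contains this string
)

function Test-AgentBinary {
    param([string]$Path, [string]$ExpectedPublisher)

    if (-not (Test-Path -LiteralPath $Path)) {
        # Missing file is itself a finding: AV may already have quarantined it.
        return [pscustomobject]@{ Path = $Path; Present = $false; Signed = $false;
                                   Signer = $null; Sha256 = $null; Verdict = 'MISSING (quarantined?)' }
    }

    # Authenticode check: Status is 'Valid' only if the signature verifies and chains to a trusted root.
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $signed = ($sig.Status -eq 'Valid') -and ($signer -like "*$ExpectedPublisher*")

    # SHA256 is what vendors want when you file a false-positive report.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $verdict = if ($signed) { 'SIGNED by expected publisher - likely FP, submit hash to vendor' }
               elseif ($sig.Status -eq 'Valid') { 'SIGNED but by UNEXPECTED publisher - investigate' }
               else { "Signature status '$($sig.Status)' - do NOT assume FP" }

    [pscustomobject]@{ Path = $Path; Present = $true; Signed = $signed;
                       Signer = $signer; Sha256 = $hash; Verdict = $verdict }
}

# Check the flagged component plus any other executables in the agent directory,
# so a detection on one file can be compared against its siblings.
$targets = @(Join-Path $AgentDir $FileName)
$targets += Get-ChildItem -LiteralPath $AgentDir -Recurse -Filter '*.exe' -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ne $FileName } | ForEach-Object { $_.FullName }

$targets | Sort-Object -Unique | ForEach-Object {
    Test-AgentBinary -Path $_ -ExpectedPublisher $Publisher
} | Format-Table Present, Signed, Verdict, Sha256, Path -AutoSize
```

A valid Rapid7 signature plus the same SHA256 across unrelated hosts is the evidence worth attaching to both the Rapid7 support case and the vendor false-positive submission; a missing file or a non-Valid status (for example HashMismatch) is the case where the detection should not be dismissed without further checks.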
Yes, same issue here with Sophos. However, our alerts have now stopped and a forced Sophos scan of the file on my system (which wasn’t turned on until a few minutes ago) says no problems. I’ve also run the file through Sophos Intelix - the Cloud Lookup reports it as Suspicious\Unknown (which may be normal if the token_handler file is new) but the more detailed reports show as ‘Likely Clean’ with no issues, so I guess it’s possible this has already been resolved by Sophos?
Hi everyone, just want to confirm that Rapid7 engineering are aware that a new process (token_handler.exe) introduced in Agent version 4.1.1.55 released yesterday is flagging as a trojan through various security providers.
We are working together with security vendors currently to have this resolved.
I’ll update here when we have something more concrete, but creating a support case for tracking will be the best way to receive updates.
Appreciate your patience on this one. Just to update you all:
We can confirm at this stage that this is a false positive, and we have submitted requests to have these false positives cleared up.
Currently we're only seeing two vendors (Rising & SecureAge) still flagging the token_handler.exe for Windows 64-bit architecture as malicious, and we are awaiting feedback.
Sophos have now also confirmed the issue was detected by them and resolved within a couple of hours, which explains why only a subset of our systems were affected.