Can't password protect the agent? How is this a security product?

Hello. Why does Rapid7 not have the ability to password protect the Rapid7 agent from being disabled and/or uninstalled? This claims to be a security product but that is a massive hole. I understand this comment will be “submit a feature request” but come on…

8 Likes

While I do agree that there should be a password protect option on uninstalling the Rapid7 agent, the agent can only be uninstalled by a local administrator of the system. Ideally users should not have local admin privileges and this shouldn’t be any issue on most systems. Servers are a bigger issue and that is why I do agree with having a password protected uninstall feature.

2 Likes

Compromises start with horizontal admin movement. Rapid7 can’t detect such if it can be uninstalled by an account with administrative control. This is the first “security product” I’ve found that doesn’t support password protected uninstall/disable. Security works in layers.

So, if it did have a password protected un-install, what would stop the attacker from stopping the InsightAgent service? Or disabling the service? Or replacing the InsightAgent binary with their own and having it run as a Service?

The same could be said for Microsoft Sysmon, which is pushed out by the InsightAgent. At least SYSMON can be renamed by the organization. I just have not found where the InsightAgent and InsightIDR can install and manage a renamed SYSMON.

The same could be said about the Velociraptor Agent which is pushed out by the InsightAgent.

I welcome whatever ‘Silver Bullet’ you might have. I’d like to use it too! I’m not trying to be facetious. I do welcome learning from others.

Your point is a good one for an Enhancement Request and I encourage you to create one that we might sign on to for customer support of the concept.

I hope you have a great week!

“So, if it did have a password protected un-install, what would stop the attacker from stopping the InsightAgent service? Or disabling the service? Or replacing the InsightAgent binary with their own and having it run as a Service?”

Yes… that’s how all AV and advanced XDR products work. You have to “unlock” the service via command line and specified password before it can be stopped/uninstalled. Files can’t be replaced because they would remain in use by the service. CrowdStrike, Cisco AMP, Guardicore, etc. They all have password protected services. Many even have cloud consoles where you can lock/unlock the service interaction from

@blombardo tamper protection is coming.
This is part of the NGAV roadmap.

3 Likes

Did you have a timeline for the tamper protection feature?

We currently do this by having our EDR agent alert us for process stop events and give us a daily report of endpoints missing the r7IDR agent. Not perfect by any means, but it works until they provide tamper protection.
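
The stop-gap described in the last post (alert on agent service stops, plus a daily report of endpoints missing the agent), sketched here as an added example that is not part of the thread and not Rapid7's code. The service display name, the thresholds and all sample data are assumptions; event IDs 7036 and 7040 are the Windows Service Control Manager state-change and start-type-change events.

```python
from datetime import datetime, timedelta

AGENT_SERVICE = "Rapid7 Insight Agent"   # assumed display name in SCM event text
STALE_AFTER = timedelta(hours=24)        # daily-report threshold (assumed)
RESTART_GRACE = timedelta(minutes=10)    # tolerated stop/start gap, e.g. updates (assumed)

def missing_agents(inventory, last_checkin, now):
    """Inventory hosts with no agent check-in, or none within STALE_AFTER."""
    seen = {h.lower(): t for h, t in last_checkin.items()}
    report = {}
    for host in sorted(h.lower() for h in inventory):
        t = seen.get(host)
        if t is None:
            report[host] = "never checked in"
        elif now - t > STALE_AFTER:
            report[host] = "stale since " + t.isoformat()
    return report

def tamper_events(events, service=AGENT_SERVICE):
    """Flag agent stops with no restart inside RESTART_GRACE, and start type set to disabled."""
    mine = sorted((e for e in events if service.lower() in e["message"].lower()),
                  key=lambda e: e["time"])
    hits = []
    for i, ev in enumerate(mine):
        msg = ev["message"].lower()
        if ev["event_id"] == 7040 and "to disabled" in msg:
            hits.append((ev["host"], ev["time"], "disabled"))
        elif ev["event_id"] == 7036 and "stopped state" in msg:
            restarted = any(
                later["host"] == ev["host"] and later["event_id"] == 7036
                and "running state" in later["message"].lower()
                and later["time"] - ev["time"] <= RESTART_GRACE
                for later in mine[i + 1:])
            if not restarted:
                hits.append((ev["host"], ev["time"], "stopped"))
    return hits

# Constructed sample data for illustration only.
NOW = datetime(2024, 1, 10, 8, 0)
INVENTORY = ["WS-001", "WS-002", "SRV-DB1", "SRV-WEB1"]
CHECKINS = {"ws-001": NOW - timedelta(hours=1), "srv-db1": NOW - timedelta(days=3),
            "srv-web1": NOW - timedelta(minutes=5)}
EVENTS = [dict(zip(("host", "time", "event_id", "message"), row)) for row in [
    ("WS-001", NOW - timedelta(minutes=60), 7036, "The Rapid7 Insight Agent service entered the stopped state."),
    ("WS-001", NOW - timedelta(minutes=58), 7036, "The Rapid7 Insight Agent service entered the running state."),
    ("SRV-DB1", NOW - timedelta(days=3, minutes=10), 7040, "The start type of the Rapid7 Insight Agent service was changed from auto start to disabled."),
    ("SRV-DB1", NOW - timedelta(days=3, minutes=9), 7036, "The Rapid7 Insight Agent service entered the stopped state."),
    ("SRV-WEB1", NOW - timedelta(minutes=30), 7036, "The Print Spooler service entered the stopped state."),
]]
```

The restart grace window keeps routine stop/start cycles out of the alert queue, while the check-in reconciliation catches hosts where the service events themselves were never collected.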