We install the scan Agent onto all Employee and Contractor laptops, and it runs active scans and submits the result via the cloud. This then auto-creates objects in InsightVM.
However, one of our contractors left, and did not remove the agent from her laptop. We now can no longer contact her, but it is still sending us regular reports from vulnerability scans and appearing in our InsightVM. If we remove the Asset, it just re-creates the next time it reports.
How can we blacklist this asset so that it stops coming back? Ideally, we’d unauthenticate it, or send some command to the Agent to disable itself but that seems not to be possible.
I would reach out to Rapid7 support to see if they can disconnect this agent. They should be able to do something with the Rapid7 UUID that you can find in InsightVM. With you having no control over the device, your only bet would be Rapid7 or the contractor.
If you have Rapid7 IDR, you could theoretically quarantine the device to force the user to uninstall the software, This is probably a last resort solution as it is pretty impactful for the owner of the laptop (I’m assuming it is one).
I have asked our local support provider,but unfortunately have not yet received any suggested course of action to take I am really surprised there is no way to deregister an existing client from the server end. We do not have IDR so the last part is not an option for us.
Hi @sshipway! Iam not sure if you have a chance, but by default, Iam not aware of a way to disable/remove the agent from a computer from the R7 Insight Platform side itself. In my optinion, the agent should only be installed on company owned devices anyway, thus access is always granted because BYOD from employees/contractors needs to be treated differently than company owned devices.
However, this might be a worthy request for Rapid7: The ability to uninstall an Insight Agent via the R7 Insight Platform, just like other AV/EDR/XDR solutions offer it for their clients. Oh, and tamper protection so Users/Admins can’t just kill/disable/remove it without disabling the tamper protection before
I am really surprised there is no way to deregister an existing client from the server end. We do not have IDR so the last part is not an option for us.