I have a couple of users that have lots of files on their machines and every time the Rapid7 agent kicks off its incremental scan, it takes up a large amount of CPU on the machines. They caught it in action and it appears that the R7 Agent is kicking off a PowerShell command and they are seeing one, sometimes two PowerShell commands being run during the scans. There is pretty much no place to do any configuration on the agent scans, but what I’m looking for is a way to either bypass file scanning on the machine or exclude specific folders on a machine. Does anyone have any thoughts on how to configure the agent scanning policies? I’ve searched around and for the life of me, I can’t find an agent scan template or a way to configure anything other than Agent auto-updates and agent update throttling. We are going to have the two users uninstall/reinstall the agent to make sure this wasn’t a messed up agent update. However, I’m not expecting that to do anything to fix the issue.
For what it’s worth, this is the PowerShell command that they were able to see being run on one of the machines:
powershell.exe -Command "Set-StrictMode -Version Latest;
function Walk-FolderContents {
    param($folderObj);
    $folderItems = $folderObj.Items();
    for ($i = 0; $i -lt $folderItems.Count; $i++) {
        $folderItem = $folderItems.Item($i);
        $folderItem.Path;
        if ($folderItem.IsFolder) { Walk-FolderContents $folderItem.GetFolder; };
    };
};
function Run-TarEngine {
    $tempFolder = "C:\Program Files\Rapid7\Insight Agent\components\insight_agent\common\ir_agent_tmp\Rapid7-log4j-analysis-b4e943ac-cc99-4c32-8223-71c245ac68f4";
    $tempFolder = [System.Environment]::ExpandEnvironmentVariables($tempFolder);
    $renamedJarFile = $null;
    try {
        if (-not (Test-Path $tempFolder)) { New-Item -ItemType Directory -Force -Path $tempFolder | Out-Null; };
        gci $tempFolder | Remove-Item | Out-Null;
        $shellApp = New-Object -ComObject Shell.Application;
        $tempFolderObject = $shellApp.Namespace($tempFolder);
        if ($null -eq $tempFolderObject) { Write-Error "Failed to get a temp folder object for $($tempFolder)"; exit -1; };
        $jarFilePath = "C:\d3vsrc\Drives\d\git\workbench\build\publish\local_cache\com.rs.seagull.clients\ajax_websuite\trunk\wars\ajax_websuite-10.3941.2.758-20220909002404-clientajax.war";
        if (-not (Test-Path -IsValid $jarFilePath)) { Write-Error "Invalid jar file path: $jarFilePath"; exit -1; };
        $copiedJarFile = Copy-Item $jarFilePath -Destination $tempFolder -PassThru;
        if ($null -eq $copiedJarFile) { Write-Error "Failed to copy $jarFilePath to temp folder $tempFolder"; exit -1; };
        $renamedJarFile = $copiedJarFile | Rename-Item -NewName { $_.Name -replace '.[jw]ar$', '.zip' } -PassThru;
        if ($renamedJarFile.FullName -notmatch '.zip$') { Write-Error "Failed to rename extension of $copiedJarFile from .jar to .zip"; exit -1; };
        $zipFileFolderObject = $shellApp.Namespace($renamedJarFile.FullName);
        Walk-FolderContents $zipFileFolderObject $tempFolderObject;
    } finally {
        if ($renamedJarFile -ne $null) { $renamedJarFile | Remove-Item; };
        $tempFolder | Remove-Item -Recurse;
    };
};
Run-TarEngine;
"