Has anyone experienced the Rapid7 agent installation attempting to uninstall/modify services of other security tools present on the system, such as CrowdStrike?
An installation script was deployed via Ansible and my SOC team got a lot of alerts about a Rapid7 agent trying to disable CrowdStrike. Is this normal? What am I doing wrong?
We have not seen this on the few thousand Windows servers that have both.
Thanks @brandon_mcclure for your response. Could it be that the installer is corrupted (it was downloaded straight from the IVM platform) or it might be the script?
You should probably open a ticket with support, because that shouldn’t be happening. They work fine together for us without any exceptions.
I haven’t seen that happen. I have seen CrowdStrike be quick to alert on application updates when they perform cleanup, so maybe the alert was misinterpreted and the agent was either:
- Installing for the first time and performing cleanup of temp files
- Updating the agent and performing cleanup of temp files or removing old files
Those are both guesses though.
It’s really hard to tell what might have triggered those CrowdStrike alerts. I haven’t seen the alerts again after modifying the script.