Rapid7 agent installation attempting to uninstall/modify service of other security tools present on the system such as CrowdStrike

Hi,

Has anyone experienced Rapid7 agent installation attempting to uninstall/modify service of other security tools present on the system such as CrowdStrike?

An installation script was deployed via Ansible and my SOC team got a lot of alerts about a Rapid7 agent trying to disable CrowdStrike. Is this normal? What am I doing wrong?

We have not seen this on the few thousand Windows servers that have both.

Thanks @brandon_mcclure for your response. Could it be that the installer is corrupted (it was downloaded straight from the IVM platform), or might it be the script?

You should probably open a ticket with support, because that shouldn’t be happening. They work fine together for us without any exceptions.

I haven’t seen that happen. I have seen CrowdStrike be quick to alert on application updates when they perform cleanup, so maybe the alert was misinterpreted and the agent was either:

  1. Installing for the first time and performing cleanup of temp files
  2. Updating the agent and performing cleanup of temp files or removing old files

Those are both guesses though.

Thanks @Ralph!
It’s really hard to tell what might have triggered those CrowdStrike alerts. I haven’t seen the alerts again after modifying the script.