On systems where the InsightVM agent is installed Defender sees it as malware.
System Center Endpoint Protection has detected malware on one or more computers in your organization
Malware Name: Exploit:Python/CVE-2021-38647!MTB
Malware file path: file:_D:\Program Files\rapid7\nexpose\updates\stagingFileData\r7$5734249391769723000.tmp
In order to correctly scan for vulnerabilities, especially remote scans, we often need to exhibit similar behaviour as the exploit in order to safely determine if an asset is vulnerable.
We also recommend disabling AV/malware detectors to prevent problems. In the case of the particular script getting quarantined, this will prevent us scanning for a particular vulnerability, which could in turn, result in a false negative
https://docs.rapid7.com/insightvm/requirements/#programs-and-services
Per the Rapid7 Endpoint Protection Software Requirements, you need add the agent to the AllowList in your AV solutions.
" Allowlist the Insight Agent within your Endpoint Protection Software
To allowlist the Insight Agent, navigate to your Endpoint Protection Platform and set up a path exclusion rule for the agent directory.
Your rule must accommodate all subdirectories contained in the agent installation path. The following paths show default agent installation locations by operating system:
** Windows - C:\Program Files\Rapid7\Insight Agent\*
** Mac and Linux - /opt/rapid7/ir_agent/"*
We recently had a similar alert pop and I appreciate the answers and what not, it really helps to have this as a resource, so thank you
but, in an attempt to satisfy my own curiosity, what is this .tmp file for and where does it come from?
Thanks,