IBM Security QRadar

  • 1.  IBM Security EDR (ReaQta) Advice

    Posted Tue February 13, 2024 10:33 AM

    Hi,

    I am currently testing out ReaQta SaaS and I have a few questions. 

    I've noticed that when installing ReaQta, there are no attempts from ReaQta to take over as the primary EDR as I don't see any information on it in the Windows Security Settings. However, I do know the agent is installed successfully on my test machine as I can see it in the installed apps and on the ReaQta Dashboard. 

    My questions are: Is this expected behaviour or should I be seeing it as a registered EDR in Windows Security? 

    I also know that ReaQta is a behavioural based EDR too and the general consensus is not to run simultaneous EDRs to ensure there aren't conflicts but I'm unsure on if that's the case for behaviour based EDRs too. In that case, should I disable Windows Defender or is it okay to put it in passive mode? 

    Any advice is appreciated.

    Kind Regards,

    Iqra



    ------------------------------
    Iqra Haq
    ------------------------------


  • 2.  RE: IBM Security EDR (ReaQta) Advice

    Posted Wed February 14, 2024 01:24 PM

    I've pinged a few people looking for advice on this post. Stay tuned. 



    ------------------------------
    Jonathan Pechta
    IBM Security - Community of Practice Lead
    jonathan.pechta1@ibm.com
    ------------------------------



  • 3.  RE: IBM Security EDR (ReaQta) Advice

    Posted Thu February 15, 2024 09:00 AM

    Hi Iqra,

    Giuseppe Bonfa here, ReaQta co-founder and tech lead for support.
    Below are my answers.


    > Is this expected behaviour or should I be seeing it as a registered EDR in Windows Security?

    Yes, this is the expected behavior. ReaQta is not yet in the Windows Security Product list; this implies that, in future, once Microsoft adds it, Microsoft Defender will automatically switch off.

    > I also know that ReaQta is a behavioural based EDR too and the general consensus is not to run simultaneous EDRs to ensure there aren't conflicts but I'm unsure on if that's the case for behaviour based EDRs too.

    This applies to ReaQta as well. Multiple EDRs on the same endpoint might introduce instability, performance degradation and odd behaviors, since both act at a very low level.

    > In that case, should I disable Windows Defender or is it okay to put it in passive mode?

    Microsoft Defender can stay on as an added layer of detection. ReaQta is also able to receive the broadcasted AV events sent by Microsoft Defender; they are called AMSI (Anti-Malware Scan Interface).

    I hope the above replies clarify your doubts. Please don't hesitate to reach out in case of further questions.

    Kind Regards,
    Giuseppe



    ------------------------------
    Giuseppe Bonfa
    ------------------------------
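
A way to check, on the test machine itself, the two things this thread discusses: which products are registered with Windows Security Center and which mode Microsoft Defender Antivirus is running in. This is an added example, not part of the original posts and not IBM or ReaQta code; the function name and the `*ReaQta*` display-name pattern are assumptions.

```powershell
# Added example: summarise Windows Security Center registrations and Defender's mode.
function Get-EndpointProtectionSummary {
    [CmdletBinding()]
    param(
        # Assumed display-name pattern for the EDR; adjust to the installed product.
        [string]$ProductPattern = '*ReaQta*'
    )

    # root/SecurityCenter2 is present on Windows client editions, not on Windows Server.
    $registered = @()
    try {
        $registered = @(Get-CimInstance -Namespace 'root/SecurityCenter2' `
                                        -ClassName 'AntiVirusProduct' -ErrorAction Stop)
    } catch {
        Write-Warning "Security Center namespace not available: $($_.Exception.Message)"
    }

    # Get-MpComputerStatus comes with the built-in Defender module.
    $defender = $null
    try {
        $defender = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        Write-Warning "Defender status not available: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        # Products that Windows Security lists as antivirus providers.
        RegisteredProducts  = $registered.displayName
        # True only if a registered product matches the assumed name pattern.
        EdrRegistered       = [bool]($registered | Where-Object displayName -like $ProductPattern)
        # AMRunningMode reports values such as Normal, Passive Mode or EDR Block Mode.
        DefenderRunningMode = if ($defender) { $defender.AMRunningMode } else { 'Unknown' }
        DefenderRealTimeOn  = if ($defender) { $defender.RealTimeProtectionEnabled } else { $null }
    }
}

Get-EndpointProtectionSummary | Format-List
```

With the behaviour described in the reply above, `EdrRegistered` would be expected to be `False` while `DefenderRunningMode` stays `Normal`.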