How To
Summary
How does one tell whether the QRadar EDR (formerly ReaQta) Anti-Malware (Guardian) is installed and running on a Windows endpoint?
Objective
This technote explains how a user or QRadar EDR admin can tell whether a particular Windows endpoint has the Anti-Malware module (Guardian) installed and running. This check comes after enabling Anti-Malware on the QRadar EDR Hive itself:
![image-20230127110127-1](/support/pages/system/files/inline-images/image-20230127110127-1.png)
There are multiple methods, and this technote lists a few options.
Environment
QRadar EDR Hive 3.x
Windows
Steps
From the QRadar EDR Hive:
In order to check whether the Anti-Malware module is installed and running on an Endpoint from the QRadar EDR backend:
- Go to the Endpoints Tab
- Select the Endpoint in question and select View Endpoint
- Look for the Anti-Malware version in the Endpoint details itself.
![image-20230127103711-2](/support/pages/system/files/inline-images/image-20230127103711-2.png)
From the Endpoint itself:
- Check for the Anti-Malware module in the Guardian folder of the ReaQta program files directory; its presence verifies that the module is installed. The ReaQta directory is typically located at C:\Program Files\ReaQta.
![image-20230127103033-1](/support/pages/system/files/inline-images/image-20230127103033-1.png)
- Another way is to check for the ReaQta-Guardian-Installer in "Programs and Features" in the Control Panel:
![image-20230127143721-1](/support/pages/system/files/inline-images/image-20230127143721-1.png)
- List the services in Windows and look for the "Guardian" service. This check can be done by using the Services window:
![image-20230127143945-2](/support/pages/system/files/inline-images/image-20230127143945-2.png)
Or by entering sc query guardian at the Windows command prompt (CMD):
![image-20230127144240-3](/support/pages/system/files/inline-images/image-20230127144240-3.png)
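The three endpoint-side checks above can be combined into one PowerShell script for use across many endpoints. This is an added example, not part of the IBM technote or the product. It assumes the default install root, a subfolder named Guardian, and a Programs and Features display name beginning with ReaQta-Guardian; the exit codes are this example's own convention.

```powershell
# Added example (not IBM code): checks the three endpoint-side indicators from this technote.
# Assumptions: default install root and a subfolder named "Guardian"; adjust if installed elsewhere.
$ReaQtaRoot   = 'C:\Program Files\ReaQta'         # typical location per the technote
$GuardianDir  = Join-Path $ReaQtaRoot 'Guardian'  # assumed folder name
$ProductMatch = 'ReaQta-Guardian*'                # "ReaQta-Guardian-Installer" in Programs and Features
$ServiceName  = 'guardian'                        # same name used with "sc query guardian"

# 1. Guardian folder present?
$folderPresent = Test-Path -LiteralPath $GuardianDir -PathType Container

# 2. Programs and Features entry (read from the uninstall registry keys behind that view)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$product = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $ProductMatch } |
    Select-Object -First 1

# 3. Service registered, and in which state?
$service = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    FolderPresent    = $folderPresent
    InstalledProduct = if ($product) { $product.DisplayName } else { $null }
    InstalledVersion = if ($product) { $product.DisplayVersion } else { $null }
    ServiceStatus    = if ($service) { [string]$service.Status } else { 'NotInstalled' }
} | Format-List

# Installed = all three indicators agree; running = service status is Running.
$installed = [bool]($folderPresent -and $product -and $service)
$running   = [bool]($service -and $service.Status -eq 'Running')

if ($installed -and $running) {
    Write-Output 'Guardian: installed and running'; exit 0
} elseif ($installed) {
    Write-Output 'Guardian: installed but NOT running'; exit 1
} elseif ($folderPresent -or $product -or $service) {
    # Partial state: can occur for up to 30 minutes after the module is
    # enabled or disabled on the Hive, while install or uninstall completes.
    Write-Output 'Guardian: partially present (install or uninstall may be in progress)'; exit 2
} else {
    Write-Output 'Guardian: not installed'; exit 3
}
```

A non-zero exit code that persists well beyond the 30-minute window noted under Additional Information is worth comparing against the Anti-Malware version shown for that endpoint in the Hive.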
Additional Information
At the time of writing, the Anti-Malware module is only available for Windows operating systems on the x86_64 architecture.
When the Anti-Malware module is enabled or disabled, it can take up to 30 minutes to upload the agent to the endpoint and install or uninstall it.
When the Anti-Malware module is installed, a notification appears on the lower right side of the screen stating that Anti-Malware is installed.
Document Location
Worldwide
Product Synonym
ReaQta
Document Information
Modified date:
09 May 2023
UID
ibm16857855