IBM Support

QRadar EDR (formerly ReaQta): Installing and uninstalling Windows agents

Question & Answer


Question

What are some common things you need to know about installing and uninstalling Windows endpoint agents?

Answer

What are the system requirements for the QRadar EDR endpoint agent on Windows?

Windows Client

7 (SP1), 8, 8.1, 10, 10-POS (Fully updated)

Windows Server

2008 R2 (SP2), 2012 R2, 2016, 2019 (Fully updated)

How to install the QRadar EDR agent on a Windows endpoint?

Downloading the Windows agent

The agent can be downloaded from the Hive Dashboard, by using the following steps:

  1. Log in to the Hive Dashboard
  2. Go to Administration > Update Manager
  3. Click the wanted Windows package (32-bit or 64-bit)
  4. Click the Installer Download tab and then choose Download
  5. A SHA-256 hash is available under the Installer Download tab to verify file integrity after you download it
Optionally, if this is a multi-tenant Hive Dashboard, you can choose which tenant this agent belongs to; the tenant details (GIDS) are then provided.
Installing a Windows agent manually
  1. Once the package is downloaded and copied over to the Windows endpoint in question, run the installer with elevated rights
  2. The installation wizard requires a set of parameters to continue; the following is a general example:
    https://backend_url:port --gids [your tenant gids]
    • The Hive Dashboard URL (Hive Backend URL) or IP
    • The agent registration port
    • Group IDs (GIDS), if this is a multi-tenant environment (optional)
    • Proxy information, if the endpoint needs to go through a proxy in order to reach the Hive Dashboard (Optional)
    • Whether the Windows agent is being installed on a Server (Optional)
    • Is the agent being installed in a virtual machine belonging to a VDI infrastructure? (Optional)
Installing a Windows agent by using command line
To install the agent from the command line, download the installation package and copy it to the endpoint in question (see Downloading the Windows agent above). Once this is done, run the following commands to install the QRadar EDR agent from the command line:
  1. From an administrative command line:
    msiexec /I [package name].msi IPFORM="https://server_url:port" /qb
  2. In the event this is a multi-tenant environment and group IDs (GIDS) are provided:
    msiexec /I [package name].msi IPFORM="https://server_url:port --gids ID" /qb
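The command-line installation above can be wrapped so that the SHA-256 hash shown under the Installer Download tab is checked before anything runs with elevated rights. The following PowerShell script is an added example, not IBM's own installer script; the parameter names, the log file location and the MSI path are assumptions, and the msiexec arguments are the ones documented above.

```powershell
# Added example (not IBM's script): verify the downloaded agent MSI against the SHA-256
# shown in Update Manager, then run the documented msiexec command line.
# All parameter values below are placeholders supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $MsiPath,        # e.g. \\fileshare\edr\ReaQta-Hive-Installer-x64.msi
    [Parameter(Mandatory)] [string] $ExpectedSha256, # copy from the Installer Download tab
    [Parameter(Mandatory)] [string] $BackendUrl,     # e.g. https://hive-server:4443
    [string] $Gids                                   # tenant group IDs, multi-tenant only
)

$ErrorActionPreference = 'Stop'

# 1. Integrity check first: never execute an installer whose hash does not match.
#    Get-FileHash returns upper-case hex; PowerShell's -ne is case-insensitive.
$actual = (Get-FileHash -Path $MsiPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "SHA-256 mismatch for $MsiPath (expected $ExpectedSha256, got $actual). Not installing."
}

# 2. Build the IPFORM value exactly as documented: URL, optionally followed by --gids
$ipform = $BackendUrl
if ($Gids) { $ipform = "$BackendUrl --gids $Gids" }

# 3. Run msiexec and wait. /qb is the documented basic UI; /l*v adds a verbose MSI log
#    (assumed path) that complements the rqt_installer* registration log in %TEMP%.
$log = Join-Path $env:TEMP 'edr_agent_install.log'
$msiArgs = @('/i', "`"$MsiPath`"", "IPFORM=`"$ipform`"", '/qb', '/l*v', "`"$log`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 4. Interpret the Windows Installer exit code (0 = success, 3010 = success, reboot required)
switch ($proc.ExitCode) {
    0       { Write-Host "Agent installed. MSI log: $log" }
    3010    { Write-Warning "Agent installed; a reboot is required. MSI log: $log" }
    default { throw "msiexec exited with $($proc.ExitCode). See $log and rqt_installer* in $env:TEMP." }
}
```

Run it from an administrative PowerShell prompt, for example `.\Install-EdrAgent.ps1 -MsiPath C:\temp\agent.msi -ExpectedSha256 <hash from Update Manager> -BackendUrl https://hive-server:4443 -Gids <tenant gids>`. The hash comparison is the only step that is not in the documented procedure; it turns the "verify file integrity" advice into a hard stop.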
Push Installation Using Group Policy Objects (GPO) - Scheduled Task
  1. Ensure you have the Windows agent installer file downloaded and copied
  2. Edit the attached batch file and replace “https://hive-server:4443 --gids 123456789012345678” with the actual Backend URL and port. Additionally, replace “\\path\to\rqt.xml” with the full path of the rqt.xml file on the network share.
    sha256sum install_batch.zip
    fae42dd640848150f88d4736e9a68610fc7314c8e737359968606c776b73d677
    install_batch.zip (Password = reaqta)
  3. Upload the ReaQta-Hive installation packages (.msi file), the edited installation batch file (.bat), and the rqt.xml file on a network-shared drive where local SYSTEM and Authenticated User accounts have at least read-only and execute privileges
  4. The rqt.xml file is the export of a scheduled task that ensures the QRadar EDR components are running healthily. This scheduled task runs every day at 12am. If you want to change the timing, import the XML into your scheduled tasks, amend the timing according to your requirements, then export it as rqt.xml to replace the original copy.
Push Installation GPO
  5. Go to the domain controller. Start the Group Policy Editor (GPMC.msc).
  6. Create a new policy under the domain.
  7. Right-click the policy to edit it and, when the Group Policy Management Editor opens, navigate to Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks
  8. Right-click Scheduled Tasks and choose Immediate Task (At least Windows 7)
  9. Add a name for the task, select SYSTEM as the user to run the task, and choose Windows 7, Windows Server 2008R2 in the Configure for field.
  10. Under the Actions tab, create a new action to start the installation batch file from the network share and click OK to complete the creation of the policy.
  11. The policy is pushed to the endpoints connected to the domain controller and the installation starts immediately.
  12. Go to the Hive Dashboard; if the policy is working, you should see new endpoints registered to the Hive server.

How to uninstall the QRadar EDR agent on a Windows endpoint?

Uninstalling from the Hive Dashboard

This should be the method used in all circumstances unless the agent is unreachable or offline.

  1. Log in to the Hive Dashboard and click the Endpoints tab
  2. Locate the endpoint in question and click View Endpoint
  3. Once the endpoint details page opens, click Uninstall
Uninstalling from the Endpoint Locally
This should be used strictly when the endpoint is unreachable from the UI.
  1. As local or Domain Administrator, open the Control Panel
  2. Select Programs > Uninstall a program > ReaQta-Hive-Installer
If you have access to the Hive Dashboard, remove the corresponding entry for the endpoint.
How to uninstall the agent manually?
If the agent needs to be reinstalled and attempts to uninstall it from the endpoint's Control Panel fail, the agent can be removed manually.
  1. Log in to the Hive Dashboard and remove the endpoint as described using the previous steps
  2. On the endpoint, open a command prompt as an Administrator
  3. Stop and remove these services:
    sc stop keeper
    sc delete keeper
    
    sc stop rqtsentry
    sc delete rqtsentry
    
    sc stop rqtnetsentry
    sc delete rqtnetsentry
    
    sc stop i00
    sc delete i00
  4. Delete the following files and folders.
    Note: If the Anti-Malware module (Guardian) is installed and running, it may also need to be removed, as it prevents the files and folders above from being deleted. It can be removed by uninstalling it from the Control Panel.
    To check for the presence of the Anti-Malware module, review the steps here: How to confirm Anti-Malware is actually installed on an Endpoint
    c:\Program Files\ReaQta
    c:\windows\system32\drivers\rqtsentry.sys
    c:\windows\system32\drivers\rqtnetsentry.sys
    c:\windows\system32\drivers\i00.sys
    
  5. Open the Registry Editor using the keyboard shortcut Windows Key + R and then typing regedit
  6. Right-click on HKEY_LOCAL_MACHINE and click Export to back up the registry file
  7. Choose a name and location for the backup file and click Save
  8. Once the backup is complete, search for ReaQta in HKEY_LOCAL_MACHINE and remove the registry keys found
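The manual removal steps above, collected into one script that can be dry-run first. This is an added example, not an IBM-provided script: the service names, folder and driver paths come from the procedure above, while the backup file location is an assumption. The registry step only lists the ReaQta keys it finds, leaving their removal to the operator in regedit as documented.

```powershell
# Added example (not IBM's script): manual removal of the QRadar EDR Windows agent,
# following the documented steps 3 to 8. Run with -WhatIf to see what would be done.
[CmdletBinding(SupportsShouldProcess)]
param()

# Service names and file locations exactly as listed in the documented procedure
$services = 'keeper', 'rqtsentry', 'rqtnetsentry', 'i00'
$paths = @(
    'C:\Program Files\ReaQta',
    "$env:SystemRoot\System32\drivers\rqtsentry.sys",
    "$env:SystemRoot\System32\drivers\rqtnetsentry.sys",
    "$env:SystemRoot\System32\drivers\i00.sys"
)

# Step 3: stop and delete the services. Note the .exe suffix: in PowerShell a bare
# "sc" is the Set-Content alias, not the service control tool.
foreach ($svc in $services) {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess($svc, 'stop and delete service')) {
            sc.exe stop $svc   | Out-Null
            sc.exe delete $svc | Out-Null
        }
    } else {
        Write-Host "Service $svc is not present, skipping"
    }
}

# Step 4: delete files and folders. A failure here usually means the Anti-Malware
# module (Guardian) is still installed and holding them, as the note above explains.
foreach ($p in $paths) {
    if (-not (Test-Path -Path $p)) { continue }
    if ($PSCmdlet.ShouldProcess($p, 'delete')) {
        try {
            Remove-Item -Path $p -Recurse -Force -ErrorAction Stop
        } catch {
            Write-Warning "Could not delete ${p}: $($_.Exception.Message). Uninstall Guardian from the Control Panel first."
        }
    }
}

# Steps 6 and 7: export HKEY_LOCAL_MACHINE before touching it (backup path is an assumption)
$backup = Join-Path $env:USERPROFILE ("HKLM-backup-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
if ($PSCmdlet.ShouldProcess('HKEY_LOCAL_MACHINE', "export to $backup")) {
    reg.exe export HKLM $backup /y | Out-Null
    Write-Host "Registry backup written to $backup"
}

# Step 8: search HKEY_LOCAL_MACHINE for ReaQta keys and list them for review in regedit.
# A full recursive walk of HKLM is slow; access-denied errors are suppressed on purpose.
Write-Host 'Registry keys containing "ReaQta" (review and remove in regedit):'
Get-ChildItem -Path 'HKLM:\' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*ReaQta*' } |
    Select-Object -ExpandProperty Name
```

Because the script declares `SupportsShouldProcess`, `.\Remove-EdrAgentManually.ps1 -WhatIf` prints every service, path and backup action without performing it, which is the sensible first run on an endpoint that has already been removed from the Hive Dashboard.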
Uninstalling the Hive Agent on a Windows endpoint locally when protected uninstallation is enabled
If you're trying to uninstall the agent on a Windows endpoint locally when password protection is enabled, please refer to the following documentation

How to troubleshoot QRadar EDR agent installation issues on Windows?

Agent Registration Errors

The registration error log file is located in the %TEMP% folder under C:\Users\<Username>\AppData\Local\Temp and starts with rqt_installer. When you open the log file, look for the status code.

Backend Communication Problem
The agent is unable to reach the backend server. Verify the following:
1. The registration address is correct.
2. The endpoint is able to directly reach the backend server (no Man-in-The-Middle products/Authenticated proxies).
3. Firewall settings.
4. Status of the server.
5. Open the command line with admin privileges.

Run the following commands to determine whether a WinHTTP proxy is configured:
#Show proxy
netsh winhttp show proxy

#Delete proxy
netsh winhttp reset proxy

#Configure proxy
netsh winhttp set proxy <proxy>:<port>
403 invalid CSRF Token: The registration address is invalid.
409: The endpoint is already registered. This error is usually seen with a cloned machine; in that case it is necessary to perform a sysprep.
442 invalid-license-max-endpoints: Too many registered endpoints; the license cap is reached. You need to add more licenses or remove existing endpoints.
442 invalid-license-error-during-into-group-registration: The --gids parameter is missing; it is mandatory in an MSSP installation.
503 license-not-ready-error: Contact Support.
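The status codes above can be pulled out of the rqt_installer* logs automatically, together with the WinHTTP proxy state and a TCP reachability check against the registration port. This PowerShell script is an added example, not part of the IBM article; it assumes the status code appears as a plain three-digit number in the log text (the exact log layout is not documented here), and the backend host and port parameters are placeholders.

```powershell
# Added example (not IBM's script): triage a failed Windows agent registration.
# Assumption: the rqt_installer* log contains the numeric status code as plain text.
param(
    [string] $BackendHost,   # e.g. hive-server (placeholder)
    [int]    $Port = 4443    # registration port (placeholder; use your own)
)

# Explanations taken from the status code list above
$known = @{
    '403' = 'invalid CSRF Token: the registration address is invalid'
    '409' = 'endpoint already registered: cloned machine, perform a sysprep'
    '442' = 'license error: endpoint cap reached, or --gids missing in an MSSP installation'
    '503' = 'license-not-ready-error: contact Support'
}

# 1. Find the registration logs in %TEMP%, newest first
$logs = Get-ChildItem -Path $env:TEMP -Filter 'rqt_installer*' -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending
if (-not $logs) { Write-Warning "No rqt_installer* log found in $env:TEMP" }

# 2. Report every documented status code found, with its line number and meaning
foreach ($log in $logs) {
    Write-Host "== $($log.FullName) ($($log.LastWriteTime))"
    $hits = Select-String -Path $log.FullName -Pattern '\b(403|409|442|503)\b' -AllMatches
    if (-not $hits) { Write-Host '   no documented status code found; check backend communication'; continue }
    foreach ($hit in $hits) {
        foreach ($m in $hit.Matches) {
            Write-Host ('   line {0}: {1} -> {2}' -f $hit.LineNumber, $m.Value, $known[$m.Value])
        }
    }
}

# 3. Backend communication checks: WinHTTP proxy in use, and direct TCP reachability
Write-Host '== WinHTTP proxy configuration'
netsh winhttp show proxy

if ($BackendHost) {
    Write-Host "== TCP test to ${BackendHost}:$Port (requires Windows 8.1 / Server 2012 R2 or later)"
    Test-NetConnection -ComputerName $BackendHost -Port $Port |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}
```

A `TcpTestSucceeded` of `False` with no status code in the log points at the firewall, server status or proxy items in the Backend Communication Problem checklist; a code in the log means the endpoint reached the server and the problem is on the registration side.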
Network Resource Unavailable
In this scenario, the Windows agent installation fails with a message stating that a network resource is unavailable. The failure is caused by a missing package that was previously used for installation, typically through GPO. To resolve this error, follow these steps:
  1. As an Administrator, open the Registry Editor by using the keyboard shortcut Windows Key + R and then typing regedit
  2. Navigate to  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products
  3. Delete any registry keys related to ReaQta
  4. Attempt to reinstall the agent once again.
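Before deleting anything under Installer\Products, it helps to see which entries actually reference ReaQta. The following PowerShell snippet is an added example, not from the IBM article: it reads the ProductName value of each product key (a standard Windows Installer value) and only removes a key when you pass -Remove and confirm each deletion.

```powershell
# Added example (not IBM's script): list, and optionally remove, Windows Installer
# product entries that reference ReaQta, as in the "Network Resource Unavailable" steps.
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
param(
    [switch] $Remove   # without this switch the script only lists matching keys
)

$root = 'HKLM:\SOFTWARE\Classes\Installer\Products'

# Each product key stores its display name in the ProductName value
$matches = Get-ChildItem -Path $root -ErrorAction Stop | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    if ($props.ProductName -like '*ReaQta*') {
        [pscustomobject]@{
            Key         = $_.PSChildName
            ProductName = $props.ProductName
            Path        = $_.PSPath
        }
    }
}

if (-not $matches) {
    Write-Host "No Installer\Products entry references ReaQta under $root"
    return
}

$matches | Select-Object Key, ProductName | Format-Table -AutoSize

if ($Remove) {
    foreach ($m in $matches) {
        # ShouldProcess with ConfirmImpact High prompts for each key unless -Confirm:$false is given
        if ($PSCmdlet.ShouldProcess($m.Key, "delete Installer product entry '$($m.ProductName)'")) {
            Remove-Item -Path $m.Path -Recurse -Force
        }
    }
}
```

Run it once without arguments to review the list, then `.\Clean-EdrInstallerEntries.ps1 -Remove` to delete the entries interactively before attempting the reinstall in step 4.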


Product Synonym

ReaQta

Document Information

Modified date:
15 August 2023

UID

ibm16558026