System Recovery using Real Time Response

CrowdStrike Tech Center


Cyberattacks, including ransomware, have increased as work environments have changed and organizations have shifted to supporting more remote personnel. With threats increasing against these remote systems, blocking attacks and responding rapidly in the event of a compromise is even more challenging. Do security teams have the visibility and context they need to respond? Can system rollback remediations completely restore an endpoint to a known good state?


Next-gen prevention and complete system recovery are more important than ever

Organizations require a combination of measures to protect against today’s threat landscape. Effective prevention capabilities can block a range of threats including ransomware while advanced detection and visibility capabilities can uncover stealthy attacks and compromised systems. Complete remediation of those compromised endpoints, especially when they are remote, can be challenging. 

Automatic rollback remediation using volume shadow copies may seem like the fastest route to recovery but may not always be a viable or thorough option. Backups and volume shadow copies can be the first targets attackers disable and delete to prevent easy recovery. Malware can also be designed to tamper with or delete snapshots or even leave persistent artifacts behind.

Responders need an arsenal of response capabilities including full endpoint activity details and attack visibility to get systems back to a known good state.


The CrowdStrike Falcon® next-generation endpoint protection platform uses complementary prevention and detection methods to defend against known and unknown malware and ransomware, as well as fileless and malware-free attacks.

Deep endpoint and attack visibility, including process timelines that display an entire attack in sequence, enables responders to rapidly investigate incidents and fully understand emerging threats. Armed with this knowledge, responders use CrowdStrike Real Time Response (available with Falcon Insight™ and Falcon Endpoint Protection Pro) to directly access distributed systems and run a wide variety of commands to completely remediate remote hosts, quickly getting them back to a known good state.

If volume shadow copies are available and are the appropriate response, Real Time Response can easily restore these snapshots. When system rollback remediation simply isn’t enough, Real Time Response gives responders the surgical remediation capabilities they require, including the ability to manage user accounts, kill processes, remove files or directories, manipulate the Windows registry or even run custom scripts and executables.


Get immediate time to value, extend your visibility and protect your organization regardless of physical location. Try CrowdStrike’s Falcon platform for free.

Content Provided by Anne Aarness