How machine learning on the Falcon sensor provides better protection
CrowdStrike is a cloud company; however, this doesn't mean that in order to be protected one needs to be connected to the internet. While connected to the internet, I'll run this known malware sample from the command prompt in my test environment. It blocked the malware, as indicated by the "access is denied" message.
Now if we look at this event in Falcon Host, we can see the process tree that shows the sample being run from the command prompt, and then underneath that, a reason for the block. On the right-hand side we can get additional information about this event. Here we see the sample has been identified as malicious by 36 other AV engines. But the purpose of this demo isn't to illustrate Falcon stopping known malware while connected to the internet.
So let's run this sample again, only this time we'll illustrate the benefit of having ML on the sensor by disconnecting our host from the internet. And then, just so we know the sensor isn't relying on a hash look-up or reputation, I'll use a hex editor to slightly modify the file so as to change the hash, but not the behavior.
I'll also run the file two different ways: first by double-clicking it, and second from the command prompt, similar to the first time. Notice that on the double-click I receive a permission error, and then on the command prompt another "access is denied" message.
To see these events in the UI I'll need to enable my network adapter and wait a few seconds so events can be reported from the test environment to Falcon. Back in Falcon, we can see a new alert. Deeper inspection shows us both attempts: one from the explorer.exe process, and the other from the command.exe process.
We can also see that the altered file doesn't match any other submissions in VirusTotal, on the right-hand side here, where previously we saw 36 detections. With ML on the sensor, customers can receive the same benefit of world-class protection even when offline.