How to Replace Traditional Antivirus (AV) with CrowdStrike Falcon

Introduction

This document will cover the simple steps of replacing your traditional antivirus (AV) vendor with CrowdStrike.


Prerequisites

This document assumes that you’re a customer with a pre-existing AV solution that you’d like to either replace or run alongside Falcon.

For basic product installation, please see the blog post dedicated to installing Falcon.

Supported Platforms

Windows Server: Win Server 2008R2 SP1 and above
Windows: Win 7 SP1 and above
Mac: OSX 10.8 and above
Linux:
– RHEL 7.0-7.2
– RHEL 6.2-6.8
– CentOS 7.0-7.2
– CentOS 6.2-6.8
– Ubuntu 14.04 LTS (minimum kernel version 3.13.0-32)
– SUSE Linux Enterprise Server 11.3-11.4 (minimum kernel version 3.0.101-0.47.55.1)
– SUSE Linux Enterprise Server 12-12.1 (minimum kernel version 3.12.39-47)

Step-by-step

Falcon’s versatility as an AV, EDR or Intel product makes it a perfect solution to install with other security technologies. For example, if you’ve got an existing AV solution in place and would like to add Falcon Insight or Falcon Intel, they can easily be installed to provide those important layers.

However, it is not recommended to install Falcon Prevent in prevention (blocking) mode simultaneously with other AV solutions that are also in blocking mode.

[Figure: CrowdStrike Sensor in Microsoft Action Center]

If you are adding Falcon Prevent to your security solution, it is recommended that you install Falcon with a DETECT ONLY policy. For more information on policies, see the Tech Center article on policy configuration. Below is an example of a policy with preventions disabled. This policy can safely be installed alongside another AV solution. However, reliance on the traditional AV solution should be temporary. Next we’ll illustrate removing the old solution and implementing a blocking policy in Falcon.

[Figure: Replace AV, detection-only policy]

To remove the other AV vendor from a host machine, use the “Add/Remove Programs” feature in the Windows Control Panel and uninstall the application. For organization-wide removal, Group Policy, SCCM, or other utilities can be used to remove the old application from the production environment.

[Figure: Removing traditional antivirus via Windows Control Panel, Programs and Features]

Once there, select the previous AV vendor and then select the “Uninstall” option that appears above the list of installed programs. Different vendors may have additional steps or multiple applications that need to be removed.

Note: In the case of McAfee, uninstall the McAfee Agent last, removing all the other installed programs first. This order seems to be the most effective in our experience. (Some vendors may require a reboot.)
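For the organization-wide removal described above, Group Policy or SCCM is only the delivery mechanism; the per-host work is still “find the old vendor’s entries in Programs and Features and uninstall them in the right order”. The script below is an added example (not CrowdStrike tooling and not any vendor’s official removal tool) of that per-host step. It reads the same registry Uninstall keys that Programs and Features displays, removes every entry matching a vendor name pattern, and leaves the components you name in -RemoveLast (the management agent, in the McAfee case) until the end. The vendor pattern and component names are placeholders, not real product identifiers; run it with -WhatIf first to see what it would remove.

```powershell
# Added example: uninstall a legacy AV vendor's components from one host,
# in a controlled order. Run elevated. Use -WhatIf to preview.
# Placeholders: '*LegacyAV*' and '*LegacyAV Agent*' are not real product names.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Display-name pattern of the legacy vendor's entries (placeholder value)
    [string]$VendorPattern = '*LegacyAV*',
    # Components to remove last, e.g. the vendor's management agent (placeholder)
    [string[]]$RemoveLast = @('*LegacyAV Agent*')
)

# Read the Uninstall keys directly rather than Win32_Product: enumerating
# Win32_Product triggers a consistency check/repair of every MSI package.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $VendorPattern } |
    Select-Object DisplayName, UninstallString, QuietUninstallString, PSChildName

if (-not $entries) {
    Write-Output "No installed programs match '$VendorPattern'."
    return
}

# Order the work: everything that is not a "remove last" component first.
$isLast = { param($e) @($RemoveLast | Where-Object { $e.DisplayName -like $_ }).Count -gt 0 }
$ordered = @($entries | Where-Object { -not (& $isLast $_) }) +
           @($entries | Where-Object { & $isLast $_ })

foreach ($e in $ordered) {
    # Prefer a quiet uninstall string when the vendor registered one.
    $cmd = if ($e.QuietUninstallString) { $e.QuietUninstallString } else { $e.UninstallString }
    if (-not $cmd) {
        Write-Warning "No UninstallString for '$($e.DisplayName)'; remove it manually."
        continue
    }
    if ($PSCmdlet.ShouldProcess($e.DisplayName, 'Uninstall')) {
        # MSI packages: the key name is the product code, so run msiexec /x silently
        # and suppress the reboot prompt; reboot once at the end, as the article says.
        if ($e.UninstallString -match '(?i)msiexec' -and $e.PSChildName -match '^\{[0-9A-Fa-f-]+\}$') {
            $p = Start-Process -FilePath 'msiexec.exe' `
                -ArgumentList "/x $($e.PSChildName) /qn /norestart" -Wait -PassThru
        } else {
            # Non-MSI uninstallers vary; run the registered command as-is.
            $p = Start-Process -FilePath 'cmd.exe' -ArgumentList "/c $cmd" -Wait -PassThru
        }
        # msiexec: 0 = success, 3010 = success but a reboot is required.
        Write-Output ("{0}: exit code {1}" -f $e.DisplayName, $p.ExitCode)
    }
}
```

Exit code 3010 from msiexec is the “reboot required” case the note above mentions; collect those and reboot the host once after the last component is gone rather than after each one.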

After a reboot, if necessary, verify that the uninstall was successful in the Action Center: open Control Panel -> System and Security -> Action Center.

Under “Virus protection” and “Spyware and unwanted software protection”, CrowdStrike should be the only listed vendor.

[Figure: Action Center with CrowdStrike as the only security vendor]
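Action Center populates those two entries from the Windows Security Center registrations, which can be queried directly, so the check can be scripted across a fleet instead of clicked through on each host. The following is an added example (not CrowdStrike tooling) that lists the registered antivirus and antispyware products and returns false if anything other than the expected vendor is still registered. It assumes the sensor registers with a display name containing “CrowdStrike” (confirm the exact string on one of your own hosts), and the decoding of the productState “enabled” bit is the commonly documented community interpretation, not an official specification. The root/SecurityCenter2 namespace exists only on client Windows; Windows Server has no Action Center, so verify there by other means.

```powershell
# Added example: confirm that only the expected vendor is registered with
# Windows Security Center (the source of Action Center's AV/antispyware entries).
param([string]$ExpectedVendorPattern = '*CrowdStrike*')  # assumption, see lead-in

function Get-SecurityCenterProducts {
    # AntiVirusProduct feeds "Virus protection"; AntiSpywareProduct feeds
    # "Spyware and unwanted software protection".
    foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct') {
        Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $class -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Category     = $class
                    DisplayName  = $_.displayName
                    # productState is a bit field; 0x1000 set is commonly read as
                    # "product reports itself enabled". Raw value kept for reference.
                    ProductState = ('0x{0:X6}' -f $_.productState)
                    Enabled      = (($_.productState -band 0x1000) -ne 0)
                }
            }
    }
}

function Test-OnlyExpectedVendor {
    param([string]$Pattern)
    $products = @(Get-SecurityCenterProducts)
    $products | Format-Table -AutoSize | Out-String | Write-Output

    $others = @($products | Where-Object { $_.DisplayName -notlike $Pattern })
    if ($others) {
        # A leftover registration usually means the uninstall did not finish
        # (pending reboot, or a component the vendor installs separately).
        Write-Warning ('Other security products still registered: ' +
            (($others.DisplayName | Sort-Object -Unique) -join ', '))
        return $false
    }
    if (-not @($products | Where-Object { $_.DisplayName -like $Pattern })) {
        Write-Warning "No product matching '$Pattern' is registered."
        return $false
    }
    return $true
}

$ok = Test-OnlyExpectedVendor -Pattern $ExpectedVendorPattern
exit ([int](-not $ok))
```

A non-zero exit code makes the check usable as a compliance item in SCCM or any other tool that already runs scripts on the hosts; a host that still reports the old vendor after the reboot needs the “additional steps” the article mentions before it is moved to the prevention policy.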

Next we’ll change the policy in Falcon from detection-only to prevention and detection. This should be done only after testing on a subset of systems in your organization, to ensure the desired level of information is received in the Falcon console.

[Figure: sample prevention policy for AV replacement]

Verify that the policy changes apply to the intended group of systems by clicking the “Current Members” tab at the top of the policy configuration page.

[Figure: AV replacement, Current Members tab]

Before leaving any page, make sure the changes are saved and that the policy has been enabled. While policy changes apply relatively quickly, moving machines from one policy to a new or different policy may take more time before the changes take effect.
