How to Install the Falcon Host Sensor

Introduction

In this document and video, we’ll demonstrate how to install CrowdStrike’s Falcon Host sensor on an individual system. We will then validate installation and verify that system can be seen from the Falcon Host management interface.

Video

 

Read Video Transcript

Prerequisites

List of supported OS: https://www.crowdstrike.com/products/falcon-host-faqs/

Unlike traditional AV products, the Falcon Host Sensor can run alongside existing security software. This means there is no need to uninstall existing anti-virus products before installing the Falcon Host Sensor.

Google Chrome is the only supported browser.

Step 1: Activating the account

After purchasing Falcon Host or starting a product trial, an email will be sent that includes a link to the activation process.

intro letter

The activation process includes:

1. Setting up a password

2. Establishing a method for 2-factor authentication

Once the account has been activated access to the Falcon UI can be reached through https://falcon.crowdstrike.com using Google Chrome.

Login

The next page is where you’ll enter in your desired method for 2-factor authentication. We recommend Google’s Authenticator app. However, Duo Mobile, WinAuth, and JAuth will also work.

Google Authenticator is available in the app store for both iOS and Android

Google Authenticator Android Google Authenticator Apple

After the password page, the next screen will ask for your desired method of 2-factor authentication

2 Factor Authentication

Step 2: Download and install the sensor

Upon verification the Falcon Host UI will open to the Activity App. To download a sensor navigate to Support App by selecting the dialogue bubbles, the last icon on the left. Then select “support”. On the support page, find the desired sensor version and click the red “Download” text on the right.

support and downloads

Windows and Mac

Obtain admin privileges. Run the installer for your platform. If prompted, accept the end user license agreement.

Linux (Ubuntu)

Run
$ sudo dpkg -i falcon-sensor_1.0.7-804_amd64.deb

Linux (RHEL or CentOS)

Run
$ sudo yum install falcon-sensor-1.0.0-407.el 6.x86 _64.r pm

After you install the sensor, it will connect to the cloud and check for updates. This process typically takes less than five minutes. Note that a reboot is not required as part of the Falcon Host Sensor installation or update process.

 

Step 3: Confirm that the sensor is running

Unlike legacy endpoint security products, Falcon Host does not have a user interface on the endpoint. There are no icons in the Windows System Tray or on any status or menu bars on Mac or Linux. Use the following methods to verify that the sensor is properly installed:

Windows

From the windows promptrRun the following command to ensure that “STATE” is “RUNNING”

$ sc query csagent

 

Mac

To output a list of details about the sensor running on the host, from the terminal run

$ sysctl cs.

 

Linux (all distros)

To see if the sensor process is running,run

$ sudo ps -e | grep falcon-sensor

 

Step 4: Verify sensor visibility in the cloud

Finally, verify that newly installed sensor in the Falcon Host UI. To view a complete list of newly installed sensors in the past 24 hours, go to https://falcon.crowdstrike.com.

Navigate to
Events App > Sensors > Newly Installed Sensors

The hostname of your newly installed sensor will appear on this list within five minutes of installation. If you don’t see your host listed, read through the Sensor Deployment Guide for your platform to troubleshoot connectivity issues.

 

Conclusion

At this point you should have activated your Falcon Host account, deployed a sensor in your organization, and verified that system can be seen in your Falcon Host UI.

 

More resources

 

See How You Can Stop Breaches request a live demo