In this document and video, you’ll see how the CrowdStrike Falcon agent is installed on an individual system and then validated in the Falcon management interface.
List of supported OS: https://www.crowdstrike.com/products/falcon-host-faqs/
Unlike traditional AV products, the Falcon Host Sensor can run alongside existing security software. Consequently, there is no need to uninstall existing antivirus products before installing the Falcon agent.
Supported browser: Chrome
Step 1: Activate the account
After purchasing CrowdStrike Falcon or starting a product trial, look for the activation email from CrowdStrike to begin the activation process.
The activation process includes:
1. Setting up a password
2. Establishing a method for 2-factor authentication
Once activated, access the UI at https://falcon.crowdstrike.com using Google Chrome.
The next page is where you'll select your method of 2-factor authentication. We recommend Google's Authenticator app; Duo Mobile, WinAuth, and JAuth will also work.
Google Authenticator is available in the app store for both iOS and Android.
The password screen appears first, followed by the screen where you select a method of 2-factor authentication.
Step 2: Download and install the agent
Upon verification, the Falcon UI opens to the Activity App. To download the agent, navigate to the Support App by selecting the dialogue-bubbles icon (the last icon in the left navigation), then select "Support". On the support page, find the desired sensor version and click the red "Download" text on the right.
Windows and Mac: Run the installer for your platform with administrator privileges. If prompted, accept the end user license agreement.
Linux (Ubuntu): Run:
$ sudo dpkg -i falcon-sensor_1.0.7-804_amd64.deb
Linux (RHEL or CentOS): Run:
$ sudo yum install falcon-sensor-1.0.0-407.el6.x86_64.rpm
After you install the agent, it connects to the CrowdStrike cloud (directly, or through a proxy if you configured one per the Sensor Deployment Guide) and checks for updates. This process typically takes less than five minutes and no reboot is required.
Step 3: Confirm that the sensor is running
Unlike legacy endpoint security products, Falcon does not have a user interface on the endpoint. There are no icons in the Windows System Tray or on any status or menu bars on Mac or Linux.
Installation verification methods are as follows:
Windows: From a Windows command prompt, run the following command and confirm that "STATE" is "RUNNING":
C:\> sc query csagent
Mac: To output a list of details about the sensor running on the host, from the terminal run:
$ sysctl cs
Linux (all distros): To see if the sensor process is running, run:
$ sudo ps -e | grep falcon-sensor
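The three checks above are easy to run by hand on one host; the script below is an added example for running them unattended on Linux, for instance over ssh across a fleet. It is not CrowdStrike's own tooling. It assumes the package is registered as falcon-sensor in dpkg/rpm and that the sensor's process name starts with falcon-sensor; both are assumptions inferred from the package filenames and the grep pattern on this page, not stated by the page. It also includes a parser for sc query csagent output captured from Windows hosts, so one script can summarize results from both platforms.

```bash
#!/bin/sh
# Post-install check for the Falcon sensor on Linux, plus a parser for
# `sc query csagent` output captured from Windows hosts.
# Added example for this guide; not CrowdStrike's own tooling.
# Assumptions not stated on the page: the installed package is named
# "falcon-sensor" in dpkg/rpm, and the sensor process name starts with
# "falcon-sensor" (the pattern the page greps for).

# Return 0 if a falcon-sensor process appears in `ps -e` style output
# (columns: PID TTY TIME CMD). Only the CMD column is inspected, so a
# concurrent `grep falcon-sensor` (which `ps -ef` would list with its
# full argument line) cannot produce a false positive.
sensor_running_in() {
    printf '%s\n' "$1" | awk '$4 ~ /^falcon-sensor/ { found = 1 } END { exit !found }'
}

# Print the STATE word (RUNNING, STOPPED, ...) from `sc query csagent`
# output; print nothing if no STATE line is present (e.g. service missing).
sc_state() {
    printf '%s\n' "$1" | awk '$1 == "STATE" { print $NF; exit }'
}

# Print the installed falcon-sensor package version, or nothing if the
# package is absent. dpkg-query covers Ubuntu, rpm covers RHEL/CentOS.
installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}' falcon-sensor 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        # rpm -q prints "not installed" to stdout, so test first.
        rpm -q falcon-sensor >/dev/null 2>&1 && \
            rpm -q --qf '%{VERSION}-%{RELEASE}' falcon-sensor
    fi
}

# Verdict for the local host. Distinct exit codes let a fleet-wide loop
# tell "not installed" (2) from "installed but not running" (1) and
# "healthy" (0).
check_sensor() {
    ver=$(installed_version)
    if [ -z "$ver" ]; then
        echo "falcon-sensor: package not installed" >&2
        return 2
    fi
    if sensor_running_in "$(ps -e 2>/dev/null)"; then
        echo "falcon-sensor $ver installed and running"
        return 0
    fi
    echo "falcon-sensor $ver installed but no sensor process found" >&2
    return 1
}

check_sensor
```

The script's exit status is the verdict, so a loop such as `for h in $(cat hosts); do ssh "$h" sh < check_sensor.sh || echo "$h: $?"; done` lists only hosts that need attention. Matching on the CMD column of ps -e rather than the full command line is deliberate: it is what makes the page's own `ps -e | grep falcon-sensor` check immune to matching the grep process itself.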
Step 4: Verify sensor visibility in the cloud
Finally, verify the newly installed agent in the Falcon UI. To view a complete list of sensors installed in the past 24 hours, go to https://falcon.crowdstrike.com.
Events App > Sensors > Newly Installed Sensors
The hostname of your newly installed agent will appear on this list within five minutes of installation. If you don’t see your host listed, read through the Sensor Deployment Guide for your platform to troubleshoot connectivity issues.
Video transcript: Installing a New Falcon Host Sensor
Hi there. Today we’re going to show you how to get started with the CrowdStrike Falcon Host sensor. We’ll show you how to download the latest sensor, go over your deployment options, and finally, show you how to verify that the sensors have been installed. So let’s get started.
Now, in order to get access to the CrowdStrike Falcon Host sensor files, you’ll first need to get access to your Falcon Host instance. This access will be granted via an email from the CrowdStrike support team and will look something like this. Now, once you’ve received this email, simply follow the activation instructions provided in the email. This will include setting up your password and your two-factor authentication.
Now, once you’ve been activated, you’ll be able to log into your Falcon Host instance. We recommend that you use Google Chrome when logging into the Falcon Host environment. And once you’ve logged in, you’ll initially be presented with the activity app. In the left side navigation, you’ll need to mouse over the support app, which is in the lower part of the nav, and select the Downloads option. You’ll then be presented with all your downloads that are pertinent to your Falcon Host instance, including documentation, SIEM connectors, API examples, sample malware.
You will also find copies of the various Falcon Host sensors. Find the appropriate OS version that you want to deploy and click on the download link on the right side of the page. In our example, we’ll be downloading the Windows 32-bit version of the sensor. So I’ll click on the Download link and let the download proceed.
We are also going to want to download the malware example, which we’ll use towards the end of this video to confirm that our sensor is working properly. Once the download is complete, you’ll see that I have a Windows MSI file. The file itself is very small and light. And once it’s installed, it will actually connect to our cloud and download some additional bits of information so that it can function properly.
Now, you can use this file to either install onto a single system like we will in this example, or you can deploy to multiple systems via group policy management, such as Active Directory. So let’s go ahead and install the sensor onto the system. Installation of the sensor will require elevated privileges, which I do have on this demo system. So I’ll launch the installer by double clicking on it, and I’ll step through the installation dialog.
You will want to take a look at our Falcon Host Sensor Deployment Guide if you need more details about some of the more complex deployment options that we have, such as connecting to the CrowdStrike cloud through proxy servers, or silent mode installations. These deployment guides can be found in the Docs section of the support app. OK. Let’s get back to the install.
I’ve completed the installation dialog, and I’ll go ahead and click on Finish to exit the Setup Wizard. Now, at this point, the sensor has been installed, and it is now connecting to the CrowdStrike cloud to pull down additional data. Now that the sensor is installed, we’re going to want to make sure that it installed properly. And there are several different ways to do this.
First, you can check to see if the CrowdStrike files and folders have been created on the system. I’m going to navigate to C:\Windows\System32\Drivers. And in here, you should see a CrowdStrike folder. If you navigate to this folder soon after the installation, you’ll note that files are being added to this folder as part of the installation process.
So this is one way to confirm that the install has happened. Another way is to open up your system’s control panel and take a look at the installed programs. You’ll see that the CrowdStrike Falcon sensor is listed. Yet another way you can check the install is by opening a command prompt. Type in sc query csagent. This will return a response that should hopefully show that the service’s state is running.
So everything seems to be installed properly on this endpoint. Let’s go into Falcon Host and confirm that the sensor is actually communicating to your Falcon Host instance. Once you’re back in the Falcon Host instance, click on the Investigate app. Along the top bar, you’ll see the option that will read Sensors. Click on this.
And then click on the Newly Installed Sensors. This will show you all the devices that have been recently installed with the new Falcon Host sensors. So let’s take a look at the last 60 minutes. And you can see my endpoint is installed here.
Now let’s verify that the sensor is behaving as expected. Earlier, I downloaded a sample malware file from the download section of the support app. The file is called DarkComet.zip, and I’ve already unzipped the file onto my system. So let’s go ahead and launch this program.
Now let’s take a look at the activity app on the Falcon Host instance. As you can see here, there does seem to be some detected activity on my system related to the Dark Comet Remote Access Tool. The tool was caught, and my endpoint was protected all within just a few minutes without requiring a reboot. Thanks for watching this video.