How to Install the Falcon Agent

Introduction

In this document and video, you’ll see how the CrowdStrike Falcon agent is installed on an individual system and then validated in the Falcon management interface.

Video

Read Video Transcript

Prerequisites

List of supported OS: https://www.crowdstrike.com/products/crowdstrike-falcon-faq/

Unlike traditional AV products, the Falcon Sensor can run alongside existing security software.  Consequently, there is no need to uninstall existing antivirus products before installing the Falcon agent.

Supported browser: Chrome

Installation Steps

Step 1: Activate the account

After purchasing CrowdStrike Falcon or starting a product trial, look for the following email to begin the activation process.

intro letter

The activation process includes:
1. Setting up a password
2. Establishing a method for 2-factor authentication

Active accounts use the URL https://falcon.crowdstrike.com using Google Chrome to access the UI.

 

First time sign-in

Falcon2FactorAuthentication

The next page is where you’ll enter your desired method for 2-factor authentication. We recommend Google’s Authenticator app. However, Duo Mobile, WinAuth, and JAuth will also work.

Google Authenticator is available in the app store for both iOS and Android

Google Authenticator Android Google Authenticator Apple

The password screen appears first, followed by the screen where you select a method of 2-factor authentication

Step 2: Download and install the agent

Upon verification, the Falcon UI will open to the Activity App.  To download the agent, navigate to Support App by selecting the dialogue bubbles the last icon on the left.  Then select “support”.  In the support app there are multiple sub-pages, the different versions of the Falcon Sensor are available on the “Downloads” page.

Downloads page in UI

The downloads page consists of available sensor versions.  Select the correct sensor version for your OS by clicking on the download link to the right.

Download sensor page

At the top of the downloads page is a Customer ID, copy this value, it’s used during the install process.

CID Checksum

Windows and Mac: Next, obtain admin privileges. Run the installer for your platform. When prompted, accept the end user license agreement and enter the checksum from the downloads page of the Falcon UI.

Install screen

Linux (Ubuntu): Run: $ sudo dpkg -i falcon-sensor_1.0.7-804_amd64.deb

Linux (RHEL or CentOS): Run: $ sudo yum install falcon-sensor-1.0.0-407.el 6.x86 _64.r pm

After you install the agent, it will connect to the cloud and check for updates.  This process typically takes less than five minutes and no reboot is required.

Step 3: Confirm that the sensor is running

Unlike legacy endpoint security products, Falcon does not have a user interface on the endpoint. There are no icons in the Windows System Tray or on any status or menu bars on Mac or Linux.

Installation verification methods are as follows:

Windows: From the windows promptrRun the following command to ensure that “STATE” is “RUNNING”: $ sc query csagent

Mac: To output a list of details about the sensor running on the host, from the terminal run: $ sysctl cs.

Linux (all distros): To see if the sensor process is running, run: $ sudo ps -e | grep falcon-sensor

Step 4: Verify sensor visibility in the cloud

Finally, verify that newly installed agent in the Falcon UI. To view a complete list of newly installed sensors in the past 24 hours, go to https://falcon.crowdstrike.com.

Navigate to: Events App > Sensors > Newly Installed Sensors

The hostname of your newly installed agent will appear on this list within five minutes of installation. If you don’t see your host listed, read through the Sensor Deployment Guide for your platform to troubleshoot connectivity issues.

Conclusion

The resulting actions mean Falcon is active, an agent is deployed and verified, and the system can be seen in the Falcon UI.

More resources

 

Stop Breaches with CrowdStrike Falcon request a live demo