In this document and video, you’ll see how the CrowdStrike Falcon agent is installed on an individual system and then validated in the Falcon management interface.
List of supported OS: https://www.crowdstrike.com/products/crowdstrike-falcon-faq/
Supported browser: Chrome
Step 1: Activate the account
After purchasing CrowdStrike Falcon or starting a product trial, look for the following email to begin the activation process.
The activation process includes:
- Setting up a password
- Establishing a method for 2-factor authentication
Once the account is active, go to https://falcon.crowdstrike.com in Google Chrome to access the UI.
The next page is where you’ll enter your desired method for 2-factor authentication. We recommend Google’s Authenticator app. However, Duo Mobile, WinAuth, and JAuth will also work.
NOTE: Single sign-on or SAML options also exist for the Falcon Interface but go beyond the scope of this article. Reach out to support for configuration options in your environment.
Google Authenticator is available in the app store for both iOS and Android.
The password screen appears first, followed by the screen where you select a method of 2-factor authentication.
Step 2: Download and install the agent
Upon verification, the Falcon UI will open to the Activity App. To download the agent, navigate to Host App. Then select “Sensor Downloads.”
The downloads page lists the latest available sensor versions. Select the correct sensor version for your OS by clicking on the download link to the right. At the top of the downloads page is a Customer ID. Copy this value, as it is used later in the install process.
Next, obtain admin privileges. Run the installer for your platform. When prompted, accept the end user license agreement and enter the checksum from the downloads page of the Falcon UI.
Step 3: Confirm that the sensor is running
Unlike legacy endpoint security products, Falcon does not have a user interface on the endpoint. There are no icons in the Windows System Tray or on any status or menu bars.
From the Windows command prompt, run the following command to ensure that “STATE” is “RUNNING”:
sc query csagent
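For checking more than one host, the local verification steps this page describes (service state, driver folder, installed-programs entry) can be scripted. The following PowerShell is an added example, not CrowdStrike's own tooling; it assumes the installed-programs display name contains "CrowdStrike" and that it is saved and run as a .ps1 file from an elevated prompt.

```powershell
# Added example: verifies a Falcon sensor install using the local checks
# described on this page. Exit code 0 = all checks passed, 1 = one or more failed.

$checks = [ordered]@{}

# 1. Service state (same information as: sc query csagent -> STATE : RUNNING)
$svc = Get-Service -Name 'csagent' -ErrorAction SilentlyContinue
$checks['Service csagent running'] = ($null -ne $svc -and $svc.Status -eq 'Running')

# 2. Driver folder created by the installer under System32\drivers
$driverDir = Join-Path $env:SystemRoot 'System32\drivers\CrowdStrike'
$checks['Driver folder present'] = Test-Path -LiteralPath $driverDir -PathType Container

# 3. Entry in installed programs (the registry keys behind the Control Panel list).
#    Assumption: the product's DisplayName contains the string "CrowdStrike".
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*CrowdStrike*' }
$checks['Listed in installed programs'] = [bool]$installed

# Print one line per check and count failures
$failed = 0
foreach ($name in $checks.Keys) {
    $ok = $checks[$name]
    if (-not $ok) { $failed++ }
    '{0,-32} {1}' -f $name, $(if ($ok) { 'OK' } else { 'FAIL' })
}

# A non-zero exit code lets a deployment tool flag hosts that need follow-up
if ($failed -gt 0) { exit 1 } else { exit 0 }
```

A host that passes all three checks locally still needs to appear in the Falcon UI, which is covered in Step 4.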
Step 4: Verify sensor visibility in the cloud
Finally, verify the newly installed agent in the Falcon UI. To view a complete list of newly installed sensors in the past 24 hours, go to https://falcon.crowdstrike.com.
Navigate to: Events App > Sensors > Newly Installed Sensors
The hostname of your newly installed agent will appear on this list within five minutes of installation. If you don’t see your host listed, read through the Sensor Deployment Guide for your platform to troubleshoot connectivity issues.
The resulting actions mean Falcon is active, an agent is deployed and verified, and the system can be seen in the Falcon UI.
Installing a New Falcon Sensor
Hi there. Today we’re going to show you how to get started with the CrowdStrike Falcon sensor. We’ll show you how to download the latest sensor, go over your deployment options, and finally, show you how to verify that the sensors have been installed. So let’s get started.
Now, in order to get access to the CrowdStrike Falcon sensor files, you’ll first need to get access to your Falcon instance. This access will be granted via an email from the CrowdStrike support team and will look something like this. Now, once you’ve received this email, simply follow the activation instructions provided in the email. This will include setting up your password and your two-factor authentication.
Now, once you’ve been activated, you’ll be able to log into your Falcon instance. We recommend that you use Google Chrome when logging into the Falcon environment. And once you’ve logged in, you’ll initially be presented with the activity app. In the left side navigation, you’ll need to mouse over the support app, which is in the lower part of the nav, and select the Downloads option. You’ll then be presented with all your downloads that are pertinent to your Falcon instance, including documentation, SIEM connectors, API examples, sample malware.
You will also find copies of the various Falcon sensors. Find the appropriate OS version that you want to deploy and click on the download link on the right side of the page. In our example, we’ll be downloading the Windows 32-bit version of the sensor. So I’ll click on the Download link and let the download proceed.
We are also going to want to download the malware example, which we’ll use towards the end of this video to confirm that our sensor is working properly. Once the download is complete, you’ll see that I have a Windows MSI file. The file itself is very small and light. And once it’s installed, it will actually connect to our cloud and download some additional bits of information so that it can function properly.
Now, you can use this file to either install onto a single system like we will in this example, or you can deploy to multiple systems via group policy management, such as Active Directory. So let’s go ahead and install the sensor onto the system. Installation of the sensor will require elevated privileges, which I do have on this demo system. So I’ll launch the installer by double clicking on it, and I’ll step through the installation dialog.
You will want to take a look at our Falcon Sensor Deployment Guide if you need more details about some of the more complex deployment options that we have, such as connecting to the CrowdStrike cloud through proxy servers, or silent mode installations. These deployment guides can be found in the Docs section of the support app. OK. Let’s get back to the install.
I’ve completed the installation dialog, and I’ll go ahead and click on Finish to exit the Setup Wizard. Now, at this point, the sensor has been installed, and it is now connecting to the CrowdStrike cloud to pull down additional data. Now that the sensor is installed, we’re going to want to make sure that it installed properly. And there’s several different ways to do this.
First, you can check to see if the CrowdStrike files and folders have been created on the system. I’m going to navigate to the C drive, Windows, System32, Drivers. And in here, you should see a CrowdStrike folder. If you navigate to this folder soon after the installation, you’ll note that files are being added to this folder as part of the installation process.
So this is one way to confirm that the install has happened. Another way is to open up your system’s control panel and take a look at the installed programs. You’ll see that the CrowdStrike Falcon sensor is listed. Yet another way you can check the install is by opening a command prompt. Type in sc query csagent. This will return a response that should hopefully show that the service’s state is running.
So everything seems to be installed properly on this endpoint. Let’s go into Falcon and confirm that the sensor is actually communicating to your Falcon instance. Once you’re back in the Falcon instance, click on the Investigate app. Along the top bar, you’ll see the option that will read Sensors. Click on this.
And then click on the Newly Installed Sensors. This will show you all the devices that have been recently installed with the new Falcon sensors. So let’s take a look at the last 60 minutes. And you can see my endpoint is installed here.
Now, let’s verify that the sensor is behaving as expected. Earlier, I downloaded a sample malware file from the download section of the support app. The file is called DarkComet.zip, and I’ve already unzipped the file onto my system. So let’s go ahead and launch this program.
Now let’s take a look at the activity app on the Falcon instance. As you can see here, there does seem to be some detected activity on my system related to the Dark Comet Remote Access Tool. The tool was caught, and my endpoint was protected all within just a few minutes without requiring a reboot. Thanks for watching this video.