How to Prevent Malware Infections with Machine Learning in CrowdStrike Falcon

Introduction

In this document we focus specifically on how to use the machine learning capability of Falcon to prevent malware. Machine learning allows Falcon to protect against known and unknown malware without using signatures. As a reminder, Falcon uses multiple methods to prevent and detect malware: machine learning, but also exploit blocking, blacklisting and indicators of attack.

Instructions

1: Go to the prevention settings of the Falcon User Interface

You can configure prevention features in the Configuration App; its default page is the Prevention Policy. Note that you need Admin privileges to change the prevention features on the Prevention Policy settings page. Configuration changes propagate almost immediately, taking only a couple of seconds to reach the endpoints.

[Screenshot: Prevention Policy page]

2: Configure Machine Learning

Let’s start by configuring Machine Learning. Machine Learning allows Falcon to block malware without using signatures; instead it relies on mathematical models to analyze files. File Attribute Analysis applies machine learning to file metadata, while Static File Analysis applies it to features extracted from the executable file itself.

This represents a major shift in malware detection, because it lets you decide how confident the model must be before a file sample is deemed malicious, giving you a way to control and fine-tune results to increase protection or reduce false positives.

Notice that you can set independent thresholds for detection and for prevention. For example, you could choose to receive detection alerts for any suspicious file, even one that is only slightly suspicious, by selecting Aggressive. Or you could choose to receive detection alerts only when the machine learning model is very sure a file is malicious, by selecting Cautious. To edit these settings, click Edit and choose the setting you want. Prevention and detection can each be set to Disabled, Cautious, Moderate, or Aggressive, but the Detection setting must always be at least as strong as the Prevention setting: the sensor should never block a file that it would not also detect and report, since the block would otherwise produce no alert.
Click Save when you are done.
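To make the two-slider model concrete, here is an added Python example (not CrowdStrike code, and it does not talk to the Falcon API or sensor). It models one analysis feature with a detection level and a prevention level, enforces the rule from the text that detection must be at least as strong as prevention, and shows what happens to a file at a given model confidence score. The four level names come from the page; the numeric confidence cut-offs assigned to each level, the sample file names and their scores are hypothetical, constructed for illustration, since Falcon does not publish its internal thresholds.

```python
"""Model of Falcon's two machine-learning thresholds (detection and prevention).

Added example: this is not CrowdStrike code and does not call the Falcon API.
The four level names come from the Falcon UI; the numeric score cut-offs
assigned to them are hypothetical stand-ins for the internal ML confidence
thresholds, which Falcon does not publish.
"""
from dataclasses import dataclass

# Level names in increasing order of strictness (from the Falcon UI).
LEVELS = ("Disabled", "Cautious", "Moderate", "Aggressive")

# Hypothetical: minimum ML "maliciousness" confidence (0.0-1.0) at which a
# level fires. Aggressive fires on a slightly suspicious file; Cautious only
# when the model is very sure. Disabled never fires.
THRESHOLDS = {
    "Disabled": None,
    "Cautious": 0.90,
    "Moderate": 0.70,
    "Aggressive": 0.40,
}


@dataclass(frozen=True)
class MLPolicy:
    """One analysis feature (e.g. File Attribute Analysis) with both levels set."""
    feature: str
    detection: str
    prevention: str

    def __post_init__(self):
        for lvl in (self.detection, self.prevention):
            if lvl not in LEVELS:
                raise ValueError(f"{self.feature}: unknown level {lvl!r}")
        # Rule from the text: detection must be at least as strong as
        # prevention. A block that is not also a detection would leave the
        # analyst with no alert explaining why the file did not run.
        if LEVELS.index(self.prevention) > LEVELS.index(self.detection):
            raise ValueError(
                f"{self.feature}: prevention {self.prevention!r} is stronger "
                f"than detection {self.detection!r}; raise detection first"
            )

    @staticmethod
    def fires(level, score):
        """True when a threshold at `level` triggers for confidence `score`."""
        cutoff = THRESHOLDS[level]
        return cutoff is not None and score >= cutoff

    def evaluate(self, score):
        """Outcome for a file the ML model scored `score`."""
        if self.fires(self.prevention, score):
            return "blocked"    # prevention fires; detection necessarily fires too
        if self.fires(self.detection, score):
            return "detected"   # alert only, the file is allowed to run
        return "allowed"


def policy_is_valid(detection, prevention):
    """True when the pair of levels respects detection >= prevention."""
    try:
        MLPolicy("check", detection, prevention)
    except ValueError:
        return False
    return True


def demo():
    """Alert-on-anything-suspicious, block only at moderate confidence."""
    pol = MLPolicy("Static File Analysis", detection="Aggressive", prevention="Moderate")
    # Constructed sample scores, not real Falcon output.
    samples = {
        "clean_utility.exe": 0.10,
        "packed_dropper.exe": 0.55,
        "known_rat.exe": 0.95,
    }
    return {name: pol.evaluate(score) for name, score in samples.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
    print("Cautious/Aggressive valid?", policy_is_valid("Cautious", "Aggressive"))
```

The `demo()` configuration is the common tuning pattern the text describes: an aggressive detection level surfaces everything the model finds even slightly suspicious for triage, while a more conservative prevention level keeps false-positive blocks down. Swapping the levels (detection Cautious, prevention Aggressive) is rejected at construction time for the same reason the Falcon UI refuses it.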

[Screenshot: File Attribute Analysis settings]

[Screenshot: Static File Analysis settings]

3: Settings Descriptions

[Screenshot: descriptions of the Machine Learning settings]

This is how a Machine Learning block is displayed in the Falcon user interface.

[Screenshot: Machine Learning block alert]

Conclusion

Using a unified array of methods for malware prevention is the best approach. Remember, Machine Learning is one component of Falcon, CrowdStrike’s next-generation endpoint protection solution: one of the many methods the Falcon platform uses to prevent and detect malware and, more widely, to stop breaches.

Falcon uses an array of methods to protect you against known malware, unknown malware and file-less malware. Those methods include:

  • Machine Learning
  • Exploit Blocking
  • Indicators of attack
  • Blacklisting and whitelisting

Falcon uniquely combines these powerful methods into an integrated approach that protects endpoints more effectively against both malware and breaches.
