How to Prevent Malware Infections with Machine Learning in CrowdStrike Falcon


In this document, we are going to focus specifically on how to use the machine learning capability of Falcon to prevent malware. Machine Learning allows Falcon to protect against known and unknown malware without using signatures. As a reminder, Falcon uses multiple methods to prevent and detect malware. Those methods include Machine Learning, but also exploit blocking, blacklisting and indicators of attack.


Navigate to the Policy

You can configure prevention features in the Configuration App. Once in the App, the default page is the Prevention Policy. Please note that you need Admin privileges to configure the prevention features on the Prevention App settings page. Chose to edit an existing policy by clicking on the icon on the right.

Prevention Policies Page 12-2018

Configure Machine Learning

Machine Learning allows Falcon to block malware without using signatures. Instead, it relies on mathematical algorithms to analyze files. The File Attribute Analysis provides machine learning analysis on file metadata, while Static File Analysis provides analysis on features extracted from executable files.

This represents a major shift in malware detection, because it allows you to determine when they want a file sample to be deemed malicious, finally giving you a way to control and fine-tune results to increase protection or reduce false positives.

CrowdStrike offers two options for machine learning – cloud and on sensor.  For each, notice that you can set up independent thresholds for detection and for prevention. So, you could, for example, choose to receive detection alerts for any suspicious files, even if it’s a just a little bit suspicious by selecting Aggressive. You can also choose to automatically receive detection alerts for suspicious files only if the machine learning is very sure that it’s malicious, by selecting Cautious. To edit those settings, click edit. Chose the setting you want. You can set prevention and detection separately to either Disabled, Cautious, Moderate, or Aggressive, but Logically, the Detection settings always have to be stronger or equal to the Prevention setting.

Click Save when you are done.

ML Toggles

The chart below provides descriptions and use cases for the specific machine learning settings.

Settings Description 12-2018

This is what a Machine Learning Block will display in the Falcon User Interface.



Using a unified array of methods for malware prevention is the best approach. Remember, Machine Learning  is a subset of Falcon, CrowdStrike’s next-generation endpoint protection solution. Machine Learning is one of the many methods used in the Falcon Platform to prevent and detect malware, and more widely, to stop breaches.

Falcon uses an array of methods to protect you against known malware, unknown malware and file-less malware. Those methods include:

  • Machine Learning
  • Exploit Blocking
  • Indicators of attack
  • Blacklisting and whitelisting

Falcon uniquely combines these powerful methods into an integrated approach that protects endpoints more effectively against both malware and breaches.

More resources

CrowdStrike Falcon Free Trial

Try CrowdStrike Free for 15 Days Get Started with A Free Trial