How to Replace Symantec with CrowdStrike

Introduction

This document and video will demonstrate the simple process to replace your Symantec deployment with CrowdStrike’s endpoint protection solution to gain better protection, better performance and better value.

 

Video

 

CrowdStrike Overview

CrowdStrike is a proven leader in endpoint security.  CrowdStrike has built the first cloud native endpoint security solution as an extensible platform that provides customers with proven NGAV prevention capabilities as well as a number of other modules. This provides customers with complete endpoint protection through a single lightweight agent and CrowdStrike’s event telemetry. Our award winning products are tried, tested and proven to stop breaches.

Migrating your environment from Symantec to CrowdStrike can be done in three simple steps.

  1. Install CrowdStrike in detect only mode
  2. Uninstall the Symantec agent
  3. Enable prevention mode for CrowdStrike

Installation Steps

1.  Install CrowdStrike in Detect Only Mode

It is not recommended to install CrowdStrike Falcon in prevention or blocking mode simultaneous with other AV solutions active on the endpoint. Instead, you can deploy CrowdStrike in detection only mode. This allows you to install CrowdStrike’s next generation AV solution on the endpoints without creating conflict with the existing Symantec solution for a seamless transition.

 

a.  In the CrowdStrike UI, go to the Configuration app and chose “Prevention Policies”.

menu prevention policy

 

b.  Then, click on “Add new policy”.

add new policy

 

c.  After giving the new detection policy a name and description, enable detection mode at your chosen level for next generation antivirus. You can elect a different levels for each of the three options: cloud machine learning, adware & PUP and sensor machine learning. In this case, prevention options should remain disabled. 

detection levels

 

d.  You can then create a group of hosts that should be assigned to that or any policy. In this case, we will want to create a group of systems that should initially receive the detection only policy. Go to the Hosts app and chose “Groups”.

 

e.  Then, click on “Add New Group”.

add new group

 

f.  After giving the new group a name and description, you can chose to make the group static or dynamic. The hosts in a static group can be manually added and removed. Dynamic groups use filters to automatically sort hosts into groups. You can elect different levels for each of the three options: cloud machine learning, adware & PUP and sensor machine learning.

 

g.  From the policy configuration screen, you can then assign your group of newly deployed systems to the detection only policy.

add groups to policy

 

h.  With the configuration complete, you are ready to install your first agent. The installer can be run while Symantec is still installed. With the detection only policy, there is no conflict having the two agents installed on the same system.

run install

 

i.  The Customer ID has to be entered, but that step can also be automated. The CrowdStrike agent does not require a reboot, complex tuning, or signature updates. It is always up to date and able to protect your endpoints without time consuming system scans.

install CID

 

j.  After installed, you can return to the Host Management and confirm that the system has been installed with the correct, detection only policy. Even in detection only mode, customers realize the immediate value of having visibility to the events on their endpoints.

confirm detect policy

2.  Uninstall the Symantec Agent 

For an organization wide removal, Group Policy, SCCM, or other utilities will likely be used to remove the Symantec agent from the production environment. To remove Symantec from an individual host, utilize the “Add/Remove Programs” feature in the Windows Control Panel. Select the Symantec agent and then select the “uninstall” option that appears above the list of installed programs.  

symantec uninstall

Note: A reboot after uninstall is generally recommended. You can also verify that the uninstall was successful in the Action Center.  Open the Action Center and navigate to the Control Panel -> System and Security -> Action Center.

 

3.  Enable Prevention Mode for CrowdStrike

To enable prevention mode, you have two options. You can edit your original, “detection only” policy to turn on preventions for all hosts under that policy. However, many organizations prefer a phased approach. We will walk through the phased approach by  migrating systems to a second, prevention enabled policy.

 

a.  We will follow the steps outlined in 1a and 1b to create a new prevention enabled policy. However, for this policy, we will enable prevention for cloud machine learning, adware & PUP and sensor machine learning.

turn on prevention policy

 

b.  There are also options to enable file quarantine and a number of other options including execution blocking and behavioral based preventions. These options can be enabled as desired.

turn on quarantine

 

c.  After saving and enabling the new policy, create and assign a group of hosts as outlined in steps 1d through 1g.

add group for prevention

 

d.  Once your system has been moved to the prevention group and policy, you will see the new policy applies in the Host Management app. This system is now protected by CrowdStrike’s proven, next generation antivirus solution.

confirm prevention policy

 

e.  Finally, you can look back to the endpoint and confirm that CrowdStrike Falcon is now the registered antivirus protection for the system.

security center

 

Conclusion

In this article we demonstrated a three step process to replace Symantec with CrowdStrike. We first deployed CrowdStrike in detection only mode to run alongside the Symantec agent. Second, we removed the Symantec agent. And finally, we enabled preventions for CrowdStrike.

CrowdStrike’s cloud native platform delivers proven prevention capabilities along with many other modules through one lightweight agent. Not only is it easy to replace Symantec with CrowdStrike, but organizations will ultimately benefit from better protection, better performance and better value.

More resources

CrowdStrike Falcon Free Trial
 

Try CrowdStrike Free for 15 Days Get Started with A Free Trial