This document will cover the simple steps of replacing your traditional antivirus (AV) vendor with CrowdStrike.
Falcon’s versatility as a next-gen antivirus (NGAV), endpoint detection and response (EDR) or cyber threat intelligence product makes it a good fit to install alongside other security technologies. For example, if you have an existing AV solution in place and would like to add Falcon Insight or Falcon X, it can easily be installed to provide those additional layers.
However, it is not recommended to run CrowdStrike Falcon in prevention or blocking mode at the same time as another AV solution that is also in blocking mode.
If you are adding a Falcon solution alongside your existing security product, it is recommended that you install Falcon with a DETECT ONLY policy (the default policy). For more information on policies, see the article on the tech center here regarding policy configuration. Below is an example of a policy with preventions disabled. This policy can safely be installed alongside other AV solutions; however, reliance on the traditional AV solution should be temporary. Next we’ll illustrate removing the old solution and implementing a blocking policy in Falcon.
For an organization-wide removal, Group Policy, SCCM, or other deployment utilities will be used to remove the old application from the production environment. To remove another AV vendor from an individual host, use the “Add/Remove Programs” feature in the Windows Control Panel and uninstall the application.
Select the previous AV vendor and then select the “uninstall” option that appears above the list of installed programs. Different vendors may have additional steps or multiple applications that will need to be removed.
Note: In the case of McAfee, uninstall the McAfee Agent last, removing all the other installed programs first. In our experience this order is the most effective. Some vendors may require a reboot.
After a reboot, if one was required, verify that the uninstall was successful in the Action Center: open Control Panel -> System and Security -> Action Center.
Under “Virus Protection” and “Spyware and Unwanted Software protection” CrowdStrike should be the only listed vendor.
Next, change the policy in Falcon from a detection-only policy to prevention and detection. This change should be made only after testing on a subset of systems in your organization to ensure the desired level of information is received in the Falcon console.
Verify that the policy changes apply to the group of systems intended by clicking on the “current members” tab at the top of the policy configuration page.
Before leaving any page, make sure the changes are saved and that the policy has been enabled. While policy changes are in effect relatively quickly, moving machines from one policy to a new or different policy may take more time.
You should now have a good idea of how to run in parallel or replace your existing endpoint security product with CrowdStrike’s Falcon Prevent and Falcon Insight.
How to replace traditional AV with CrowdStrike
CrowdStrike offers additional visibility and EDR capability beyond what most traditional AV solutions can offer. This makes Falcon an attractive product to run alongside other AV products. To make the product more flexible and meet the needs of customers, Falcon offers AV, EDR, IT Hygiene and Intel solutions either as stand-alone products or as a bundle.
In this situation we have a traditional AV product installed with CrowdStrike. This scenario is great for those who may still be under contract with their existing solution but would like to add CrowdStrike’s market leading EDR solution for additional visibility.
We can clearly see that an AV solution is installed on this host and that the same host is also in the Falcon console. But I’d like to point out an important detail. In the Policy page we have a policy called “Detect Mode”, and looking at the details of this policy, only the detection capabilities are enabled. This matters because of Falcon’s prevention capabilities: if there are two AV solutions on the same host, both with prevention or blocking capabilities, this may create a race condition that causes problems.
In situations where you’d like to replace an existing solution, the recommended order is to install Falcon with a detect-only policy, then uninstall the old AV solution. In this case I’m just going to the Programs and Features section, choosing “Uninstall or change a program”, and removing the old solution.
In most cases a reboot is required after the old solution has been uninstalled. Once the host is up, we’ll go back to the Falcon UI and into the Detect Mode policy. Toward the top of the page there is a “Current Members” tab where we can see the members of the policy and also remove them by selecting the system and clicking the “Unassign from Policy” button.
Once that has been completed, assign the host to your desired policy. In this case I have chosen the platform default. To visually confirm that the system has been correctly assigned, select your desired policy and then the “Current Members” tab toward the top. You can filter by hostname at the top or use the faceted search criteria provided; in our case the host is the first in the list.
Back on the host itself, opening the Action Center, we can see that CrowdStrike is now listed as the virus and spyware protection.
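Both the removal steps above (uninstall the old vendor, reboot, confirm in the Action Center that CrowdStrike is the only listed vendor) and the walkthrough that ends here rely on a visual check of one host. The following PowerShell script is an added example, not part of the CrowdStrike article, that performs the same check programmatically so it can be run across a fleet before switching a policy to prevention: it lists every vendor still registered with Windows Security Center (the same list the Action Center displays), and it enumerates the Add/Remove Programs entries belonging to the old vendor so that "multiple applications that will need to be removed" are not missed. Assumptions: a Windows client OS that exposes the root/SecurityCenter2 WMI namespace (it is absent on Windows Server); the display-name patterns 'CrowdStrike*' and 'McAfee*' are placeholders to adjust to what your hosts actually show; and the decoding of productState follows the widely used but undocumented interpretation noted in the comments.

```powershell
# Added example (not CrowdStrike's own code): post-uninstall verification of registered AV vendors.

function Get-RegisteredAntivirus {
    # Windows Security Center keeps the vendor list that the Action Center shows under "Virus protection".
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            # productState is a packed integer. Assumption (commonly used, undocumented decoding):
            # hex byte 2 = 10/11 means real-time protection enabled, hex byte 3 = 00 means signatures current.
            $hex = '{0:X6}' -f [int]$_.productState
            [pscustomobject]@{
                Name         = $_.displayName
                Enabled      = $hex.Substring(2, 2) -in @('10', '11')
                UpToDate     = $hex.Substring(4, 2) -eq '00'
                ProductState = "0x$hex"
                Executable   = $_.pathToSignedProductExe
            }
        }
}

function Get-InstalledProgramsByVendor {
    # Lists Add/Remove Programs entries whose name matches the old vendor, from both 64-bit and 32-bit views,
    # so leftover components (agents, helper packages) are visible before and after the uninstall.
    param([Parameter(Mandatory)][string]$NamePattern)   # e.g. 'McAfee*' (placeholder)
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

function Test-AntivirusReplacement {
    # Returns $true only when the expected vendor is registered and enabled and no other vendor is still
    # enabled. Windows Defender typically stays registered in a disabled state once a third-party AV
    # registers, so it is reported but does not fail the check unless it is enabled.
    param(
        [string]$ExpectedPattern = 'CrowdStrike*',   # placeholder: match your sensor's display name
        [string]$OldVendorPattern = 'McAfee*'        # placeholder: the vendor being removed
    )
    $registered = @(Get-RegisteredAntivirus)
    $expected   = @($registered | Where-Object { $_.Name -like $ExpectedPattern })
    $others     = @($registered | Where-Object { $_.Name -notlike $ExpectedPattern })
    $leftovers  = @(Get-InstalledProgramsByVendor -NamePattern $OldVendorPattern)

    Write-Host "Registered AV products on $env:COMPUTERNAME:"
    $registered | Format-Table Name, Enabled, UpToDate, ProductState -AutoSize | Out-String | Write-Host
    if ($leftovers.Count -gt 0) {
        Write-Host "Add/Remove Programs entries still present for '$OldVendorPattern':"
        $leftovers | Format-Table DisplayName, DisplayVersion -AutoSize | Out-String | Write-Host
    }

    $ok = ($expected.Count -eq 1) -and $expected[0].Enabled -and
          -not ($others | Where-Object { $_.Enabled }) -and ($leftovers.Count -eq 0)
    if ($ok) { Write-Host 'OK: only the expected vendor is enabled; safe to move this host to a prevention policy.' }
    else     { Write-Host 'NOT READY: another AV product is still enabled or installed; finish the uninstall first.' }
    return $ok
}

# Usage: run on the host after the reboot that follows the uninstall.
Test-AntivirusReplacement -ExpectedPattern 'CrowdStrike*' -OldVendorPattern 'McAfee*'
```

The script deliberately reports and never removes anything: the uninstall itself stays with Add/Remove Programs or your deployment tooling as described above, and the boolean result is what a Group Policy or SCCM compliance check would consume to decide which hosts are ready to be moved out of the detect-only policy.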