How to use Uninstall Protection for the Falcon Agent
The greatest minds in cybersecurity are at Fal.Con in Las Vegas, Sept. 18-21.
Register now to build skills at hands-on workshops and learn from skilled threat hunters.
Introduction
Crowdstrike offers an easy to use Uninstall Protection process for the Falcon Agent. Uninstall Protection can be controlled by policy, making it easier to lock down sensitive devices. Once enabled in the policy, helpdesk teams can provide one-time device-specific maintenance tokens as needed. Uninstall Protection also adds a layer of protection that prevents unauthorized users from removing the sensor.
Maintenance Manager Role
The “Maintenance Manager” role is available which grants permission to access the maintenance tokens. This role must be enabled against the Falcon user’s account in order to obtain maintenance tokens or manage policy related to Uninstall Protection.
Uninstall Protection Policy
Within the Falcon Update Policy, Sensor Uninstall Protection is configurable (Configuration > Sensor Update Policies > [Policy] > Sensor Protection). With this policy applied to our devices, an uninstall will now require a token to complete.
Falcon Uninstall Workflow with Protection Enabled
To simplify the management of protected Falcon Agent installations, maintenance tokens can be accessed from the Hosts app. Navigate to Host App > Host Management, then select the host of interest and click “Reveal maintenance token” and you are presented with the one-time maintenance token, which can be given to the end-user/technician updating or uninstalling the Falcon Agent.
Even if the device is offline, the token will allow the uninstall/update to proceed.
When Uninstall Protection is enabled and an uninstall is initiated, users are presented with the setup dialog and are required to input the token obtained from the Falcon UI.
Windows
Open add/remove programs and select the Falcon Agent, and click uninstall:
Mac OS
# Uninstall Falcon Agent sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall --maintenance-token INPUT_YOUR_TOKEN
Further Reading on Uninstall Steps
For a full listing of commands and scenarios, see the Deployment guide for Windows and Mac OS.
https://falcon.crowdstrike.com/support/documentation/23/falcon-sensor-for-windows-deployment-guide
https://falcon.crowdstrike.com/support/documentation/22/falcon-sensor-for-mac-deployment-guide
If you are interested in enabling uninstall protection but also require manual updates of the Falcon Agent, please see: our article on How to configure Manual Updates.
API
Through use of the Falcon API’s, the Uninstall Protection workflow can be integrated into any existing processes to make things easier. For example, Maintenance tokens can be accessed programmatically over the Falcon API in conjunction with your internal ticketing system. Additionally the Sensor Update Policies can be modified over the Falcon API in the event that you already integrate with the Sensor Update Policy modifications.
Conclusion
Uninstall protection prevents unauthorized users from uninstalling the Falcon Agent, but also streamlines the workflow for helpdesk teams to uninstall the Falcon Agent in the case of necessary maintenance.
