After logging into Falcon for the first time, you’ll see a brief orientation and then be guided to download the Falcon sensor.
Installing Falcon Prevent is a lot easier than installing standard antivirus solutions. Falcon Prevent is cloud-delivered, so the backend infrastructure is already up and running; you do not need to set up a management console. The installation process is the same whether you are installing on a workstation, server, laptop, virtual instances on-premise or virtual instances in the cloud.
*Note that while Falcon supports Windows, macOS, and Linux, this trial does not include Linux. To learn more about protecting your Linux systems, please contact us.
We recommend installing on a typical laptop or desktop in your organization that is connected to the Internet. There is no malware used in this scenario, but we will start in full prevention mode.
IMPORTANT: Before you begin, be sure to uninstall your existing AV solution. Later, we will review how using “detect only” mode allows for coexistence and easy deployment transitions.
1. Installing the Sensor
Navigate to the Download page.
a. Click the Download button and copy the Customer ID checksum (you’ll need this during the install).
b. Run the sensor installer on your device in one of these ways:
Double-click the .pkg file, or
Run this command at a terminal, replacing <installer_filename> with the path and file name of your installer package.
sudo installer -verboseR -package <installer_filename> -target /
c. When prompted, enter administrative credentials for the installer.
macOS 10.13 High Sierra and later: Apple requires kernel extensions to be approved before being loaded. We recommend that you use Apple’s MDM to approve the com.crowdstrike.sensor kernel extension before installing.
*Note: If you are using an MDM, you can follow the installation process described in our support portal.
Manual Kext Approval
This scenario is also applicable if your MDM (Mobile Device Management) doesn’t support kext whitelisting or you use DevOps/scripts to deploy the product.
After entering the credentials for installation, you're prompted to approve the kernel extension from the Security & Privacy pane, as shown on the right.
When this screen is displayed, the end user must approve the kernel extension from CrowdStrike. If you don't see the prompt, approve the kernel extension from System Preferences:
- On the Mac where you’re installing the sensor, click the upper-left Apple icon > System Preferences
- Click Security & Privacy
- On the General tab, click Allow to approve the CrowdStrike kernel extension
Note: If you don’t see this approval option, restart the machine to get the approval prompt again.
2. Grant Full Disk Access
Grant Full Disk Access to Falcon on the host:
- Open Apple System Preferences
- Open Security & Privacy
- Select the Privacy tab
- If privacy settings are locked:
  - Click the lock icon in the lower-left corner
  - Enter your device password
- In the left pane, select Full Disk Access
- In the right pane, click the + icon
- Navigate to /Library/CS/falcond
(use Cmd-Shift-G in dialog to type in path)
- Click Open
- Click Quit Now
- Click the lock in the lower-left corner to re-lock privacy settings
3. License the Sensor
Open a terminal and run the licensing command as part of installation, including the --password parameter (replace 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX with your CID):
sudo /Library/CS/falconctl license 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX --password
When prompted, enter your local machine’s admin password.
When prompted, confirm the password.
4. Check Components Installed
To see a list of the kernel extensions installed with the CrowdStrike sensor, run this command at a terminal:
kextstat | grep crowd
The output shows the com.crowdstrike.sensor kernel extension:
190 0 0xffffff7f8351e000 0xef000 0xef000 com.crowdstrike.sensor (53.03) F356DB5C-40443DD9-810E-0620678E4A20 <189 43 7 5 4 3 2 1>
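For scripted deployments, the same check can match the bundle ID exactly and return a status code instead of relying on a substring grep. This is an added example, not CrowdStrike tooling: the function names are hypothetical, and the header and first row of the sample data are constructed (the last row is the output shown above). On a Mac, feed it live data with `kextstat | check_sensor`.

```shell
#!/bin/sh
# Post-install check for deployment scripts (added example).
# Both functions read `kextstat` output on stdin.

SENSOR_KEXT="com.crowdstrike.sensor"   # bundle ID named on this page

# Print the version of bundle ID $1 if it is loaded; return 1 otherwise.
# Compares the Name column exactly, so an unrelated kext whose name merely
# contains "crowd" cannot satisfy the check the way `grep crowd` would.
kext_version() {
    awk -v id="$1" '
        $6 == id {
            v = $7
            gsub(/[()]/, "", v)      # "(53.03)" -> "53.03"
            print v
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }
    '
}

# One-line status suitable for a deployment log; non-zero on failure.
check_sensor() {
    if ver=$(kext_version "$SENSOR_KEXT"); then
        echo "OK: $SENSOR_KEXT loaded, version $ver"
    else
        echo "FAIL: $SENSOR_KEXT not loaded (is kext approval still pending?)"
        return 1
    fi
}

# Sample input. Header and first row are constructed for illustration;
# the last row is the kextstat line quoted on this page.
SAMPLE_KEXTSTAT='Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
  189    1 0xffffff7f83500000 0x1000     0x1000     com.example.crowdcontrol (1.0) 00000000-0000-0000-0000-000000000000 <5 4 3 1>
  190    0 0xffffff7f8351e000 0xef000    0xef000    com.crowdstrike.sensor (53.03) F356DB5C-40443DD9-810E-0620678E4A20 <189 43 7 5 4 3 2 1>'
```

A failing result right after install usually means the kernel extension has not yet been approved, so the script can prompt for the approval step rather than continue to licensing.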
5. Confirm that the sensor is running
Run this command at a terminal:
6. Verify sensor visibility in the cloud
In the Falcon Interface go to Host Management and verify that you see your hostname listed. The “Prevention Policy” column should show “platform_default” as the assigned policy. In some cases, it might take a few minutes before you see your host fully registered.
7. Generate your first detection
To see an example of what a detection alert looks like in Falcon Prevent, run a harmless test command on your computer:
a. Open a terminal
b. Type or copy and paste this command: