Our website uses cookies to enhance your browsing experience.



After logging into Falcon for the first time, you’ll see a brief orientation and then be guided to download the Falcon sensor.

Installing Falcon Prevent is a lot easier than installing standard antivirus solutions. Falcon Prevent is cloud-delivered, so the backend infrastructure is already up and running; you do not need to set up a management console. The installation process is the same whether you are installing on a workstation, server, laptop, virtual instances on-premise or virtual instances in the cloud.

Frequently Asked Questions

*Note that while Falcon supports Windows, macOS, and Linux, this trial does not include Linux. To learn more about protecting your Linux systems, please contact us.

We recommend installing on a typical laptop or desktop in your organization that is connected to the Internet. There is no malware used in this scenario, but we will start in full prevention mode.

IMPORTANT: Before you begin, be sure to uninstall your existing AV solution. Later, we will review how using “detect only” mode allows for coexistence and easy deployment transitions.

Step-by-Step Instructions

1. Installing the Sensor

Navigate to the Download page.

a. Click the Download button and copy the Customer ID checksum (you’ll need this during the install).

b. Run the sensor installer on your device in one of these ways:

Double-click the .pkg file, or
Run this command at a terminal, replacing with the path and file name of your installer package.
sudo installer -verboseR -package -target /

c. When prompted, enter administrative credentials for the installer.

macOS 10.13 High Sierra and later: Apple requires kernel extensions to be approved before being loaded. We recommend that you use Apple’s MDM to approve the com.crowdstrike.sensor kernel extension before installing.

*Note if you are using an MDM you can follow the installation process noted in our support portal located here.

Manual Kext Approval

This scenario is also applicable if your MDM (Mobile Device Management) doesn’t support kext whitelisting or you use DevOps/scripts to deploy the product.

After entering the credential for installation, you’re prompted to approve kernel extension from Security & Privacy pane as shown on the right.

When this screen is displayed the end-user must approve the kernel extension from CrowdStrike. If you don’t see the prompt, approve the kernel extension from System Preferences:

  • On the Mac where you’re installing the sensor, click the upper-left Apple icon > System Preferences
  • Click Security & Privacy
  • On the General tab, click Allow to approve CrowdStrike kernel extension

Note: If you don’t see this approval option, restart the machine to get the approval prompt again.

2. Grant Full Disk Access

Provide full disk access to falcon on the host:

  • Open Apple System Preferences
  • Open Security & Privacy
  • Select the Privacy tab
  • If privacy settings are locked
  • Click the lock icon in the lower-left corner
  • Enter your device password
  • In the left pane, select Full Disk Access
  • In the right pane, click the + icon
  • Navigate to /Library/CS/falcond
    (use Cmd-Shift-G in dialog to type in path)
  • Click OpenClick Quit Now
  • Click the lock in the lower-left corner to re-lock privacy settings

3. License the Sensor

When running the licensing command as part of installation, open a terminal.

Include the parameter --password: sudo /Library/CS/falconctl license 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX --password (replacing 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX with your CID)

When prompted, enter your local machine’s admin password.

When prompted, confirm the password.

4. Check Components Installed

To see a list of the kernel extensions installed with the CrowdStrike sensor, run this command at a terminal:

kextstat | grep crowd

The output shows the com.crowdstrike.sensor kernel extension:

190 0 0xffffff7f8351e000 0xef000 0xef000 com.crowdstrike.sensor (53.03) F356DB5C-40443DD9-810E-0620678E4A20 <189 43 7 5 4 3 2 1>

5. Confirm that the sensor is running

Run this command at a terminal:
sysctl cs

6. Verify sensor visibility in the cloud

In the Falcon Interface go to Host Management and verify that you see your hostname listed. The “Prevention Policy” column should show “platform_default” as the assigned policy. In some cases, it might take a few minutes before you see your host fully registered.

7. Generate your first detection

To see an example of what a detection alert looks like in Falcon Prevent, run a harmless test command on your computer:

a. Open a terminal

b. Type or copy and paste this command:
/bin/echo crowdstrike_sample_detection

c. Switch back to the Falcon Interface and go to Detections to inspect the new alert.