INSTALLATION GUIDE

The installation process is the same whether you are installing on a workstation, server, laptop, virtual instances on-premise or virtual instances in the cloud.

Step-by-step instructions

Estimated Time

10 minutes

Requirements

Typical device, Mac or Windows OS and Google Chrome browser

While we can coexist with another AV solution in Detect Only Mode, our trial is set for prevention. We therefore recommend uninstalling your existing AV solution when testing with the default settings.

An approved trial is required in order to utilize this guide. If you have not registered yet, please do so here.

Windows
Mac

1. Download and install the Falcon sensor


  • Navigate to the Sensor Downloads page.
  • Copy the Customer ID checksum (you’ll need to enter this value when installing).
  • Click the Download button.

  • Run the downloaded installer on the target computer to begin the installation process.
  • Accept the license agreement and paste the customer ID checksum you copied earlier.
  • Click Install to continue.

Falcon keeps a low profile: it does not show a system tray icon on Windows or an application on Mac. You can confirm in the Falcon interface that your newly installed sensor is running and has connected to the cloud.

2. Verify the sensor installation in the Falcon interface


  • Verify that you see the test computer’s hostname listed. The Prevention Policy column should show platform_default as the assigned policy.
  • In some cases, it might take a few minutes before you see your host; refresh the page if needed.

3. Verify registered AV


Within Windows, you can verify that Falcon Prevent is the active anti-virus product for the system.

  • Locate the Security and Maintenance section of the Windows Control Panel.
  • Depending on your version of Windows, it may be easiest to search for Security and maintenance.
  • Review the Security Section. You may need to dismiss existing notifications and/or expand the Security Section in order to locate the Virus protection section.
  • Confirm that CrowdStrike Falcon is listed under Virus protection.

This step does not apply to Windows Server installations: Windows Server does not feature a control panel module that shows virus protection status.

4. Adding team members (optional)


  • If you would like to add additional team members to your account, you can do so under the User Management section.
  • Click the plus sign in the top right corner, complete the user’s information and select their role.

You can only add users with the same email domain as the one you used to register for the trial. If you need to add additional email domains, you can do so after purchasing.

  • After clicking add user, you should see this new user under Users.


Mac

1. Download and install the Falcon sensor


We strongly recommend you use an MDM solution to distribute the profile we provide to your endpoints prior to the deployment process. See Recommended installation method: using an MDM to sync profiles. If you prefer not to use an MDM, you can follow the steps below to install manually.

  • Navigate to the Sensor Downloads page.
  • Copy the Customer ID checksum (you’ll need to enter this value when installing).

  • Run the sensor installer on your device using one of these two methods: double-click the .pkg file, or run this command at a terminal, replacing <installer_filename> with the path and file name of your installer package:
    sudo installer -verboseR -package <installer_filename> -target /
  • When prompted, enter your local machine’s admin password.


For macOS Mojave 10.14 through macOS Catalina 10.15, after entering the credential for installation, you’re asked to approve the kernel extension on each host. The Apple message on the host identifies the CrowdStrike kernel extension as a blocked system extension signed by CrowdStrike Inc. For macOS Big Sur 11.0 and later, scroll to the next Note.

  • In the message, click Open Security Preferences. If the message no longer appears on the host, click the Apple icon and open System Preferences, then click Security & Privacy.
  • On the General tab, click Allow to allow the CrowdStrike kernel extension.
  • Kernel extension approval is required only once. If the Falcon sensor is subsequently reinstalled or updated, you will not see another approval prompt.

This approval prompt is only present in the Security & Privacy preferences pane for 30 minutes after the alert. Until the user approves the kernel extension, future load attempts will cause the approval prompt to reappear but will not trigger another user alert. If you don’t see this approval option, restart the machine to get the approval prompt again.

  • Run falconctl, installed with the Falcon sensor, to provide your customer ID checksum (CCID). This command is slightly different if you’re installing with uninstall protection. In this example, replace 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX with your CID, the string that you copied in the first bullet point:
    sudo /Applications/Falcon.app/Contents/Resources/falconctl license 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX

For macOS Big Sur 11.0 and later, after providing your CID with the license command, you’re asked to approve the system extension on each host.

  • In the message, when asked to filter network content, click Allow.
  • When the System Extension Blocked message appears, click Open Security Preferences.
  • On the General tab, click Allow to allow the Falcon system extension. You may need to click the lock icon to enable you to make security changes.
  • If you do not approve the Falcon system extension when prompted on the host and see the system extension block message, run the falconctl load command to load Falcon again and show the prompts on the host for approval:
    sudo /Applications/Falcon.app/Contents/Resources/falconctl load

 

2. Grant Full Disk Access


Full Disk Access is recommended for Mojave and required for Catalina and later. You must grant Full Disk Access on each host. Administrator account permission is required.

  • Provide full disk access to falcond on the host: open Apple System Preferences > Security & Privacy.
  • Select the Privacy tab. If privacy settings are locked, click the lock icon in the lower-left corner and enter your device password.
  • In the left pane, select Full Disk Access.
  • In the right pane, click the + icon. Navigate to /Library/CS/falcond (use Cmd-Shift-G in the dialog to type in the path).
  • Click Open. Click Quit Now.
  • Click the lock in the lower-left corner to re-lock privacy settings.

3. Confirm that the sensor is running


  • Run this command at a terminal: sudo /Applications/Falcon.app/Contents/Resources/falconctl stats
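The manual Mac steps above (install the package, supply the CID, confirm the sensor) as a script. This is an added example, not CrowdStrike's own tooling: it prints each command unless FALCON_APPLY=1 is set, the function names and FALCON_APPLY are hypothetical, and the CID shape check (32 characters, a hyphen, 2 characters) is an assumption taken from the sample value in this guide.

```sh
#!/bin/sh
# Added example, not CrowdStrike code. Dry run by default: each step is
# printed. Set FALCON_APPLY=1 on the Mac itself to execute the steps.

FALCONCTL=/Applications/Falcon.app/Contents/Resources/falconctl
SAMPLE_CID=0123456789ABCDEFGHIJKLMNOPQRSTUV-WX   # placeholder from this guide

# Succeeds only for a value shaped like the guide's sample (assumed shape:
# 32 characters, a hyphen, 2 checksum characters) that is not the sample.
valid_cid() {
    [ "$1" != "$SAMPLE_CID" ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Za-z]{32}-[0-9A-Za-z]{2}$'
}

# Print the command (dry run) or execute it (FALCON_APPLY=1).
run_step() {
    if [ "${FALCON_APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Step 1: install the package, then hand the CID to falconctl.
# Return codes: 2 bad installer path, 3 bad CID, 4/5 a step failed.
falcon_install() {
    pkg=$1
    cid=$2
    case $pkg in
        *.pkg) ;;
        *) echo "not a .pkg file: $pkg" >&2; return 2 ;;
    esac
    [ -f "$pkg" ] || { echo "installer not found: $pkg" >&2; return 2; }
    valid_cid "$cid" || { echo "CID malformed or still the sample" >&2; return 3; }
    run_step sudo installer -verboseR -package "$pkg" -target / || return 4
    run_step sudo "$FALCONCTL" license "$cid" || return 5
}

# Step 3: run after the extension approval and Full Disk Access prompts
# have been handled on the host.
falcon_check() {
    run_step sudo "$FALCONCTL" stats
}

# Usage: sh falcon_install.sh <installer.pkg> <CID>
if [ $# -eq 2 ]; then
    falcon_install "$1" "$2"
fi
```

The approval prompts and Full Disk Access still have to be handled on the host between falcon_install and falcon_check.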

4. Verify sensor visibility in the cloud


  • In the Falcon Interface go to Host Management and verify that you see your hostname listed.
  • The “Prevention Policy” column should show “platform_default” as the assigned policy.
  • In some cases, it might take a few minutes before you see your host fully registered.

5. Generate your first detection


  • To see an example of what a detection alert looks like in Falcon Prevent, run a harmless test command on your computer:
  • Open a terminal.
  • Type or copy and paste this command: /bin/echo crowdstrike_sample_detection

  • Switch back to the Falcon Interface and go to Detections to inspect the new alert.

TAKE-AWAYS

In this section, you downloaded and installed Falcon Prevent. Did you notice that the sensor was small, took very little time to download, and didn’t require a reboot?

This is because CrowdStrike’s unique architecture allows us to provide all the functionality of a traditional antivirus solution while consuming a fraction of the system resources.

Next, let’s look at the Falcon interface to see how detections will appear.

WAS THIS SECTION HELPFUL?

Your feedback is highly appreciated and will help us to improve our ability to serve you and other users of our web sites. Please send feedback about this section of the trial guide to falcontrial@crowdstrike.com.