How To Read
The intent of the CSAV tool is to recognize the registered system's antivirus product, monitor it for resource usage (disk space used, maximum CPU usage, RAM usage, etc.) and compare the obtained values to those recorded for other AV products.
When a non-CrowdStrike antivirus product is registered on the system, results obtained from monitoring that product will be compared to values previously recorded for CrowdStrike Falcon.
When CrowdStrike Falcon is instead the primary solution on the system, values obtained from monitoring that will be compared to values previously recorded for all other antivirus products.
When you click the CSAV Resource Usage Test - Start button to begin monitoring, the tool queries the Windows Security Center for the registered antivirus product on the system through use of an "official" (although largely undocumented) API (Application Programming Interface).
Once the registered AV is known, the tool can monitor it for resource usage, which includes:
- Determining how much disk space the AV application takes up.
- Monitoring the RAM usage of the components of the product.
- Monitoring the CPU usage of the components of the product.
Once the product has been monitored for a period of time (30 seconds, although you can choose to stop it at any time):
- Various statistics are calculated and sent to a cloud service (ThingSpeak).
- Data from the same cloud service is then queried and compared against the data taken during the run.
- Visual cues are then displayed to show how the AV product on the user's system compares to others that we have previously monitored and recorded in the cloud.
- An overall Resource Score is presented to the user.
The following fields are shown during the active resource monitoring process (after clicking Start).
Under the Antivirus Details group:
To determine this information, we calculate the sum of the sizes of all files in and below the directories in which the application's files reside, along with any other files known to be associated with the product. Other components of the AV product may exist in locations on disk that are not covered by this calculation; we do not accommodate that scenario. As such, the Directory Size number should be read as an "at least this much" value.
Under the Current AV UI Process group:
This is the path to the executable on disk responsible for the "Main Product" UI.
This name is extracted directly from the properties of the file referenced above. It would be what is seen if you right-clicked on the EXE file in Windows Explorer and selected Properties -> Details -> File description.
Similar to Product Name above, this is the version number obtained from the properties of the referenced file.
This shows the amount of RAM that the Product executable process is using. Current is the amount of RAM the Product process is using at this point in time. Min is the minimum RAM usage seen for the monitored Product process. Max is the maximum RAM usage seen for the monitored Product process.
This shows the amount of CPU that the Product executable process is using. Current is the amount of CPU (as a percentage) the process is using at this point in time. Average is the average CPU usage since monitoring began. Note that zero-value measurements are NOT included in this calculation, because including zeros tends to reduce the average to zero over time. Max is the maximum CPU usage seen for the monitored Product process.
Under the Current AVScanner Process group:
All the same values as seen for the Current AV UI Process above but instead applicable to the identified AV scanner executable. Note that for Directory Size, it is quite possible that the Main Scanner Process executable is located in the same directory as the Main Product Process executable file and thus the two values are the same.
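The identification step described above and the Directory Size, RAM and CPU statistics (including the rule that zero CPU samples are excluded from the average), as an added PowerShell example that is not the CSAV tool's own code. It assumes the WMI class `root\SecurityCenter2\AntiVirusProduct` is available (Windows client SKUs) and that the product's UI executable is running so its performance counters resolve; the tool's actual Security Center query and sampling method may differ.

```powershell
# Added example, not the CSAV tool's own code. Assumes the WMI class
# root\SecurityCenter2\AntiVirusProduct exists and the product's UI
# process is running so that its performance counters can be read.
param([int]$Seconds = 30)

# 1. Ask Security Center which AV product is registered (assumed query).
$av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
      Select-Object -First 1
if (-not $av) { throw 'No antivirus product is registered with Security Center.' }
$exePath = $av.pathToSignedProductExe
$vi = (Get-Item -LiteralPath $exePath).VersionInfo     # same data as Explorer's Properties -> Details
"Registered AV : $($av.displayName)"
"Path          : $exePath"
"Product Name  : $($vi.FileDescription)"
"Version       : $($vi.FileVersion)"

# 2. Directory Size: total bytes of every file in and below the product's
#    directory. Components installed elsewhere are not counted, so the
#    result is an "at least this much" figure, as the page describes.
$dir = Split-Path -Parent $exePath
$dirBytes = (Get-ChildItem -LiteralPath $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
             Measure-Object -Property Length -Sum).Sum
"Directory Size: {0:N1} MB (at least)" -f ($dirBytes / 1MB)

# 3. Sample the UI process once per second via performance counters.
#    '% Processor Time' is summed over all cores, so normalise by core count.
$name     = [IO.Path]::GetFileNameWithoutExtension($exePath)
$cores    = [Environment]::ProcessorCount
$counters = @("\Process($name)\% Processor Time", "\Process($name)\Working Set")
$sets     = Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples $Seconds -ErrorAction SilentlyContinue
$cpu = @(); $ram = @()
foreach ($set in $sets) {
    foreach ($s in $set.CounterSamples) {
        if ($s.Path -like '*% processor time') { $cpu += [math]::Round($s.CookedValue / $cores, 2) }
        elseif ($s.Path -like '*working set')  { $ram += [long]$s.CookedValue }
    }
}

# 4. Statistics as the page defines them: zero CPU samples are dropped from
#    the average because they would drag it toward zero over a long run.
$ramStats = $ram | Measure-Object -Minimum -Maximum
$nonZero  = @($cpu | Where-Object { $_ -gt 0 })
$avgCpu   = if ($nonZero.Count) { ($nonZero | Measure-Object -Average).Average } else { 0 }
$maxCpu   = ($cpu | Measure-Object -Maximum).Maximum
"RAM min/max   : {0:N1} / {1:N1} MB" -f ($ramStats.Minimum / 1MB), ($ramStats.Maximum / 1MB)
"CPU avg/max   : {0:N2}% / {1:N2}%" -f $avgCpu, $maxCpu
```

Run it from an elevated prompt if the product's counters are not visible to a standard user; the scanner process can be sampled the same way by swapping in its executable name.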
After monitoring the AV processes for a while the user can stop monitoring by clicking the Stop button under the Control group box.
The values for RAM and CPU usage are now locked in and, in addition, you will see a number of red/green "bars". In a nutshell, they describe how well the monitored AV processes fared in comparison to others for the associated data point (Disk, RAM, CPU).
Red signifies CrowdStrike Falcon and green signifies the product being compared to it. The longer the bar, the better the process did.
How To Install
There is no installer for this tool. Simply unzip the contents of the downloaded ZIP file into a location of your choosing and launch it directly from there. Uninstalling is similar: simply delete the file(s) you extracted by moving them to the Recycle Bin or permanently deleting them. A very small number of elements may remain in the Registry. These can be safely ignored, or manually deleted by using a registry editing tool (e.g. regedit), navigating to HKEY_CURRENT_USER\Software\CrowdStrike, noting the name of the tool there and removing that branch.