Deploying Falcon Prevent across your environment is easy, fast and safe. In this section, we provide tips and best practices for rapid deployment of Falcon Prevent, as well as guidance on how to replace your legacy antivirus with Falcon Prevent.
We recommend deploying Falcon Prevent on as many systems as you can. There are some product features that can be tested successfully by running use cases on a small number of systems. However, key use cases like scalability, ease of management and compatibility can only be tested if you deploy the product to a larger group of systems.
Running Falcon Prevent in parallel with existing AV - Falcon Prevent is designed to run safely alongside your existing AV solution. For optimal experience, we recommend using the default Falcon Prevent policy (detect-only mode) until the existing AV solution is uninstalled. This maximizes compatibility and also makes it very easy to see and understand the threats that are bypassing the existing AV solution.
Replace your existing AV - Replacing your existing AV solution with Falcon Prevent is a simple, three-step process.
1. Deploy Falcon Prevent with the default "Detect Only" policy.
2. Uninstall your existing AV solution.
3. In the Falcon UI, move all the systems from the "Detection" policy to the "Prevention" policy.
Because the hosts protected by Falcon Prevent maintain a persistent connection to the Falcon UI, the policy update will be immediately applied and your AV replacement project will be complete.
Key to any AV replacement project is rapid deployment. Falcon Prevent makes this easy by having a small installer and providing flexible command line switches.
Deployment tools
Tools like Microsoft’s System Center Configuration Manager (SCCM) are often used in large organizations to deploy the Falcon sensor. Smaller organizations may use something like PDQ Deploy to accomplish the same goal. Any deployment tool that allows you to run an EXE installer with command line switches will be able to deploy Falcon Prevent.
Silent Sensor Installation
You can run the Falcon sensor installer in silent mode to enable installation via software deployment tools or from the command line.
WindowsSensor.exe /install /quiet CID=MyCIDWithChecksumValue
1. CID=<Checksummed Customer ID> - Required for initial installation (available on the Sensor Download page).
2. /install | /repair - Installs or repairs the sensor.
3. /quiet - Displays no UI and no prompts.
Password Protected Installation
The Falcon sensor allows you to set a password during installation. Once a password has been set on a host, you must provide that password to unload, uninstall, repair, or manually upgrade the Falcon sensor. This feature makes the sensor more tamper resistant.
WindowsSensor.exe /install /quiet CID=MyCIDWithChecksumValue PW="password"
Switch operations:
1. When installing the Falcon sensor, use the PW="examplepassword" parameter to set a password.
Adding Falcon Prevent to a standard deployment or "gold image"
To add Falcon Prevent to a gold image, a virtual desktop image for virtual desktop infrastructure (VDI) or to an Amazon Machine Image (AMI), you can install the sensor with the switch below. The NO_START=1 option will result in a standard installation with one exception. It will NOT start the sensor components that connect to the Falcon Platform. After the sensor installer has finished, shut down the machine and capture the image in a powered-off state. Every time you then deploy this "gold image", the sensor will connect to the Falcon Platform after the first boot. Once the newly imaged system boots up, the Falcon sensor will register itself in the Falcon UI and appear in the Host management app.
WindowsSensor.exe /install /quiet CID=MyCIDWithChecksumValue PW="password" NO_START=1
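The three install variants above (silent, password protected, gold image) can be driven from one deployment wrapper. This is an added example, not CrowdStrike's own code: the function name Install-FalconSensor and its parameter names are hypothetical, only the switches /install, /quiet, CID=, PW= and NO_START=1 come from this page, and treating exit code 0 as success is an assumption.

```powershell
# Added example. Install-FalconSensor and its parameters are hypothetical;
# the installer switches are the ones documented on this page.
function Install-FalconSensor {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,  # path to WindowsSensor.exe
        [Parameter(Mandatory)] [string] $Cid,            # checksummed Customer ID
        [securestring] $SensorPassword,                  # optional, becomes PW="..."
        [switch] $GoldImage                              # adds NO_START=1
    )

    if (-not (Test-Path -LiteralPath $InstallerPath -PathType Leaf)) {
        throw "Installer not found: $InstallerPath"
    }

    $installerArgs = @('/install', '/quiet', "CID=$Cid")

    if ($SensorPassword) {
        # Decrypt only at the point of use, so the password is never stored
        # in plain text inside the deployment script or package definition.
        $plain = [System.Net.NetworkCredential]::new('', $SensorPassword).Password
        if ($plain -match '"') {
            throw 'Password must not contain a double quote.'
        }
        $installerArgs += "PW=`"$plain`""
    }

    if ($GoldImage) {
        # Image builds only: the sensor does not connect until the first boot
        # of a machine deployed from the captured image.
        $installerArgs += 'NO_START=1'
    }

    $proc = Start-Process -FilePath $InstallerPath -ArgumentList $installerArgs -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        # Assumption: any non-zero exit code is reported as a failure.
        throw "Sensor installer exited with code $($proc.ExitCode)"
    }
    return $proc.ExitCode
}

# Gold-image build, prompting for the password instead of hard-coding it:
# Install-FalconSensor -InstallerPath .\WindowsSensor.exe -Cid 'MyCIDWithChecksumValue' `
#     -SensorPassword (Read-Host 'Sensor password' -AsSecureString) -GoldImage
```

The PW value is still passed on the installer's command line, so restrict who can read deployment logs and process-creation audit records on the hosts where it runs.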
Additional deployment scenarios and installation options are covered in our Deployment Guide in the Falcon UI under Support > Docs.
Deploying traditional security products can often take weeks or even months. CrowdStrike regularly has customers deploy tens of thousands of sensors in a day, during business hours, with no interruption to operations or helpdesk calls. There is no hardware to maintain or deploy. There is no need to reboot a system after an install; in fact, the entire process is invisible to the end user. Falcon Prevent can be deployed to Windows, Mac and Linux systems, providing broad coverage on critical systems. And once deployed, Falcon Prevent can update on its own, eliminating the need for maintenance windows and downtime.