Legacy antivirus solutions are simply not up to the task of stopping modern threats. Major security breaches make the headlines every day, and a recurring theme among them is that the victim relied on legacy antivirus at the core of its endpoint protection strategy.
Falcon Prevent provides a major improvement in protection against modern threats on your endpoints. Right out of the box you get complete protection against ransomware and other advanced malware. Falcon Prevent also goes far beyond malware by providing protection against file-less attacks, PowerShell-based attacks, exploits and phishing attacks.
Falcon Prevent has had its efficacy tested by AMTSO member security testing companies and has been certified to replace legacy antivirus solutions. Falcon Prevent is still the only next-generation antivirus product to participate in public, non-paid recurring tests. We have received certifications from both SE Labs and AV-Comparatives. These attest to our efficacy, performance and usability.
We recommend installing and testing Falcon Prevent in the cloud-based malware lab that we provide as part of the free trial. Details about this lab are included in the email you received after you signed up for the trial. The lab gives you an isolated place to exercise the product quickly and safely. If you want to run real malware, exploits and other attacks, we strongly recommend doing so in the lab we provide.
If you already have a secure malware testing lab, you can also test Falcon Prevent there. The steps in this guide are written to allow testing in our lab or in yours.
*** Warning ***
In this next section you will walk through testing scenarios with actual malware. Do NOT run these tests on your laptop or workstation; use a dedicated malware testing environment. To facilitate this testing, CrowdStrike has created a virtual environment in the cloud so that malware testing happens entirely outside of your own environment.
1. Accessing the cloud-based malware lab
If you already have your own malware lab set up, please feel free to skip this step and proceed with step 2.
a. Together with your confirmation email for the Falcon Prevent Free Trial, you also received an email from our partner cloudshare.com.
Please click on the link in the email and follow the signup instructions to leverage our hosted lab environment.
b. Once your signup is complete, you will be able to login to CloudShare and use the environment.
c. Click on the "Malware Lab" tab to access your test machine. The first time you access it, click the "Download Samples" icon on the Desktop. A script then downloads fresh malware, ransomware and script-based attacks into the "Sample Files" folder on your desktop. This can take a few minutes. Feel free to minimize the download window and proceed with the sensor download and install in step 2.
2. Lab Preparation
Now that you have your test machine ready, it is time to install Falcon Prevent.
a. Download and install the Falcon sensor
As you begin testing, either in your own lab or in the provided virtual environment, sensors for each test host need to be downloaded and installed.
For sensor installation, please refer to section 1.
b. Verify active prevention policy
To test efficacy, the newly installed sensor will need to have a prevention policy.
Once the sensor is installed, move new hosts to the prevention policy as documented in section 2.
Run the CrowdStrike prevention test file to validate the policy has been applied correctly and an alert is shown in the Falcon UI. Go to Desktop > Sample Files > Non-Malicious and execute "cs_maltest.exe".
Note that cs_maltest.exe is delivered in a password-protected zip file. The password for unpacking it is included in your free trial welcome email.
3. Malware Testing
Once you have the sensor installed with prevention policies enabled, you can begin testing with actual malware.
a. In the malware lab, navigate to Sample Files > Malware from the desktop.
We have provided about 25 different malware samples. Use these samples to generate alerts in the Falcon UI.
1. Run a malware sample from Windows Explorer by double-clicking it. Now navigate back to the Falcon UI and notice that explorer.exe is the parent process in the process tree. This helps you understand how an attack was executed.
2. Run a sample from a command prompt (cmd.exe). The parent process is now cmd.exe instead of explorer.exe.
3. Use HxD Hex Editor (already installed in the malware lab) to modify the file and change its hash. Edit bytes that do not affect execution (for example, text inside an embedded string, or data appended after the end of the file) rather than code or header bytes; otherwise the sample may simply crash, which is easy to mistake for a prevention. Then run the modified sample to see that Falcon Prevent blocks it even though the new hash is unknown.
4. Ransomware
In recent years, ransomware has emerged as one of the most prevalent and problematic malware types. It is critical that you test anti-ransomware efficacy, so we have collected recent samples of prominent ransomware families such as Locky and WannaCry and made them available in your lab. To access them, go to Desktop > Sample Files > Ransomware. If your lab supports snapshots, take one before you begin so the machine can be reverted. Run any of these ransomware files and observe how Falcon Prevent blocks them.
5. Indicators of Attack (IOAs)
An Indicator of Attack (IOA) represents a series of actions that an application or adversary must carry out during a successful attack. IOAs focus on the execution of those steps, the intent of the adversary and the outcome the adversary is trying to achieve, rather than on a specific file. This is superior to relying on Indicators of Compromise (IOCs) or signatures because it allows Falcon Prevent to block new and unknown threats.
Navigate to Desktop > Sample Files > IOAs-Behavioral.
Double-click the "Credential_Dumping.bat" batch file. This script runs an encoded PowerShell command.
Navigate to the Falcon UI Detections page and inspect the new detection. Notice that the full command line parameters are available in the execution details pane.
In this alert, the process tree immediately shows that PowerShell was launched from a command prompt, that the command was encoded, that it was identified as Mimikatz and that the LSASS process was accessed. On the right, in the Execution Details pane, we can see the full command line that was used. No other AV solution provides that level of detail.
Navigate to Desktop > Sample Files > IOAs-Behavioral. Double-click the "Sticky_Keys.bat" batch file. The file runs in a command prompt window. It silently modifies a registry key in a way that would let an attacker log in to the machine without ever providing a username or password.
Now use the "send ctrl+alt+delete" button on the left-hand side of your malware lab screen to bring up the Windows lock screen. Click the "Ease of Access" option in the lower left-hand corner and, on the screen that pops up, check the box for "Type without the keyboard (On-Screen Keyboard)". Then click "Apply".
Without Falcon Prevent on this system, a command prompt would have appeared in place of the On-Screen Keyboard, giving the attacker full system access (NT AUTHORITY\SYSTEM) from the lock screen. This is an example of attacker behavior that does not use malware and is therefore commonly missed by legacy AV solutions. Falcon Prevent stopped this persistence mechanism even though no malware was used.
Cancel out of the Windows lock screen and switch back to the Falcon UI. You will find a new, critical alert under Activity > Detections.
By expanding the new alert, we can see that cmd.exe was prevented from launching with SYSTEM privileges and from bypassing the Windows logon process.
Note: In both of these examples, no malware was used. These are examples of file-less attacks. Falcon Prevent identified a behavior that was suspicious and protected the user. This is an example of the power of IOAs. IOAs identify malicious behavior - no matter how it is delivered.
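The classic form of the Sticky Keys technique (MITRE ATT&CK T1546.008) sets a Debugger value under the Image File Execution Options key for an accessibility binary such as sethc.exe or osk.exe, so that Windows launches the "debugger" (cmd.exe, as SYSTEM) from the logon screen instead of the helper. The page does not show the exact key Sticky_Keys.bat sets, so that is an assumption. The following added example, which is not code from the guide or from Falcon, is a Python detection that scans registry value-set events for this pattern; the event lines are constructed and loosely modelled on the fields of Sysmon Event ID 13.

```python
import re

# Accessibility helpers Windows launches from the logon screen, as SYSTEM. A Debugger
# value under Image File Execution Options (IFEO) for any of them is the classic
# backdoor (ATT&CK T1546.008). An IFEO debugger on any other binary still merits a look.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}
# Both the native and the 32-bit (WOW6432Node) views of the key, lower-cased for comparison.
IFEO_KEYS = {
    r"hklm\software\microsoft\windows nt\currentversion\image file execution options",
    r"hklm\software\wow6432node\microsoft\windows nt\currentversion\image file execution options",
}

# Field=value pairs separated by whitespace; values may themselves contain spaces.
_KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one 'Field=value Field=value' event line into a dict."""
    return dict(_KV_RE.findall(line))


def evaluate(event: dict):
    """Return a finding when the event sets an IFEO Debugger value, else None."""
    if event.get("EventID") != "13":          # 13 = registry value set (Sysmon numbering)
        return None
    parts = event.get("TargetObject", "").split("\\")
    if len(parts) < 3:
        return None
    key = "\\".join(parts[:-2]).lower()
    binary, value = parts[-2].lower(), parts[-1].lower()
    if key not in IFEO_KEYS or value != "debugger":
        return None
    return {
        "binary": binary,
        "debugger": event.get("Details", ""),
        "set_by": event.get("Image", ""),
        "severity": "critical" if binary in ACCESSIBILITY_BINARIES else "medium",
    }


def scan(lines):
    """Run evaluate() over a stream of event lines and collect the findings."""
    findings = []
    for line in lines:
        finding = evaluate(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed event lines, loosely modelled on Sysmon Event ID 13 fields. Not real telemetry.
IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Windows\System32\cmd.exe TargetObject=" + IFEO
    + r"\osk.exe\Debugger Details=C:\Windows\System32\cmd.exe",
    r"EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=" + IFEO
    + r"\sethc.exe\Debugger Details=cmd.exe",
    r"EventID=13 Image=C:\Program Files\Dev\installer.exe TargetObject=" + IFEO
    + r"\myapp.exe\Debugger Details=C:\Program Files\Dev\debugger.exe",
    r"EventID=13 Image=C:\Windows\System32\svchost.exe TargetObject=" + IFEO
    + r"\osk.exe\DisableExceptionChainValidation Details=DWORD (0x00000000)",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The fourth event writes a different value under the same osk.exe key and is deliberately not flagged: the detection keys on the Debugger value name, not on any write to the key, which keeps it quiet on hosts where developers legitimately use IFEO settings.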
6. Phishing Attack
In this scenario we will simulate a phishing attack by opening an email with a malicious attachment.
a. In the malware lab, open Outlook and find our prepared email in the inbox. This phishing attack claims that the user has unpaid charges from a hotel stay.
To learn more, the user is asked to open the attachment by double-clicking "Folio-0701-2017-00873.xls".
b. After you open the attached Excel file, a Visual Basic error message appears. This indicates that Falcon Prevent has stopped the document from executing its malicious payload in the background.
c. Opening the attachment triggered a new alert in the Falcon UI.
Expanding the new alert clearly illustrates that this threat came from Outlook.exe and that the Excel attachment launched PowerShell.
To see what PowerShell did, the Execution Details pane shows that PowerShell attempted to run a hidden command and download our malicious script from GitHub.
7. Application Management
Falcon Prevent allows you to manually block or allow applications based on your organization's unique needs.
a. Navigate to Desktop > Sample Files > Non-Malicious
Double-click and run the "Show_a_Hash.exe" application. This application does nothing more than show its own file hash in a command prompt. We will use that hash to blacklist the file and prevent it from running again.
Copy the hash from the Command Prompt.
Navigate to the Falcon UI Configuration > Prevention Hashes.
On the right-hand side, click the upload hashes icon, then paste the hash into the window and select "Apply".
In the next window, select the action "Always Block" and select "Apply" again.
Navigate back to the Desktop and close the command prompt window, then double-click "Show_a_Hash.exe" again and notice that it does not run this time.
In the Falcon UI, navigate to Activity > Detections and inspect the new alert.
Tip: Managing your hash policy can be done directly from a detection. This means, if a detection is created for a malicious file, it can immediately be added to the blacklist using the "Execution Details" pane on the right of the selected alert. Simply click the "Update Hash Policy" button for the selected hash and make changes. The same is true if a custom application is causing false alerts and needs to be added to the whitelist.
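Both the hex-editor step in the malware test (changing a sample's hash) and the Prevention Hashes workflow above come down to the same thing: a hash policy only matches the exact bytes it was given. The added Python example below, which is not part of the guide and is not Falcon's own policy engine, builds a tiny constructed stand-in for a PE file, parses its section table to find where the overlay begins, produces a copy whose hash differs only by a byte appended past the last section (the safe place to edit, since the loader never maps it), and shows that a SHA-256 "Always Block" entry for the original does not match the copy. The allow-before-block precedence in policy_decision is an assumption made for illustration, not a statement of how Falcon orders its lists.

```python
import hashlib
import struct


def build_constructed_sample() -> bytes:
    """Build a tiny stand-in for a PE file: DOS header, PE signature, COFF header and one
    section entry, so the section-table parsing below has something real to read.
    Constructed for this example; it is not one of the lab's samples and will not execute."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here to keep it short), Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x0022)
    raw_ptr, raw_size = 0x200, 0x200
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, relocation/line-number fields (unused), Characteristics
    section = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000, raw_size, raw_ptr,
                          0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + section).ljust(raw_ptr, b"\0")
    return headers + b"\xC3" * raw_size        # section data: a page of 'ret'


def overlay_offset(pe: bytes) -> int:
    """File offset just past the last section's raw data. Bytes there (the overlay)
    are never mapped by the loader, so edits there change the hash but not the code."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size           # section table follows the optional header
    end = table + 40 * num_sections
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_variant(pe: bytes, offset=None, patch: bytes = b"\x01") -> bytes:
    """Return a copy with a different hash. Default: append one byte to the overlay.
    Refuses offsets inside headers or mapped sections, where a blind hex edit can
    break the sample so it never runs, which is easy to mistake for a prevention."""
    start = overlay_offset(pe)
    if offset is None:
        offset = len(pe)
    if offset < start:
        raise ValueError(f"offset {offset:#x} is inside mapped data (overlay starts at {start:#x})")
    return pe[:offset] + patch + pe[offset + len(patch):]


def policy_decision(data: bytes, always_block: set, always_allow: set) -> str:
    """A hash-only policy keyed on SHA-256. Allow-before-block precedence is an assumption
    made for this illustration, not a description of how Falcon orders its lists."""
    digest = sha256_hex(data)
    if digest in always_allow:
        return "allow"
    if digest in always_block:
        return "block"
    return "no match"


def demo() -> dict:
    original = build_constructed_sample()
    block_list = {sha256_hex(original)}        # the hash you would paste into Prevention Hashes
    variant = hash_variant(original)
    try:
        hash_variant(original, offset=0x210)   # inside .text: rejected
        unsafe_edit_rejected = False
    except ValueError:
        unsafe_edit_rejected = True
    return {
        "overlay_offset": overlay_offset(original),
        "original_hash": sha256_hex(original),
        "variant_hash": sha256_hex(variant),
        "original_decision": policy_decision(original, block_list, set()),
        "variant_decision": policy_decision(variant, block_list, set()),
        "unsafe_edit_rejected": unsafe_edit_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real sample, run overlay_offset first and confine the hex edit to offsets at or beyond the value it returns; that keeps the "unknown hash" test honest, because the sample still executes and any block you see is a prevention rather than a crash.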
In the previous sections, we saw that Falcon Prevent is lightweight and easy to install and manage. In this section, we saw that Falcon Prevent can protect users from all types of attacks, from commodity malware to more complex phishing. We have even seen Falcon Prevent stop tactics that are typically indicative of targeted attacks that leverage tools like PowerShell. Being fast, simple and effective is great, but if the solution doesn't provide ways to easily handle alerts and triage events you only trade one problem for another. In the next section, we will show you how simple it is to triage alerts and manage cases directly in Falcon.