After logging into Falcon for the first time, you’ll see a brief orientation and then be guided to download the Falcon sensor.
Installing Falcon Prevent is a lot easier than installing standard antivirus solutions. Falcon Prevent is cloud-delivered, so the backend infrastructure is already up and running; you do not need to set up a management console. The installation process is the same whether you are installing on a workstation, server, laptop, virtual instances on-premises, or virtual instances in the cloud.
We recommend installing on a typical laptop or desktop in your organization that is connected to the Internet. There is no malware used in this scenario, but we will start in full prevention mode.
IMPORTANT: Before you begin, be sure to uninstall your existing AV solution. Later, we will review how using “detect only” mode allows for coexistence and easy deployment transitions.
b. Run the sensor installer on your device in one of these ways: double-click the .pkg file, or run this command at a terminal, replacing
c. When prompted, enter administrative credentials for the installer.
macOS 10.13 High Sierra and later: Apple requires kernel extensions to be approved before being loaded. We recommend that you use Apple's MDM to approve the com.crowdstrike.sensor kernel extension before installing.
d. After entering the credentials for installation, you’re prompted to approve the kernel extension from the Security & Privacy pane, as shown below.
*Note: If you are using an MDM, you can follow the installation process noted in our support portal located here.
When this screen is displayed, approve the kernel extension from CrowdStrike.
2. Grant Full Disk Access
Provide full disk access to falcond on the host:
・Open Apple System Preferences
・Open Security & Privacy
・Select the Privacy tab
・If privacy settings are locked:
  ・Click the lock icon in the lower-left corner
  ・Enter your device password
・In the left pane, select Full Disk Access
・In the right pane, click the + icon
・Navigate to /Library/CS/falcond (use Cmd-Shift-G in dialog to type in path)
・Click Open
・Click Quit Now
・Click the lock in the lower-left corner to re-lock privacy settings
3. Confirm that the sensor is running
Run this command at a terminal: sysctl cs
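Steps c, 2 and 3 can be checked in one pass from a terminal. The script below is an added example, not CrowdStrike's own tooling; it assumes the kext-based install described on this page, that `kextstat` lists loaded kernel extensions, and that `sysctl cs` exits non-zero when the sensor has not registered its `cs` node. The function names and the `--run` flag are made up for this example.

```shell
#!/bin/sh
# Added example: post-install checks for the kext-based Falcon sensor on macOS.
KEXT_ID="com.crowdstrike.sensor"   # kernel extension approved in steps c and d
FALCOND="/Library/CS/falcond"      # binary granted Full Disk Access in step 2

# Succeeds if the kext bundle ID appears in kextstat-style output on stdin.
kext_listed() {
    grep -F -q "$KEXT_ID"
}

# Succeeds if the given path is an executable regular file.
falcond_present() {
    [ -f "$1" ] && [ -x "$1" ]
}

# Step 3. Assumption: sysctl exits non-zero when no "cs" node is registered.
cs_sysctl_present() {
    sysctl cs >/dev/null 2>&1
}

# Runs all checks, prints one line per check, returns the number of failures.
verify_sensor() {
    path="${1:-$FALCOND}"
    failures=0
    if kextstat 2>/dev/null | kext_listed; then
        echo "PASS  $KEXT_ID is loaded"
    else
        echo "FAIL  $KEXT_ID is not loaded; approve it in Security & Privacy or via MDM"
        failures=$((failures + 1))
    fi
    if falcond_present "$path"; then
        echo "PASS  $path is present"
    else
        echo "FAIL  $path is missing or not executable"
        failures=$((failures + 1))
    fi
    if cs_sysctl_present; then
        echo "PASS  sysctl cs responds"
    else
        echo "FAIL  sysctl cs returned an error; the sensor may not be running"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Hypothetical flag for this example: run the checks only when asked to.
if [ "${1:-}" = "--run" ]; then
    verify_sensor
    exit $?
fi
```

A non-zero exit status is the number of failed checks, which makes the script usable as a deployment gate before moving on to step 4.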
4. Verify sensor visibility in the cloud
In the Falcon interface, go to Host Management and verify that you see your hostname listed. The "Prevention Policy" column should show "platform_default" as the assigned policy. In some cases, it might take a few minutes before you see your host fully registered.
5. Generate your first detection
To see an example of what a detection alert looks like in Falcon Prevent, run a harmless test command on your computer:
a. Open a terminal
b. Type or copy and paste this command: /bin/echo crowdstrike_sample_detection