After logging into Falcon for the first time, you’ll see a brief orientation and then be guided to download the Falcon sensor.

Installing Falcon Prevent is a lot easier than installing standard antivirus solutions. Falcon Prevent is cloud-delivered, so the backend infrastructure is already up and running; you do not need to set up a management console. The installation process is the same whether you are installing on a workstation, a server, a laptop, an on-premises virtual instance, or a virtual instance in the cloud.

Note: While Falcon supports Windows, macOS, and Linux, this trial does not include Linux. To learn more about protecting your Linux systems, please contact us.

We recommend installing on a typical laptop or desktop in your organization that is connected to the Internet. There is no malware used in this scenario, but we will start in full prevention mode.

IMPORTANT: Before you begin, be sure to uninstall your existing AV solution. Later, we will review how using “detect only” mode allows for coexistence and easy deployment transitions.

Step-by-Step Instructions

1. Download and install the sensor

Navigate to the Download page.

a. Click the Download button and copy the Customer ID checksum (you’ll need this during the install).

b. Run the sensor installer on your device in one of these ways:

Double-click the .pkg file, or
Run this command at a terminal, replacing <installer_package> with the path and file name of your installer package:
sudo installer -verboseR -package <installer_package> -target /

c. When prompted, enter administrative credentials for the installer.

macOS 10.13 High Sierra and later: Apple requires kernel extensions to be approved before being loaded. We recommend that you use Apple's MDM to approve the com.crowdstrike.sensor kernel extension before installing. If your organization is unable to use MDM, then follow the OS prompts to manually approve the kernel extension after licensing. Manual approval must happen on the host, as Apple prevents admins from remotely approving kernel extensions.

d. Use the command below to run falconctl, installed with the Falcon sensor, and provide your customer ID checksum (CID). In this example, replace 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX with your CID.

sudo /Library/CS/falconctl license 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX

After installation, the sensor runs silently.

Note: If you run into any issues during the sensor install, please contact us.

2. Confirm that the sensor is running

Run this command at a terminal:

sysctl cs

The output shows a list of details about the sensor, including its agent ID (AID), version, customer ID, and more.

3. Verify sensor visibility in the cloud

In the Falcon Interface, go to Host Management and verify that your hostname is listed. The "Prevention Policy" column should show "platform_default" as the assigned policy. In some cases, it might take a few minutes before you see your host fully registered.

4. Generate your first detection

To see an example of what a detection alert looks like in Falcon Prevent, run a harmless test command on your computer:

a. Open a terminal

b. Type or copy and paste this command:

c. Switch back to the Falcon Interface and go to Detections to inspect the new alert.
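
Steps 1b, 1d and 2 above, combined into one script with pre-flight checks; this is an added example, not CrowdStrike's own tooling. It assumes the CID checksum has the shape of the placeholder in step 1d (32 letters or digits, a hyphen, then 2 more), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: scripted form of steps 1b, 1d and 2 with pre-flight checks.
# Assumption: a CID checksum is shaped like the guide's placeholder
# (32 letters/digits, a hyphen, 2 letters/digits).

PLACEHOLDER_CID='0123456789ABCDEFGHIJKLMNOPQRSTUV-WX'

# Return 0 only if $1 has the expected shape and is not the guide's placeholder.
valid_cid() {
    [ "$1" != "$PLACEHOLDER_CID" ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Za-z]{32}-[0-9A-Za-z]{2}$'
}

# Return 0 only if $1 is a readable regular file whose name ends in .pkg.
valid_pkg_path() {
    case "$1" in
        *.pkg) [ -f "$1" ] && [ -r "$1" ] ;;
        *) return 1 ;;
    esac
}

# usage: install_sensor <path-to-pkg> <cid-checksum>
install_sensor() {
    pkg=$1
    cid=$2
    valid_pkg_path "$pkg" || { echo "not a readable .pkg: $pkg" >&2; return 2; }
    valid_cid "$cid" || { echo "CID checksum malformed or still the placeholder" >&2; return 2; }
    # Show the signing chain and stop if the check fails, before running as root.
    pkgutil --check-signature "$pkg" || { echo "package signature check failed" >&2; return 3; }
    sudo installer -verboseR -package "$pkg" -target / || return 4
    sudo /Library/CS/falconctl license "$cid" || return 5
    # Step 2: sysctl exits non-zero when the cs node is not present.
    sysctl cs >/dev/null 2>&1 || { echo "sensor not reporting via sysctl cs" >&2; return 6; }
    echo "sensor installed, licensed and running"
}

# Only act when called with both arguments, so the functions can be sourced.
if [ "$#" -eq 2 ]; then install_sensor "$1" "$2"; fi
```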