In this section, you will download the Falcon sensor and install it on your first system. Installing Falcon Prevent is much easier than installing legacy antivirus solutions. First, it is important to recognize that you do not need to set up a management console. Falcon Prevent is cloud-delivered, so the backend infrastructure is already up and running, and scaling it is not your concern. The installer is small, so it downloads faster and is easier to deploy. The installation is invisible to the end user and does not require a reboot, and in detect-only mode the sensor can co-exist with other endpoint security solutions. The installation process is the same whether you are installing on a workstation, server, laptop, on-premises virtual instance or cloud virtual instance.
We recommend doing this test scenario on your personal laptop or desktop. No malware is used in this scenario, but we will begin in full prevention mode, so you will want to first uninstall your existing AV solution (two products both trying to block the same activity can interfere with each other). Later, we will review how detect-only mode allows for coexistence and easy deployment transitions. In the performance section, you will also have an opportunity to compare CrowdStrike with other AV providers.
1. Download and install the Falcon sensor
This section will walk you through your first sensor download and install. Because CrowdStrike Falcon is 100% cloud-delivered, there is no need to set up any infrastructure. All you have to do is install the small sensor and you can immediately generate your first detection.
a. Right after you log in, click "Download Sensor" to be taken to the Hosts > Sensor Downloads page.
Click the Download button
b. Launch the Installer to begin the sensor installation process.
Accept the license agreement.
After the installation is complete click "Close".
2. Verify the sensor in the Falcon UI
This step is meant to ensure that your newly installed sensor has connected to the cloud and that it is ready for the subsequent tests.
In the Falcon UI go to Hosts > Host Management and verify that you see your hostname listed. The "Prevention Policy" column should show "platform_default" as the assigned policy. In some cases, it might take a few minutes before you see your host fully registered.
3. Generate your first detection
To see an example of what a detection alert looks like in Falcon Prevent, we will run a harmless test command on your computer. The command itself does nothing dangerous: it only displays a prompt whose text the sensor recognizes as the sample detection trigger.
a. Open a command prompt (Windows cmd.exe)
b. Type or copy and paste this command, then press Y or N to dismiss the prompt it displays:
choice /M crowdstrike_sample_detection
c. Switch back to the Falcon UI and go to Activity > Detections to inspect the new alert.
4. Verify registered AV
In this step we will verify that the default Prevention policy is enabled and that Falcon Prevent is the AV product registered with Windows for the system. Note that the sensor registers itself as the virus protection only when a prevention policy is enabled; in detect-only mode it will not appear here.
a. Navigate to the Action Center (called Security and Maintenance on current Windows versions) and, if necessary, expand the Security section. CrowdStrike will be listed as the vendor under "Virus protection" once the prevention policy is enabled on the endpoint.
Note: Before proceeding, please ensure that CrowdStrike Falcon is listed under Virus protection. If Falcon is not listed as the active Virus protection, please contact firstname.lastname@example.org for assistance.
5. Generate your first test prevention
This next step will verify that preventions are working properly.
a. CrowdStrike provides a non-malicious test file that Falcon Prevent will block when the sensor is in prevention mode. It serves the same purpose as the EICAR test file used with legacy AV solutions. Note that EICAR itself will not be picked up by Falcon Prevent: it is only a string of text, not an executable, and the sensor acts on process execution and behaviour rather than on file signatures alone. Start by downloading the CrowdStrike prevention test file.
Note that the file is in a password-protected zip file. The password for unpacking it is included in your free trial welcome email.
b. After unpacking and running the test file, you will see a message similar to this on the client system as the Falcon Sensor blocks the execution of the file.
c. Next, go to the Falcon UI and navigate to Activity > Detections. You should see a new prevention alert (shown in green, as opposed to a detect-only alert), which indicates the file was blocked and the prevention policy is working properly.
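The checks in steps 2 through 4 above can also be run from the endpoint itself, which is useful once you are past the single-laptop trial and want to confirm the same things on many hosts. The script below is an added example, not part of this guide or of CrowdStrike's own tooling. It assumes (the page does not say) that the sensor's Windows service is named CSFalconService and its driver csagent, and that the host is a Windows workstation SKU, where the root/SecurityCenter2 WMI namespace that Windows uses to track registered AV products exists (it is absent on Windows Server, where step 4 has no equivalent). Run it from an elevated PowerShell prompt on the host where you installed the sensor.

```powershell
# Added example: endpoint-side verification of the Falcon sensor trial steps.
# Not CrowdStrike code. Assumed names: service "CSFalconService", driver "csagent".

# Step 2 equivalent: is the sensor installed and running?
$svc = Get-Service -Name 'CSFalconService' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Error 'CSFalconService was not found: the sensor is not installed on this host.'
    return
}
Write-Host "Sensor service state : $($svc.Status)"
# Driver state from the service control manager (RUNNING is expected)
$driverState = (sc.exe query csagent | Select-String 'STATE').ToString().Trim()
Write-Host "Sensor driver state  : $driverState"

# Step 4 equivalent: which AV products has Windows Security Center registered?
# root/SecurityCenter2 exists only on workstation editions; skip gracefully elsewhere.
$avProducts = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' `
    -ErrorAction SilentlyContinue
if ($null -eq $avProducts) {
    Write-Warning 'root/SecurityCenter2 not available (Windows Server?); skipping AV registration check.'
} else {
    foreach ($av in $avProducts) {
        # productState is a bitmask; the middle byte is 0x10 when the product is enabled.
        # This layout is commonly documented but not formally published by Microsoft.
        $hex = '{0:X6}' -f $av.productState
        $enabled = $hex.Substring(2, 2) -eq '10'
        Write-Host ("Registered AV        : {0} (productState 0x{1}, enabled={2})" -f `
            $av.displayName, $hex, $enabled)
    }
    if (-not ($avProducts | Where-Object { $_.displayName -like '*CrowdStrike*' })) {
        Write-Warning 'CrowdStrike is not registered as virus protection. Is a prevention policy assigned?'
    }
}

# Step 3 equivalent: fire the sample detection exactly as the guide does.
# choice waits for a keypress; answer Y or N at the prompt, then check Activity > Detections.
cmd.exe /c 'choice /M crowdstrike_sample_detection'
```

If the service is present but the driver is not RUNNING, the host will not show up in Host Management and no detection will arrive; fix that before re-running the sample command. A host that is RUNNING but not registered under virus protection is usually sitting in a detect-only policy rather than platform_default, which is the condition step 4 is meant to catch.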
You are done!
Congratulations, you now have your first fully functional Falcon Prevent installation up and running. You have verified that Falcon Prevent is the active AV solution for your machine and seen a prevention from both the client and the UI perspective.
In this section, you downloaded and installed Falcon Prevent. Did you notice that the sensor was small, took very little time to download, and didn't require a reboot? This is because CrowdStrike's architecture moves the heavy analysis to the cloud, which lets a lightweight sensor provide the functionality of a traditional antivirus solution while consuming a fraction of the system resources.
Now, let's look closer at the performance benefits provided by Falcon Prevent.