How to Prevent Malware with Custom Blacklisting in the Falcon Platform


Falcon Host, CrowdStrike’s Next-Generation endpoint protection solution, uses multiple methods to prevent and detect malware. In this video, you will see how to configure each of these methods.

Read Video Transcript

How to Prevent Malware with Custom Blacklisting in CrowdStrike Falcon Host Endpoint Protection

Thank you for joining us today. Today we’re going to show you how CrowdStrike’s Falcon host offers simple blacklisting and whitelisting of files in your environment on your endpoints.

What we have here is a Windows client with a copy of TeamViewer. TeamViewer is a remote administration tool often used by administrators to remote control into someone’s machine. Sometimes it’s also used by adversaries for inappropriate purposes.

As you can see here, if I double click the file in its current form, it will go ahead and open up. And we are able to remotely connect to a machine that’s also running the TeamViewer client. I’m going to close up that TeamViewer application and jump to our UI.

Our UI is cloud based. And I have logged into the UI already. And I am under our Response section, where the hashes are located. I’ve already imported a handful of hashes. In this case, we can see TeamViewer, maybe V&C, maybe BitTorrent, in my case. But I’m going to focus purely on TeamViewer.

I’ve already highlighted the two versions I have in my UI. And we can see that there’s no policy assigned to either one. In this case, None. I’m going to highlight both of them. And I’m going to choose Always Block. The second I hit Apply, within seconds these two hashes will be prevented from executing in my environment moving forward.

I’m going to go back to our client and double click. As you can see here, Windows is unable to execute the file. Now if we happen to have any detections of that file attempting to be executed, if I jump to my Detection screen and look at my detections, I will see that there was a blocked hash. And execution of this hash was blocked according to my blacklisting policy.

We’ll also show you a process tree showing how the file was executed and of course, associated details about the machine and the user. And here we see under Windows Explorer, the file was executed– stv.exe– Zero EV detections. But most importantly, it was blocked from execution.

Alternatively, we could have done the opposite. Instead of blacklisting the file, we could have also chosen to whitelist the file and choose to Never Block. Once I apply that policy, like so, if I go ahead and double click it again, the file is once again allowed to run. And that’s how you blacklist and whitelist files in your environment with CrowdStrike Falcon host.


  • OS icon
  • deployment icon
  • installation icon

For technical information on installation, policy configuration and more, please visit the CrowdStrike Tech Center.

Visit the Tech Center