CrowdStrike Falcon - Installation Instructions

Prerequisite

You must have administrator rights to install the CrowdStrike Falcon Host Sensor.

Manual Installation

  1. Get an installer from our CrowdStrike Falcon product page. (This installer is provisioned for use at MIT.)
  2. Launch the downloaded file.
    • On Windows the name will be like FalconSensorWinOS.exe
    • On OSX the name will be like FalconSensorMacOSX.pkg
  3. Accept the Falcon License Agreement.
  4. When prompted, click Yes or enter your computer password to give the installer permission to run.
    • On Mac OS High Sierra, you may get a "System Extension Blocked" message. To enable CrowdStrike, you must approve the kernel extension from CrowdStrike in the Security & Privacy pane of the Mac OS System Preferences.

You are done! After installation, the sensor will run silently.

Normal operation

When installation is finished, the sensor runs silently. If it sees clearly malicious programs, it can stop the bad programs from running. If it sees suspicious programs, IS&T's Security team will contact you.

To confirm the sensor is installed and running properly:

  • Windows
    • Navigate to the command line and type:
      sc query csagent
      Look for the STATE: RUNNING statement in the response:
        SERVICE_NAME: csagent
                TYPE               : 2  FILE_SYSTEM_DRIVER
                STATE              : 4  RUNNING
                                        (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
                WIN32_EXIT_CODE    : 0  (0x0)
                SERVICE_EXIT_CODE  : 0  (0x0)
                CHECKPOINT         : 0x0
                WAIT_HINT          : 0x0
  • Mac OS
    • Navigate to the Terminal command line and type:
      sysctl cs
      You should see a lot of useful information, including:
      • cs.version - your currently installed sensor version
      • cs.sensorid - your unique sensor id
      • cs.comms.cloud_ip - the CrowdStrike IP your sensor is connected to
      • cs.comms.cloud_connection_state - if everything is working correctly, this should be 102

Can it be uninstalled?

  • Windows
    • Go to the Control Panel, select Uninstall a Program, and select CrowdStrike Falcon Sensor
  • Mac OS
    This depends on the version of the sensor you are running. You can check using the sysctl cs command mentioned above, but unless you are still using Yosemite you should be on 4.x at this point.
    • For sensor version 3.9 and earlier, navigate to the Terminal command line and type:
      sudo sh /Library/CS/uninstall.sh
    • For sensor version 3.10 and later, navigate to the Terminal command line and type:
      sudo /Library/CS/falconctl uninstall
    • You can also unload/load the sensor if you think you are having problems:
      sudo /Library/CS/falconctl load
      sudo /Library/CS/falconctl unload
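
A scripted version of the Mac OS checks above, as an added example that is not IS&T or CrowdStrike code: it parses sysctl cs output, confirms cs.comms.cloud_connection_state is 102, and picks the uninstall command by comparing the version numerically, since 3.10 is later than 3.9 even though it sorts earlier as text. The function names, the "key: value" output layout and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not IS&T or CrowdStrike code. Assumes `sysctl cs` prints
# "key: value" lines; key names and the value 102 are taken from the page.

# Constructed sample output (all values are made up for illustration).
SAMPLE='cs.version: 4.2.6501.0
cs.sensorid: CONSTRUCTED-SENSOR-ID
cs.comms.cloud_ip: 192.0.2.10
cs.comms.cloud_connection_state: 102'

# cs_field KEY: print the value of KEY from `sysctl cs` output on stdin.
cs_field() {
  awk -v k="$1" -F': *' '$1 == k { print $2; exit }'
}

# cs_uninstall_cmd VERSION: print the uninstall command for that version.
# Major and minor are compared as integers, so 3.10 sorts after 3.9.
cs_uninstall_cmd() {
  case "$1" in
    *.*) major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*} ;;
    *)   major=; minor= ;;
  esac
  case "$major/$minor" in
    /*|*/|*[!0-9/]*) echo "unrecognized version: $1" >&2; return 2 ;;
  esac
  if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -le 9 ]; }; then
    echo "sudo sh /Library/CS/uninstall.sh"
  else
    echo "sudo /Library/CS/falconctl uninstall"
  fi
}

# cs_report: read `sysctl cs` output on stdin; return 0 only when a version
# is present and cloud_connection_state is 102.
cs_report() {
  out=$(cat)
  ver=$(printf '%s\n' "$out" | cs_field cs.version)
  state=$(printf '%s\n' "$out" | cs_field cs.comms.cloud_connection_state)
  [ -n "$ver" ] || { echo "FAIL: no cs.version in input"; return 1; }
  echo "sensor version: $ver"
  echo "uninstall with: $(cs_uninstall_cmd "$ver")"
  [ "$state" = "102" ] || { echo "FAIL: connection state '$state', not 102"; return 1; }
  echo "OK: sensor connected to cloud"
}

# On a Mac with the sensor installed, run: sysctl cs | cs_report
printf '%s\n' "$SAMPLE" | cs_report
```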

More information

If you have any questions about CrowdStrike, please contact the IS&T Security team at security@mit.edu

CrowdStrike has a blog article with additional information, including instructions for how to confirm that the sensor is running.

IS&T Contributions

Documentation and information provided by IS&T staff members


Last Modified:

March 29, 2018
