
CrowdStrike Falcon - Installation Instructions

Manual Installation

  1. Get an installer from our MIT IS&T CrowdStrike Falcon product page. This installer is provisioned for use at MIT: it is configured with MIT's customer ID, so the sensor reports to IS&T. Do not download an installer directly from CrowdStrike; a generic installer is not configured for MIT.
  2. Launch the downloaded file
    • On Windows the name will be like FalconSensorWinOS.exe
    • On macOS the name will be like FalconSensorMacOSX.pkg
    • On Linux the name will be like CrowdStrike_LinuxDeb_x86.tar.gz or CrowdStrike_LinuxRPM_x86.tar.gz depending on the distribution
      • Do not install the .deb or .rpm inside the archive directly. Extract the archive and run the provided MIT installer script instead.
      • For example:
        $ sudo tar xvzf CrowdStrike_LinuxDeb_<version>.tar.gz
        $ cd CrowdStrike; sudo ./MIT-CrowdStrike-Install-Deb.sh
  3. Accept the Falcon License Agreement
  4. When prompted, click Yes or enter your computer password to give the installer permission to run.
    • On macOS High Sierra and later, you may get a "System Extension Blocked" message. The sensor will not load until you approve the CrowdStrike kernel extension: open System Preferences -> Security & Privacy and click Allow next to the CrowdStrike entry.
    • On macOS Mojave and later, the sensor daemon also needs Full Disk Access, or it cannot inspect everything it is meant to. Open System Preferences -> Security & Privacy -> Privacy -> Full Disk Access, click the plus sign, browse to /Library/CS, and add falcond.
    • Reboot your Mac after these changes.

You are done! After installation, the sensor will run silently.

Normal operation

Once installed, the sensor runs silently in the background. Programs it classifies as clearly malicious can be blocked from running; for programs that are merely suspicious, IS&T's Security team will contact you.

To confirm the sensor is installed and running properly:

  • Windows
    • Open a Command Prompt and type:
      sc query csagent
      Look for STATE : 4 RUNNING in the response:
        SERVICE_NAME: csagent
        TYPE               : 2  FILE_SYSTEM_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
  • macOS
    • Open the Terminal and type:
      sysctl cs
      You should see a lot of useful information, including:
      • cs.version - your currently installed sensor version
      • cs.sensorid - your unique sensor id
      • cs.comms.cloud_ip - the CrowdStrike IP your sensor is connected to
      • cs.comms.cloud_connection_state - 102 means the sensor is connected to the CrowdStrike cloud; any other value means it is not reporting and should be investigated
    • Sensor version 4.18.8013 and later:
      • The network information previously obtained with `sysctl cs.comms` is no longer exposed there; run `sudo /Library/CS/falconctl stats` instead.
      • The output of `sudo /Library/CS/falconctl stats` gives more detailed information on
        • Cloud connection state
        • Activity
        • Events sent and received
  • Linux
    • Use one of the following commands to verify the service is running:
      • $ sudo ps -e | grep falcon-sensor
        108019 ?        00:00:58 falcon-sensor
      • $ sudo systemctl is-active falcon-sensor
        active
      • $ sudo service falcon-sensor status
        Redirecting to /bin/systemctl status falcon-sensor.service
        ● falcon-sensor.service - CrowdStrike Falcon Sensor
           Loaded: loaded (/usr/lib/systemd/system/falcon-sensor.service; enabled; vendor preset: disabled)
           Active: active (running) since Thu 2019-10-31 11:00:47 EDT; 11min ago
          Process: 108012 ExecStart=/opt/CrowdStrike/falcond (code=exited, status=0/SUCCESS)
          Process: 108010 ExecStartPre=/opt/CrowdStrike/falconctl -g --cid (code=exited, status=0/SUCCESS)
         Main PID: 108016 (falcond)
           CGroup: /system.slice/falcon-sensor.service
                   ├─108016 /opt/CrowdStrike/falcond
                   └─108019 falcon-sensor
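The checks above, gathered into one script. This is an example added to this page; it is not part of the MIT installer or of CrowdStrike's tooling. The parsers take the captured output of `sc query csagent` and `sysctl cs` as an argument, so they can be used on output pasted from another machine; the live Linux and macOS checks assume the paths the page shows (/opt/CrowdStrike/falconctl and /Library/CS/falconctl) and must run on the host itself as root. The point it adds is that a sensor should be checked for connectivity, not just for a running process: state 102 on macOS, and on Linux a configured customer ID, which is exactly what the unit's ExecStartPre (`falconctl -g --cid`) verifies before the daemon is allowed to start.

```shell
#!/bin/sh
# falcon_check.sh - confirm the sensor is installed, running AND connected.
# A sensor whose process exists but never reaches cloud connection state 102
# sends no telemetry, so "the process is there" is not a sufficient check.
# Example script added to this page; it is not MIT's or CrowdStrike's code.
# Assumed paths: /opt/CrowdStrike/falconctl (Linux), /Library/CS/falconctl (macOS).

# ---- Parsers: take captured output as $1 so they work offline ---------------

# Windows `sc query csagent`: healthy when the STATE line reads "4  RUNNING".
win_sc_running() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*STATE[[:space:]]*:[[:space:]]*4[[:space:]]+RUNNING'
}

# macOS `sysctl cs` (sensors before 4.18.8013): healthy when the
# cloud_connection_state key is exactly 102.
mac_sysctl_connected() {
    printf '%s\n' "$1" |
        grep -Eq '^cs\.comms\.cloud_connection_state:[[:space:]]*102[[:space:]]*$'
}

# Value of one `sysctl cs` key ($1) from captured output ($2), e.g. cs.version.
mac_sysctl_value() {
    printf '%s\n' "$2" | awk -v k="$1" -F': ' '$1 == k { print $2 }'
}

# ---- Live checks: run on the host itself, as root ---------------------------

# Linux: the unit is active and the falcon-sensor worker process is present.
linux_sensor_active() {
    systemctl is-active --quiet falcon-sensor && pgrep -x falcon-sensor >/dev/null
}

# Linux: the unit's ExecStartPre runs `falconctl -g --cid`, so a sensor with no
# customer ID configured never starts. Check this first when the unit is failing.
linux_cid_configured() {
    /opt/CrowdStrike/falconctl -g --cid >/dev/null 2>&1
}

# macOS: use the sysctl keys where present; on newer sensors fall back to
# `falconctl stats` and print its state line for the operator to read, since
# the exact format of that output is not documented on this page.
mac_sensor_connected() {
    out=$(sysctl cs 2>/dev/null)
    if [ -n "$out" ]; then
        mac_sysctl_connected "$out"
    else
        /Library/CS/falconctl stats | grep -i 'state'
    fi
}

main() {
    case "$(uname -s)" in
        Linux)
            linux_cid_configured || { echo "FAIL: no customer ID configured"; return 1; }
            linux_sensor_active  || { echo "FAIL: falcon-sensor not active"; return 1; }
            echo "OK: falcon-sensor active" ;;
        Darwin)
            mac_sensor_connected || { echo "FAIL: sensor not connected"; return 1; }
            echo "OK: sensor connected" ;;
        *)
            echo "Run this on the host; for Windows, pass 'sc query csagent' output to win_sc_running" >&2
            return 2 ;;
    esac
}

# Constructed sample output (not captured from a real host) for the offline parsers.
SAMPLE_SC_OK='SERVICE_NAME: csagent
        TYPE               : 2  FILE_SYSTEM_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)'
SAMPLE_SC_STOPPED='SERVICE_NAME: csagent
        TYPE               : 2  FILE_SYSTEM_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)'
SAMPLE_SYSCTL_OK='cs.version: 4.18.8013
cs.sensorid: 00000000000000000000000000000000
cs.comms.cloud_ip: 192.0.2.10
cs.comms.cloud_connection_state: 102'
SAMPLE_SYSCTL_DOWN='cs.version: 4.18.8013
cs.comms.cloud_connection_state: 0'

# Only run the live checks when executed directly as falcon_check.sh.
case "$0" in *falcon_check.sh) main "$@" ;; esac
```

Run `sudo sh falcon_check.sh` on a Linux or Mac host. The SAMPLE_* strings at the bottom are constructed to show what the offline parsers expect; the sensor id and cloud IP in them are placeholders, not real values.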

Can it be uninstalled?

Current versions of CrowdStrike cannot be uninstalled without a maintenance token, which is unique to each system. To obtain one, email security@mit.edu from your MIT account stating that you need a maintenance token to uninstall CrowdStrike. Include your machine name so the Security team can find your token; if you know it, the machine's IP address is also helpful. Once you have the token, proceed with the instructions below.

  • Windows
    • Open Control Panel, choose Uninstall a Program, and select CrowdStrike Falcon Sensor. Have the maintenance token ready; the uninstaller will ask for it.
  • macOS
    This depends on the version of the sensor you are running. You can check it with the sysctl cs command mentioned above (cs.version), but unless you are still using Yosemite you should be on 4.x at this point.
    • Sensor version 3.9 and earlier: in the Terminal, run
      sudo sh /Library/CS/uninstall.sh
    • Sensor version 3.10 and later: in the Terminal, run
      sudo /Library/CS/falconctl uninstall
    • If the sensor seems to be misbehaving, you can also unload it and load it again rather than uninstalling:
      sudo /Library/CS/falconctl unload
      sudo /Library/CS/falconctl load
  • Linux
    • sudo service falcon-sensor stop
    • Remove the package with your distribution's package tool (rpm on RPM-based systems, dpkg or apt on Debian-based ones). The installed package is named falcon-sensor; the full versioned name will look like falcon-sensor-4.18.0-6403.el7.x86_64.
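The two Linux steps above as one script, with the check a practitioner wants afterwards: that the package record and the sensor processes are really gone. This is an example added to this page, not MIT's or CrowdStrike's code. It assumes the package is registered under the bare name falcon-sensor (the page's falcon-sensor-4.18.0-6403.el7.x86_64 is the versioned RPM name; rpm -e and dpkg accept the bare name) and that it is run as root. The maintenance token step is handled with the Security team as described above; this script covers only the command steps.

```shell
#!/bin/sh
# falcon_remove_linux.sh - stop the service, remove the package with the tool
# that owns it, and confirm nothing is left behind.
# Example script added to this page; it is not MIT's or CrowdStrike's code.
# Assumption: the package is registered as "falcon-sensor". Run as root.

PKG=falcon-sensor

# Which package database owns the sensor? Prints rpm, deb, or none.
falcon_pkg_type() {
    if command -v rpm >/dev/null 2>&1 && rpm -q "$PKG" >/dev/null 2>&1; then
        echo rpm
    elif command -v dpkg-query >/dev/null 2>&1 &&
         dpkg-query -W -f='${Status}' "$PKG" 2>/dev/null | grep -q 'install ok installed'; then
        echo deb
    else
        echo none
    fi
}

# Post-removal check: no package record and no sensor processes. Returns 0 when clean.
falcon_clean() {
    [ "$(falcon_pkg_type)" = none ] || { echo "package still registered"; return 1; }
    if pgrep -x falcond >/dev/null 2>&1 || pgrep -x falcon-sensor >/dev/null 2>&1; then
        echo "sensor process still running"; return 1
    fi
    return 0
}

# Stop, remove, verify. Returns 0 only when the sensor is fully gone.
falcon_remove() {
    type=$(falcon_pkg_type)
    if [ "$type" = none ]; then
        echo "$PKG is not installed"; return 1
    fi
    # Stop the daemon before the package scripts run, as the page's first step says.
    systemctl stop falcon-sensor 2>/dev/null || service falcon-sensor stop || return 1
    case "$type" in
        rpm) rpm -e "$PKG" || return 1 ;;
        deb) dpkg --purge "$PKG" || return 1 ;;
    esac
    falcon_clean
}

# Only act when executed directly as falcon_remove_linux.sh.
case "$0" in *falcon_remove_linux.sh) falcon_remove ;; esac
```

On a host where the sensor is not installed, falcon_remove does nothing and reports that; on a host where removal succeeded, falcon_clean is the step worth keeping in your own runbook, since a package removal that leaves falcond running is easy to miss.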

More information

If you have any questions about CrowdStrike, please contact the IS&T Security team at security@mit.edu



Last Modified:

April 14, 2020
