CrowdStrike
Install
Windows Install
WindowsSensor.exe /install /quiet /norestart CID=<your CID>
Linux Install
dpkg -i falcon-sensor_6.53.0-15003_amd64.deb
/opt/CrowdStrike/falconctl -s -f --cid="XXXX"
/opt/CrowdStrike/falconctl -s --trace=warn
systemctl enable falcon-sensor
systemctl restart falcon-sensor
Check Version
Windows Check Version
Check Version: [1]
wmic path win32_product where (caption like '%crowdstrike sensor%') get version
Note: This takes a few minutes to process.
Examples
Installed:
C:\>wmic path win32_product where (caption like '%crowdstrike sensor%') get version
Version
5.36.11809.0
Not installed:
C:\>wmic path win32_product where (caption like '%crowdstrike sensor%') get version
No Instance(s) Available.
Linux Check Version
/opt/CrowdStrike/falconctl -g --version
version = 7.10.16303.0
Linux Kernel Check
The Linux kernel is updated much more often than CrowdStrike is. You should disable automatic kernel updates and control them yourself, so the sensor is never left running on a kernel it does not support. To check whether the currently running kernel is supported by the installed version of CrowdStrike:
# /opt/CrowdStrike/falcon-kernel-check
Host OS 5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023 is supported by Sensor version 16303.
To get a list of supported kernels use:
# /opt/CrowdStrike/falcon-kernel-check -k [PATTERN]
# /opt/CrowdStrike/falcon-kernel-check -k 5.15
Example:
# /opt/CrowdStrike/falcon-kernel-check -k 5.15 | grep generic
5.15.0-25-generic #25-Ubuntu SMP Wed Mar 30 15:54:22 UTC 2022
5.15.0-27-generic #28-Ubuntu SMP Thu Apr 14 04:55:28 UTC 2022
5.15.0-30-generic #31-Ubuntu SMP Thu May 5 10:00:34 UTC 2022
5.15.0-33-generic #34~20.04.1-Ubuntu SMP Thu May 19 15:51:16 UTC 2022
5.15.0-33-generic #34-Ubuntu SMP Wed May 18 13:34:26 UTC 2022
...
5.15.0-88-generic #98-Ubuntu SMP Mon Oct 2 15:18:56 UTC 2023
5.15.0-89-generic #99~20.04.1-Ubuntu SMP Thu Nov 2 15:16:47 UTC 2023
5.15.0-89-generic #99-Ubuntu SMP Mon Oct 30 20:42:41 UTC 2023
5.15.0-91-generic #101~20.04.1-Ubuntu SMP Thu Nov 16 14:22:28 UTC 2023
5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023
Check for Reduced Functionality Mode (RFM)
sudo /opt/CrowdStrike/falconctl -g --rfm-state
Good:
rfm-state=false
Not so good:
rfm-state=true
If true, check for reason:
sudo /opt/CrowdStrike/falconctl -g --rfm-reason
# if all is good, but you ask anyway, you get:
rfm-reason=None, code=0x0.
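The version, kernel-support and RFM checks above combined into one post-install health check. This is an added example, not a script from the page or from CrowdStrike; it assumes falconctl and falcon-kernel-check live under /opt/CrowdStrike/ as shown above, and the parsing functions work on the exact output formats shown on this page.

```shell
#!/bin/sh
# Added example (not CrowdStrike's own tooling): Linux Falcon sensor health check.
# Assumes the tools are at the paths used elsewhere on this page.
FALCONCTL=/opt/CrowdStrike/falconctl
KCHECK=/opt/CrowdStrike/falcon-kernel-check

# "version = 7.10.16303.0"  ->  "7.10.16303.0"
parse_version() { printf '%s\n' "$1" | sed -n 's/^version *= *//p'; }

# "rfm-state=false" means the sensor is fully functional; return 0 only then.
rfm_ok() { case "$1" in *rfm-state=false*) return 0;; *) return 1;; esac; }

# "rfm-reason=None, code=0x0."  ->  "None"
parse_rfm_reason() { printf '%s\n' "$1" | sed -n 's/^rfm-reason=\([^,]*\),.*/\1/p'; }

# falcon-kernel-check reports "... is supported by Sensor version NNNN." when the
# running kernel is supported; anything else is treated as unsupported.
kernel_ok() { case "$1" in *"is supported by Sensor version"*) return 0;; *) return 1;; esac; }

# Run the live checks on this host; print each problem and return non-zero if any.
check_sensor() {
  rc=0
  v=$(parse_version "$("$FALCONCTL" -g --version)")
  echo "sensor version: ${v:-unknown}"
  if ! systemctl is-active --quiet falcon-sensor; then
    echo "PROBLEM: falcon-sensor service is not active"; rc=1
  fi
  if ! kernel_ok "$("$KCHECK" 2>&1)"; then
    echo "PROBLEM: running kernel $(uname -r) is not supported by this sensor"; rc=1
  fi
  if ! rfm_ok "$("$FALCONCTL" -g --rfm-state)"; then
    reason=$(parse_rfm_reason "$("$FALCONCTL" -g --rfm-reason)")
    echo "PROBLEM: sensor is in Reduced Functionality Mode (reason: ${reason:-unknown})"; rc=1
  fi
  return $rc
}

# Only run the live checks where the sensor is actually installed.
if [ -x "$FALCONCTL" ]; then check_sensor; fi
```

Run it as root after every sensor or kernel update; a non-zero exit means the host is not protected the way you think it is.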
Check File System Service
Check that the sensor is running: [1]
sc query csagent
C:\>sc query csagent
SERVICE_NAME: csagent
        TYPE               : 2  FILE_SYSTEM_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
Note: This is a different service from the one shown in the Services manager.
Linux
Dependency:
apt install libnl-3-200
cd /opt
dpkg -i falcon-sensor_6.53.0-15003_amd64.deb
# /opt/CrowdStrike/falconctl -s --cid="XXXX"
# Note: -f is required together with --cid; without it you get:
# "CID is set, but -f was not specified"
/opt/CrowdStrike/falconctl -s -f --cid="XXXX"
/opt/CrowdStrike/falconctl -s --trace=warn
systemctl enable falcon-sensor
systemctl restart falcon-sensor
/opt/CrowdStrike/falconctl -s --trace=info
systemctl status falcon-sensor
/opt/CrowdStrike/falconctl -g --cid
/opt/CrowdStrike/falconctl -g --trace
service falcon-sensor status
service falcon-sensor restart
ps aux | grep sensor
ps aux | grep falcon
How to Install the CrowdStrike Falcon Sensor for Linux https://www.crowdstrike.com/blog/tech-center/install-falcon-sensor-for-linux/
Pi Not Supported
Raspberry Pi is not supported; the sensor package is amd64 only and the install fails on armhf:
root@pitest:~# dpkg -i falcon-sensor_6.53.0-15003_amd64.deb
dpkg: error processing archive falcon-sensor_6.53.0-15003_amd64.deb (--install):
 package architecture (amd64) does not match system (armhf)
Errors were encountered while processing:
 falcon-sensor_6.53.0-15003_amd64.deb
root@pitest:~# uname -a
Linux pitest 5.15.74-v7l+ #1595 SMP Wed Oct 26 11:05:08 BST 2022 armv7l GNU/Linux
Installation Path
Windows Install Path
CS is installed in:
C:\Windows\System32\drivers\CrowdStrike
ref: [2]
Linux Install Path
/opt/CrowdStrike/
Uninstall
In order to uninstall current versions of CrowdStrike, you will need to obtain a maintenance token, which is unique to each system. To obtain this token, email YOUR IT ADMIN stating that you need a maintenance token to uninstall CrowdStrike. You will also need to provide your unique agent ID as described below. The Security Team may be able to find your host by a combination of hostname, IP address and/or MAC address.
You can retrieve the host's device ID or AID (agent ID) locally by running the following commands at a Command Prompt/Terminal.
Windows: reg query HKLM\System\CurrentControlSet\services\CSAgent\Sim\ /f AG
Mac sensor version 6.x: sudo /Applications/Falcon.app/Contents/Resources/falconctl stats | grep agentID
Once the Security Team provides this maintenance token, you may proceed with the below instructions.
Windows
- Go to the Control Panel, select Uninstall a Program, and select CrowdStrike Falcon Sensor. Enter the maintenance token when prompted.
Mac OS
- This depends on the version of the sensor you are running. You can check using the sysctl cs command mentioned above, but unless you are still using Yosemite you should be on 6.x at this point. Note for those unfamiliar with sudo that you will be prompted for a password, which is the password for the account you are logged in as, to allow the command to run with elevated privilege. The Falcon Agent will also require Full Disk access for the uninstall. On macOS 13 and above, Terminal will need to be added to App Management.
- Sensor version 6.x and above, navigate to the Terminal command line and type:
sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall --maintenance-token
- Enter token-from-security-team when prompted
- You can also unload/load the sensor if you think you are having problems:
sudo /Applications/Falcon.app/Contents/Resources/falconctl load
sudo /Applications/Falcon.app/Contents/Resources/falconctl unload --maintenance-token
- Enter token-from-security-team when prompted
Linux
- Stop the sensor service:
sudo service falcon-sensor stop
- Remove the package using the appropriate rpm or deb package command (rpm -e or dpkg -r). The package name will look like falcon-sensor-4.18.0-6403.el7.x86_64
ref: [3]