
CrowdStrike FAQs

Below is a list of common questions and answers for the University’s new Endpoint Protection Software: https://uit.stanford.edu/service/edr

CrowdStrike for Endpoints

Q. What are my options for anti-malware as a student or staff member on a personally owned system?
A. A free/low-cost option is Sophos Home, but we recommend researching online and assessing what best fits your needs.
Q. Why is BigFix/Jamf recommended to be used with CrowdStrike?
A. BigFix/Jamf aids in the maintenance and approval needed to run CrowdStrike optimally. CrowdStrike is a managed antivirus solution and is not recommended for VLRE users.
Q. Will I see anything different?
A. The biggest difference visually is the absence of icons in the Windows System Tray, status menu or menu bars.
Q. If there are no icons, how do I know it’s running on my computer?

A. You can verify whether CrowdStrike is running through MyDevices (BigFix must be present on the system to report CrowdStrike status), or check on the host itself:

Windows:

  • Open a Command Prompt window (Start > Windows System > Command Prompt)
  • Run the following command and confirm that “STATE” is “RUNNING”:
    • sc query csagent

macOS:

  • Open a Terminal window (Finder > Terminal)
  • Run the following command:
    • (6.x client) sudo /Applications/Falcon.app/Contents/Resources/falconctl stats
  • The output is long; the part to look for is:

=== Communications ===
Cloud Info
    Host: ts01-b.cloudsink.net
    Port: 443
    State: connected

  • You can check whether you are on the 6.x client by going to your Applications folder and clicking the Falcon icon.

  • For macOS Mojave 10.14 through Catalina 10.15, check whether the kernel extension is approved and loaded by running the following terminal command: "kextstat | grep crowd".
    If "com.crowdstrike.sensor" is displayed, the kernel extension is approved and loaded successfully.

Big Sur and later:

  • For macOS Big Sur 11.0 and later, verify that the Falcon system extension is enabled and activated by the operating system by running this command in a terminal:

    • systemextensionsctl list

      The output lists the com.crowdstrike.falcon.Agent system extension; its state should read [activated enabled]:

1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
* * X9E956P446 com.crowdstrike.falcon.Agent (5.38/119.57) Agent [activated enabled]

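The two macOS checks above can be scripted so a fleet of Macs is verified the same way every time. The following is an added example, not Stanford's or CrowdStrike's own tooling: it parses the text of falconctl stats and systemextensionsctl list as excerpted in this FAQ. The "waiting for user" sample is constructed to show an extension that has been activated but not yet approved; the live wrapper assumes the 6.x sensor path and needs sudo.

```shell
#!/bin/sh
# Added example (not CrowdStrike's or Stanford's own tooling): parse the two
# macOS status outputs described in the FAQ so the check can be scripted.
# The first two samples are the FAQ's excerpts; the third is constructed.

SAMPLE_STATS=$(cat <<'EOF'
=== Communications ===
Cloud Info
    Host: ts01-b.cloudsink.net
    Port: 443
    State: connected
EOF
)

SAMPLE_SYSEXT=$(cat <<'EOF'
1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
* * X9E956P446 com.crowdstrike.falcon.Agent (5.38/119.57) Agent [activated enabled]
EOF
)

# Constructed: the extension was activated but the user has not approved it yet.
SAMPLE_SYSEXT_PENDING=$(cat <<'EOF'
1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
* - X9E956P446 com.crowdstrike.falcon.Agent (5.38/119.57) Agent [activated waiting for user]
EOF
)

# Print the "State:" value from the Cloud Info block of `falconctl stats` ($1).
mac_cloud_state() {
  printf '%s\n' "$1" | tr -d '\r' |
    awk '/Cloud Info/ { in_cloud = 1 }
         in_cloud && $1 == "State:" { print $2; exit }'
}

# Print the bracketed state of com.crowdstrike.falcon.Agent from
# `systemextensionsctl list` ($1), e.g. "activated enabled".
mac_sysext_state() {
  printf '%s\n' "$1" | tr -d '\r' |
    awk '/com\.crowdstrike\.falcon\.Agent/ {
           i = index($0, "["); j = index($0, "]")
           if (i && j > i) print substr($0, i + 1, j - i - 1)
           exit
         }'
}

# Healthy only when the extension is both activated and enabled.
mac_sysext_ok() {
  case "$(mac_sysext_state "$1")" in
    *activated*enabled*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live check on a Mac with the 6.x sensor (needs sudo); 0 when both checks pass.
mac_live_check() {
  stats=$(sudo /Applications/Falcon.app/Contents/Resources/falconctl stats 2>/dev/null) || return 2
  ext=$(systemextensionsctl list 2>/dev/null)
  state=$(mac_cloud_state "$stats")
  echo "cloud state: ${state:-unknown}; system extension: $(mac_sysext_state "$ext")"
  [ "$state" = connected ] && mac_sysext_ok "$ext"
}
```

Running mac_live_check from a management tool gives a non-zero exit code whenever the sensor is installed but not talking to the cloud or the system extension is still waiting on user approval, which are the two states that look "installed" in an inventory but provide no protection.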
Q. What are the Full Disk Access, Notifications and Network configurations for the Falcon sensor on macOS?
A. Full Disk Access is recommended for Mojave and required for Catalina and later.

You must grant Full Disk Access on each host. Administrator account permission is required:

1. Click the Apple icon and open System Preferences, then click Security & Privacy.
2. On the Privacy tab, if privacy settings are locked, click the lock icon and enter the password.
3. In the left pane, select Full Disk Access.
4. In the right pane, click the plus icon.
5. In Finder, find Falcon in the list of applications, or use Cmd+Shift+G and navigate to /Applications/Falcon.app (CS sensor version 6.x).
6. Click Open.
7. On Big Sur and later, select Agent.
8. Click the lock icon to re-lock privacy settings.


Notifications: enable notifications to be alerted when CrowdStrike takes action: System Preferences > Notifications & Focus.

Network: System Preferences > Network (the Falcon filter should be added automatically). If it is not added, open a terminal shell and enter this command:

sudo /Applications/Falcon.app/Contents/Resources/falconctl enable-filter

Q. Will it slow my computer down?

A. There is no perceptible performance impact on your computer. The Falcon sensor’s design makes it extremely lightweight (consuming 1% or less of CPU) and unobtrusive: there’s no UI, no pop-ups, no reboots, and all updates are performed silently and automatically.

Q. Will it prevent me from using my applications?

A. CrowdStrike uses multiple methods to prevent and detect malware. Those methods include machine learning, exploit blocking and indicators of attack. That said, unless specifically configured, CrowdStrike will NOT block legitimate applications.

In the event CrowdStrike has blocked legitimate software or a legitimate process, please submit a ticket with as much detail as you can; the Information Security Office will review the circumstances and add an exception or unquarantine the files if approved. Once an exception has been submitted it can take up to 60 minutes to take effect.

Q. What data is sent to the CrowdStrike servers?

A. CrowdStrike Falcon is designed to maximize customer visibility into real-time and historical endpoint security events by gathering event data needed to identify, understand and respond to attacks — but nothing more. This default set of system events focused on process execution is continually monitored for suspicious activity. When such activity is detected, additional data collection activities are initiated to better understand the situation and enable a timely response to the event, as needed or desired. Note that the specific data collected changes as we advance our capabilities and in response to changes in the threat landscape. Information related to activity on the endpoint is gathered via the Falcon sensor and made available to the customer via the secure Falcon web management console.

Detailed Sensor Event List

Q. How can I tell if there have been any threats blocked on my computer?

A. On Windows, CrowdStrike shows a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines something. These messages also appear in the Windows Event Viewer under Applications and Services Logs. Sample pop-ups (Windows and macOS):


Q. Why do I need an uninstall Token?

A. Modern malware attacks include disabling antivirus on systems. CrowdStrike Falcon tamper protection guards against this. Uninstall Tokens can be requested with a HelpSU ticket. See “How do I uninstall CrowdStrike?” below for more information.

Q. How do I uninstall CrowdStrike?

A. Windows: you can uninstall from Programs & Features {submit maintenance token}

A. macOS: Open a terminal window and enter this command

sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall --maintenance-token (enter) {submit maintenance token}

OR

sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall -t (enter) {submit maintenance token}

Maintenance Tokens can be requested with a HelpSU ticket. Please provide the following information:

(required) SUNetID of the system owner
(required) Ownership: (Stanford/Personal/other - specify)

(one or more of the following)
Hostname
Serial Number
CrowdStrike ID (see note 1 below): (from MyDevices)
Licence Type: (from MyDevices)

(required) Reason: (Troubleshooting, Leaving Stanford, Personal Machine no longer used for Stanford work)

Notes:

  • When the system is no longer used for Stanford business: if BigFix and/or Jamf is installed, you MUST FIRST REMOVE these applications, or CrowdStrike will/may be reinstalled automatically.
  • Uninstalling because it was auto-installed with BigFix and you are a student: students should rerun the BigFix installer and select SU Group: Students so that CrowdStrike is not reinstalled.
  • If you are uninstalling CrowdStrike for troubleshooting: CrowdStrike will automatically be reinstalled in 24 hours on Windows. At this time macOS will need to be reinstalled manually.
  • When the system is Stanford owned: many departments have opted to have their systems installed with CrowdStrike, so if you are requesting an uninstall token for reasons other than troubleshooting and it is blocking a legitimate application/process, please see the FAQ “Will it prevent me from using my applications?” for a resolution.
  • If you are a current student and had CrowdStrike installed, it is likely because when you installed BigFix you selected a department that has opted in to have machines installed with CrowdStrike. Before removing CrowdStrike you will need to run the BigFix installer and select SU Group: Students to be exempted.
  • School of Medicine students and staff enrolled in the SOM Data Security Program are required to have CrowdStrike installed. This includes personally owned systems, whether or not you access high-risk data.

1. The CrowdStrike Agent ID is a unique identifier for your machine and helps in locating your machine in the event there are duplicate machine names.

  • Manually querying for your agent id:
    • Windows: reg query HKLM\System\CurrentControlSet\services\CSAgent\Sim\ /f AG
    • macOS: sudo /Applications/Falcon.app/Contents/Resources/falconctl stats | grep agentID

CrowdStrike for Servers

Q. Can I install Crowdstrike on my servers?

A. Yes, we encourage departments to deploy Crowdstrike EDR on servers. Please contact us for an engagement.

Q. What are the supported Windows versions for servers?

A. Supported Windows operating systems include:

64-bit Windows Servers:

  • Windows Server 2019
  • Windows Server Core 2019
  • Windows Server 2016
  • Windows Server Core 2016
  • Windows Server 2012 R2
  • Windows Storage Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2 SP1
    • Microsoft extended support ended on January 14th, 2020
    • end of sensor support on January 14th, 2021
    • CrowdStrike Extended Support subscription available to receive support until January 14th, 2023
Q. What are the supported Linux versions for servers?

A. CrowdStrike supports the Graviton versions of the following Linux server operating systems:

  • Amazon Linux 2 – requires sensor 5.34.9717+. Note: Cloud Machine Learning (ML) is not supported on the Graviton1 and Graviton2 processors at this time.

and the x86_64 versions of these operating systems with supported kernels:

Amazon Linux 2

Amazon Linux AMI
  • 2018.03
  • 2017.09
  • 2017.03 – last supported on version 5.43.10807, through end-of-support on May 8th, 2021
CentOS
  • 8.0-8.2 – 8.2 requires sensor 5.34.9917+
  • 7.4-7.9 – 7.9 requires sensor 5.34.10803+
  • 7.1-7.3 – last supported on version 5.43.10807, through end-of-support on May 8th, 2021
  • 6.7-6.10
  • 6.5-6.6 – last supported on version 5.43.10807, through end-of-support on May 8th, 2021
Debian 9
  • 9.4 – requires sensor 5.33.9804+
Oracle Linux
  • Oracle Linux 7 - UEK 3, 4, 5
  • Oracle Linux 6 - UEK 3, 4
  • Red Hat Compatible Kernel (supported RHCK kernels are the same as RHEL)
Red Hat Enterprise Linux (RHEL)
  • 8.0-8.2 – 8.2 requires sensor 5.34.9917+
  • 7.4-7.9 – 7.9 requires sensor 5.34.10803+
  • 7.1-7.3 – last supported on version 5.43.10807, through end-of-support on May 8th, 2021
  • 6.7-6.10
  • 6.5-6.6 – last supported on version 5.43.10807, through end-of-support on May 8th, 2021
SUSE Linux Enterprise (SLES)
  • 15
  • 12.2-12.5
  • 12.1 – last supported on version 5.43.10807, through end-of-support on May 8th, 2021
  • 11.4 – you must also install OpenSSL version 1.0.1e or greater
Ubuntu
  • 20.04 LTS – requires sensor 5.43.10807+
  • 18-AWS
  • 18.04 LTS
  • 16-AWS
  • 16.04 LTS and 16.04.5 LTS
  • 14.04 LTS – last supported on version 5.43.10807, through end-of-support on May 8th, 2021
Please note that Docker is supported on the following Linux OSes only:
  • Amazon Linux 2
    • requires sensor 5.34+ for Graviton versions
  • Amazon Linux 2018.03
  • CentOS7 and RHEL 7
  • Debian 9.4 – requires sensor 5.33.9804+
  • SLES 12 SP3
  • SLES 12 SP4 and SLES 15
  • SLES 12 SP5
  • Ubuntu 14.04, 16.04, and 18.04
Q. Does Crowdstrike support AWS, GCP, and Azure?
A. Yes, Crowdstrike is supported on all cloud platforms.
Q. How do I deploy Crowdstrike to my servers?
A. We currently have a BigFix fixlet that can help deploy the Crowdstrike sensor to your Windows servers. For all other deployment mechanisms such as SCCM, Jamf, and Puppet, we can provide the latest version of installers.
Q. What are some of the requirements for a successful Crowdstrike sensor deployment?

A. The following is a list of requirements:

  • Supported operating systems and kernels
  • Port 443 outbound to the CrowdStrike cloud from all host segments
  • Proxies: sensor configured to support or bypass them
  • SSL inspection bypassed for sensor traffic
  • TLS 1.2 enabled (Windows especially)
  • Both required DigiCert certificates installed (Windows)


Q. What firewall rules do I need for my server(s)? What do I do if my server is behind a proxy?
A. The Falcon sensor communicates over port 443 and connects to the following two domains during normal operation:

      ts01-b.cloudsink.net
      lfodown01-b.cloudsink.net

The static IPs associated with these domains are maintained in the address group "g_crowdstrike" in Netdocs. When updating firewall rules, ensure you have an outbound rule whose destination address is "g_crowdstrike" and whose "Service" is "443t".

Alternatively, here are the static IPs to configure your routing tables if needed:

ts01-b.cloudsink.net:

      13.56.127.239
      13.57.54.63
      50.18.194.39
      52.52.117.52
      52.52.119.33
      52.52.149.168
      52.52.239.58
      52.53.77.89
      52.8.134.130
      52.8.160.82
      52.8.172.89
      52.8.173.58
      52.8.19.75
      52.8.32.113
      52.8.45.162
      52.8.5.240
      52.8.54.244
      52.8.61.206
      52.9.104.148
      52.9.212.176
      52.9.77.209
      52.9.82.94
      52.9.87.98
      54.183.105.3
      54.183.122.156
      54.183.140.32
      54.183.142.105
      54.183.148.116
      54.183.148.43
      54.183.234.42
      54.183.24.162
      54.183.252.86
      54.183.34.154
      54.183.39.68
      54.183.51.31
      54.183.51.69
      54.183.52.221
      54.193.117.199
      54.193.27.226
      54.193.29.47
      54.193.67.98
      54.193.87.57
      54.193.90.171
      54.193.93.19
      54.215.131.232
      54.215.154.80
      54.215.169.199
      54.215.169.38
      54.215.176.108
      54.215.183.157
      54.215.226.55
      54.219.112.243
      54.219.115.12
      54.219.137.54
      54.219.140.50
      54.219.141.250
      54.219.145.181
      54.219.147.253
      54.219.148.161
      54.219.149.89
      54.219.149.92
      54.219.151.1
      54.219.151.27
      54.219.153.248
      54.219.158.53
      54.219.159.84
      54.219.161.141
      54.241.138.180
      54.241.146.67
      54.241.148.127
      54.241.150.134
      54.241.161.60
      54.241.162.180
      54.241.162.64
      54.241.164.212
      54.241.175.140
      54.241.175.52
      54.241.179.52
      54.241.181.242
      54.241.184.161
      54.241.185.201
      54.241.186.124
      54.241.197.58
      54.67.105.202
      54.67.119.89
      54.67.123.150
      54.67.123.234
      54.67.26.184
      54.67.33.233
      54.67.48.56
      54.67.54.116
      54.67.6.201
      54.67.68.88
      54.67.92.206
      54.67.96.255
      54.67.99.247

lfodown01-b.cloudsink.net:

      13.56.121.58
      50.18.198.237
      52.8.141.1
      54.183.120.141
      54.183.135.80
      54.183.215.154
      54.193.86.245
      54.215.170.42
      54.219.179.25
      54.241.161.242
      54.241.181.78
      54.241.182.78
      54.241.183.151
      54.241.183.229
      54.241.183.232
      54.67.108.17
      54.67.114.188
      54.67.122.238
      54.67.17.131
      54.67.24.156
      54.67.4.108
      54.67.41.192
      54.67.5.136
      54.67.51.32
      54.67.72.218
      54.67.78.134
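Several of the deployment requirements listed above (port 443 outbound, TLS 1.2, no SSL inspection of sensor traffic) can be tested from the host before the sensor is installed. The following is an added example, not Stanford's or CrowdStrike's own tooling: it opens a TLS 1.2 session to each cloud domain with openssl and compares the certificate issuer with the expected CA. It assumes, based on the DigiCert certificate requirement in this FAQ, that the Falcon cloud presents a DigiCert-issued chain; a different issuer means an inspecting proxy has re-signed the connection. The openssl output samples at the end are constructed to exercise the parser.

```shell
#!/bin/sh
# Added example (not CrowdStrike's or Stanford's own tooling): pre-deployment
# connectivity check for the Falcon cloud domains named in the FAQ.
# Assumption: the real chain is DigiCert-issued; adjust EXPECTED_ISSUER if not.

FALCON_HOSTS="ts01-b.cloudsink.net lfodown01-b.cloudsink.net"
EXPECTED_ISSUER="DigiCert"

# Print the leaf certificate issuer from `openssl s_client` output ($1).
# Works for both "issuer=/C=US/O=..." (old openssl) and "issuer=C = US, O = ..." forms.
tls_issuer() {
  printf '%s\n' "$1" | tr -d '\r' | awk '/^issuer=/ { sub(/^issuer=/, ""); print; exit }'
}

# 0 when the issuer contains the expected CA name, 1 otherwise (inspection likely).
chain_not_inspected() {
  case "$(tls_issuer "$1")" in
    *"$EXPECTED_ISSUER"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live check of one endpoint: DNS, TCP 443, TLS 1.2 handshake, issuer comparison.
check_endpoint() {
  out=$(printf '' | openssl s_client -connect "$1:443" -servername "$1" -tls1_2 2>/dev/null)
  if [ -z "$out" ]; then
    echo "$1: no TLS 1.2 session on 443 (blocked, unconfigured proxy, or DNS failure)"
    return 1
  fi
  if chain_not_inspected "$out"; then
    echo "$1: ok, issuer: $(tls_issuer "$out")"
  else
    echo "$1: issuer '$(tls_issuer "$out")' is not $EXPECTED_ISSUER: SSL inspection likely"
    return 1
  fi
}

# Check every domain; non-zero if any fails.
check_all() {
  rc=0
  for h in $FALCON_HOSTS; do check_endpoint "$h" || rc=1; done
  return $rc
}

# Constructed, abridged openssl output for a direct connection and for one
# re-signed by a corporate inspection CA (both are illustrative, not real captures).
SAMPLE_DIRECT='CONNECTED(00000003)
---
subject=CN = ts01-b.cloudsink.net
issuer=C = US, O = DigiCert Inc, CN = DigiCert Example Intermediate CA
---'
SAMPLE_INSPECTED='CONNECTED(00000003)
---
subject=CN = ts01-b.cloudsink.net
issuer=CN = Example Corp TLS Inspection CA
---'
```

Run check_all on a host in each network segment before rolling out the sensor; a host that passes the TCP connection but fails the issuer comparison is the classic symptom of an SSL-inspecting proxy that needs a bypass for cloudsink.net.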
   
Q. What is the command to install Crowdstrike on a host behind a proxy?
A. For Windows, using an elevated command prompt, the command is as follows (replace the CID, proxy server and proxy port placeholders with your values):

WindowsSensor.exe /install /quiet /norestart CID=enteryourCIDhere APP_PROXYNAME=enteryourproxyserverhere APP_PROXYPORT=enteryourporthere ProvWaitTime=3600000

Please contact us for fixlet information in BigFix for bulk deployments.
Q. How do I check if the Windows sensor is running?
A. Running the following command is a standard troubleshooting step for the Falcon sensor for Windows; it not only checks for the existence of a sensor but verifies that it is actively running:

sc query csagent

The output should look like this:

        C:\Users\user> sc query csagent

        SERVICE_NAME: csagent
        TYPE               : 2  FILE_SYSTEM_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

If the service is reported as not found and there is no CrowdStrike folder (C:\WINDOWS\system32\drivers\CrowdStrike, the location shown in BINARY_PATH_NAME below): this is expected; proceed with deployment.

If the service is reported as not found but the CrowdStrike folder is present: a sensor is present, but there is a problem with it.

If the STATE reads STOPPED: the sensor is present but not running, so there is a problem with it. The next thing to check when the sensor service is stopped is how it is set to start.
     
Do this with: "sc qc csagent"

The response should look like:

        [SC] QueryServiceConfig SUCCESS

        SERVICE_NAME: csagent
        TYPE               : 2  FILE_SYSTEM_DRIVER
        START_TYPE         : 1  SYSTEM_START
        ERROR_CONTROL      : 1  NORMAL
        BINARY_PATH_NAME   : \??\C:\WINDOWS\system32\drivers\CrowdStrike\csagent.sys
        LOAD_ORDER_GROUP   : FSFilter Activity Monitor
        TAG                : 0
        DISPLAY_NAME       : CrowdStrike Falcon
        DEPENDENCIES       : FltMgr
        SERVICE_START_NAME :

The important thing on this one is that the START_TYPE is set to SYSTEM_START.  The Sensor should be started with the system in order to function.  If this setting has been changed, perform the following: "sc config csagent start= system"

Then start the service (no reboot required): "sc start csagent"

You should receive a response that the csagent service is RUNNING.

If the csagent service fails to start to a RUNNING state and the start type reads SYSTEM, the most likely explanation is some form of Sensor corruption, and reinstalling the Sensor is the most expedient remediation.
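The triage steps above form a small decision tree, and they are easiest to apply consistently when the sc output has been captured from many hosts by a management tool. The following is an added example, not Stanford's or CrowdStrike's own tooling: it runs in a POSIX shell over the captured text of sc query csagent and sc qc csagent and prints the action this FAQ prescribes. The RUNNING sample is the one shown above; the STOPPED, not-found and DEMAND_START samples are constructed for illustration, and whether the CrowdStrike driver folder exists is assumed to be collected separately and passed in as yes/no.

```shell
#!/bin/sh
# Added example (not CrowdStrike's or Stanford's own tooling): apply the FAQ's
# Windows triage to captured "sc query csagent" / "sc qc csagent" output.
# SC_QUERY_RUNNING is the FAQ's sample; the other samples are constructed.

SC_QUERY_RUNNING=$(cat <<'EOF'
SERVICE_NAME: csagent
        TYPE               : 2  FILE_SYSTEM_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
EOF
)

SC_QUERY_STOPPED=$(cat <<'EOF'
SERVICE_NAME: csagent
        TYPE               : 2  FILE_SYSTEM_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
EOF
)

# Constructed to resemble sc's "service not found" error; no STATE line is present.
SC_QUERY_MISSING='[SC] EnumQueryServicesStatus:OpenService FAILED 1060:
The specified service does not exist as an installed service.'

SC_QC_DEMAND_START=$(cat <<'EOF'
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: csagent
        TYPE               : 2  FILE_SYSTEM_DRIVER
        START_TYPE         : 3  DEMAND_START
        BINARY_PATH_NAME   : \??\C:\WINDOWS\system32\drivers\CrowdStrike\csagent.sys
EOF
)

SC_QC_SYSTEM_START=$(cat <<'EOF'
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: csagent
        TYPE               : 2  FILE_SYSTEM_DRIVER
        START_TYPE         : 1  SYSTEM_START
EOF
)

# Print the last token of the line whose first token is $2 in sc output $1
# (sc prints "FIELD : code NAME"); CRLF from Windows captures is stripped first.
sc_field() {
  printf '%s\n' "$1" | tr -d '\r' | awk -v f="$2" '$1 == f { print $NF; exit }'
}

# Classify a host from its "sc query csagent" output ($1) and whether the
# C:\Windows\System32\drivers\CrowdStrike folder exists ($2: yes or no).
classify_sensor() {
  state=$(sc_field "$1" STATE)
  case "$state" in
    RUNNING) echo "running" ;;
    STOPPED) echo "stopped" ;;
    "") if [ "$2" = yes ]; then echo "broken-install"; else echo "not-installed"; fi ;;
    *) echo "transitional:$state" ;;
  esac
}

# For a STOPPED sensor, the commands to run given its "sc qc csagent" output ($1).
next_step_for_stopped() {
  if [ "$(sc_field "$1" START_TYPE)" != SYSTEM_START ]; then
    echo 'sc config csagent start= system && sc start csagent'
  else
    echo 'sc start csagent'
  fi
}

# Full decision for one host: query output, folder flag, qc output.
recommend() {
  case "$(classify_sensor "$1" "$2")" in
    running)        echo "ok" ;;
    not-installed)  echo "deploy sensor" ;;
    broken-install) echo "reinstall sensor" ;;
    stopped)        echo "$(next_step_for_stopped "$3"); reinstall if it still does not reach RUNNING" ;;
    *)              echo "re-check shortly" ;;
  esac
}
```

Feeding each host's three inputs to recommend turns a pile of captured console output into a worklist: hosts to deploy, hosts to reinstall, and hosts that only need the start type corrected.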

Q. How do I verify Linux sensor connectivity?

A. Verifying that the sensor is running:

  • Check running processes to verify the Falcon sensor is running: ps -e | grep -e falcon-sensor
  • Check kernel modules to verify the Falcon sensor's kernel modules are running: lsmod | grep falcon
  • Check the Falcon sensor's configurable options: sudo /opt/CrowdStrike/falconctl -g
    Optional parameters:
    • --aid: the sensor's agent ID (please feel free to contact ISO for help as needed)
    • --cid: your Customer ID (please feel free to contact ISO for help as needed)
    • --apd: the sensor's proxy status (enabled or disabled; only applicable if your host is behind a proxy server)
    • --aph: the sensor's proxy host
    • --app: the sensor's proxy port
    • --version: the sensor's version number

The sensor requires these runtime services:

  • network
  • systemd
  • local-fs
  • sysinit
  • multi-user
  • shutdown

Verifying the sensor files on disk:

If the sensor is not running, verify that the sensor's application files exist on your host:

$ sudo ls -al /opt/CrowdStrike /opt/CrowdStrike/falcon-sensor

This should be a symlink to either:

  • the original sensor installation at /opt/CrowdStrike/falcon-sensor
  • a sensor update package with a release build number, such as /opt/CrowdStrike/falcon-sensor3000
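The Linux checks above can be combined into one script that exits non-zero when anything is wrong. The following is an added example, not Stanford's or CrowdStrike's own tooling. It assumes the runtime services listed above correspond to systemd targets (network, local-fs, sysinit, multi-user), that /proc/modules is the source lsmod reads, and that a healthy falcon-sensor entry is either a regular file or a symlink to a build-numbered package such as falcon-sensor3000 in the same directory; the file check takes the install directory as a parameter so it can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example (not CrowdStrike's or Stanford's own tooling): the Linux sensor
# checks from the FAQ as shell functions.
# Assumptions: listed runtime services are systemd targets; falcon-sensor may be
# a symlink to falcon-sensor<build> in the same directory.

FALCON_DIR="${FALCON_DIR:-/opt/CrowdStrike}"

# ps -e | grep falcon-sensor, anchored on the exact process name.
falcon_process_running() {
  ps -e -o comm= 2>/dev/null | grep -qx 'falcon-sensor'
}

# lsmod | grep falcon, read from /proc/modules (what lsmod itself reads).
falcon_module_loaded() {
  grep -q '^falcon' /proc/modules 2>/dev/null
}

# Show the sensor settings the FAQ lists (needs root).
falcon_settings() {
  sudo "$FALCON_DIR/falconctl" -g --cid --aid --apd --aph --app --version
}

# Report any of the required systemd targets that are not active.
falcon_runtime_targets() {
  for t in network local-fs sysinit multi-user; do
    systemctl is-active --quiet "$t.target" 2>/dev/null || echo "inactive: $t.target"
  done
}

# Verify the on-disk layout under $1 (default $FALCON_DIR): falcon-sensor must
# exist, and if it is a symlink it must point at falcon-sensor<build> in the
# same directory. Prints what it found; returns 1 on any problem.
falcon_sensor_files_ok() {
  dir="${1:-$FALCON_DIR}"
  link="$dir/falcon-sensor"
  if [ ! -e "$link" ]; then echo "missing: $link"; return 1; fi
  if [ -L "$link" ]; then
    target=$(readlink "$link")
    case "${target##*/}" in
      falcon-sensor[0-9]*) echo "symlink -> $target" ;;
      *) echo "unexpected symlink target: $target"; return 1 ;;
    esac
  else
    echo "regular file: $link"
  fi
}

# Overall verdict; non-zero if any check fails.
falcon_linux_check() {
  rc=0
  falcon_process_running && echo "process: running" || { echo "process: not running"; rc=1; }
  falcon_module_loaded && echo "module: loaded" || { echo "module: not loaded"; rc=1; }
  falcon_sensor_files_ok || rc=1
  falcon_runtime_targets
  return $rc
}
```

A sensor whose process is absent but whose files pass the layout check points at a start-up or kernel-module problem rather than a broken install; a failing layout check after a sensor update (a dangling symlink, or one pointing outside /opt/CrowdStrike) points at an interrupted update.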


 
Last modified July 1, 2022