Posted on 11-10-2017 08:14 AM
I noticed Crowdstrike Falcon was added to Third Party Products.
It was added by @pingebrigtsen who works for the company.
Is anyone using it? Asking because there are no discussions about it on this forum. Zero. Nada. Zilch.
Did you replace another solution (McAfee, Symantec, etc.) with it?
What does it do that you like?
What does it not do that you hoped it would?
How is it working out for your environment?
Just curious, not trying to start an anti-malware war. :)
Solved! Go to Solution.
Posted on 05-18-2022 05:06 PM
It looks like CrowdStrike has updated its kb with documentation on how to deploy Falcon with Jamf Pro. This covers config profiles, packaging, Jamf policy creation, license activation via script or config profile, and policy settings required on the CrowdStrike portal. The kb is in the CrowdStrike support portal, How to deploy Falcon sensor for Mac with Jamf Pro policy: https://supportportal.crowdstrike.com/s/article/ka16T000000wwxVQAQ
My 2 cents: enabling installguard is controversial. Echoing @donmontalvo, it doesn't make sense in a managed environment. However, it is the recommendation from CrowdStrike to have installguard enabled. Perhaps that guidance is out of context? I'll leave this here.
Posted on 11-10-2017 08:22 AM
I was asked to deploy it by our InfoSec department last month. Very easy deploy.. ended up removing the uninstaller from the folder through a script, since a lot of our users have admin rights.. But other than that pretty straight forward. InfoSec seems happy with it. I don't really have any other interaction with it, so I can't tell you anything about that end. I know that there's different ways to use it. We're currently using it in tandem with Sophos. We did have to create a rule for Sophos to not scan the CrowdStrike folder.. But other than that they are playing together nicely.
Posted on 11-10-2017 10:47 AM
I'd ditch McAfee in a heartbeat to use is simply because it has a cool icon!
Posted on 11-11-2017 02:11 PM
We just launched a project to roll it out globally to our Win and Mac machines, replacing McAfee on the Win side. The install is a breeze and I def agree about removing the uninstaller if your users have admin rights. It was very low overhead and none of our POC users had any complaints like they do about McAfee or others.
Posted on 02-05-2018 08:18 AM
Can anyone share some info about how they installed this with JAMF please? I'm kind of new to JAMF, haven't done software deployment yet so not entirely sure the best way to go about it - are you running it as a script, or passing arguments to the pkg, or what? Thanks! :)
Posted on 02-15-2018 10:53 AM
We will soon deploy CrowdStrike to the company owned Macs. I am new to using JAMF and haven't figured out the best way to deploy the agent along with the sudo command to the devices. @chuinder or @briangoldstein can either of you provide assistance in helping deploy. Thanks in advance.
Posted on 02-15-2018 01:53 PM
I use Crowdstrike Falon for a few companies that I support.
To deploy it is quite easy.
1) Create a policy that runs at enrollment or once per computer at checkin that install the PKG from the CS Portal and after runs this scripts:
sudo /Library/CS/falconctl license LICENSEIDHERE
That is it. If you want to go a step further you could create an extension attribute that looks for the CS folder or agent. You can then scope your policy to a smart group that only installs it on machines w/o the agent.
Posted on 02-15-2018 07:08 PM
The latest Falcon Sensor for Mac (6103) finally allows password protection of the uninstall (only the Windows sensor had this previously). CrowdStrike support recommends a python script to pass the password over to the installer without putting it into command line in clear text. That said, the python script is still storing the password in plain text. Not the best idea, but tis all they had to offer for now and better than leaving it unprotected since all of our users are local admins (for now).
My install policy does the following:
Installs Falcon Sensor via the package provided in the Falcon Console
Places the password python script (Falcon-Protect.py) into /Library/CS/
Run's my install script (installFalconSensor.sh) stored in JAMF pro.
Falcon-Protect.py
#!/usr/bin/env python
from __future__ import print_function
password = 'MAGICWORDSGOHERE'
try:
while True:
print(password)
except IOError:
pass
installFalconSensor.sh:
#!/bin/bash
/Library/CS/falconctl license LICENSEHERE
/Library/CS/Falcon-Protect.py | sudo /Library/CS/falconctl installguard
sudo rm /Library/CS/Falcon-Protect.py
I also created the following extension attribute to report what version sensor the machines are running:
#!/bin/bash
#########################################################################################
# A script to collect the version of the CrowdStrike Falcon Sensor currently installed. #
# If CrowdStrike Falcon is not installed "Not Installed" will return back #
#########################################################################################
RESULT="Not Installed"
if [ -f "/Library/CS/falconctl" ] ; then
RESULT=$( sysctl cs.version | awk '{print $2}' )
fi
echo "<result>$RESULT</result>"
Posted on 02-28-2018 12:21 PM
to: Zachary.fisher - Your policy instructions worked great on all systems earlier than 10.13.3. I've not been able to get this policy working on 10.13.3. Any solutions you've come across? I've been searching with no luck.
Thanks - John
Posted on 04-10-2018 12:43 PM
@briangoldstein How did you go about copying your Falcon-Protect.py script into /Library/CS/ ?
Posted on 05-08-2018 06:11 PM
@chrijens sorry for the delay, was traveling when you sent that and the notification got lost. I just tossed the script in a package w/ composer.
Posted on 06-05-2018 08:50 AM
Could you use script parameters to pass in the password, so it isn't hard-coded within the script? I haven't done much with this functionality, but we're looking at rolling out CS as well and ways to do so intelligently/securely.
Posted on 06-07-2018 12:27 PM
@KSchroeder You can use an input parameter, but the password prompt is interactive with the binary. So, an 'except' script can negotiate both the password and password confirmation prompts. Assuming your password was reassigned from $4 to PWD: PWD="$4"
expect <<- DONE set timeout -1 spawn /Library/CS/falconctl installguard expect "Falcon Password:" send -- "${PWD} " expect "Confirm Falcon Password:" send -- "${PWD} " expect eof DONE
Posted on 07-10-2018 08:20 AM
one thing to note, if you're setting the password with an expect script as part of a postinstall script in your pkg you should remove the
spawn /Library/CS/falconctl installguard
since the installer invokes it on it's own.
Posted on 07-17-2018 12:26 PM
I never understood why a password would ever make sense in a managed environment.
Troubleshooting would be impacted, so problems will take longer to resolve, sensitive password is now floating around, and potentially SLAs might be missed...etc.
So we have this thing Jamf Pro. which can easily ensure Crowdstrike is both installed and running...so why not use it?
Its a much more manageable/sustainable approach...but yea I can see unmanaged environments using passwords.
#dosCentavos #healthcheckLogic
Posted on 07-17-2018 01:00 PM
yeah, I know what you mean @donmontalvo , but you can still do all that even with a password set.
Posted on 07-23-2018 12:22 PM
What would be the value to check if Crowdstrike has been deployed and currently running?
Posted on 07-23-2018 02:24 PM
@nkalister do you have a script that works to uninstall a password protected client? If so can you share? :)
Posted on 07-23-2018 04:12 PM
@donmontalvo sure, this is working for me:
#!/bin/bash
expect -c "
spawn /Library/CS/falconctl uninstall --password
expect "Falcon Password:"
send password
send
expect eof
"
substitute your client password for password in the codeblock.
Also, my previous post about not needing the
spawn /Library/CS/falconctl installguard
line was incorrect! While using the --password switch as described in the CS documentation appears to password protect the clients (the prompt for a password appeared) it actually still allowed the client to be removed without the password! I've now gone back to running the license command without the --password switch and am using the installguard command instead and it's working as expected.
Posted on 07-24-2018 07:42 AM
@nkalister thanks! Will test later in the week.
Posted on 12-03-2018 12:51 PM
Does anyone have a way monitor if CrowdStrike is running using an EA?
Posted on 12-04-2018 07:42 AM
So I have been working with infosec to deploy crowd strike again on Macs . we had to remove it because it would cause kernel panic if you had Box client on your Mac when trying to upgrade to High Sierra. Secondly we are currently trying to uninstall CS from a Mac and it causes a kernel panic to. has anyone seen this or any thought on this.
Posted on 12-04-2018 08:34 AM
We're using CS in our environment and have had no issues at all. It's pretty lightweight because all the analysis happens in the cloud. I've had no kernel panics in general, or upon any OS upgrades. Our InfoSec team seem to love it. The only downside I've encountered is there's not any local notifications; InfoSec will get notified and then has to handle notifications to techs or users.
I have 3 EA's I use to collect info on it.
#!/bin/sh
#Falcon CrowdStrike Connection State
falconConnState=`sysctl cs.comms.cloud_connection_state | awk '{print $2}'`
echo "<result>$falconConnState</result>"
#!/bin/sh
#Falcon CrowdStrike Sensor ID
falconHostID=`sysctl cs.sensorid | awk '{print $2}'`
echo "<result>$falconHostID</result>"
#!/bin/sh
#Falcon CrowdStrike Sensor Version
RESULT="Not Installed"
if [ -f "/Library/CS/falconctl" ] ; then
RESULT=$( sysctl cs.version | awk '{print $2}' )
fi
echo "<result>$RESULT</result>"
Posted on 12-05-2018 05:08 AM
@nkalister So replace Falcon Password: with the password that we set?
Posted on 01-11-2019 02:46 PM
@briangoldstein i'm stuck at 'Running script Falcon-protect.py...' it just hangs and doesn't proceed.
Posted on 06-27-2019 06:28 AM
@dennisnardi. Kind of new with jamf. Looking at you EA for Falcon. This is great, but I don't know much scripting but learning. How would I setup the Smart Group Criteria? I am just a little confused on what goes into the Operator and Value fields. Appreciate any help.
Posted on 06-27-2019 09:50 AM
@tavaresj A few versions of CS back they changed their binary commands, so here is an updated EA script that will get the correct connection state:
#!/bin/sh
# CS Connection State
#
falconConnState=`sudo /Library/CS/falconctl stats | grep -i "State: " | awk '{print $2}'`
echo "<result>$falconConnState</result>"
That either returns "Connected" or blank (I think). Once you have the EA you can make your smart group criteria, and so mine is just "Name of EA" "is" "Connected". That will show all the computers with a working install of CS.
Posted on 01-04-2021 09:05 AM
Those commands are deprecated - has anyone modified them for the new binary location inside Falcon.app? The cs.xxxxx commands no longer work either.
Posted on 01-04-2021 09:41 AM
@davidi4 This is the new location.
#!/bin/sh
## $4 = CID with Checksum
sudo /Applications/Falcon.app/Contents/Resources/falconctl license REPLACEWITHSERIAL#
exit 0
Posted on 01-04-2021 11:03 AM
@keric Thanks! Next issue - Has anyone successfully done an upgrade in place using Jamf? I've got 6.14.12704.0 from InfoSec. It appears to install successfully, but everything CS stays at 6.12. I've been installing 5.32.11301.0 since we implemented CS, and the devices update the agent via CS cloud. I need to get everyone upgraded to a Big Sur-compatible version, with SEXTs enabled instead of KEXT before I release BS to production.
Thoughts?
Posted on 01-04-2021 12:52 PM
@davidi4 Crowdstrike does not use SysExt's under Catalina. And there's a known issue with the 6.x agent not working when a machine is upgraded to Big Sur. Supposed to be fixed in the upcoming 6.15.
Suggested workflow for now is to keep Catalina on 5.41, and Big Sur on 6.14. The 5.41 works enough that it can self-update to 6.14 once it's on Big Sur.
You will need to deploy the updated profile that includes SysExt approvals and web content filter payloads. Sample profile is on CS's support portal. You can deploy that profile to Catalina, but not Mojave.
Posted on 01-09-2021 01:51 AM
@davidi4 Crowd Strike (Falcon Sensor) cloud should be updating clients itself. Tell your CS admin to get on the ball. You should only require an install on new machines or machines that have it removed. The console can also protect the install with out you having to package the client with a cert/token or what ever. The new installs work without removal, test one, check Falcon console for the version the machine is now reporting. We just started deploying the AV protection and ditched Symantec.
Posted on 01-11-2021 07:01 AM
A determined intruder can blend into the day-to- day noise of a typical In this review of Falcon OverWatch, CrowdStrike's managed threat hunting service.
CredibleBH
Posted on 05-18-2022 05:06 PM
It looks like CrowdStrike has updated its kb with documentation on how to deploy Falcon with Jamf Pro. This covers config profiles, packaging, Jamf policy creation, license activation via script or config profile, and policy settings required on the CrowdStrike portal. The kb is in the CrowdStrike support portal, How to deploy Falcon sensor for Mac with Jamf Pro policy: https://supportportal.crowdstrike.com/s/article/ka16T000000wwxVQAQ
My 2 cents: enabling installguard is controversial. Echoing @donmontalvo, it doesn't make sense in a managed environment. However, it is the recommendation from CrowdStrike to have installguard enabled. Perhaps that guidance is out of context? I'll leave this here.
Posted on 03-14-2023 12:33 AM
Hi,
@dennisnardiI used your script to get the status of falcon sensor but that is not working.
Also unable to uninstall the sensor and getting an error
Error: InstallGuard is not ready
Also, we have ~400 devices on JAMF and Falcon sensor is installed but somehow ~100 machines are not showing up on the Hostmanagement page of CrowdStrike.
Any idea, how can we do these solved please?