Crowdstrike Falcon - does it blend?

donmontalvo
Esteemed Contributor II

I noticed Crowdstrike Falcon was added to Third Party Products.

It was added by @pingebrigtsen who works for the company.

Is anyone using it? Asking because there are no discussions about it on this forum. Zero. Nada. Zilch.

Did you replace another solution (McAfee, Symantec, etc.) with it?

What does it do that you like?

What does it not do that you hoped it would?

How is it working out for your environment?

Just curious, not trying to start an anti-malware war. πŸ™‚

33c1fc3a66564d7e88a2053d3879f16f

--
https://donmontalvo.com
32 REPLIES 32

chuinder
New Contributor III

I was asked to deploy it by our InfoSec department last month. Very easy deploy.. ended up removing the uninstaller from the folder through a script, since a lot of our users have admin rights.. But other than that pretty straight forward. InfoSec seems happy with it. I don't really have any other interaction with it, so I can't tell you anything about that end. I know that there's different ways to use it. We're currently using it in tandem with Sophos. We did have to create a rule for Sophos to not scan the CrowdStrike folder.. But other than that they are playing together nicely.

dpertschi
Valued Contributor

I'd ditch McAfee in a heartbeat to use is simply because it has a cool icon!

briangoldstein
New Contributor III

We just launched a project to roll it out globally to our Win and Mac machines, replacing McAfee on the Win side. The install is a breeze and I def agree about removing the uninstaller if your users have admin rights. It was very low overhead and none of our POC users had any complaints like they do about McAfee or others.

northernchap
New Contributor

Can anyone share some info about how they installed this with JAMF please? I'm kind of new to JAMF, haven't done software deployment yet so not entirely sure the best way to go about it - are you running it as a script, or passing arguments to the pkg, or what? Thanks! πŸ™‚

Warren
New Contributor II

We will soon deploy CrowdStrike to the company owned Macs. I am new to using JAMF and haven't figured out the best way to deploy the agent along with the sudo command to the devices. @chuinder or @briangoldstein can either of you provide assistance in helping deploy. Thanks in advance.

zachary_fisher
New Contributor III

I use Crowdstrike Falon for a few companies that I support.

To deploy it is quite easy.

1) Create a policy that runs at enrollment or once per computer at checkin that install the PKG from the CS Portal and after runs this scripts:

sudo /Library/CS/falconctl license LICENSEIDHERE

That is it. If you want to go a step further you could create an extension attribute that looks for the CS folder or agent. You can then scope your policy to a smart group that only installs it on machines w/o the agent.

briangoldstein
New Contributor III

The latest Falcon Sensor for Mac (6103) finally allows password protection of the uninstall (only the Windows sensor had this previously). CrowdStrike support recommends a python script to pass the password over to the installer without putting it into command line in clear text. That said, the python script is still storing the password in plain text. Not the best idea, but tis all they had to offer for now and better than leaving it unprotected since all of our users are local admins (for now).

My install policy does the following:
Installs Falcon Sensor via the package provided in the Falcon Console
Places the password python script (Falcon-Protect.py) into /Library/CS/
Run's my install script (installFalconSensor.sh) stored in JAMF pro.

Falcon-Protect.py

#!/usr/bin/env python
from __future__ import print_function
password = 'MAGICWORDSGOHERE'
try:
    while True:
        print(password)
except IOError:
    pass

installFalconSensor.sh:

#!/bin/bash
/Library/CS/falconctl license LICENSEHERE
/Library/CS/Falcon-Protect.py | sudo /Library/CS/falconctl installguard
sudo rm /Library/CS/Falcon-Protect.py

I also created the following extension attribute to report what version sensor the machines are running:

#!/bin/bash
#########################################################################################
# A script to collect the version of the CrowdStrike Falcon Sensor currently installed.  #
# If CrowdStrike Falcon is not installed "Not Installed" will return back               #
#########################################################################################
RESULT="Not Installed"

if [ -f "/Library/CS/falconctl" ] ; then
    RESULT=$( sysctl cs.version | awk '{print $2}' )
fi

echo "<result>$RESULT</result>"

jec1
New Contributor II

to: Zachary.fisher - Your policy instructions worked great on all systems earlier than 10.13.3. I've not been able to get this policy working on 10.13.3. Any solutions you've come across? I've been searching with no luck.

Thanks - John

chrijens
New Contributor II

@briangoldstein How did you go about copying your Falcon-Protect.py script into /Library/CS/ ?

briangoldstein
New Contributor III

@chrijens sorry for the delay, was traveling when you sent that and the notification got lost. I just tossed the script in a package w/ composer.

KSchroeder
Contributor

Could you use script parameters to pass in the password, so it isn't hard-coded within the script? I haven't done much with this functionality, but we're looking at rolling out CS as well and ways to do so intelligently/securely.

leungn
New Contributor II

@KSchroeder You can use an input parameter, but the password prompt is interactive with the binary. So, an 'except' script can negotiate both the password and password confirmation prompts. Assuming your password was reassigned from $4 to PWD: PWD="$4"

expect <<- DONE set timeout -1 spawn /Library/CS/falconctl installguard expect "Falcon Password:" send -- "${PWD} " expect "Confirm Falcon Password:" send -- "${PWD} " expect eof DONE

nkalister
Valued Contributor

one thing to note, if you're setting the password with an expect script as part of a postinstall script in your pkg you should remove the

spawn /Library/CS/falconctl installguard

since the installer invokes it on it's own.

donmontalvo
Esteemed Contributor II

I never understood why a password would ever make sense in a managed environment.

Troubleshooting would be impacted, so problems will take longer to resolve, sensitive password is now floating around, and potentially SLAs might be missed...etc.

So we have this thing Jamf Pro. which can easily ensure Crowdstrike is both installed and running...so why not use it?

  • Is Crowdstrike installed, if not install it.
  • Is Crowdstrike process running, if not reinstall it.
  • Are any log/defs files being updated, if not reinstall it.

Its a much more manageable/sustainable approach...but yea I can see unmanaged environments using passwords.

#dosCentavos #healthcheckLogic

--
https://donmontalvo.com

nkalister
Valued Contributor

yeah, I know what you mean @donmontalvo , but you can still do all that even with a password set.

SergioMonster
New Contributor

What would be the value to check if Crowdstrike has been deployed and currently running?

donmontalvo
Esteemed Contributor II

@nkalister do you have a script that works to uninstall a password protected client? If so can you share? πŸ™‚

--
https://donmontalvo.com

nkalister
Valued Contributor

@donmontalvo sure, this is working for me:

#!/bin/bash

expect -c "
  spawn /Library/CS/falconctl uninstall --password
  expect "Falcon Password:"
  send password
  send 
  expect eof
  "

substitute your client password for password in the codeblock.

Also, my previous post about not needing the

spawn /Library/CS/falconctl installguard

line was incorrect! While using the --password switch as described in the CS documentation appears to password protect the clients (the prompt for a password appeared) it actually still allowed the client to be removed without the password! I've now gone back to running the license command without the --password switch and am using the installguard command instead and it's working as expected.

donmontalvo
Esteemed Contributor II

@nkalister thanks! Will test later in the week.

--
https://donmontalvo.com

jriv
New Contributor III

Does anyone have a way monitor if CrowdStrike is running using an EA?

Tigerhaven
Contributor

So I have been working with infosec to deploy crowd strike again on Macs . we had to remove it because it would cause kernel panic if you had Box client on your Mac when trying to upgrade to High Sierra. Secondly we are currently trying to uninstall CS from a Mac and it causes a kernel panic to. has anyone seen this or any thought on this.

dennisnardi
New Contributor III

We're using CS in our environment and have had no issues at all. It's pretty lightweight because all the analysis happens in the cloud. I've had no kernel panics in general, or upon any OS upgrades. Our InfoSec team seem to love it. The only downside I've encountered is there's not any local notifications; InfoSec will get notified and then has to handle notifications to techs or users.

I have 3 EA's I use to collect info on it.

#!/bin/sh
#Falcon CrowdStrike Connection State

falconConnState=`sysctl cs.comms.cloud_connection_state | awk '{print $2}'`
echo "<result>$falconConnState</result>"
#!/bin/sh
#Falcon CrowdStrike Sensor ID

falconHostID=`sysctl cs.sensorid | awk '{print $2}'`
echo "<result>$falconHostID</result>"
#!/bin/sh
#Falcon CrowdStrike Sensor Version

RESULT="Not Installed"

if [ -f "/Library/CS/falconctl" ] ; then
    RESULT=$( sysctl cs.version | awk '{print $2}' )
fi

echo "<result>$RESULT</result>"

wblack
New Contributor II

@nkalister So replace Falcon Password: with the password that we set?

richard_ballest
New Contributor

@briangoldstein i'm stuck at 'Running script Falcon-protect.py...' it just hangs and doesn't proceed.

JeyT
New Contributor III

@dennisnardi. Kind of new with jamf. Looking at you EA for Falcon. This is great, but I don't know much scripting but learning. How would I setup the Smart Group Criteria? I am just a little confused on what goes into the Operator and Value fields. Appreciate any help.

dennisnardi
New Contributor III

@tavaresj A few versions of CS back they changed their binary commands, so here is an updated EA script that will get the correct connection state:

#!/bin/sh

#  CS Connection State
#  

falconConnState=`sudo /Library/CS/falconctl stats | grep -i "State: " | awk '{print $2}'`

echo "<result>$falconConnState</result>"

That either returns "Connected" or blank (I think). Once you have the EA you can make your smart group criteria, and so mine is just "Name of EA" "is" "Connected". That will show all the computers with a working install of CS.

davidi4
New Contributor III

Those commands are deprecated - has anyone modified them for the new binary location inside Falcon.app? The cs.xxxxx commands no longer work either.

KyleEricson
Valued Contributor

@davidi4 This is the new location.

#!/bin/sh
## $4 = CID with Checksum
sudo /Applications/Falcon.app/Contents/Resources/falconctl license REPLACEWITHSERIAL#
exit 0

davidi4
New Contributor III

@keric Thanks! Next issue - Has anyone successfully done an upgrade in place using Jamf? I've got 6.14.12704.0 from InfoSec. It appears to install successfully, but everything CS stays at 6.12. I've been installing 5.32.11301.0 since we implemented CS, and the devices update the agent via CS cloud. I need to get everyone upgraded to a Big Sur-compatible version, with SEXTs enabled instead of KEXT before I release BS to production.

Thoughts?

patgmac
Contributor III

@davidi4 Crowdstrike does not use SysExt's under Catalina. And there's a known issue with the 6.x agent not working when a machine is upgraded to Big Sur. Supposed to be fixed in the upcoming 6.15.

Suggested workflow for now is to keep Catalina on 5.41, and Big Sur on 6.14. The 5.41 works enough that it can self-update to 6.14 once it's on Big Sur.

You will need to deploy the updated profile that includes SysExt approvals and web content filter payloads. Sample profile is on CS's support portal. You can deploy that profile to Catalina, but not Mojave.

tharr00
New Contributor II

@davidi4 Crowd Strike (Falcon Sensor) cloud should be updating clients itself. Tell your CS admin to get on the ball. You should only require an install on new machines or machines that have it removed. The console can also protect the install with out you having to package the client with a cert/token or what ever. The new installs work without removal, test one, check Falcon console for the version the machine is now reporting. We just started deploying the AV protection and ditched Symantec.

user-VcPayfLPwN
New Contributor

A determined intruder can blend into the day-to- day noise of a typical In this review of Falcon OverWatch, CrowdStrike's managed threat hunting service.
CredibleBH