SENSOR DEPLOYMENT

Question 1

What are the Windows OS requirements prior to installing the Falcon Sensor?

Answer 1

OS Requirements:

-Windows 7, 8.1, 10, 11

Question 2

What are the network protocols needed prior to installing the Falcon Sensor?

Answer 2

Network Protocols (2):

• Falcon requires TLS 1.2 to communicate with CrowdStrike Cloud.
• Requires Logon local audit policy to be “success and failure”

Question 3

Where in the Falcon console do you copy the CID/ Checksum?

Answer 3

-Copy customer ID checksum from Hosts > Sensor Downloads – It is Alphanumeric

Question 4

How to uninstall a Falcon Sensor on Windows?

Answer 4

Windows: Control Panel or CMD line

-Control Panel
Control Panel > uninstall a program > Choose Crowdstrike Windows Sensor

-CMD Line
** Download CSUinstallTool from Tool Downloads.

CMD w/ admin priv > CSUninstallTool.exe /quiet

Question 5

What default policies are required in order to prepare workloads for the Falcon Sensor?

Answer 5

• Requires Local audit policy to have setting of “Success and Failure”**If actual policy setting does not match setting, sensor changes it
  to match.
• Registry key DNScache/Type must be set to 0x00000020 Microsoft default value.
  **Windows Defender should be disabled

Question 6

What appropriate settings are needed to install a Falcon Sensor on Windows?

Answer 6

-Needs to be able to communicate with CrowdStrike FQDN and IP – may need networking to allow list and not block communication

• Needs to have communication over port 443 with the CS Cloud during installation and ongoing.
• Needs to communicate utilizing TLS 1.2 with the CS Cloud
• Disable packet inspection or similar network configurations (HTTPS or TLS Inspection)

Question 7

What appropriate settings are needed to install a Falcon Sensor on Mac?

Answer 7

Needs to have elevated privileges in order to install the sensor on Mac

Question 8

What appropriate settings are needed to install a Falcon Sensor on Linux ?

Answer 8

-Needs to be Kernel specific to run the Falcon Sensor

**If a kernel is not listed in the guide, the sensor will still install, but will run in reduced functionality mode (RFM)

Question 9

How to do you apply additional options for images/VDI’s, tokens, and tags?

Answer 9

-Put image template system into read/write mode
- Install Falcon sensor using the VDI=1 parameter
- Complete all steps required to generalize VM template
– Install Falcon using NO_START=1 Parameter.

**After installation, sensor does not attempt to communicate with
CS Cloud.

Question 10

What issues can occur with the basic configuration requirements of the system environment or Falcon components?

Answer 10

-Host can’t communicate with CS Cloud

-The Falcon Sensor requires the host to have their CA certs in Trust Root CA store
**Check whether certs are present, download/import them if needed

-

Question 11

How to troubleshoot a Falcon Sensor installation on a Windows host?

Answer 11

-Check the Channel Files – additional sensor instructions that provide updated settings for policies, allowlists/blocklists, detection exclusions, support for new OS patches and more.

-Verify sensor is running: cmd admin priv > sc.exe query csagent

-verify sensor is connected to the CS Cloud: cmd > netstat.exe -f

Question 12

How to troubleshoot a Falcon Sensor installation on a Linux host?

Answer 12

-Install dependent packages: apt-get -f install

-Verify Sensor is Running: ps -e | grep -e falcon-sensor

-Verify sensor is connected to the CS Cloud: sudo netstat -tapn | grep galcon

Question 13

How to troubleshoot a Falcon Sensor installation on a Mac host?

Answer 13

Verify sensor is running and connected to the CS Cloud:

-sudo /Applications/Falcon.app/Contents/Resources/falconctl stats

Question 14

Conduct root cause analysis related to system/ user issues

Answer 14

-DigicerthighassuranceRootCA cert must be in trusted Root CA Store

**Need Root Access to Host to do that

Question 15

What are the technical requirements required prior to installing the Falcon Sensor?

Answer 15

Services required:

-LMHosts
-Network Store Interface (NSI)
-Windows Base Filtering Engine (WBF)
-Windows Power Service (Power)

Question 16

Prior to installing the Falcon Sensor, Falcon’s NGAV setting needs to have…..

Answer 16

-Windows Defender DISABLED

Question 17

When happens when you install a sensor in a VDI environment?

Answer 17

When you install sensor in a VDI environment:

• Sensor runs from a shared, read only OS image.

-CS Cloud assigns a unique AID based on host’s FQDN and other characteristics.

Question 18

Falcon sensor will install, but not run if any of the following services are disabled or stopped?

Answer 18

Sensor can install but not run if any of the following services that are disabled or stopped:
- LMHosts
- Windows Base Filtering engine
- DHCP Client
- DNS Client

Question 19

LM Hosts may be disabled on the host if the following service is disabled?

Answer 19

-TCP/IP NetBIOS Helper service is disabled

Question 20

How to verify the Falcon Sensor is connected to the CS Cloud?

Answer 20

Verify the sensor is connected to the CS Cloud (2 ways):
-Falcon Console – Use Sensor Report

   -Host – cmd admin priv > run

Question 21

If host can’t connect to CS Cloud, check if…..

Answer 21

If Host can’t connect to CS Cloud, check if:

-Host can connect to internet,
-Verify proxy configuration
-Configure endpoint FW to permit traffic to/from Falcon sensor
-Verify that the host’s LMHost service is enabled
-Verify host trusts CS CA

Question 22

The Falcon Sensor requires host to have which CA certs in Trust Root CA store?

Answer 22

Falcon sensor requires host to have (2):
-DigiCertHigh AssurancerootCA

-DigiCertAssuredIDRootCA

**Both certs need to be in Trust Root CA Store

Question 23

What steps are taken in order to add CS CA’s are present on host?

Answer 23

-Microsoft Management Console > follow Microsoft documentation to enable Certificates snap-in.

Question 24

What happens when the Falcon Sensor installs on a Windows Host?

Answer 24

-Sensor installer uses standard Windows installer mechanism to set up Falcon’s sensor files and registry keys.

-If using installation tokens, CS cloud checks installer’s token

-Sensor contacts CS Cloud, which assigns the AID (Agent ID) for the host.

Question 25

What should be examined when conducting a root cause analysis related to system/ user issues?

Answer 25

• Must run installation with admin privileges
• Look for CID being incorrect
• Windows BFE can not be present/damaged
• GUID of previous install can’t be removed

Question 26

What is the most common problem that occurs when installing the Falcon Sensor?

Answer 26

Most common problem:
-Communication between host and the CS Cloud

Question 27

What is needed to whitelist CrowdStrike Endpoints?

Answer 27

Need to whitelist CrowdStrike Endpoints:
- Ensure Port 443 is open for 2 endpoints

• Cert Pinning/SSL Inspection must be DISABLED – all Falcon
  traffic must be whitelisted from SSL Inspection.

Question 28

If the windows host is using a proxy, what other service needs to be available?

Answer 28

-Win HTTP Auto Proxy

Question 29

If the windows host is using Web Proxy Automatic Discover, what service also needs to be running?

Answer 29

-DHCP

Question 30

What port does the host need to be able to the CS Cloud on?

Answer 30

-Hosts must be connected to CS Cloud on port 443 during
installation
**must allow traffic to and from CS Cloud FQDNs/IP Addresses

Question 31

How long does it take for a host to connect to the CS cloud through installation?

Answer 31

-10 minutes

**When the sensor cant connect to the cloud, it also takes 10 mins to it to re-establish a connection

Question 32

what is the PS command to disable windows defender?

Answer 32

Set-MpPreference -DisableRealtimeMonitoring $True

Question 33

What happens the second time if the sensor cant connect to the cloud?

Answer 33

-The sensor will uninstall from the system & exit the installer

Question 34

What is the command to determine the Linux kernel version?

Answer 34

uname -r

Question 35

What does the falcon sensor use to defend against man-in-the middle attacks?

Answer 35

Certificate pinning

Question 36

When the sensor is installed, the sensor is configured with what 2 policies?

Answer 36

• prevention policy

-sensor update policy

Question 37

What are sensor tags?

Answer 37

enable the user to categorize sensor enabled hosts by location, environment, purpose, etc

**can be assigned after confirmation that falcon sensor has been installed

Question 38

What does the sensor is installed what connection stays permanently open?

Answer 38

-After agent installation, agent opens permanent TLS
connection over port 443 and keeps connection open until endpoint is turned off or if the network connection is
terminated.

**Might need allow TLS Traffic on port 443
between internal network and cloud’s network addresses

Question 38

What does the sensor is installed what connection stays permanently open?

Answer 38

-After agent installation, agent opens permanent TLS
connection over port 443 and keeps connection open until endpoint is turned off or if the network connection is
terminated.

**Might need allow TLS Traffic on port 443
between internal network and cloud’s network addresses

Question 39

Where do customized sensor tags show up in the falcon console?

Answer 39

-falcon menu> host management

Question 40

Which 2 methods can the Falcon Sensor be installed on a Windows host?

Answer 40

Can install Falcon sensor for Windows using either

-GUI
-automated command line installation

Question 41

what commands installs the sensor on a linux host?

Answer 41

sudo /opt/crowdstrike/falconCH -s –cid=<CID></CID>

Question 42

what commands installs the sensor on a linux host?

Answer 42

sudo /opt/crowdstrike/falconCH -s –cid=<CID></CID>

Question 43

What adds support for Linux kernels through channel files w/out requiring a sensor update?

Answer 43

Zero Touch Linux (ZTL)

Question 44

Where on the Falcon Console can you download the sensor?

Answer 44

-Hosts > Sensor Downloads

Question 45

What is required to deploy falcon to Mac systems?

Answer 45

-MDM (mobile device management) solution to distribute the profile to endpoints prior to the sensor deployment process

Question 46

What happens if you don’t use an MDM solution?

Answer 46

-multiple confirmations occur on the host and must manually be approved

Question 47

How to use an MDM to configure profiles?

Answer 47

-Falcon menu>host setup and management>deploy>sensor downloads>locate sensor installer for Mac>click download>copy customer CCID or checksum

Cmd line> sudo installer -verboseR -package <installer_filename> -target />enter admin creds>run cmd falconctl</installer_filename>

Question 48

Which methods run the sensor installer on a Mac device?

Answer 48

-double click the .pkg file
-cmd line
sudo installer -verboseR -package <installer_filename> -target /</installer_filename>

Question 49

How does the falcon sensor stop breaches?

Answer 49

Unifies:
-Next gen antivirus
-Endpoint protection and response (EDR)
-Managed threat hunting
-Threat intelligence automation using a single lightweight sensor

Question 50

How long should sensor installation take to install sensors on all hosts?

Answer 50

-45 days

Question 51

How to install sensors automatically?

Answer 51

Falcon main menu> host setup and management> deploy> sensor downloads> locate sensor installer for OS» copy ID checksum or CCID> run your deployment tool to use this cmd: <Installer_Filename> /install /quiet /norestart CID=<CCID></CCID></Installer_Filename>

Question 52

What are some automatic installation best practices?

Answer 52

-Conduct manual sensor test installations first
-Adjust and test the cmd line aspects
-Finalize the string that makes the installation work properly

Question 53

What command validates that a sensor is running on a host?

Answer 53

-sc.exe query csagent

Question 54

What is beneficial about installing sensors manually?

Answer 54

-Best for small number of sensor installations

Question 55

Sensors are installed 2 different ways. What are they?

Answer 55

-Manual
-automatic

Question 56

How to install sensors manually?

Answer 56

Falcon main menu> host setup and management> deploy> sensor downloads>locate sensor installer for OS> copy ID checksum or CCID> double click .pkg file> accept license agreements and input checksum/ccid> yes to allow installation>

Question 57

What is beneficial about installing sensors automatically?

Answer 57

-Best for large number of installations