Endpoint agent prerequisites
Important:
Considering a switch to MS Defender? Please note:
- Changes to your contract and pricing may apply.
- New onboarding in the portal won’t be active by default.
For details or to make the switch, contact your ActZero account team.
Before installing the endpoint agent, ensure that the endpoint meets the following prerequisites:
All Endpoints
Please ensure the following requirements are met before deploying the Falcon sensor, regardless of operating system.
Networking Requirements
Hosts must connect to the CrowdStrike cloud on port 443 during initial installation. If your environment restricts internet access, allow traffic to and from CrowdStrike FQDNs or IP addresses.
CrowdStrike strongly recommends ensuring hosts remain online after installation to download supplementary data.
Certificate pinning
The Falcon sensor uses certificate pinning to defend against man-in-the-middle attacks. Some network configurations, such as deep packet inspection, interfere with certificate validation.
Disable deep packet inspection (also called "HTTPS interception," or "TLS interception") or similar network configurations. Common sources of interference with certificate pinning include antivirus systems, firewalls, or proxies.
Allow TLS traffic
After agent installation, the agent opens a persistent TLS connection over port 443 and keeps that connection open until the endpoint is turned off or the network connection is terminated. Allow traffic to the following FQDNs and their IP addresses:
ts01-gyr-maverick.cloudsink.net
- 100.20.76.137
- 35.162.239.174
- 35.162.224.228
- 50.112.129.218
- 50.112.130.23
- 50.112.131.18
- 52.25.223.26
- 52.33.193.184
- 52.35.11.124
- 52.35.162.27
- 54.68.92.116
- 54.71.43.66
lfodown01-gyr-maverick.cloudsink.net
- 34.209.79.111
- 52.10.219.156
- 34.210.186.129
- 34.209.165.130
- 35.80.210.147
- 35.160.213.193
- 35.166.20.122
- 52.27.205.162
- 100.20.144.105
lfoup01-gyr-maverick.cloudsink.net
- 34.209.165.130
- 34.214.236.51
- 34.215.239.163
- 35.80.210.147
- 35.160.213.193
- 35.166.20.122
- 44.228.118.64
- 44.229.24.18
- 50.112.6.52
- 50.112.129.218
- 50.112.130.23
- 50.112.131.18
- 52.25.223.26
- 52.27.205.162
- 52.33.193.184
- 52.35.11.124
- 52.35.162.27
- 54.68.92.116
- 54.71.43.66
- 54.191.184.169
- 100.20.144.105
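The following PowerShell script is an added example (not ActZero or CrowdStrike code) that checks the three networking requirements above from a host before the sensor is installed: it resolves each FQDN and compares the answers with the addresses listed, confirms TCP port 443 is reachable, and completes a TLS 1.2 handshake while recording the root of the certificate chain the host actually received. The FQDN and address lists are copied from this page. The assumption that a genuine chain terminates at a DigiCert root is taken from the Certificates requirement in the Windows section, so a chain ending elsewhere is reported as probable HTTPS interception, which is what breaks certificate pinning. It runs under Windows PowerShell 5.1 or PowerShell 7 on any OS.

```powershell
# Added example (not ActZero/CrowdStrike code): verify DNS answers, port 443 reachability and the
# TLS 1.2 trust path for the Falcon cloud endpoints listed on this page. Run as a script file.
$Endpoints = [ordered]@{
    'ts01-gyr-maverick.cloudsink.net' = @(
        '100.20.76.137','35.162.239.174','35.162.224.228','50.112.129.218','50.112.130.23','50.112.131.18',
        '52.25.223.26','52.33.193.184','52.35.11.124','52.35.162.27','54.68.92.116','54.71.43.66')
    'lfodown01-gyr-maverick.cloudsink.net' = @(
        '34.209.79.111','52.10.219.156','34.210.186.129','34.209.165.130','35.80.210.147','35.160.213.193',
        '35.166.20.122','52.27.205.162','100.20.144.105')
    'lfoup01-gyr-maverick.cloudsink.net' = @(
        '34.209.165.130','34.214.236.51','34.215.239.163','35.80.210.147','35.160.213.193','35.166.20.122',
        '44.228.118.64','44.229.24.18','50.112.6.52','50.112.129.218','50.112.130.23','50.112.131.18',
        '52.25.223.26','52.27.205.162','52.33.193.184','52.35.11.124','52.35.162.27','54.68.92.116',
        '54.71.43.66','54.191.184.169','100.20.144.105')
}

function Test-FalconCloudPath {
    param([string]$Fqdn, [string[]]$Published)

    # 1. DNS: every IPv4 answer should be in the published list; an unlisted answer means a firewall
    #    allowlist built from this page would block the sensor, or DNS is being tampered with.
    try {
        $resolved = [System.Net.Dns]::GetHostAddresses($Fqdn) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString }
    } catch {
        return [pscustomobject]@{ Fqdn = $Fqdn; Resolved = ''; Unlisted = ''; Tls12 = $false
                                  ChainRoot = "DNS failed: $($_.Exception.Message)"; Intercepted = $false }
    }
    $unlisted = @($resolved | Where-Object { $_ -notin $Published })

    # 2. TCP 443 plus a TLS 1.2 handshake. The validation callback accepts any certificate so that an
    #    intercepting proxy's chain is observed and reported instead of simply failing the handshake.
    $root = 'no certificate received'
    $tls12 = $false
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Fqdn, 443)
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Fqdn, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $tls12 = $ssl.IsAuthenticated -and ($ssl.SslProtocol -eq [System.Security.Authentication.SslProtocols]::Tls12)
        # Build the chain locally from the leaf the server sent and record the top-most element.
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null = $chain.Build($leaf)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        $ssl.Dispose()
    } catch {
        $root = "TLS failed: $($_.Exception.Message)"
    } finally {
        $client.Dispose()
    }

    [pscustomobject]@{
        Fqdn        = $Fqdn
        Resolved    = ($resolved -join ',')
        Unlisted    = ($unlisted -join ',')
        Tls12       = $tls12
        ChainRoot   = $root
        # Assumption: Falcon cloud chains end at a DigiCert root (see the Certificates section).
        Intercepted = $tls12 -and ($root -notlike '*DigiCert*')
    }
}

$report = foreach ($fqdn in $Endpoints.Keys) { Test-FalconCloudPath -Fqdn $fqdn -Published $Endpoints[$fqdn] }
$report | Format-Table -AutoSize -Wrap
# Non-zero exit when any FQDN resolved to an unlisted address, failed TLS 1.2, or showed a non-DigiCert root.
if ($report | Where-Object { $_.Unlisted -or -not $_.Tls12 -or $_.Intercepted }) { exit 1 }
```

A proxy that performs HTTPS interception typically shows up here as Tls12 = True with a ChainRoot belonging to the organisation's own CA rather than DigiCert; that host will fail certificate pinning even though the port test passes, so exclude the CrowdStrike FQDNs from inspection before deploying the sensor.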
Windows Endpoints
- the endpoint uses a recent version of Windows (refer to Deployment > What Windows versions does the Falcon agent support?)
Services
The following services must be installed and running:
- LMHosts
  Note: LMHosts might be disabled on your host if the TCP/IP NetBIOS Helper service is disabled.
- Network Store Interface (NSI)
- Windows Base Filtering Engine (BFE)
- Windows Power Service (aka Power)
Additionally, the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache\Type must be set to 0x00000020, the Microsoft default value.
On Windows Server 2016 and 2019, Windows Defender is enabled by default. To use Falcon's Next-Gen Antivirus quarantine setting, you must disable Windows Defender. You can use the following PowerShell command to disable Defender real-time monitoring:
Set-MpPreference -DisableRealtimeMonitoring $true
Network protocols
The Falcon sensor requires TLS 1.2 to communicate with the CrowdStrike cloud. Other protocols, including SSL or earlier versions of TLS, are not supported.
Additional services for hosts using proxies
- WinHTTP AutoProxy
- DHCP Client, if you use Web Proxy Automatic Discovery (WPAD) via DHCP
Local audit policy setting
To better capture logon-related events, the Falcon sensor for Windows requires the Logon local audit policy to be set to Success and Failure. If the actual policy setting does not match, the sensor changes it to match. Often, this policy is managed by a group policy object (GPO). If you use a GPO to manage the Logon policy, consider updating your GPO to match the required setting to minimize conflict between your GPO enforcement and the sensor enforcement.
To view your Logon local audit policy setting, use this auditpol command:
auditpol.exe /get /category:Logon/Logoff
Certificates
The Falcon sensor requires your host to have the DigiCertHighAssuranceEVRootCA and DigiCertAssuredIDRootCA certs in your Trusted Root CA store.
Note: Starting with Falcon sensor for Windows version 6.18, the sensor installer checks whether these certs are present. If they are not present, the installer checks the Turn off Automatic Root Certificate Update Windows setting. If the setting is disabled, the installer continues and attempts to build the required certificate chain, which causes Windows to install the missing root CA. If sensor installs are failing and Turn off Automatic Root Certificate Update is enabled, set Turn off Automatic Root Certificate Update to disabled to have the sensor installer address the missing certs.
To check whether the certs are already present, and to download and import them if needed:
- Follow the Microsoft documentation for the Microsoft Management Console (MMC) to enable the Certificates snap-in, per How to: View certificates with the MMC snap-in.
- In the MMC, click Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.
- Verify that both of the required certs are present. If either certificate is not present, complete these steps:
  - Download the missing certificate from DigiCert: DigiCertHighAssuranceEVRootCA and DigiCertAssuredIDRootCA.
  - Import a certificate by right-clicking Certificates and then All Tasks > Import. Choose your local machine, click Next, and browse to the downloaded cert. Complete the import.
  - Import the other certificate if needed.
  - Confirm that both certs are now present in Trusted Root Certification Authorities > Certificates.
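The Windows requirements above (services, the Dnscache registry value, Defender real-time monitoring, TLS 1.2, the Logon audit policy and the two DigiCert roots) can be verified in one pass before the installer is run. The script below is an added example written for this page, not ActZero or CrowdStrike code; it reports PASS or FAIL per item and exits non-zero if anything fails. The -UsesProxy switch is a parameter of this example script, not an installer option. Assumptions: the two roots are matched by their subject CN ("DigiCert High Assurance EV Root CA" and "DigiCert Assured ID Root CA"); when the SCHANNEL TLS 1.2 client key is absent the OS default applies, which enables TLS 1.2 on the Windows versions the sensor supports; the auditpol column and setting names are those of English Windows.

```powershell
# Added example (not ActZero/CrowdStrike code): pre-install check of the Windows prerequisites above.
# Run as a script from an elevated PowerShell prompt. Use -UsesProxy on hosts that reach the
# internet through a proxy so that the two additional services are checked as well.
[CmdletBinding()]
param([switch]$UsesProxy)

$Results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $Results.Add([pscustomobject]@{ Check = $Check; Status = $(if ($Ok) { 'PASS' } else { 'FAIL' }); Detail = $Detail })
}

# 1. Required services, keyed by service name (not display name). lmhosts is the TCP/IP NetBIOS Helper service.
$services = [ordered]@{ lmhosts = 'LMHosts (TCP/IP NetBIOS Helper)'; nsi = 'Network Store Interface'
                        BFE = 'Base Filtering Engine'; Power = 'Power' }
if ($UsesProxy) { $services['WinHttpAutoProxySvc'] = 'WinHTTP AutoProxy'; $services['Dhcp'] = 'DHCP Client (WPAD via DHCP)' }
foreach ($name in $services.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $state = if ($svc) { [string]$svc.Status } else { 'not installed' }
    Add-Result "Service running: $($services[$name])" ($state -eq 'Running') "$name is $state"
}

# 2. Dnscache service Type must be the Microsoft default 0x20.
$dnsType = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache' -Name Type -ErrorAction SilentlyContinue).Type
$dnsDetail = if ($null -eq $dnsType) { 'value missing' } else { 'Type = 0x{0:X8}' -f $dnsType }
Add-Result 'Dnscache Type is 0x00000020' ($dnsType -eq 0x20) $dnsDetail

# 3. Defender real-time monitoring (on by default on Server 2016/2019) conflicts with NGAV quarantine.
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $rtDisabled = (Get-MpPreference).DisableRealtimeMonitoring
    Add-Result 'Defender real-time monitoring disabled' ([bool]$rtDisabled) "DisableRealtimeMonitoring = $rtDisabled"
}

# 4. TLS 1.2 client protocol must not be disabled in SCHANNEL. Assumption: an absent key means the OS
#    default applies, which enables TLS 1.2 on supported Windows versions.
$tls = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -ErrorAction SilentlyContinue
$tlsOk = ($null -eq $tls) -or (($tls.Enabled -ne 0) -and ($tls.DisabledByDefault -ne 1))
Add-Result 'TLS 1.2 client enabled' $tlsOk $(if ($tls) { "Enabled=$($tls.Enabled) DisabledByDefault=$($tls.DisabledByDefault)" } else { 'no override (OS default)' })

# 5. Logon subcategory audit policy must be "Success and Failure". /r makes auditpol emit CSV.
#    Assumption: English column and setting names; adjust on localized systems.
$logon = auditpol.exe /get /category:Logon/Logoff /r | ConvertFrom-Csv | Where-Object { $_.Subcategory -eq 'Logon' }
$setting = if ($logon) { $logon.'Inclusion Setting' } else { 'unknown' }
Add-Result 'Audit policy: Logon = Success and Failure' ($setting -eq 'Success and Failure') "current: $setting"

# 6. Both DigiCert roots in the machine Trusted Root store. Assumption: matched by subject CN.
$roots = Get-ChildItem -Path Cert:\LocalMachine\Root
$missing = $false
foreach ($cn in 'DigiCert High Assurance EV Root CA', 'DigiCert Assured ID Root CA') {
    $found = @($roots | Where-Object { $_.Subject -like "CN=$cn,*" -or $_.Subject -eq "CN=$cn" })
    if (-not $found) { $missing = $true }
    Add-Result "Root CA present: $cn" ([bool]$found) $(if ($found) { "thumbprint $($found[0].Thumbprint)" } else { 'missing' })
}
# A missing root can only be fetched by the installer when Automatic Root Certificate Update is not turned off.
if ($missing) {
    $auto = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    $turnedOff = $auto -and ($auto.DisableRootAutoUpdate -eq 1)
    Add-Result 'Automatic Root Certificate Update not turned off' (-not $turnedOff) $(if ($turnedOff) { 'DisableRootAutoUpdate = 1; installer cannot fetch missing roots' } else { 'enabled' })
}

$Results | Format-Table -AutoSize -Wrap
if ($Results | Where-Object { $_.Status -eq 'FAIL' }) { exit 1 }
```

The script only reads state; it does not change services, registry values or the audit policy, so it is safe to run in a software-distribution pre-check step and gate the installer on its exit code.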
Product specific
Some endpoints, such as finance, web or SQL servers, can have a higher than normal workload and require special consideration. By providing a list of hostnames for these groups of hosts prior to installation, you allow ActZero to ensure the hosts are added to the correct groups and policies.
The following is a list of some (but not all) systems to consider:
- Active Directory servers
- SQL / Database servers
- Web servers
- Accounting / finance servers
macOS Endpoints
- the endpoint uses a recent version of macOS (refer to Deployment > What macOS versions does the Falcon agent support?)
Authorizations
Falcon sensor for macOS version 6.11 and later requires these host authorizations to be specified in a profile:
- Authorization for the Falcon system extension, which is required for hosts running macOS Big Sur 11.0 and later. Apple requires system extensions to be approved before they can be loaded.
- Configuration for the Falcon network filter extension, which is required for hosts running macOS Big Sur 11.0 and later.
- Full Disk Access (FDA) to Falcon. This is a recommendation for macOS Mojave 10.14 and a requirement for macOS Catalina 10.15 and later.
- Authorization for the CrowdStrike kernel extension. This is required for hosts running macOS Mojave 10.14 through macOS Catalina 10.15, and to support the BIOS visibility prevention policy settings regardless of OS version. Similar to system extensions, Apple requires kernel extensions to be approved before they can be loaded.
For improved security and privacy, Apple doesn't allow profiles to be deployed outside of an MDM solution. CrowdStrike strongly recommends you use an MDM solution to distribute the profile to your endpoints prior to the deployment process. If you don't use an MDM solution to distribute the necessary profile to endpoints prior to installation or upgrade to sensor version 6.11 and later, multiple authentication confirmations from the OS occur on the host and must manually be approved.
Linux Endpoints
- the endpoint uses a recent version of Linux (refer to Deployment > What Linux versions does the Falcon agent support?)
Falcon-Kernel-Check tool
The falcon-kernel-check tool ensures the Falcon sensor will be fully operational on a host by verifying that the host kernel is compatible with Falcon. It is intended to be run before the sensor is installed. If a kernel is incompatible, the sensor might still install on the host but will be in Reduced Functionality Mode (RFM). While in RFM, the sensor is in a safety mode that protects it from severe compatibility errors. The sensor generates a heartbeat event, but does not perform any monitoring or prevention actions.
Falcon sensor for Linux version 5.38 and later includes a feature to add support for new kernels without requiring a sensor update. Support for new kernels is added through Zero Touch Linux (ZTL) channel files that are deployed to hosts. The falcon-kernel-check tool currently only verifies kernel support for the initial release of the sensor version. As a result, kernel support that has been added through channel files for a sensor version is not reflected in the results of the falcon-kernel-check tool.
For hosts with the sensor already installed, verify kernel compatibility by checking RFM status. Run this command on the host:
sudo /opt/CrowdStrike/falconctl -g --rfm-state
Before you begin
Download the appropriate sensor package for your host
New kernel support is added regularly, so it is important to ensure that you have the latest sensor installer before running falcon-kernel-check.
Requirements
- Sensor support:
  - Falcon sensor for Linux version 4.25.7103 and later
- System requirements:
  - Supported Linux distro
  - rpm2cpio (RPM-based distros only)
Extracting the tool
Follow the appropriate extraction instructions for your distro:
RPM-based distros:
$ mkdir -p /tmp/crowdstrike
$ rpm2cpio <installer_filename>.rpm | (cd /tmp/crowdstrike; cpio -idv)
DEB-based distros:
$ mkdir -p /tmp/crowdstrike
$ dpkg -x <installer_filename>.deb /tmp/crowdstrike
Checking kernel compatibility
The falcon-kernel-check tool can be used in two ways.
- To check the host's active kernel, run falcon-kernel-check<BuildNumber> with no parameters:
$ falcon-kernel-check<BuildNumber>
Host OS 3.10.0-957.1.3.el7.x86_64 is supported by Sensor version 7103.
- To check any other kernel, run falcon-kernel-check<BuildNumber> with the -k parameter. For example:
$ falcon-kernel-check<BuildNumber> -k 3.10.0-957.1.3.el7.x86_64
3.10.0-957.1.3.el7.x86_64 is supported by Sensor version 7103.
If a kernel version is available in multiple distributions, falcon-kernel-check displays the list of all kernels that match the specified parameter. For example:
$ falcon-kernel-check<BuildNumber> -k 4.4.0-31-generic
4.4.0-31-generic matches:
4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:07:32 UTC 2016
4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016
Command-line options
Usage: $ falcon-kernel-check<BuildNumber> [options]
-h print usage.
-v print version.
-k input kernel release to see if it is supported.