Endpoint Security, CrowdStrike, Prevention Policies
One of the most essential components of CrowdStrike is its prevention policies. A prevention policy is the set of rules that determines which malware detection and prevention mechanisms the CrowdStrike agent uses on your endpoints. Without a defined policy, hosts will be unprotected by CrowdStrike.
Prevention policies may only be configured by an account with the Falcon Administrator role. Units utilizing the Community or a Named instance will not have access to this role, and should instead submit change requests to https://go.illinois.edu/epshelp.
To access the prevention policies, use the left navigation bar and select Configuration > Prevention Policies.
Sidebar showing how to access Prevention Policies
In the CrowdStrike console, policies are organized by operating system. Each operating system has its own set of policies, and not all operating systems have the same policy options available.
Example list of Prevention Policies
Each policy applies to one or more groups of hosts. Host groups are defined under Hosts > Groups.
Since a single host can belong to multiple groups, each of which may be assigned to a different policy, the policy that actually applies to a host is decided by precedence. Of all the policies assigned to any group the host belongs to, the one with the highest precedence (the lowest number) wins. If no policy is assigned to any of the host's groups, or the host is not a member of any group, the host receives the Default Policy for its operating system.
Policies may be reordered by toggling the Edit precedence switch in the upper-right corner. The Default Policy cannot be moved from the final position, so it only ever applies when no other policy matches the host.
To modify a prevention policy, click on the edit icon for that policy.
Policies have three configuration pages:
- Settings
- Assigned Host Groups
- Assigned Custom IOAs (Windows and Mac only)
Example of Prevention Policy Settings
The Settings page defines the ways that the CrowdStrike sensor detects and prevents malware and suspicious behavior. Click on a setting category to reveal its settings. Most settings have a switch to enable or disable them, while some have a level setting. These can be set by clicking the icon below the level desired.
Not all prevention settings will quarantine files. Quarantining does not apply to the following categories:
- Exploit Mitigation
- Exploitation Behavior
- Lateral Movement and Credential Access
Files detected under these prevention settings will be prevented from running, but will not be quarantined.
See Endpoint Security, CrowdStrike, Security Best Practices for recommended defaults for prevention settings.
Example of Prevention Policy Assigned Host Groups
The Assigned Host Groups page defines which hosts the policy will apply to. More than one host group may be assigned to a given policy, but a given host group may be assigned to only one policy at a time, per operating system.
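The two rules above, that the lowest precedence number among a host's matching policies wins (falling back to the Default Policy), and that a host group may be assigned to only one policy per operating system, are easy to get wrong when a host sits in several groups. The following model is an added example written for this page; it is not CrowdStrike code and does not call the Falcon API. The policy names, host groups and hostnames are constructed, and the single `DEFAULT_POLICY` label stands in for the per-OS Default Policy the console shows.

```python
"""Model of Falcon prevention-policy resolution (added illustration, not CrowdStrike code).

Rules modelled, as described on this page:
  * a policy only applies to hosts of its own operating system;
  * among all policies assigned to any group the host is in, the lowest
    precedence number wins;
  * if nothing matches, the host gets the Default Policy;
  * a host group may be assigned to at most one policy per operating system.
"""
from dataclasses import dataclass, field

DEFAULT_POLICY = "Default Policy"   # stands in for the per-OS default in the console


@dataclass
class Policy:
    name: str
    platform: str                  # "Windows", "Mac" or "Linux"
    precedence: int                # 1 = highest precedence
    host_groups: list = field(default_factory=list)


@dataclass
class Host:
    hostname: str
    platform: str
    groups: list = field(default_factory=list)


def validate(policies):
    """Reject a policy set that violates the console's assignment rules.

    Returns the list of (platform, group) assignments when the set is valid.
    """
    seen_groups = {}
    seen_precedence = set()
    for p in policies:
        key = (p.platform, p.precedence)
        if key in seen_precedence:
            raise ValueError(f"duplicate precedence {p.precedence} on {p.platform}")
        seen_precedence.add(key)
        for g in p.host_groups:
            gkey = (p.platform, g)
            if gkey in seen_groups:
                raise ValueError(
                    f"host group {g!r} is assigned to both {seen_groups[gkey]!r} "
                    f"and {p.name!r} on {p.platform}"
                )
            seen_groups[gkey] = p.name
    return sorted(seen_groups)


def effective_policy(host, policies):
    """Return the name of the policy the sensor would enforce on `host`."""
    candidates = [
        p for p in policies
        if p.platform == host.platform and set(p.host_groups) & set(host.groups)
    ]
    if not candidates:
        return DEFAULT_POLICY
    return min(candidates, key=lambda p: p.precedence).name


def resolve_all(hosts, policies):
    """Map every hostname to its effective policy, after validating the set."""
    validate(policies)
    return {h.hostname: effective_policy(h, policies) for h in hosts}


# Constructed sample data (not real policies or hosts).
POLICIES = [
    Policy("Workstations - strict", "Windows", 1, ["ws-all"]),
    Policy("Servers", "Windows", 2, ["srv-all", "srv-dmz"]),
    Policy("Lab machines", "Windows", 3, ["lab"]),
    Policy("Mac workstations", "Mac", 1, ["ws-all"]),   # same group name, different OS: allowed
]

HOSTS = [
    Host("WS-1234", "Windows", ["ws-all", "lab"]),   # two matches: precedence 1 beats 3
    Host("SRV-DMZ-01", "Windows", ["srv-dmz"]),
    Host("SRV-NEW", "Windows", []),                  # no groups: Default Policy
    Host("MBP-77", "Mac", ["ws-all"]),
    Host("LNX-01", "Linux", ["srv-all"]),            # Windows policy does not apply to Linux
]

if __name__ == "__main__":
    for hostname, policy in resolve_all(HOSTS, POLICIES).items():
        print(f"{hostname:12} -> {policy}")
```

Running the block prints one line per host; `WS-1234` gets `Workstations - strict` even though it is also in the `lab` group, and both `SRV-NEW` and `LNX-01` fall through to the Default Policy. The validation step is the check the console performs for you when it refuses to add a host group to a second policy of the same OS; keeping it in a script like this is useful when reviewing an exported policy set before requesting changes.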
Example of Prevention Policy Assigned Custom IOAs
The Assigned Custom IOAs page allows you to define additional indicators of attack, which the CrowdStrike sensor will prevent from executing. Custom IOAs are only available for Windows and Mac hosts.
Custom IOA rule groups must be defined before they can be assigned to Prevention Policies. Only those with the Custom IOAs role may create custom IOA rule groups. The Falcon Administrator role does not have this permission.
While each host group can only be assigned to a single Prevention Policy per operating system, a custom IOA rule group may be assigned to any number of Prevention Policies.
Much more information is available in the official documentation (console access required).