Endpoint Security, CrowdStrike, Manual Installation and Uninstallation

How to install and uninstall CrowdStrike manually

Systems

CrowdStrike

Affected Customers

University of Illinois IT Pros leveraging Technology Services CrowdStrike

Actions

Getting the Installer

For IT Pros without access to the CrowdStrike console:
The installers can be downloaded from a Box folder.

For IT Pros with access to the CrowdStrike console:
The installers can be found on the Sensors Download page in the CrowdStrike cloud console: https://falcon.crowdstrike.com/hosts/sensor-downloads. Take note of your unique Customer ID Checksum ("CCID" or "CID") at the top of the Sensors Download page as this will be used during the installation process.

Please contact Endpoint Services for the Box folder URL or to get access to the CrowdStrike console.

Windows Installation

To install CrowdStrike manually on a Windows computer, follow these steps:
  1. Download the WindowsSensor.exe file to the computer.
  2. Open an administrative command prompt and run the following command, replacing "<your CID>" with your unit's unique CCID:
    3. WindowsSensor.exe /install /quiet /norestart CID=<your CID>
  3. The installer will install the sensor and then connect to the CrowdStrike Cloud before registering the app with the CrowdStrike cloud console.
Please note that CrowdStrike may encounter conflicts with Windows Defender that is managed by Group Policy. It is recommended to check your GPOs prior to installing CrowdStrike.

Windows Server OS

The Falcon Sensor for Windows will register as antivirus software with the Windows Security Center (WSC) and also disable Windows Defender on Windows workstations. Since Windows servers do not have the WSC, they function differently with regard to Windows Defender:

  • Server 2012, 2012 R2: Defender is either disabled (or not even installed) by default–if you previously installed or enabled it manually, then you must disable it manually after installing CrowdStrike.
  • Server 2016 and Server 2019: Defender is enabled by default –if you left it enabled in your configuration, then it must be disabled. The following Powershell command can be used to disable Defender:
    • Set-MpPreference -DisableRealtimeMonitoring $true

Optional Parameters

ProvWaitTime

The ProvWaitTime parameter can be used to extend the time an endpoint attempts to reach the CrowdStrike cloud during sensor installation. Hosts must remain connected to the CrowdStrike cloud throughout installation, which is generally 10 minutes. A host unable to reach and retain a connection to the cloud within 10 minutes will not successfully install the sensor. If your host requires more time to connect, you can override this by using the ProvWaitTime parameter in the command line to increase the timeout to 1 hour.

Example:WindowsSensor.exe /install /norestart CID=<your CID> ProvWaitTime=3600000

NO_START=1

The NO_START=1 parameter can be used to prevent the sensor from starting up after installation. The next time the host boots, the sensor will start and be assigned a new agent ID (AID). This parameter is usually used when preparing master images for cloning.

Example:WindowsSensor.exe /install /norestart CID=<your CID> NO_START=1

Windows Uninstallation

CrowdStrike allows for IT Pros to protect the CrowdStrike sensor installation from uninstall by requiring a maintenance token to be provided prior to uninstalling the sensor. If uninstall protection is enabled, you will be required to provide this token during uninstallation.

Obtaining the Maintenance Token
  1. In the CrowdStrike cloud console, locate the endpoint on the Host Management screen and select it to view additional details for the host.
  2. Click the Reveal maintenance token button
  3. Provide your reason for using the token and click the Reveal Token button. Take note of the provided maintenance token.

**Note**

If the Reveal maintenance token button is not visible for a device, this most likely means the device has a sensor update policy applied that disables installation protection/maintenance tokens.


Option 1: Remove via Windows Control Panel
  1. Open the Control Panel
  2. Click Uninstall a Program
  3. Choose CrowdStrike Windows Sensor and uninstall it, providing the maintenance token via the installer if necessary

Option 2: Remove via Command Line
  1. Download CSUninstallTool from the Tool Downloads page in the CrowdStrike cloud console: https://falcon.crowdstrike.com/support/tool-downloads
  2. Open an administrative Command Prompt window and run one of the following commands (depending on whether uninstall protection is enabled), replacing "your token" with the endpoint's maintenance token:
    CsUninstallTool.exe /quiet
    3. CsUninstallTool.exe MAINTENANCE_TOKEN=<your token> /quiet

macOS Installation

Due to increased privacy and security features in recent macOS releases, CrowdStrike installation requires the following additional steps to be taken, either manually or via Workspace ONE profiles. These steps can't be fulfilled by Munki.

  • On macOS 10.13.4 through macOS 10.15, you will need to enable a kernel extension in order for CrowdStrike to function.
    Read more about user-approved kernel extension loading.
  • On macOS 10.15 and above, you will need to grant full disk access in order for CrowdStrike to function properly.
    Read more about granting full disk access.
  • On macOS 11.0 and above, you will need to enable a system extension in order for CrowdStrike to function.
    Read more about user-approved system extension loading.
  • On macOS 11.0 and above, you will need to approve a network content filter in order for CrowdStrike to function.

    • To install CrowdStrike manually on a macOS computer, follow these steps:
    1. Download the FalconSensorMacOS.pkg file to the computer.
    2. Either double-click the installer file and proceed to install the CrowdStrike sensor via the GUI, or run the following command in a Terminal window:
      sudo installer -verboseR -package /path/to/FalconSensorMacOS.pkg -target /
    3. Once the CrowdStrike sensor is installed, open a Terminal window and run the following command to license the sensor, replacing "<your CID>" with your unit's unique CCID:
      4. sudo /Applications/Falcon.app/Contents/Resources/falconctl license <your CID>
    4. The installer will install the sensor and then connect to the CrowdStrike Cloud before registering the app with the CrowdStrike cloud console.

    macOS Uninstallation

    CrowdStrike allows for IT Pros to protect the CrowdStrike sensor from uninstallation by requiring a maintenance token prior to uninstalling the sensor. The steps to uninstall the CrowdStrike sensor differ depending on whether uninstall protection is enabled.

    To uninstall CrowdStrike manually on a macOS computer with install protection enabled, follow these steps:
    1. In the CrowdStrike cloud console, locate the endpoint on the Host Management screen and select it to view additional details for the host.
    2. Click the Reveal maintenance token button
    3. Provide your reason for using the token and click the Reveal Token button. Take note of the provided maintenance token.
    4. Open a Terminal window and run the following command:
      5. sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall --maintenance-token
    5. Enter the endpoint's maintenance token when prompted
    6. The sensor will uninstall itself
    To uninstall CrowdStrike manually on a macOS computer with install protection disabled, follow these steps:
    1. Open a Terminal window and run the following command:
      2. sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall
    2. The sensor will uninstall itself
    IT Pros can remove the endpoint from the CrowdStrike cloud console via the Host Management screen or the endpoint will be automatically removed from the CrowdStrike cloud console after 45 days of inactivity.

    **Notes**

    • The falconctl path is different for CrowdStrike Falcon versions 5 and earlier. For older versions, use the above commands but replace /Applications/Falcon.app/Contents/Resources/falconctl with /Library/CS/falconctl
    • If the Reveal maintenance token button is not visible for a device, this most likely means the device has a sensor update policy applied that disables installation protection/maintenance tokens.

    Linux Installation

    To install CrowdStrike manually on a Linux system, follow these steps:
    1. Download the appropriate CrowdStrike installer for your computer's Linux distribution.
    2. Run one of the following commands based upon your Linux distribution:
      • Ubuntu: sudo dpkg -i /path/to/installer_package.deb
      • RHEL, CentOS, Amazon Linux: sudo yum install /path/to/installer_package.rpm
      • SLES: sudo zypper install /path/to/installer_package.rpm
    3. Once the CrowdStrike sensor is installed, run the following command to license the sensor (the command is the same for all Linux distributions), replacing "<your CID>" with your unit's unique CCID:
      4. sudo /opt/CrowdStrike/falconctl -s --cid=<your CID>
    4. Run one of the following commands to start the sensor manually:
      • Hosts with Systemd: systemctl start falcon-sensor
      • Hosts with SysVinit: service falcon-sensor start

    Linux Uninstallation

    To uninstall CrowdStrike manually on a Linux system, run one of the following commands based upon your Linux distribution:
    • Ubuntu: sudo apt-get purge falcon-sensor
    • RHEL, CentOS, Amazon Linux: sudo yum remove falcon-sensor
    • SLES: sudo zypper remove falcon-sensor

    **Note**

    Linux machines with either package signature verification or Secure Boot enabled require additional steps during installation. Please refer to the Falcon Sensor for Linux Deployment Guide for additional information.

    Support

    Contact the EPS team