Endpoint Security, CrowdStrike, Manual Installation and Uninstallation

How to install and uninstall CrowdStrike manually

Systems

CrowdStrike

Affected Customers

University of Illinois IT Pros leveraging Technology Services CrowdStrike

Actions

Getting the Installer

The CrowdStrike installer can be found on the Sensors Download page in the CrowdStrike cloud console: https://falcon.crowdstrike.com/hosts/sensor-downloads. Take note of your unique Customer ID Checksum ("CCID" or "CID") at the top of the Sensors Download page.

Windows Installation

To install CrowdStrike manually on a Windows computer, follow these steps:
  1. Download the WindowsSensor.exe file to the computer.
  2. Open an administrative command prompt and run the following command, replacing "<your CID>" with your unit's unique CCID:
    WindowsSensor.exe /install /quiet /norestart CID=<your CID>
  3. The installer will install the sensor and then connect to the CrowdStrike Cloud before registering the app with the CrowdStrike cloud console.

Optional Parameters

Units can add optional parameters to the install command.

The GROUPING_TAGS parameter can be used to assign a "tag" to a Windows endpoint within CrowdStrike. This tag can be used to filter Windows endpoints and even assign them to a dynamic group. One or more tags may be applied to an endpoint. Tags can include alphanumeric characters, hyphens (-), underscores (_), and forward slashes (/). To use multiple tags, separate each tag with commas. Tags can't include spaces ( ) or commas (,). All tags for a host, including any comma separators, must be a total of 256 characters or less.

Example:
    WindowsSensor.exe /install /norestart CID=<your CID> GROUPING_TAGS="Admin,Production"
In this example, two tags would be set for the endpoint: Admin and Production.

The ProvWaitTime parameter can be used to extend the time an endpoint attempts to reach the CrowdStrike cloud during sensor installation. Hosts must remain connected to the CrowdStrike cloud throughout installation, which is generally 10 minutes. A host unable to reach and retain a connection to the cloud within 10 minutes will not successfully install the sensor. If your host requires more time to connect, you can override this by using the ProvWaitTime parameter in the command line to increase the timeout to 1 hour.

Example:
    WindowsSensor.exe /install /norestart CID=<your CID> ProvWaitTime=3600000
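
The following PowerShell function is an added example, not part of the original article or of CrowdStrike's tooling. It checks a tag list against the GROUPING_TAGS rules described above before building the installer arguments, so a malformed tag is caught before the sensor is deployed. The function name, parameter names, and variable names are hypothetical.

```powershell
# Added example: validate grouping tags and build WindowsSensor.exe arguments.
# New-SensorInstallArgs and its parameter names are hypothetical helpers.
function New-SensorInstallArgs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Cid,
        [string[]] $Tags = @(),
        # Milliseconds; 3600000 (1 hour) is the value shown in the article.
        [ValidateRange(1, [int]::MaxValue)] [int] $ProvWaitTimeMs
    )

    foreach ($tag in $Tags) {
        # Allowed: alphanumerics, hyphen, underscore, forward slash.
        # Spaces and commas inside a single tag are rejected, as are empty tags.
        if ($tag -notmatch '\A[A-Za-z0-9_/-]+\z') {
            throw "Invalid grouping tag '$tag'"
        }
    }

    # The 256-character limit covers all tags plus the comma separators.
    $joined = $Tags -join ','
    if ($joined.Length -gt 256) {
        throw "GROUPING_TAGS is $($joined.Length) characters; the limit is 256."
    }

    $installArgs = @('/install', '/quiet', '/norestart', "CID=$Cid")
    if ($joined) { $installArgs += "GROUPING_TAGS=`"$joined`"" }
    if ($PSBoundParameters.ContainsKey('ProvWaitTimeMs')) {
        $installArgs += "ProvWaitTime=$ProvWaitTimeMs"
    }
    return $installArgs
}

# '<your CID>' is a placeholder; substitute your unit's CCID.
$sensorArgs = New-SensorInstallArgs -Cid '<your CID>' -Tags 'Admin','Production' -ProvWaitTimeMs 3600000
# From an elevated session in the folder holding the installer:
# Start-Process -FilePath .\WindowsSensor.exe -ArgumentList $sensorArgs -Wait
$sensorArgs -join ' '
```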

Windows Uninstallation

CrowdStrike allows IT Pros to protect the CrowdStrike sensor installation from uninstall by requiring a maintenance token to be provided prior to uninstalling the sensor. If uninstall protection is enabled, you will be required to provide this token during uninstallation.

Obtaining the Maintenance Token
  1. In the CrowdStrike cloud console, locate the endpoint on the Host Management screen and select it to view additional details for the host.
  2. Click the Reveal maintenance token button.
  3. Provide your reason for using the token and click the Reveal Token button. Take note of the provided maintenance token.

Option 1: Remove via Windows Control Panel
  1. Open the Control Panel.
  2. Click Uninstall a Program.
  3. Choose CrowdStrike Windows Sensor and uninstall it, providing the maintenance token via the installer if necessary.

Option 2: Remove via Command Line
  1. Download CSUninstallTool from the Tool Downloads page in the CrowdStrike cloud console: https://falcon.crowdstrike.com/support/tool-downloads
  2. Open an administrative Command Prompt window and run one of the following commands, depending on whether uninstall protection is enabled, replacing "<your token>" with the endpoint's maintenance token:
    If uninstall protection is disabled:
    CsUninstallTool.exe /quiet
    If uninstall protection is enabled:
    CsUninstallTool.exe MAINTENANCE_TOKEN=<your token> /quiet

macOS Installation

To install CrowdStrike manually on a macOS computer, follow these steps:
  1. Download the FalconSensorMacOS.pkg file to the computer.
  2. Either double-click the installer file and proceed to install the CrowdStrike sensor via the GUI, or run the following command in a Terminal window:
    sudo installer -verboseR -package /path/to/FalconSensorMacOS.pkg -target /
  3. Once the CrowdStrike sensor is installed, open a Terminal window and run the following command to license the sensor, replacing "<your CID>" with your unit's unique CCID:
    sudo /Library/CS/falconctl license <your CID>
  4. The installer will install the sensor and then connect to the CrowdStrike Cloud before registering the app with the CrowdStrike cloud console.
  • Important: on macOS 10.15, you will need to grant full disk access in order for CrowdStrike to function properly. See our KB article for instructions.

  • Note that on macOS 10.13.4 and above, you will need to enable a kernel extension in order for CrowdStrike to function. Read more about user-approved kernel extension loading.

macOS Uninstallation

CrowdStrike allows IT Pros to protect the CrowdStrike sensor from uninstallation by requiring a maintenance token prior to uninstalling the sensor. The steps to uninstall the CrowdStrike sensor differ depending on whether uninstall protection is enabled.

To uninstall CrowdStrike manually on a macOS computer with uninstall protection enabled, follow these steps:
  1. In the CrowdStrike cloud console, locate the endpoint on the Host Management screen and select it to view additional details for the host.
  2. Click the Reveal maintenance token button.
  3. Provide your reason for using the token and click the Reveal Token button. Take note of the provided maintenance token.
  4. Open a Terminal window and run the following command:
    sudo /Library/CS/falconctl uninstall --maintenance-token
  5. Enter the endpoint's maintenance token when prompted.
  6. The sensor will uninstall itself.

To uninstall CrowdStrike manually on a macOS computer with uninstall protection disabled, follow these steps:
  1. Open a Terminal window and run the following command:
    sudo /Library/CS/falconctl uninstall
  2. The sensor will uninstall itself.

IT Pros can remove the endpoint from the CrowdStrike cloud console via the Host Management screen; otherwise, the endpoint will be automatically removed from the CrowdStrike cloud console after 45 days of inactivity.



Keywords: CrowdStrike, antivirus, mac, manual install EPS TechS-EPS-CrowdStrike
Doc ID: 93943
Owner: EPS Distribution List
Group: University of Illinois Technology Services
Created: 2019-08-19 12:19 CST
Updated: 2019-11-12 10:49 CST
Sites: University of Illinois Technology Services