Endpoint Security, CrowdStrike, Prevention Policies

One of the most essential components of CrowdStrike is its prevention policies. Prevention policies are rules that determine the types of malware detection and prevention mechanisms the CrowdStrike agent utilizes on your endpoints. Without a defined policy, hosts will be unprotected by CrowdStrike.

Prevention policies may only be configured by an account with the Falcon Administrator role. Units utilizing the Community or a Named instance will not have access to this role, and should instead submit change requests to https://go.illinois.edu/EPSHelp.

Viewing Prevention Policies

To access the prevention policies, use the top-left menu button and select Configuration > Prevention Policies.

Menu showing how to access Prevention Policies

In the CrowdStrike console, policies are organized by operating system. Each operating system has its own set of policies, and not all operating systems have the same policy options available.

Example list of Prevention Policies

Each policy applies to one or more groups of hosts. Host groups are defined under Hosts > Groups.

Since a single host can belong to multiple groups, each with its own policy, the policy that applies to a host is determined by precedence: among the policies assigned to any of the host's groups, the one with the highest precedence (lowest number) applies. If no policies apply to any groups that a host is a member of, or the host is not a member of any groups, then that host will receive the Default Policy.

Please note that policies with the "From Your MSSP" label are inherited, and have some settings that cannot be altered.

Policies may be reordered by toggling the Edit precedence switch in the upper-right corner. The inherited policies and the Default Policy cannot be moved.

Modifying Prevention Policies

To modify a prevention policy, click the Edit button on that policy.

Policies have three configuration pages:

  • Settings
  • Assigned Host Groups
  • Assigned Custom IOAs

Settings

Example of Prevention Policy Settings

The Settings page defines the ways that the CrowdStrike sensor detects and prevents malware and suspicious behavior. Click on a setting category to reveal its settings. Most settings have a switch to enable or disable them, while some have a level setting.

The settings for inherited policies cannot be modified.

Not all prevention settings will quarantine files. Quarantining does not apply to the following categories:

  • Exploit Mitigation
  • Ransomware
  • Exploitation Behavior
  • Lateral Movement and Credential Access

Files detected under these prevention settings will be prevented from running, but will not be quarantined.

See Endpoint Security, CrowdStrike, Security Best Practices for recommended defaults for prevention settings.

Assigned Host Groups

Example of Prevention Policy Assigned Host Groups

The Assigned Host Groups page defines which hosts the policy will apply to. More than one host group may be assigned to a given policy, but a given host group may be assigned to only one policy at a time, per operating system. A policy without any host groups assigned is an unused policy.
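The two rules above, precedence resolution for a host that belongs to several groups and the one-policy-per-host-group-per-OS constraint on assignments, can be modelled to check a policy set before it is applied. The following is an added example, not CrowdStrike code and not part of this page's original content; it does not call the Falcon API, and the policy names, group names and precedence numbers are constructed for illustration.

```python
"""Resolve which prevention policy applies to a host, and validate assignments.

Added example modelling the precedence and host-group rules described on this
page. It is not CrowdStrike code and does not talk to the Falcon console or API.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

DEFAULT_POLICY_NAME = "Default Policy"  # per-OS fallback policy, as described on the page


@dataclass
class PreventionPolicy:
    name: str
    platform: str                 # operating system the policy is defined for
    precedence: int               # lower number = higher precedence
    host_groups: List[str] = field(default_factory=list)


def effective_policy(host_groups: Iterable[str], platform: str,
                     policies: Iterable[PreventionPolicy]) -> str:
    """Return the name of the policy that applies to a host.

    Only policies for the host's OS whose assigned groups overlap the host's
    group memberships are candidates; the lowest precedence number wins.
    A host with no matching policy (or no groups at all) gets the Default Policy.
    """
    memberships = set(host_groups)
    candidates = [p for p in policies
                  if p.platform == platform and memberships.intersection(p.host_groups)]
    if not candidates:
        return DEFAULT_POLICY_NAME
    return min(candidates, key=lambda p: p.precedence).name


def multiply_assigned_groups(policies: Iterable[PreventionPolicy]) -> Dict[str, Dict[str, List[str]]]:
    """Find host groups assigned to more than one policy on the same OS.

    A host group may belong to only one prevention policy per operating system;
    this returns {platform: {group: [policy names]}} for every group that breaks
    that rule. An empty dict means the policy set is consistent.
    """
    seen: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for p in policies:
        for group in p.host_groups:
            seen[p.platform][group].append(p.name)
    return {platform: {g: names for g, names in groups.items() if len(names) > 1}
            for platform, groups in seen.items()
            if any(len(names) > 1 for names in groups.values())}


# Constructed sample policy set (names, groups and precedence are illustrative only).
POLICIES = [
    PreventionPolicy("Lab Workstations", "Windows", 1, ["labs"]),
    PreventionPolicy("General Workstations", "Windows", 2, ["workstations"]),
    PreventionPolicy("Mac Workstations", "Mac", 1, ["workstations"]),
]

# The same set plus a mistake: "workstations" assigned to a second Windows policy.
CONFLICTING_POLICIES = POLICIES + [
    PreventionPolicy("Finance Workstations", "Windows", 3, ["finance", "workstations"]),
]


if __name__ == "__main__":
    # A Windows host in both "labs" and "workstations" gets the precedence-1 policy.
    print(effective_policy(["labs", "workstations"], "Windows", POLICIES))  # Lab Workstations
    # A Windows host whose only group has no policy falls back to the default.
    print(effective_policy(["servers"], "Windows", POLICIES))              # Default Policy
    # Group names are scoped per OS: "workstations" on Windows and on Mac is fine.
    print(multiply_assigned_groups(POLICIES))                              # {}
    print(multiply_assigned_groups(CONFLICTING_POLICIES))
```

The resolver treats the Default Policy as an implicit fallback rather than a policy with assigned groups, which matches how the page describes it; inherited "From Your MSSP" policies are not modelled separately because their placement cannot be changed anyway.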

Assigned Custom IOAs

Example of Prevention Policy Assigned Custom IOAs

The Assigned Custom IOAs page allows you to define additional indicators of attack, which the CrowdStrike sensor will prevent from executing. Custom IOAs are only available for Windows and Mac hosts.

Custom IOA rule groups must be defined before they can be assigned to Prevention Policies. Only those with the Custom IOAs role may create custom IOA rule groups. The Falcon Administrator role does not have this permission.

While each host group can only be assigned to a single Prevention Policy, a custom IOA rule group may be assigned to any number of Prevention Policies.


Much more information is available in the official documentation (console access required).