Other Next Gen AV Proof of Concept Options

Here are my notes from the initial introduction and my time playing around with Crowdstrike Falcon:

- Three main services: SaaS Endpoint Protection, Threat Intelligence, and Cloud Security.
- AD integrated and can assign policies by OU.
- Requires policies to be switched on to be effective; they do not set up or walk through policies.
- Training courses and YouTube videos are available.
- Policy updates and the sensitivity of the software.
- Need to restart to have the machine appear in the console.
- Client is called Falcon and there are different package offerings.
- Keeps a history of scripts run, registry effects, and web origination information.
- Need responder privileges as well as admin to issue cleanup; not readily apparent.
- Has a threat group lookup page for known threat actors.

The hardest part of the process was removing the previous installation of the antivirus solution we used. You don’t have to restart the machine to get the install to finalize; however, if you want the computer to show up in the console, you need to restart. The low resource requirements for running the agent are nice. The AV we were using was such a resource hog that it ran multiple different processes. I also liked how you can run the agent (Falcon) silently. It was this way by default (I don’t recall if you could disable this). Managing and assigning policies are a nice touch (once they are turned on). I came from manually creating policies and having to jump through hoops to edit and save them.

Once we got the protection piece working properly (more on this in the next section), I enjoyed the easy exclusions for false positives and the info on the true positives.

As far as the meat and potatoes go, I really enjoyed the history and web origination piece. The group lookup page for known threat actors was a nice touch for investigating the background of certain strains of malware. This was leagues ahead of what I had seen at the time. The historical information was easy to find and laid out nicely. I didn’t get a chance to integrate this into a SIEM, but I did forward some logs to see how easy the integration would be.

What I Didn’t Like

Even though the policies were easy to set up and assign, they require being switched on (this isn’t the default like other AV software). Our contact didn’t do a good job explaining this or helping us set up anything, surprising for a customer success engineer. I eventually figured this out after seeing some of the test machines appear in the main console.

Speaking of our contact, the customer service success team did not do a good job introducing the software or how we could use it. Most of my notes above were from me asking quite a few questions. I’m sure there was more information about the product and service, but getting to the point above took an hour. I’m guessing this person was new and didn’t know how to onboard people.

After going through quite a few tests and noticing that the software wasn’t stopping anything I threw at it (RATs, ransomware, scripts, and other viruses), I shared my concerns with the contact. This wasn’t the worst part though. Surely I was missing something since it didn’t catch anything. They didn’t know what the problem was (at least initially) and offered to send me their malware to see that the software does indeed work (LOL nice try).