CrowdStrike install/uninstall

Linux Installation

To install CrowdStrike manually on a Linux system, follow these steps:
  1. Download the appropriate CrowdStrike installer for your computer's Linux distribution.
  2. Run one of the following commands based upon your Linux distribution:
    • Ubuntu: sudo dpkg -i /path/to/installer_package.deb
    • RHEL, CentOS, Amazon Linux: sudo yum install /path/to/installer_package.rpm
    • SLES: sudo zypper install /path/to/installer_package.rpm
  3. Once the CrowdStrike sensor is installed, run the following command to license the sensor (the command is the same for all Linux distributions), replacing "<your CID>" with your unit's unique CCID:
    • sudo /opt/CrowdStrike/falconctl -s --cid=<your CID>
  4. Run one of the following commands to start the sensor manually:
    • Hosts with Systemd: systemctl start falcon-sensor
    • Hosts with SysVinit: service falcon-sensor start

Linux Uninstallation

To uninstall CrowdStrike manually on a Linux system, run one of the following commands based upon your Linux distribution:
  • Ubuntu: sudo apt-get purge falcon-sensor
  • RHEL, CentOS, Amazon Linux: sudo yum remove falcon-sensor
  • SLES: sudo zypper remove falcon-sensor

Note: Linux machines with either package signature verification or Secure Boot enabled require additional steps during installation. Please refer to the Falcon Sensor for Linux Deployment Guide for additional information.

 

Windows Installation

To install CrowdStrike manually on a Windows computer, follow these steps:
  1. Download the WindowsSensor.exe file to the computer.
  2. Either double-click the installer file and proceed to install the CrowdStrike sensor via the GUI installer (entering your unit's unique CCID when prompted), or run the following command in an administrative command prompt, replacing "<your CID>" with your unit's unique CCID:
    • WindowsSensor.exe /install /quiet /norestart CID=<your CID>
  3. The installer will install the sensor and then connect to the CrowdStrike Cloud before registering the app with the CrowdStrike cloud console.

Please note that CrowdStrike may encounter conflicts with Windows Defender that is managed by Group Policy or MECM. It is recommended to check your Windows Defender policies and configurations prior to installing CrowdStrike.

 

Windows Server OS

The Falcon Sensor for Windows will register as antivirus software with the Windows Security Center (WSC) and also disable Windows Defender on Windows workstations. Since Windows servers do not have the WSC, they function differently with regard to Windows Defender:

  • Server 2012, 2012 R2: Defender is either disabled (or not even installed) by default–if you previously installed or enabled it manually, then you must disable it manually after installing CrowdStrike.
  • Server 2016, Server 2019, and Server 2022: Defender is enabled by default – if you left it enabled in your configuration, then it must be disabled. The following Powershell command can be used to disable Defender:
    • Set-MpPreference -DisableRealtimeMonitoring $true

 

Optional Command-line Parameters

 ProvWaitTime

The ProvWaitTime parameter can be used to extend the time an endpoint attempts to reach the CrowdStrike cloud during sensor installation. Hosts must remain connected to the CrowdStrike cloud throughout installation, which is generally 10 minutes. A host unable to reach and retain a connection to the cloud within 10 minutes will not successfully install the sensor. If your host requires more time to connect, you can override this by using the ProvWaitTime parameter in the command line to increase the timeout to 1 hour.

Example:WindowsSensor.exe /install /norestart CID=<your CID> ProvWaitTime=3600000

 NO_START=1

The NO_START=1 parameter can be used to prevent the sensor from starting up after installation. The next time the host boots, the sensor will start and be assigned a new agent ID (AID). This parameter is usually used when preparing master images for cloning.

Example: WindowsSensor.exe /install /norestart CID=<your CID> NO_START=1

Windows Uninstallation

CrowdStrike allows for IT Pros to protect the CrowdStrike sensor installation from uninstall by requiring a maintenance token to be provided prior to uninstalling the sensor. If uninstall protection is enabled, you will be required to provide this token during uninstallation.

Obtaining the Maintenance Token
  1. In the CrowdStrike cloud console, locate the endpoint on the Host Management screen and select it to view additional details for the host.
  2. Click the Reveal maintenance token button
  3. Provide your reason for using the token and click the Reveal Token button. Take note of the provided maintenance token.

Note: If the Reveal maintenance token button is not visible for a device, this most likely means the device has a sensor update policy applied that disables installation protection/maintenance tokens.

Option 1: Remove via Windows Control Panel
  1. Open the Control Panel
  2. Click Uninstall a Program
  3. Choose CrowdStrike Windows Sensor and uninstall it, providing the maintenance token via the installer if necessary

Option 2: Remove via Command Line
  1. Download CSUninstallTool from the Tool Downloads page in the CrowdStrike cloud console: https://falcon.crowdstrike.com/support/tool-downloads
  2. Open an administrative Command Prompt window and run one of the following commands (depending on whether uninstall protection is enabled), replacing "your token" with the endpoint's maintenance token:
    • CsUninstallTool.exe /quiet
    • CsUninstallTool.exe MAINTENANCE_TOKEN=<your token> /quiet

 

posted @ 2025-01-06 18:11  sevck  阅读(13)  评论(0编辑  收藏  举报