CrowdStrike Falcon® Helps Customers Achieve Regulatory Compliance

An interview with CrowdStrike Chief Information Officer Colin Black discussing regulatory compliance with CrowdStrike Falcon®.

Read Video Transcript

How to Prevent Malware

Hello and welcome to this video. We are going to see how to prevent malware with Falcon Host. Falcon Host uses multiple methods to prevent and detect malware. Those methods include machine learning, exploit blocking, indicators of attack, and blacklisting. This unique and integrated combination allows Falcon Host to protect against known malware, unknown malware, and file-less malware. Let’s see how to configure some of those features.

In the Falcon Host user interface, we need to go to the prevention settings. You can configure prevention features in the respond app. Once in the app, make sure that you’re in prevention. Then, click on settings. Please note that you need admin privileges to configure the prevention features on the prevention app setting page. Also note that the configuration changes are almost immediate and it only takes a couple of seconds to be updated on the endpoints.

Let’s start by configuring machine learning. Machine learning allows Falcon Host to block malware without using signatures. Instead, it relies on mathematical algorithms to analyze files. The file attribute analyses provide machine learning analyses on the file metadata. Well, static file analyses analyzes the features extracted from the executable files themselves.

Notice that you can set up independent rituals for detection and prevention. So you could, for example, choose to receive detection alerts for any suspicious files, even if it’s just a little bit suspicious, by selecting aggressive. But, you can choose to automatically prevent it only if the machine learning is very sure that it’s malicious by selecting cautious.

To edit those settings, click edit, choose the settings you want, and you could set prevention and detection separately to either disabled, cautious, moderate, or aggressive. But logically, the detection settings always have to be stronger or equal to the prevention setting. Click save when you’re done.

This is what a machine learning block will display in the Falcon Host user interface. And here’s another example of ransomware being caught by machine learning. The Falcon Host machine learning engine is great to block known and unknown malware, but malware does not always come in the form of a file that can be analyzed by machine learning.

Malware can be deployed directly into memory by using exploit kits. This is why Falcon Host also includes an exploit blocking function. Each of the exploit protection can be turned on or off in the same window as the machine learning configuration.

To turn an exploit mitigation on or off, just slide the toggle for the exploit mitigation you want to change. In our example, we’re going to turn on force ASR mitigation. We’ll slide the toggle to the right. We are asked if we want to enable this blocking globally, and let’s click enable. The toggle is changed to green and enabled. If you want to disable the prevention for the exploit, slide the toggle to the left and confirm that you want to disable.

Here’s an example of exploit blocking detection in the Falcon Host user interface. Exploit blocking provides another layer of protection but may not be sufficient at times because some file that’s malware do not use exploit kits. Ransomware, for example, has some file-less attacks that do not use exploits. This is why Falcon Host also uses indicators of attack, or IOAs, to protect the systems.

I always look across both legitimate and suspicious activities and detect stealthy chains of events that indicate malware infection attempts. Because most IOAs also prevent attacks that do not use malware, they are enabled at all times. But some, such as adware and ransomware, specific IOAs can be configured. You can enable or disable them in the current window by sliding the toggles just like we did for exploit blocking. Remember, earlier we saw an example of ransomware blocked by machine learning. Now we can see another ransomware blocked, but this time it was prevented by an indicator attack.

Finally, there are cases when you might want to block some applications because you’re certain that you never want them to run in your environment. Falcon Host allows you to upload hashes from your own blacklist or whitelist. For that we have to be the respond app, prevention window, and then click on hashes. Then we’ll drag and drop the list.

The list can be a text file with one MD5 or SHA-1 hash per line. All valid hashes will be uploaded. Rose with non-valid hash format will be ignored. Then save.

We can see that the hash has been uploaded, and if we want to upload more hashes later, click on the upload icon on the top right corner of the window. Now that the hash has been imported, we need to tell Falcon that we want to blacklist or whitelist this hash.

In this case, we’re going to blacklist it. For that, we need to check the hash and assign the always block policy. Choosing never block would actually whitelist the file. Then click Apply. Now we can see that the always block policy is assigned to this hash.

But we also need to make sure that custom blacklisting prevention is enabled. For that, let’s go back to the Settings page and check. In our case, it is already enabled, but if it was not, we could use the toggle to enable it. This is how this prevention shows up in the user interface of Falcon Host. This will show as being blocked according to your organization policy.

In conclusion, Falcon Host uses an array of methods for malware prevention that protects you against known malware, unknown malware, and file-less malware. Those methods include machine learning, exploit blocking, indicators of attacks, and blacklisting. Falcon Host uniquely combines these powerful methods into an integrated approach that protects and points more effectively against most malware and britches. Thank you for watching.

TECHNICAL CENTER

  • OS icon
  • deployment icon
  • installation icon

For technical information on installation, policy configuration and more, please visit the CrowdStrike Tech Center.

Visit the Tech Center