How to Prevent Malware with CrowdStrike Falcon®
Hi there. In this video, we’re going to see how to prevent malware with Falcon. The Falcon platform uses multiple methods to prevent and detect malware. Those methods include machine learning for on and offline protection, exploit blocking, indicators of attack, and blacklisting. This unique and integrated combination allows Falcon to protect against known malware, unknown malware, and fileless malware. Let’s see how to configure some of those features.
In the user interface, we need to go to the prevention settings. You can configure prevention features in the configuration app. Once in the app, make sure that you’re in the prevention policies section. Please note that you need admin privileges to configure the prevention policies. Also note that configuration changes are almost immediate; it only takes a couple of seconds for them to be updated on the endpoints. We’ll start out by configuring machine learning on the sensor. Machine learning allows Falcon to block malware without using signatures. Instead, it relies on mathematical algorithms to analyze files. Enabling this on the sensor protects the host even when it is not connected to the internet. File attribute analysis applies machine learning to the file metadata, while static file analysis analyzes features extracted from the executable files themselves.
Notice that you can set up independent levels for detection and prevention. So you could, for example, choose to receive detection alerts for any suspicious file, even one that is only slightly suspicious, by selecting aggressive, while choosing to automatically prevent a file only when the machine learning is very sure that it is malicious, by selecting cautious. To edit those settings, choose the level you want on the slider itself.
You can set prevention and detection separately to disabled, cautious, moderate, or aggressive. Logically, though, the detection setting always has to be at least as strong as the prevention setting. When you’re done, click Save. This is what a machine learning block looks like in the Falcon user interface.
The Falcon machine learning engine is great at blocking known and unknown malware. But malware does not always come in the form of a file that can be analyzed by machine learning. Malware can be deployed directly into memory by using exploit kits. This is why Falcon also includes an exploit blocking function. Each of the exploit protections can be turned on or off in the same window as the machine learning configuration. To turn an exploit mitigation on or off, just slide the toggle for the mitigation you want to change. In our example, we have Force ASLR, Force DEP, and Heap Spray Preallocation all enabled. The toggle is green when the feature is enabled. If you want to disable the prevention for an exploit mitigation, slide the toggle to the left, confirm that you want to disable it, then save.
Here’s an example of an exploit blocking detection in the user interface. Exploit blocking provides another layer of protection, but it may not be sufficient at times, because some fileless malware does not use an exploit kit. Ransomware, for example, includes some fileless attacks that do not use exploits. This is why Falcon Host also uses indicators of attack, or IOAs, to protect systems. IOAs look across both legitimate and suspicious activities and detect stealthy chains of events that indicate malware infection attempts.
Because most IOAs also prevent attacks that do not use malware, they are enabled at all times. But some, such as the adware, ransomware, and other specific IOAs, can be configured. You can enable or disable them in the current window by sliding the toggles, just like we did for exploit blocking. Now we can see another block. Only this time, Falcon identified the activity and associated it with Chopper Web Shell, a remote access tool.
Finally, there are cases when you might want to block some applications because you’re certain that you never want them to run in your environment. Falcon Host allows you to upload hashes from your own blacklist or whitelist. First, we need to make sure that custom blacklisting prevention is enabled. For that, let’s go back to the settings page and check. In our case, it’s already enabled, but if it were not, you could just use the toggle to enable it.
Next, I’ll grab a hash from one of our earlier detections. Files on a blacklist will automatically be prevented from running anywhere in the organization. To upload that hash, we’ll go back to the configuration app, then to the prevention hashes section. Once there, we’ll select the upload icon on the right-hand side. If you want to upload more hashes later, click the same upload icon in the upper right-hand corner of the window.
Now that the hash has been imported, we need to tell Falcon whether we want to blacklist or whitelist it. In this case, we’re going to blacklist it. For that, we check the hash and assign the “always block” policy; choosing “never block” would instead whitelist the file. Then click Apply. Now we can see that the always block policy is assigned to this hash. We can verify that the hash has been uploaded by using the faceted search criteria at the top.
But since I still have the hash on my clipboard, I’ll just paste it and search. The results include the newly uploaded hash and the associated details. In this situation, we can see the vendor, version, and other AV hits associated with the hash. Here’s a detection based on a blocked hash. You can see it was blocked because of policy and that the file has been quarantined.
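The two configuration rules walked through above, the detection slider having to be at least as strong as the prevention slider and the custom hash policy (always block / never block) taking precedence over machine learning, can be modelled as a small policy evaluator. This is an added example written for this transcript, not CrowdStrike code; the score thresholds per slider level and the sample hashes are constructed assumptions, and the real sensor's scoring is not public.

```python
import hashlib
from enum import IntEnum


class Level(IntEnum):
    """Slider positions from the video, ordered from weakest to strongest."""
    DISABLED = 0
    CAUTIOUS = 1
    MODERATE = 2
    AGGRESSIVE = 3


# Assumed, constructed thresholds: the minimum ML maliciousness score (0.0-1.0)
# at which a slider level fires. Aggressive flags mildly suspicious files,
# cautious only fires when the engine is very sure.
THRESHOLD = {Level.CAUTIOUS: 0.90, Level.MODERATE: 0.70, Level.AGGRESSIVE: 0.40}


def validate_policy(detection: Level, prevention: Level) -> bool:
    """Detection must be at least as strong as prevention; otherwise a file
    could be blocked without ever producing a detection to investigate."""
    if detection < prevention:
        raise ValueError(f"detection {detection.name} weaker than prevention {prevention.name}")
    return True


def level_fires(level: Level, score: float) -> bool:
    return level != Level.DISABLED and score >= THRESHOLD[level]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate(file_hash: str, ml_score: float, detection: Level, prevention: Level,
             hash_policy: dict, custom_blocking_enabled: bool = True) -> str:
    """Return 'prevent', 'detect' or 'allow'. The custom hash policy is consulted
    first: 'always block' prevents regardless of ML, 'never block' whitelists."""
    validate_policy(detection, prevention)
    policy = hash_policy.get(file_hash)
    if policy == "always block" and custom_blocking_enabled:
        return "prevent"
    if policy == "never block":
        return "allow"
    if level_fires(prevention, ml_score):
        return "prevent"
    if level_fires(detection, ml_score):
        return "detect"
    return "allow"


# Constructed sample inputs, not real file hashes.
KNOWN_BAD = sha256_hex(b"constructed: known-bad sample")
TRUSTED_TOOL = sha256_hex(b"constructed: trusted admin tool")
HASH_POLICY = {KNOWN_BAD: "always block", TRUSTED_TOOL: "never block"}
```

Note that "never block" short-circuits the machine learning verdict entirely, which is why whitelisting a hash is a stronger statement than simply lowering the slider.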
In conclusion, Falcon Host uses an array of methods for malware prevention that protects you against known malware, unknown malware, and fileless malware. Those methods include machine learning (both on and offline), exploit blocking, indicators of attack, and blacklisting. Falcon uniquely combines these powerful methods in an integrated approach that protects more effectively against most malware and breaches. To get more information or to request a demo, check us out at crowdstrike.com.