CrowdStrike Falcon® Prevent FAQ
To Learn More about the Falcon Prevent Free Trial, visit the FAQ page here.
As the name implies, Falcon Prevent is the prevention module of the Falcon endpoint protection platform. Falcon Prevent provides comprehensive and proven prevention against malware and malware-free attacks, whether endpoints are online or offline. Its extensive next-generation antivirus (NGAV) capabilities include the ability to identify known malware; machine learning for unknown malware; exploit blocking; and exclusive indicator of attack (IOA) behavioral techniques. In addition to preventing malicious execution, for organizations that require on-demand scan capabilities, Falcon Prevent allows organizations to scan for dormant malware artifacts through on-demand scans. Falcon Prevent allows organizations to confidently replace their existing legacy AV solution with a comprehensive solution that includes real-time visibility and provides the context for all threat activity.
An IOC is a piece of evidence or artifact left behind after something has happened. An IOA is a series of actions or behaviors that an adversary employs to achieve his goal. The use of IOCs has been the traditional focus of endpoint detection, but modern adversaries have adapted to more easily evade IOC sweeps. In a forensics investigation, IOCs are the evidence that proves a network’s security has been breached. Unfortunately, by the time the IOC is discovered, the network likely has been compromised. Conversely, IOAs reflect a series of actions the attacker must perform in order to be successful. They are a set of actions that are required for any tool or technique to accomplish common attacker behaviors like code execution, persistence, command and control (C&C), and lateral movement. An effective IOA approach not only collects and analyzes exactly what is happening on the organization’s systems and networks, it does so in real time, preventing the malicious activity from being successful.
AI-powered IoAs are generated by powerful machine learning models in the cloud that continuously learn from threat intelligence to identify and protect against emerging classes of attack. These models continuously analyze event streams from the endpoint to issue IoAs to the Falcon agent, enabling the most up-to-date protection enforcement on the sensor.
Yes, the lightweight Falcon agent that runs on each endpoint includes all the prevention technologies required to protect the endpoint, whether it is online or offline. Those technologies include machine learning to protect against known and zero-day malware, exploit blocking, hash blocking and CrowdStrike’s behavioral artificial intelligence heuristic algorithms, known as Indicators of Attack (IOAs).
Absolutely, customers can and have replaced their AV with Falcon Prevent. CrowdStrike Falcon® is the only cybersecurity vendor that Gartner, Forrester and IDC have all recognized as a leader in modern endpoint security. CrowdStrike Falcon® consistently performs well across 3rd party tests including SE Labs, AV Comparatives, and AV-Test. For example, CrowdStrike is AV Comparatives approved, with a 99.2 percent malware block rate, and zero business false positives. In addition, the Falcon platform meets the compliance standards of PCI DSS Requirement No. 5 (“Protect all systems against malware and regularly update antivirus software or programs”).
Falcon Prevent is better than legacy anti-malware products in three ways. First, it provides better protection against all threat vectors, not just malware — even when endpoints aren't connected to the internet. Second, Falcon Prevent is fully operational in seconds, with no need for signatures, no fine-tuning, and no infrastructure costs. Falcon Prevent delivers immediate time-to-value and unmatched prevention from the get-go. And finally, Falcon Prevent offers improved performance with virtually zero impact on the endpoint — from initial installation through ongoing daily use.
- Signature-less malware protection: Falcon Prevent does not rely on signatures. This frees security teams from having to deploy virus definition update files to all endpoints on a daily basis.
- Machine learning: Falcon Prevent leverages machine learning to identify and block malware. Machine learning is particularly effective at stopping new, polymorphic or obfuscated malware, which is often missed by legacy AV solutions.
- Indicators of Attack (IOAs): Falcon Prevent uses IOAs to identify threats based on behavior, regardless of malware or tools used. Understanding the sequences of malicious behavior allows Falcon Prevent to stop attacks that go beyond malware. Examples include protection against lateral movement, webshell attacks and fileless attacks.
- Advanced Memory Scanning: Falcon Prevent eliminates blindspots with high performant memory scans, removing the performance constraints of traditional memory scanning, leaving malware-free threats nowhere to hide.
- Exploit protection: Falcon Prevent includes exploitation protection to harden systems against attempts to exploit vulnerable applications (e.g. Adobe Flash, Java and Microsoft Silverlight).
- Threat intelligence integration: Events can be contextualized by integrated threat intelligence, providing details on the attributed adversary and any other information known about the attack.
Malware-free attacks are attacks that evade detection by eliminating, or drastically limiting, storing binaries on disk. In the past, malware attacks typically involved use of malicious program files that can do harm when executed. As a result, security programs were built to scan files and detect if they were malware or not. But in order to evade such scans, adversaries created attack techniques that don’t use files on disk. They can, for example, hijack a perfectly non-malicious program and get it to send malicious commands directly into the memory of the system. These techniques evade legacy security solutions and any security products focused solely on detecting malware.
Falcon Prevent uses Machine Learning to immediately block both known and unknown malware. In addition, Falcon Prevent can stop other threats, such as malware-free attacks, or malicious activities that start further down the attack chain by using Indicators of Attacks (IOAs), advanced memory scanning and other techniques. For example, Falcon Prevent can see and stop attackers that use legitimate applications to perform malicious actions in memory, which is a widespread attack technique. In such cases, there is no file execution to stop before the attack starts. Malware-focused solutions would miss that. That’s why attackers employ these techniques. The key is to stop the adversary before they achieve their objectives, such as stealing data or encrypting drives. Falcon works before the attack starts and on-the-fly in real time.
Yes, Falcon Prevent uses an array of complementary prevention and detection methods to protect against ransomware, including the following:
- Blocking of known ransomware
- Exploit blocking to stop the execution and spread of ransomware via unpatched vulnerabilities
- Machine learning for detection of previously unknown zero-day ransomware
- Indicators of Attack (IOAs), advanced memory scanning and other techniques identify and block additional unknown ransomware, and also new categories of ransomware that don’t use files to encrypt victims’ data
Falcon Prevent provides great flexibility for such use cases. Falcon can run side-by-side with the customer’s current AV, as long as only one is chosen to handle malware blocking so they don’t compete for file access. Falcon Prevent makes it easy by allowing the customer to configure machine learning, CrowdStrike’s anti-malware technology, in detection mode only. One useful feature of Falcon in this scenario is that it will still show the malware it detects, and allow the user to see if another solution missed it. If the other solution includes a detection-only mode, the user can choose to put it in detection mode, while allowing Falcon to detect and prevent.
Customers do not need to deploy any infrastructure for Falcon Prevent. Falcon Prevent uses the Falcon Platform, which is built on 100 percent cloud architecture. This allows customers to be protected faster and drives down total cost of ownership (TCO) by eliminating on-premises hardware acquisition, deployment and maintenance. Cloud-based security also makes it impossible for the attacker to acquire the CrowdStrike technology in an attempt to tamper with or discover bypasses for it. Any time the attacker tries to defeat Falcon Endpoint, those attempts are seen by CrowdStrike. This also allows CrowdStrike to see more of the threat landscape. This broader vision gives Falcon more data to analyze and this, in turn, improves CrowdStrike’s overall protection capabilities.
Falcon is licensed on a subscription basis per endpoint. For more information please contact us.