How machine learning on the Falcon sensor provides better protection
CrowdStrike is a cloud company. However, this doesn’t mean that in order to be protected one needs to be connected to the internet.
While connected to the internet, I’ll run this known malware sample from the command prompt in my test environment. It blocked the malware, as shown by the “Access is denied” message.
Now if we look at this event in the Falcon UI, we can see the process tree, which shows the same sample being run from the command prompt. Underneath that is the reason for the block, in this case machine learning. On the right-hand side, we can get additional information about this event.
Here we see the sample has been identified as malicious by 36 other AV engines. But the purpose of this demo isn’t to illustrate Falcon stopping known malware while connected to the internet.
So let’s run this sample again, only this time we’ll illustrate the benefit of having machine learning on the sensor by disconnecting our host from the internet. And then, just so we know the sensor isn’t relying on a hash lookup or reputation, I’ll use a hex editor to slightly modify the file so as to change its hash but not its behavior.
I’ll also run the file in two different ways: first by double-clicking it, and then from the command prompt, similar to the first time.
Notice that on the double-click I receive a permission error, and then on the command prompt another “Access is denied” message. To see these events in the UI, I’ll need to enable my network adapter and then wait a few seconds so events can be reported from the test environment back to the Falcon UI.
Back in the UI, we can see a new alert. Deeper inspection shows us both attempts: one from the explorer.exe process and the other from the command.exe process.
We can also see that the altered file doesn’t match any of the other AV detection engines on the right side, where previously we saw 36 detections. With machine learning on the sensor, customers receive the same benefit of world-class protection even when offline.