How to Replace Traditional AV With CrowdStrike

In this video, we’ll demonstrate that CrowdStrike’s Falcon products have been certified to integrate with Microsoft’s Security Center. We’ll also walk through how to uninstall a traditional AV vendor to replace them with CrowdStrike’s NextGen AV capabilities.

Read Video Transcript

How to Replace Your AV with CrowdStrike Falcon®

CrowdStrike offers additional visibility and EDR capability beyond what most traditional AV solutions can offer. This made Falcon an attractive solution to run alongside other AV products. To make the product more flexible and meet the needs of customers, Falcon offers AV, EDR, IT Hygiene, and Intel solutions, either as standalone products or as a bundle. In this situation, we have a traditional AV product installed with CrowdStrike. This scenario is great for those who may still be under contract with our existing solution but would like to add CrowdStrike’s market-leading EDR solution for additional visibility.

We can clearly see that an AV solution is installed on this host. And the same host is also in the Falcon console. But I’d like to point out an important detail. In the policy page, we have a policy called Detect Mode. And looking at the details of this policy, only the detection capabilities are enabled. This is important because of Falcon’s prevention capabilities.

If there are two AV solutions on the same host, both with prevention or blocking capabilities, this may create a raised condition that may cause problems. In this situation where you’d like to replace an existing solution, the recommended order is to install Falcon with a detect-only policy, then uninstall the old AV solution. In this case, I’m just going to the programs and features section, then uninstall to remove a program and remove the old solution.

In most cases, a reboot is required after the old solution has been uninstalled. Once the host is up, we’ll go back to the Falcon UI and into the detect mode policy. Toward the top of the page, there is a current members tab where we could see the members of the policy and also remove them by selecting the system, and then the unassigned from policy button.

Once that has been completed, add it to your desired policy. In this case, I have chosen the platform default to visually inspect that the system has been correctly assigned. Select your desired policy and then the current members tab toward the top. You can filter by hostname at the top or use the faceted search criteria provided. In our case, the host is the first in the list. Back on the host itself, opening the Action Center, we can roll down and see that CrowdStrike is now listed as the virus and spyware protection. For more information, check us out at crowdstrike.com.

Tech Hub

  • OS icon
  • deployment icon
  • installation icon

For technical information on installation, policy configuration and more, please visit the CrowdStrike Tech Hub.

Visit Tech Hub