App Review CrowndStrike Falcon Endpoint Security

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Shadowra
Shadowra

Shadowra

Level 36
Thread author
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,586
Content source
https://odysee.com/@Shadowra:f/CrowndStrike-Falcon-Endpoint-Security:9
CrowndStrike Falcon is a U.S. company offering an enterprise security solution.
It is based on AI Machine Learning and EDR.
The software will analyze any unknown software in depth and will intercept suspicious behavior using rules.
It has been tested with the default rules.



Interface: 7/10

Falcon does not have a GUI mode interface. Everything is managed through an administration console.
The installation is very long and can be complex, you have to generate a token and then download the program and install it.
Then, no icon appears at the bottom of the time!
I had to look for a command to check if the antimalware was active. It is not very explicit, but the console is very complete!


Protection:10/10 Web / Fake crack 1/1 Remains 30 threats on 539 malware / PC Infected after Malware Pack

Falcon has excellent protection, that's a fact!
Its AI is very effective.
However, it seems to have a lot of trouble stopping some attacks, especially in JS and VBS!
When launching EXE applications, or PowerShell scripts, Falcon managed to block the attack. The same goes for attacks in OneNote.
But it did not block any attack in JS and VBS...
It's a pity because the machine ends up infected by AgentTesla and Vjworm which are present....

@ShenguiTurmi request
 
  • Like
  • +Reputation
  • Applause
Reactions: Viking, Behold Eck, Kongo and 17 others
ShenguiTurmi

ShenguiTurmi

Level 3
Well-known
Feb 28, 2023
126
Good test, but I want to make two points a bit clear.
The first is that there is no EDR. The authorization for testing in the video is the Falcon Pro I purchased, which only includes NGAV and threat intelligence information, as well as a limited number of sandboxes. A version fully equipped with EDR will cost more than twice the price of my version.
QQ截图20230320054402.png

(Falcon Elite has not listed a price on its official website, but they previously quoted me 185 USD/device/year. Given that their average price has increased by 30%, I believe the current price is 200 USD or more)

Another point is that enhanced detection for JS and VBS does not seem to be turned on (I checked my default policy...), and only a small portion of enhanced detection for PS is turned on
They have relatively high hardware requirements for memory payload detection. The basic condition is that the CPU supports Intel TDT (skylake or newer architecture and not supported any AMD cpu), and the device needs to have a GPU they support. This may be why memory detection did not take effect in this test.
Of course, I don't recommend buying crowdstrike because due to the high price.

Also, I observed something interesting.
This one, which is probably relevant to almost all "Next-Gen Antivirus", is that they are not really 100% machine learning based. I've encountered some samples in the real world that initially bypassed almost machine learning (including crowdstrike sensor based ML) and only saw single digit detections in Virustotal. But after a while, maybe the next day, you can find crowdstrike detecting them as cloud based ML, and I find it hard to believe that they were trained overnight for that, I tend to think it is a kind of hash pulling and then marking them as ML detections (after all, cloud ML models are not sent down to the user locally), this phenomenon is more than crowdstrike has, but also many other NGAVs, such as cynet sone cyberason cylance paloalto.
 
Last edited:
  • Like
  • Hundred Points
  • +Reputation
Reactions: simmerskool, Dave Russo, Andrew3000 and 9 others
ShenguiTurmi

ShenguiTurmi

Level 3
Well-known
Feb 28, 2023
126
Zero Knowledge said:
Awesome test. Really wanted to see Crowdstrike put through it's paces. Next other EDR/NDR? Maybe a revised AppGuard?
Click to expand...
There may not be much further to go, but they already have some very large customers, such as:

You are accessing an information system that is provided for use to the United States government and other customers. Unauthorized use of the information system is prohibited and may be subject to criminal and civil penalties. Information system usage may be monitored, recorded, and subject to audit to maintain system security and availability, and to ensure authorized usage. Any evidence of possible violations of authorized use or applicable laws may be turned over to law enforcement. Your use of the information system indicates consent to these terms, including such monitoring and recording.

Our ordinary users cannot log in to these special versions, and I don't know what the difference is between this and the one we use. I just found this address on their user documentation (and its availability zone is marked as US-GOV-1).
 
  • Like
  • Applause
Reactions: simmerskool, [correlate], roger_m and 3 others
Trident

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
ShenguiTurmi said:
I tend to think it is a kind of hash pulling and then marking them as ML
Click to expand...
This can be observed from all “Next-Gen AVs”. Static analyses is very expensive on performance, specially compared to signatures that tell the engine which portions to scan (start at byte x end at byte z and look for y). That’s why the aim is to pre-scan and classify everything in advance. Detections generated quickly from behavioural blocking, emulation and other telemetry-based approaches are mainly hash-based.
 
  • Like
  • +Reputation
  • Applause
Reactions: simmerskool, [correlate], roger_m and 3 others
Andrew3000

Andrew3000

Level 11
Verified
Top Poster
Malware Hunter
Well-known
Feb 8, 2016
537
ShenguiTurmi said:
Good test, but I want to make two points a bit clear.
The first is that there is no EDR. The authorization for testing in the video is the Falcon Pro I purchased, which only includes NGAV and threat intelligence information, as well as a limited number of sandboxes. A version fully equipped with EDR will cost more than twice the price of my version.
View attachment 273739
(Falcon Elite has not listed a price on its official website, but they previously quoted me 185 USD/device/year. Given that their average price has increased by 30%, I believe the current price is 200 USD or more)

Another point is that enhanced detection for JS and VBS does not seem to be turned on (I checked my default policy...), and only a small portion of enhanced detection for PS is turned on
They have relatively high hardware requirements for memory payload detection. The basic condition is that the CPU supports Intel TDT (skylake or newer architecture and not supported any AMD cpu), and the device needs to have a GPU they support. This may be why memory detection did not take effect in this test.
Of course, I don't recommend buying crowdstrike because due to the high price.

Also, I observed something interesting.
This one, which is probably relevant to almost all "Next-Gen Antivirus", is that they are not really 100% machine learning based. I've encountered some samples in the real world that initially bypassed almost machine learning (including crowdstrike sensor based ML) and only saw single digit detections in Virustotal. But after a while, maybe the next day, you can find crowdstrike detecting them as cloud based ML, and I find it hard to believe that they were trained overnight for that, I tend to think it is a kind of hash pulling and then marking them as ML detections (after all, cloud ML models are not sent down to the user locally), this phenomenon is more than crowdstrike has, but also many other NGAVs, such as cynet sone cyberason Cylance paloalto.
Click to expand...
How did you buy it? I tried, but the sales team doesn't give an answer because prob they only sell to companies. Thanks
 
  • Like
Reactions: [correlate], simmerskool, Trooper and 1 other person
cartaphilus

cartaphilus

Level 11
Verified
Top Poster
Well-known
Mar 17, 2023
503
That was exactly my experience with crowdstrike...hence I was soo freaking amazed that soo many lvl 1 corporations were employing crowdstrike as their go to security solution. I mean they are not great but not horrible. They are 3.5 Roentgens of edge security solutions.
 
  • Like
Reactions: [correlate], simmerskool and Shadowra

Similar threads

Shadowra
    • Like
    • +Reputation
    • Thanks
App Review SentinelOne Endpoint 2024
Replies
10
Views
1,133
Video Reviews - Security and Privacy
Kongo
Kongo
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review CheckPoint Harmony Endpoint Security 2024
Replies
40
Views
3,304
Video Reviews - Security and Privacy
Vitali Ortzi
Vitali Ortzi
Shadowra
    • +Reputation
    • Like
    • Thanks
App Review Trend Micro Worry-Free XDR Endpoint Security 2024
Replies
14
Views
1,080
Video Reviews - Security and Privacy
Khushal
Khushal

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top