App Review: CrowdStrike Falcon Endpoint Security

Content created by Shadowra (thread author, Malware Tester)
CrowdStrike Falcon is a U.S. company offering an enterprise security solution.
It is based on AI/machine learning and EDR.
The software analyzes any unknown software in depth and intercepts suspicious behavior using rules.
It has been tested with the default rules.



Interface: 7/10

Falcon does not have a GUI; everything is managed through an administration console.
The installation is very long and can be complex: you have to generate a token, then download the program and install it.
Then, no icon appears at the bottom of the screen!
I had to look for a command to check whether the antimalware was active. It is not very explicit, but the console is very complete!


Protection: 10/10 | Web / fake crack: 1/1 | Malware pack: 30 threats remaining out of 539 / PC infected after the malware pack

Falcon has excellent protection, that's a fact!
Its AI is very effective.
However, it seems to have a lot of trouble stopping some attacks, especially in JS and VBS!
When launching EXE applications or PowerShell scripts, Falcon managed to block the attack. The same goes for attacks in OneNote.
But it did not block any attack in JS or VBS...
It's a pity, because the machine ends up infected by AgentTesla and Vjworm, which are present....

@ShenguiTurmi request
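The command Shadowra had to hunt for, as an added example that is not part of the post and not CrowdStrike's own code: a PowerShell check for whether the Falcon sensor is actually active on a Windows host. It assumes the sensor's kernel driver registers as the service `csagent`, the user-mode service is `CSFalconService`, and the driver binary sits under `C:\Windows\System32\drivers\CrowdStrike\`; the `WindowsSensor.exe ... CID=<your-CID>` line in the comment is the silent-install form the "generate a token, then install" step refers to, with the CID taken from the Falcon console. Verify those names against your own sensor version.

```powershell
# Added example (not from the post or from CrowdStrike): is the Falcon sensor active on this Windows host?
# Assumptions, to be verified against your sensor version:
#   - kernel driver service name 'csagent'
#   - user-mode service name 'CSFalconService'
#   - driver file at %SystemRoot%\System32\drivers\CrowdStrike\csagent.sys
# The silent install that the "token" step leads to (CID = customer ID from the Falcon console):
#   .\WindowsSensor.exe /install /quiet /norestart CID=<your-CID>

function Test-FalconSensor {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Kernel driver: the component that actually intercepts process/file activity.
    #    sc.exe prints a 'STATE : 4 RUNNING' line when the driver is loaded.
    $scOutput = & sc.exe query csagent 2>&1
    $driverRunning = ($LASTEXITCODE -eq 0) -and (($scOutput -join "`n") -match 'STATE\s*:\s*4\s+RUNNING')
    if (-not $driverRunning) { $findings.Add('csagent driver is not running (sc.exe query csagent)') }

    # 2. User-mode service: cloud connection, policy application, telemetry upload.
    $svc = Get-Service -Name CSFalconService -ErrorAction SilentlyContinue
    $serviceRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    if (-not $serviceRunning) { $findings.Add('CSFalconService is not installed or not running') }

    # 3. Driver on disk (assumed path): separates "stopped" from "never installed".
    $driverPath = Join-Path $env:SystemRoot 'System32\drivers\CrowdStrike\csagent.sys'
    $driverOnDisk = Test-Path -LiteralPath $driverPath
    if (-not $driverOnDisk) { $findings.Add("driver file not found at $driverPath") }

    [pscustomobject]@{
        DriverRunning  = $driverRunning
        ServiceRunning = $serviceRunning
        DriverOnDisk   = $driverOnDisk
        Active         = ($driverRunning -and $serviceRunning)
        Findings       = $findings.ToArray()
    }
}

$status = Test-FalconSensor
if ($status.Active) {
    Write-Host 'Falcon sensor is active: csagent driver loaded and CSFalconService running.'
} else {
    Write-Warning ('Falcon sensor is NOT fully active: ' + ($status.Findings -join '; '))
    exit 1
}
```

The non-zero exit code makes the check usable from a deployment or compliance script. Note that a running sensor only says the agent is present; which prevention settings (for example enhanced script detection) apply to the host is decided by the policy assigned in the console, not by anything visible locally.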
 

ShenguiTurmi:
Good test, but I want to make two points a bit clear.
The first is that there is no EDR. The license used for testing in the video is the Falcon Pro I purchased, which only includes NGAV and threat intelligence information, as well as a limited number of sandbox submissions. A version fully equipped with EDR will cost more than twice the price of my version.

(Falcon Elite has not listed a price on its official website, but they previously quoted me 185 USD/device/year. Given that their average price has increased by 30%, I believe the current price is 200 USD or more)

Another point is that enhanced detection for JS and VBS does not seem to be turned on (I checked my default policy...), and only a small portion of enhanced detection for PS is turned on.
They have relatively high hardware requirements for memory payload detection. The basic condition is that the CPU supports Intel TDT (Skylake or newer architecture; no AMD CPU is supported), and the device needs to have a GPU they support. This may be why memory detection did not take effect in this test.
Of course, I don't recommend buying CrowdStrike, due to the high price.

Also, I observed something interesting.
This one, which probably applies to almost all "Next-Gen Antivirus" products, is that they are not really 100% machine-learning based. I've encountered some samples in the real world that initially bypassed almost all machine learning (including CrowdStrike's sensor-based ML) and only had single-digit detections on VirusTotal. But after a while, maybe the next day, you can find CrowdStrike detecting them as cloud-based ML, and I find it hard to believe that they were retrained overnight for that. I tend to think it is a kind of hash pulling, then marking them as ML detections (after all, cloud ML models are not sent down to the user locally). This phenomenon is not limited to CrowdStrike; many other NGAVs show it too, such as Cynet, SentinelOne, Cybereason, Cylance and Palo Alto.

ShenguiTurmi:

Quote: "Awesome test. Really wanted to see CrowdStrike put through its paces. Next other EDR/NDR? Maybe a revised AppGuard?"

There may not be much further to go, but they already have some very large customers, such as:

You are accessing an information system that is provided for use to the United States government and other customers. Unauthorized use of the information system is prohibited and may be subject to criminal and civil penalties. Information system usage may be monitored, recorded, and subject to audit to maintain system security and availability, and to ensure authorized usage. Any evidence of possible violations of authorized use or applicable laws may be turned over to law enforcement. Your use of the information system indicates consent to these terms, including such monitoring and recording.

Ordinary users like us cannot log in to these special versions, and I don't know what the difference is between this and the one we use. I just found this address in their user documentation (and its availability zone is marked as US-GOV-1).

Trident:

Quote: "I tend to think it is a kind of hash pulling and then marking them as ML"

This can be observed from all "Next-Gen AVs". Static analysis is very expensive in performance, especially compared to signatures that tell the engine which portions to scan (start at byte x, end at byte z, and look for y). That's why the aim is to pre-scan and classify everything in advance. Detections generated quickly from behavioural blocking, emulation and other telemetry-based approaches are mainly hash-based.