University of Chicago CrowdStrike Falcon


CrowdStrike Falcon is an antivirus and computer protection tool. This software works on all major operating systems (Windows, Mac OS, Linux) and on both computers and servers.

To learn more about CrowdStrike and receive answers to the most commonly asked questions, click on a topic from the list below:


What problem does CrowdStrike Falcon solve?

CrowdStrike Falcon replaces traditional antivirus software, which has been based largely on looking at signatures of malicious files and the reputation of websites. Security threats to IT infrastructure have evolved rapidly and have become very sophisticated, causing traditional antivirus to no longer be effective at protecting computers. To deal with these new threats, modern computer protection software, like CrowdStrike, employs new, data-driven approaches to identifying risks.

How does CrowdStrike Falcon protect a computer?

CrowdStrike protects a computer using several methods. Locally, it monitors the behavior of programs and users, looking for actions that should not be taking place during normal computer use. CrowdStrike also monitors the computer’s memory for file names, logged-in users, and the types of commands a computer runs. CrowdStrike also has its own information on attacks: CrowdStrike’s staff remotely monitors malicious activity and cyberattacks at thousands of different organizations, allowing for rapid identification of new threats. Neither the local nor the remote monitoring process reads the contents of files, emails, websites visited, or other work-related or personal information. (For more information about what CrowdStrike does do, please see below.)

Will CrowdStrike Falcon disrupt my work?

No. CrowdStrike Falcon requires an internet connection to be installed and works most effectively when the computer is connected to the internet. CrowdStrike also updates itself automatically without requiring your computer to shut down and restart.

Will CrowdStrike Falcon block my important software, or cause issues with my having large datasets or lots of files on my computer?

No. CrowdStrike Falcon does not read or access every file used on your computer. Certain programs that run in unusual ways may activate CrowdStrike’s automatic protections. There are a few ways to prevent critical software from being falsely flagged. Contact University Information Security at 773.702.CERT (2-2378) or security@uchicago.edu if you suspect an issue or have a question about compatibility.

What data does CrowdStrike Falcon access while protecting a device?

CrowdStrike Falcon records metadata about the behavior of a device, including:

  • File and program names but not contents
  • Network connections and website activity, but not what you are doing on that website
  • Commands run on the device, such as copying, deleting, renaming, or encrypting files
  • Usernames of accounts used on the device

How safe is the data collected by CrowdStrike Falcon?

The information collected by CrowdStrike Falcon is stored in a facility run by CrowdStrike using secure data centers hosted by Amazon Web Services. The University has contracted with CrowdStrike to require privacy and security of University information, including a HIPAA Business Associate Agreement for protected health information. No data collected by CrowdStrike is used for any other purpose than information security.

Who has access to the information CrowdStrike collects?

The University Information Security team, which oversees the management of the system, is the only group on campus that can access the recorded information. They may access the data collected by CrowdStrike under only two conditions: 1) when investigating a security incident; 2) as part of routine maintenance. Members of CrowdStrike’s incident response team can also access these data when assisting in the investigation of a security incident. Every action taken by CrowdStrike or by the University Information Security team, along with the name of the person taking the action, is recorded in a protected, unchangeable log.

CrowdStrike’s structure allows for precise control of permissions and access so that staff with specific roles in IT security can access only what their job requires. Divisional IT staff can view information for detected incidents on the devices CrowdStrike protects, but cannot see all the data CrowdStrike collects to generate alerts.

How long is this information stored?

The information on individual devices is stored for seven days. Data on devices that are monitored for extra risks, such as servers, can be stored for up to 31 days. Information about security incidents, such as when CrowdStrike blocks a dangerous program or file, can be kept for up to 90 days to assist with review and mitigation measures.

Will CrowdStrike Falcon slow down my internet connection, computer, or use a lot of data?

No. For most devices, it is estimated to use a few megabytes a day and between 1% and 5% of the CPU. It may use slightly more on a server or high-traffic device.

Can I install CrowdStrike Falcon on a personally-owned device?

The University offers a personal use version of CrowdStrike Falcon that provides essential next-generation antivirus protection, but it lacks some security and support features available in the enterprise edition, such as active monitoring of alerts by IT professionals. This version is intended for use on personally-owned computers and is available to faculty, students, and staff affiliated with the University of Chicago. Examples of intended use include student laptops and faculty/staff personal devices at home. Individuals who graduate or are no longer affiliated with the University must uninstall this version. Installation instructions are found at CrowdStrike for Personal Use.

What operating systems can it be installed on?

This software works on all major operating systems (Windows, Mac OS, Linux) and on both computers and servers. The University’s license does not cover iOS or Android mobile devices.

How do I know if CrowdStrike is installed and running?

Only your IT support professionals can determine if CrowdStrike is properly installed and running on your device. It does not advertise itself with an icon or taskbar popup.

Is there a cost to running CrowdStrike on my computers?

There is no additional cost to the individual or department. CrowdStrike Falcon is included in the IT Allocation.

Can I monitor what CrowdStrike Falcon is doing on my computer?

No. However, University Information Security and Divisional IT staff have a dashboard to view and respond to the activity of the CrowdStrike tool. Individual Divisional IT partners each have their own cloud dashboard to manage CrowdStrike deployments for the devices they support. Each Divisional IT team has access only to devices and servers they support. The dashboard allows University IT staff to see and respond to security issues within their own area of responsibility while allowing IT Services Information Security the ability to detect and respond to threats across the University.

What else can I do to reduce risk?

  • Configure all end-user computing devices used for university business to follow the instructions in the End-User Device Policy.
  • Ensure that all devices used for university business are backed up regularly. The University makes Code42 CrashPlan available to staff and faculty at no cost.

Where can I go to learn more about reducing device risk?

Consult with your IT support staff if you have any questions.