CrowdStrike Update Requires OIRT’s Feedback and Testing
Posted: November 15, 2024
Our endpoint protection solution, Falcon CrowdStrike EDR, has introduced several enhancements, and we would greatly value your participation in testing and providing feedback. We will begin enabling the new features for OIRT testing on November 18th at 9:00 AM, with testing concluding at the end of the day on December 15th.
These updates significantly improve our malicious file and activity detection capabilities while being designed to have minimal impact on users. If you notice any changes in CrowdStrike’s behavior during testing, complete the feedback form as soon as possible.
Even if you don’t observe any changes, we encourage you to report that as well before the testing period ends. The form may be submitted multiple times throughout the testing phase.
Thank you for supporting this important initiative to ensure a smooth rollout. If you encounter any technical issues during testing, please open a SAMI ticket for assistance.
Enhanced exploitation visibility:
Generates events for the following types of processes:
• Productivity applications, such as Microsoft Office and Adobe Acrobat Reader
• Google Chrome and Microsoft Internet Explorer
• Command-line interfaces, such as Command Prompt and PowerShell
Enhanced Machine Learning for larger files:
Expands Machine Learning’s file size coverage.
USB insertion-triggered scan:
Starts an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-Malware Detection levels in On-Demand Scans Machine Learning.
On-write script file visibility:
Provides improved visibility into various script files being written to disk, while obfuscating a portion of their content.
Quarantine on removable media:
Quarantines executable files after they’re prevented by Next-Gen AntiVirus (NGAV).
Microsoft Office file malicious macro removal:
When enabled, malicious macros in Microsoft Office files will be removed before the file is released on the host.
Vulnerable driver protection:
Quarantines and blocks the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10, Windows Server 2016, and later versions.
Extended user-mode data visibility:
Allows the sensor to generate additional data from a user-mode component loaded into eligible processes. Higher settings may incur greater performance penalties in exchange for increased visibility. Testing with critical applications is recommended before full deployment at a new level.
Cloud Anti-Malware for Microsoft Office files:
Identifies potentially malicious macros in Microsoft Office files. If prevention is enabled, the system either quarantines the file or removes the malicious macros before releasing the file back to the host.
Cloud-based anti-malware:
Uses cloud-based machine learning, informed by global executable analysis, to detect and prevent known malware for online hosts.
Cloud-based adware and PUP detection:
Uses cloud-based machine learning, informed by global executable analysis, to detect and prevent adware and potentially unwanted programs (PUP) for online hosts.
Sensor-based anti-malware:
For both offline and online hosts, uses sensor-based machine learning to identify and analyze unknown executables as they run, detecting and preventing malware.
Cloud-based anti-malware for on-demand scanning:
For online hosts running on-demand scans initiated by end users, uses cloud-based machine learning, informed by global executable analysis, to detect and prevent known malware.
Sensor-based anti-malware for on-demand scanning:
For both offline and online hosts running on-demand scans initiated by end users, uses sensor-based machine learning to identify and analyze unknown executables, detecting and preventing malware.
SAMI Support
If you have any questions or concerns, please visit SAMI Support, where you can request additional information from UTAC or search our extensive IT knowledge base. While SAMI Support provides the quickest and easiest access to IT support, you can always contact UTAC by phone at (973) 443-8822 or by email at fdutac@fdu.edu.