CrowdStrike Exception
To create an exception to allow Sensor to be installed on a laptop/desktop running CrowdStrike Falcon (EDR - Endpoint Detection and Response), you'll need to create a custom exclusion policy. CrowdStrike allows you to create exceptions or exclusions for specific applications, processes, or paths that might trigger false positives.
Steps to Create an Exception in CrowdStrike Falcon EDR
- Log in to the CrowdStrike Falcon Console:
  - Go to the CrowdStrike Falcon console.
  - Use your credentials to log in.
- Navigate to the Policy Section:
  - Once logged in, click on the Configuration tab on the left-hand menu.
  - Under the Configuration menu, click on Prevention Policies.
- Select the Appropriate Policy:
  - Choose the policy that applies to the endpoints you want to create an exception for. Click on the policy to edit it.
- Go to the Exclusions Tab:
  - Within the policy settings, navigate to the Exclusions tab.
  - Here, you can add new exclusions for paths, certificates, hashes, or processes.
- Add a Custom Exclusion:
  - To exclude the authentication product, you can either add a file path exclusion, process exclusion, or a certificate exclusion, depending on the behavior that is triggering the false positive.
  - File Path Exclusion: If CrowdStrike is flagging specific files from the authentication product, you can add the path where the product is installed.
    - Example: C:\Program Files\AuthProduct\
  - Process Exclusion: If the product uses specific processes that CrowdStrike flags, you can add them.
    - Example: AuthProduct.exe
  - Certificate Exclusion: If the product is signed by a trusted certificate, you can exclude it by certificate.
- Save and Apply the Policy:
  - After adding the necessary exclusions, save the policy.
  - Ensure that the policy is applied to the relevant groups or systems in your organization.
- Test the Exception:
  - Verify that the exception works by testing the functionality of the authentication product after the policy has been updated.
  - Monitor for any false positives and adjust the exclusions as necessary.
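Before entering the path and process exclusions from the steps above, the proposed entries can be reviewed for scope. The following is an added example, not part of the original page and not a CrowdStrike tool: the function names, the list of user-writable locations and the sample entries are assumptions made for illustration, and it does not call any CrowdStrike API.

```python
from pathlib import PureWindowsPath

# Assumption: top-level locations a standard user can commonly write to on Windows.
USER_WRITABLE = ("users", "programdata", "temp", "tmp", "windows\\temp")


def review_exclusion(kind, value):
    """Return findings for one proposed exclusion; an empty list means none."""
    v = value.strip()
    if kind == "process":
        # A bare image name does not say where the binary lives;
        # a copy placed elsewhere would carry the same name.
        if "\\" not in v and "/" not in v:
            return ["process given by name only; record the full install path"]
        return []
    if kind != "path":
        return ["unknown exclusion kind"]
    findings = []
    p = PureWindowsPath(v)
    # Folder components below the drive root, lower-cased for comparison.
    parts = [x.lower() for x in p.parts[1:]] if p.anchor else []
    if not p.drive or not p.root:
        findings.append("path is not absolute")
    if len(parts) < 2:
        findings.append("path is too shallow; exclude the product folder only")
    if any(ch in v for ch in "*?"):
        findings.append("wildcard widens the exclusion")
    rel = "\\".join(parts)
    if any(rel == w or rel.startswith(w + "\\") for w in USER_WRITABLE):
        findings.append("location is commonly user-writable")
    return findings


def review_all(entries):
    """Map each (kind, value) entry to its findings."""
    return {(k, v): review_exclusion(k, v) for k, v in entries}


if __name__ == "__main__":
    # Constructed sample entries; the first two are the examples from this page.
    proposed = [
        ("path", "C:\\Program Files\\AuthProduct\\"),
        ("process", "AuthProduct.exe"),
        ("path", "C:\\Users\\Public\\AuthProduct\\"),
        ("path", "C:\\Program Files\\*"),
    ]
    for (kind, value), findings in review_all(proposed).items():
        print(f"{kind:8} {value:40} {'; '.join(findings) or 'no finding'}")
```

An entry with no finding is only narrowly scoped on paper; the test and monitoring steps above still apply after the policy is saved.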