How to confirm CrowdStrike Falcon sensor is installed


Introduction

Since the CrowdStrike Falcon sensor is intended to be unobtrusive to the user, knowing if it's been installed may not be obvious. This document provides details to help you determine whether or not CrowdStrike Falcon is installed and running for the following OS. 

  • Windows
  • MacOS
  • Linux

Note: CrowdStrike Falcon sensor is only licensed to be installed on university owned devices.  It should not be installed on personally owned devices.  Contact unit IT for installation assistance.

 

 

Instructions

Windows

Windows (GUI): Method 1

  1. Look for the CrowdStrike Falcon system tray icon (usually in the lower right corner of your display screen).
    ""
  2. It may be necessary to click the arrow (^) to show hidden icons.
    ""
  3. If the system tray icon is present, CrowdStrike Falcon is installed.

Windows (GUI): Method 2

  1. Right-click on the Start button, (often in the lower-left corner or lower center of the screen). Select "Installed Apps".
    Windows 11 right-click Start Menu
  2. In the new window that opens, scroll down until you locate "CrowdStrike Windows Sensor" in the list of installed apps.  Alternatively, in the search bar at the top, type in "CrowdStrike" to filter the list of installed apps.
    Windows 11 Installed Apps -- CrowdStrike Sensor
  3. If you cannot find an entry for "CrowdStrike Windows Sensor", CrowdStrike is NOT installed.

Windows (GUI): Method 3

  1. Press Ctrl + Shift + Esc to bring up Task Manager.
  2. Go to the Services tab.
  3. Look for: CSFalconService in the services list under the "Name" column with a status of "Running".
    "" 

Windows (command line)

  1. Open command prompt.
  2. Run the following command:  sc query csagent
  3. If you see "STATE: 4 RUNNING", CrowdStrike Falcon is installed and running.
    Windows 11 command prompt CrowdStrike Sensor output

Mac OS

MacOS (GUI): Method 1

  1. Go to your Applications folder and look for the Falcon application.  Note: If you cannot find the Falcon application, CrowdStrike is NOT installed.
    MacOS Applications folder -- Falcon app
  2. Locate the Falcon app and double-click it to launch it.
  3. The application should launch and display status information.
    MacOS Falcon status information

MacOS (GUI): 

  1. Press Command + Space.
  2. Type Activity Monitor.
  3. Search for "falcon".
  4. If you see "falcon" this indicates the Falcon sensor is installed and running.

MacOS (command line)

  1. Open a Terminal window.
  2. Run the following command:  /Applications/Falcon.app/Contents/Resources/falconctl info
  3. If Terminal displays command not found, Crowdstrike is not installed.

Linux

Linux (command line) -- method 1

  1. Open a terminal window.
  2. Run the following command:  sudo systemctl status falcon-sensor
  3. If installed and running, you’ll see:  Active: active (running)

Linux (command line) -- method 2

  1. For RHEL / Rocky / Alma, run the following command:  rpm -qa | grep falcon
  2. For Ubuntu / Debian, run the following command:  dpkg -l | grep falcon
  3. If installed, you’ll see:  falcon-sensor

Linux (command line) -- method 3

  1. Open a terminal window.
  2. Run the following command:  sudo /opt/CrowdStrike/falconctl -g --version
  3. If it returns a version number, Falcon is installed.

Linux (command line) -- method 4

  1. Open a terminal window.
  2. Run the following command:  ps -e | grep falcon-sensor
  3. If you see a result similar to the following, CrowdStrike Falcon is installed and running (the process ID number will vary): 6781 ?        00:31:59 falcon-sensor