Malwarebytes Remediation for CrowdStrike allows you to scan your CrowdStrike Falcon® endpoints. Once you have queried for endpoints, initiate a scan by following the steps below.
Setup and initiate a scan
- Check the boxes next to the endpoints you want to scan.
- In the Scan type area, choose one of the following options:
- Hyper: Focuses only on Memory Objects and Heuristics to determine if malware is actively running on the endpoint.
- Threat: Focuses on the common paths that infections target for installation.
- Full: Focuses on all of the device's drives. This is the longest and most thorough scan type.
- In the Scan options area, check any of the boxes to define your scan parameters. Your options are:
- remove: The scanner will quarantine malware, PUPs and PUMs found during the scan. If both remove and noreboot parameters are enabled, and the scan detects threats during execution, a warning message displays after the scan completes to notify the endpoint user a reboot is required to remove the threat(s).
- noarchive: By default, the contents of archives (zip, rar, etc.) are scanned. Enable this option to disable archive scanning.
- useExpert: Enable this option for the scan to use aggressive detection technology based on AI expert-system algorithms.
- noreboot: Prevents the endpoint(s) from automatically rebooting after the scan detects threats that normally require reboots to quarantine (only used when remove is checked).
- ignorepu: Ignore all Potentially Unwanted Programs (PUPs) and Potentially Unwanted Modifications (PUMs) that may be installed on the target endpoint.
- ark: Enables Anti-rootkit scanner functionality to be used during the scan. Any rootkits found are removed if remove is enabled.
- lowimpact: Low impact scans run at a lower system priority, minimizing their impact on foreground system activity. Scans with this option enabled may take longer to complete than scans without it.
- In the Malwarebytes License Key field, enter your Malwarebytes Remediation for CrowdStrike license key found in your purchase email.
- Click Scan to start the scan.
- The Scan status column displays the status of the scan in real time. Click the scan status of an endpoint to view progress and results of the scan. Results display in JSON format.
If you ran the scan without enabling any Scan options, then the scan only reports results. If threats are discovered, you can run a subsequent scan with remove enabled to quarantine the threats.
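The Scan options above interact: noreboot and ark only change the outcome when remove is also enabled, and a scan with no options is report-only. The following added example (not part of the Malwarebytes product or its API; option and scan-type names are taken from this page) encodes those dependencies so an operator can preview what a chosen option set will do before clicking Scan.

```python
"""Preview the effect of a Malwarebytes Remediation for CrowdStrike option set.

Added example: encodes the option dependencies described on this page
(remove / noreboot / ark / ignorepu / noarchive / report-only). It is not
the product's own code and does not talk to the Falcon console.
"""

# Scan types and Scan options exactly as listed in the console.
SCAN_TYPES = {"Hyper", "Threat", "Full"}
VALID_OPTIONS = {"remove", "noarchive", "useExpert", "noreboot",
                 "ignorepu", "ark", "lowimpact"}


def plan_scan(scan_type: str, options: set[str]) -> dict:
    """Return the expected behaviour and any warnings for this option set."""
    unknown = options - VALID_OPTIONS
    if unknown:
        raise ValueError(f"unknown scan option(s): {sorted(unknown)}")
    if scan_type not in SCAN_TYPES:
        raise ValueError(f"unknown scan type: {scan_type}")

    remove = "remove" in options
    plan = {
        "scan_type": scan_type,
        "quarantines": remove,                        # no remove => report-only
        "scans_archives": "noarchive" not in options,
        "reports_pups_pums": "ignorepu" not in options,
        "rootkit_scan": "ark" in options,
        "rootkits_removed": "ark" in options and remove,
        # With remove alone the endpoint may reboot automatically; with remove
        # plus noreboot the user is warned that a reboot is still required.
        "may_auto_reboot": remove and "noreboot" not in options,
        "warns_user_reboot_required": remove and "noreboot" in options,
        "warnings": [],
    }
    if not remove:
        plan["warnings"].append(
            "report-only: detections are not quarantined; rerun with remove")
    if "noreboot" in options and not remove:
        plan["warnings"].append("noreboot has no effect without remove")
    if "ark" in options and not remove:
        plan["warnings"].append(
            "ark detects rootkits but does not remove them without remove")
    return plan
```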
Scan History and logs
When a scan completes, you may select an endpoint and click Scan History to view this report in a separate window.
At the bottom-left of the Scan History window, use the search field to narrow endpoint data in your scan results. The following search parameters are supported:
- Hostname
- Client Name
- Scan Type
Application Logs can be found in:
- %AppData%\Local\Malwarebytes\CrowdStrike\Logs\mbtool.log