Malwarebytes Remediation for CrowdStrike enables Malwarebytes Breach Remediation to perform scans on endpoints using the CrowdStrike API without having to use the CrowdStrike Falcon® Dashboard.
Using the Malwarebytes Remediation for CrowdStrike application, you can scan and remediate Windows workstations and Windows Servers.
Requirements
- An active Malwarebytes Remediation for CrowdStrike subscription.
- An active CrowdStrike Falcon Enterprise subscription.
Download and setup
Prior to running Malwarebytes Remediation for CrowdStrike, you must create a new API Client and Secret key in the CrowdStrike Falcon Dashboard. See the following steps to set up the app.
- Log in to your CrowdStrike Falcon Dashboard as a Falcon Administrator.
- Define a CrowdStrike API client. See the Defining your first API Client section in the CrowdStrike support article Getting Access to the CrowdStrike API.
- When creating your CrowdStrike API client, check the following required Read and Write API Scopes:
- Detections: Read and Write
- Hosts: Read and Write
- Host Groups: Read and Write
- Incidents: Read and Write
- Real time response (admin): Write
- Real time response: Read and Write
- Spotlight vulnerabilities: Read
- Event streams: Read
- After creating your CrowdStrike API client, go to Configuration > Response Policies.
- For the policies that will utilize Malwarebytes Remediation for CrowdStrike, click Edit Policy.
- Under the Real Time Functionality section, switch the Enable All toggles on for Custom Scripts and High Risk Commands.
- Click Save to confirm your policy configurations.
- Download the Malwarebytes Remediation for CrowdStrike executable found in your purchase email.
- Run the executable.
- Enter your Client ID and Secret ID to log in to the app.
Query options
You must first query your CrowdStrike endpoint devices before you can scan and remediate. To Load devices:
- In the Query options area, use the search bar to find endpoints based on any of the following values:
- Host name
- Device ID
- Local IP: Must be exact match.
- External IP: Must be exact match.
- Platform name
- OS version
- Product type: Can be Workstation or Server.
- Optionally, check the box next to Only devices with detected threats. This narrows results to only display endpoints where CrowdStrike has detected a threat.
- Click Load devices.
The endpoint(s) that match your search query populate as a list. You can now select the endpoint(s) you want to scan and remediate.
Run an endpoint scan
- Check the boxes next to the endpoints you want to scan.
- In the Scan type area, choose one of the following options:
- Hyper: Focuses only on Memory Objects and Heuristics to determine if malware is actively running on the endpoint.
- Threat: Focuses on common paths that infections target to install.
- Full: Focuses on all of the device's drives. This is the longest and most thorough scan type.
- In the Scan options area, check any of the boxes to define your scan parameters. Your options are:
- remove: The scanner will quarantine malware, PUPs and PUMs found during the scan. If both remove and noreboot parameters are enabled, and the scan detects threats during execution, a warning message displays after the scan completes to notify the endpoint user a reboot is required to remove the threat(s).
- noarchive: By default, the contents of archives (zip, rar, etc.) are scanned. Enable this option to disable archive scanning.
- useExpert: Enable this option for the scan to use aggressive detection technology based on AI-expert systems algorithms.
- noreboot: Prevents the endpoint(s) from automatically rebooting after the scan detects threats that normally require reboots to quarantine (only used when remove is checked).
- ignorepu: Ignore all Potentially Unwanted Programs (PUPs) and Potentially Unwanted Modifications (PUMs) that may be installed on the target endpoint.
- ark: Enables Anti-rootkit scanner functionality to be used during the scan. Any rootkits found are removed if remove is enabled.
- lowimpact: Low impact scans run at a lower system priority, minimizing the impact on the foreground system usage. Scans with this option enabled may take longer to complete than a scan without this option.
- In the Malwarebytes License Key field, enter your Malwarebytes Remediation for CrowdStrike license key found in your purchase email.
- Click Scan to start the scan.
- The Scan status column displays the status of the scan in real time. Click the scan status of an endpoint to view progress and results of the scan. Results display in JSON format.
If you ran the scan without enabling any Scan options, then the scan only reports results. If threats are discovered, you can run a subsequent scan with remove enabled to quarantine the threats.
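The scan options above interact: noreboot and ark only change the outcome when remove is also checked, and a report-only scan never quarantines anything. The following is an added illustrative model of those documented rules, not Malwarebytes or CrowdStrike code; the function names plan_scan and scan_outcome and the result fields are assumptions chosen for this example, and the threat findings passed in are constructed inputs.

```python
# Illustrative model (not Malwarebytes code) of how the documented scan
# types and options interact, and what happens after a scan finds threats.

SCAN_TYPES = {"Hyper", "Threat", "Full"}
SCAN_OPTIONS = {"remove", "noarchive", "useExpert", "noreboot",
                "ignorepu", "ark", "lowimpact"}


def plan_scan(scan_type, options):
    """Return the effective behaviour of a scan request as a dict.

    Raises ValueError for unknown scan types or option names, and records
    warnings for options that have no effect without 'remove'.
    """
    if scan_type not in SCAN_TYPES:
        raise ValueError(f"unknown scan type: {scan_type}")
    opts = set(options)
    unknown = opts - SCAN_OPTIONS
    if unknown:
        raise ValueError(f"unknown scan options: {sorted(unknown)}")

    remove = "remove" in opts
    warnings = []
    # noreboot is documented as only used when remove is checked.
    if "noreboot" in opts and not remove:
        warnings.append("noreboot has no effect unless remove is enabled")
    # ark detects rootkits in any case but only removes them with remove.
    if "ark" in opts and not remove:
        warnings.append("ark will report rootkits but not remove them without remove")

    return {
        "scan_type": scan_type,
        "mode": "quarantine" if remove else "report-only",
        "scan_archives": "noarchive" not in opts,
        "report_pups_pums": "ignorepu" not in opts,
        "anti_rootkit": "ark" in opts,
        "expert_detection": "useExpert" in opts,
        # Automatic reboot happens only when quarantining and noreboot is off.
        "auto_reboot": remove and "noreboot" not in opts,
        "low_priority": "lowimpact" in opts,
        "warnings": warnings,
    }


def scan_outcome(plan, threats_found, reboot_needed):
    """Describe the post-scan result for a plan and (constructed) findings."""
    if not threats_found:
        return "clean"
    if plan["mode"] == "report-only":
        return "threats reported; re-run with remove to quarantine"
    if reboot_needed and not plan["auto_reboot"]:
        # remove + noreboot: the endpoint user is warned that a reboot is required.
        return "threats quarantined; endpoint user warned that a reboot is required"
    if reboot_needed:
        return "threats quarantined; endpoint rebooted automatically"
    return "threats quarantined"


if __name__ == "__main__":
    # Constructed walk-through: a report-only Hyper scan, then a Threat scan with remove.
    first = plan_scan("Hyper", [])
    print(scan_outcome(first, threats_found=True, reboot_needed=False))
    second = plan_scan("Threat", ["remove", "noreboot", "ark"])
    print(scan_outcome(second, threats_found=True, reboot_needed=True))
```

Running the block walks through the two-pass workflow the text describes: a first scan with no options only reports, and a second scan with remove (here also noreboot) quarantines and leaves the endpoint user with the reboot warning instead of restarting the machine.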
Application Logs can be found in:
- %AppData%\Local\Malwarebytes\CrowdStrike\Logs\mbtool.log