How to Run an On-Demand Scan in CrowdStrike Falcon

CrowdStrike Falcon allows administrators to run on-demand scans on selected hosts or host groups to detect and analyze potential security threats. On-demand scans can be executed immediately or scheduled for future or recurring runs.

This guide provides step-by-step instructions on how to initiate and configure an on-demand scan using the Falcon Console.


Step 1: Navigate to On-Demand Scans

  1. Log into the CrowdStrike Falcon Console at https://falcon.crowdstrike.com.
  2. In the left-hand menu, go to Endpoint Security > On-Demand Scans.
  3. Click Create a Scan.

Step 2: Configure Scan Scheduling

Option 1: Run Scan Immediately

  • Select “Now” to start the scan immediately.
  • Enter the hostnames or host groups to be scanned.

Option 2: Schedule a Future or Recurring Scan

  • Select “In the Future” to schedule a scan at a later date/time.
  • Choose a start date and time.
  • Set the repeat frequency (e.g., daily, weekly, or never for a one-time scan).
  • Specify how long each scan occurrence will run (default: 2 hours).

📌 Tip: Scheduled scans can be set to recur for ongoing security monitoring.


Step 3: Select Scan Target

  1. Enter at least one hostname or host group to be scanned.
  2. (Optional) Specify file paths to scan:
    • Use glob syntax to define patterns (e.g., C:\Users\Public\* to scan all files in the Public folder).
    • Click Upload File or Test Pattern to verify the path format.
  3. (Optional) Exclude specific file paths from the scan using the same format.
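
Before typing include and exclude patterns into the console, it helps to preview which paths they would cover. The script below is an added example, not CrowdStrike code, and it does not call any Falcon API. It assumes that `*` and `?` stay within one folder level, that `**` spans folders, and that matching is case-insensitive; the sample patterns and paths are constructed, and the console's Test Pattern button remains the authoritative check.

```python
import re

def glob_to_regex(pattern):
    """Translate a Windows-style glob into a case-insensitive regex.

    Assumed semantics (not taken from the page): '**' spans folders,
    while '*' and '?' never cross a path separator.
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")          # any characters, separators included
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\]*")     # any run of non-separator characters
            i += 1
        elif pattern[i] == "?":
            out.append(r"[^\\]")      # exactly one non-separator character
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out), re.IGNORECASE)

def matches_any(path, patterns):
    return any(glob_to_regex(p).fullmatch(path) for p in patterns)

def in_scope(path, includes, excludes):
    """True when a path matches an include pattern and no exclude pattern."""
    path = path.replace("/", "\\")    # normalise separators before matching
    return matches_any(path, includes) and not matches_any(path, excludes)

def preview(paths, includes, excludes):
    return {p: in_scope(p, includes, excludes) for p in paths}

# Constructed sample data: patterns a scan might use and paths to test them on.
INCLUDES = [r"C:\Users\Public\*", r"C:\Users\*\Downloads\**"]
EXCLUDES = [r"C:\Users\*\Downloads\**.iso"]
SAMPLE_PATHS = [
    r"C:\Users\Public\readme.txt",
    r"C:\Users\Public\Documents\report.docx",   # nested: single '*' misses it
    r"C:\Users\alice\Downloads\setup.exe",
    r"C:\Users\alice\Downloads\images\disk.ISO",  # excluded, case-insensitive
    r"C:\Windows\System32\cmd.exe",
]

if __name__ == "__main__":
    for path, covered in preview(SAMPLE_PATHS, INCLUDES, EXCLUDES).items():
        print(("SCAN " if covered else "SKIP ") + path)
```

Under these assumed semantics, a pattern ending in a single `*` leaves subfolders unscanned, which is the kind of gap worth catching before the scan is created.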

Step 4: Configure Scan Aggressiveness

  1. Under Sensor Anti-Malware, choose a Detection & Prevention Level:
    • Disabled – No scanning.
    • Cautious – Low sensitivity, minimal false positives.
    • Moderate (Recommended) – Balanced security and performance.
    • Aggressive – Higher sensitivity but may increase false positives.
    • Extra Aggressive – Maximum sensitivity but can impact system performance.
  2. Configure Cloud Anti-Malware Settings (same aggressiveness options).

📌 Tip: Moderate is recommended for most environments to balance detection accuracy and system impact.


Step 5: Adjust Performance & User Notifications

  1. Maximum CPU Utilization:
    • Set to Low (up to 25%) for minimal performance impact.
    • Adjust if higher CPU usage is acceptable.
  2. End-User Notifications:
    • Enable “Show notifications to end users” to inform them when a scan is running.
    • Set a pause duration (hours) to allow users to temporarily pause scans if needed.

Step 6: Start the Scan

  1. Review all scan settings.
  2. Click Create Scan to execute the scan immediately or schedule it for later.
  3. Monitor scan progress under Endpoint Security > On-Demand Scans.

Best Practices for On-Demand Scans

✅ Use Scheduled Scans for Routine Security Checks – Automate scanning for continuous protection.
✅ Select Specific File Paths When Possible – Reduces scan duration and system impact.
✅ Balance Detection Sensitivity & Performance – Use Moderate settings unless dealing with an active threat.
✅ Monitor Falcon Console for Scan Results – Check Activity > Detections for scan findings.