CrowdStrike Falcon allows administrators to run on-demand scans on selected hosts or host groups to detect and analyze potential security threats. On-demand scans can be executed immediately or scheduled for future or recurring runs.
This guide provides step-by-step instructions on how to initiate and configure an on-demand scan using the Falcon Console.
Step 1: Navigate to On-Demand Scans
- Log into the CrowdStrike Falcon Console at: https://falcon.crowdstrike.com or https://falcon.us-2.crowdstrike.com/ (Varies by tenant).
- In the left-hand menu, go to Endpoint Security > On-Demand Scans.
- Click Create a Scan.
Step 2: Configure Scan Scheduling
Option 1: Run Scan Immediately
- Select “Now” to start the scan immediately.
- Enter the hostnames or host groups to be scanned.
Option 2: Schedule a Future or Recurring Scan
- Select “In the Future” to schedule a scan at a later date/time.
- Choose a start date and time.
- Set the repeat frequency (e.g., daily, weekly, or never for a one-time scan).
- Specify how long each scan occurrence will run (default: 2 hours).
📌 Tip: Scheduled scans can be recurring for ongoing security monitoring.
Step 3: Select Scan Target
- Enter at least one hostname or host group to be scanned.
- (Optional) Specify file paths to scan:
- Use glob syntax to define patterns (e.g.,
C:\\Users\\Public\\*to scan all files in the Public folder). - Click Upload File or Test Pattern to verify the path format.
- Use glob syntax to define patterns (e.g.,
- (Optional) Exclude specific file paths from the scan using the same format.
Step 4: Configure Scan Aggressiveness
- Under Sensor Anti-Malware, choose a Detection & Prevention Level:
- Disabled – No scanning.
- Cautious – Low sensitivity, minimal false positives.
- Moderate (Recommended) – Balanced security and performance.
- Aggressive – Higher sensitivity but may increase false positives.
- Extra Aggressive – Maximum sensitivity but can impact system performance.
- Configure Cloud Anti-Malware Settings (same aggressiveness options).
📌 Tip:Moderate is recommended for most environments to balance detection accuracy and system impact.
Step 5: Adjust Performance & User Notifications
- Maximum CPU Utilization:
- Set to Low (up to 25%) for minimal performance impact.
- Adjust if higher CPU usage is acceptable.
- End-User Notifications:
- Enable “Show notifications to end users” to inform them when a scan is running.
- Set a pause duration (hours) to allow users to temporarily pause scans if needed.
Step 6: Start the Scan
- Review all scan settings.
- Click Create Scan to execute the scan immediately or schedule it for later.
- Monitor scan progress under Endpoint Security > On-Demand Scans.
Best Practices for On-Demand Scans
✅ Use Scheduled Scans for Routine Security Checks – Automate scanning for continuous protection.
✅ Select Specific File Paths When Possible – Reduces scan duration and system impact.
✅ Balance Detection Sensitivity & Performance – Use Moderate settings unless dealing with an active threat.
✅ Monitor Falcon Console for Scan Results – Check Activity > Detections for scan findings.
Frequently Asked Questions
Find answers to common questions
To exclude specific file paths during an on-demand scan in CrowdStrike Falcon, navigate to the 'On-Demand Scans' section after creating a scan. In the scan configuration, you will find an option to specify exclusions using the same glob syntax as for included paths. For example, to exclude all files in the 'C:\Users\Public\Temporary' folder, you would enter 'C:\Users\Public\Temporary*'. This helps optimize scan performance and reduces false positives by not scanning unnecessary files, especially in environments with significant data.
Need Professional Help?
Our team of experts can help you implement and configure these solutions for your organization.