CrowdStrikebeginner

How to Run an On-Demand Scan in CrowdStrike Falcon (2025)

Complete guide to running CrowdStrike Falcon on-demand scans. Schedule scans, configure detection levels, optimize CPU usage, and detect threats fast.

5 min readUpdated January 2025

CrowdStrike Falcon allows administrators to **run on-demand scans** on selected hosts or host groups to detect and analyze **potential security threats**. On-demand scans can be executed **immediately** or scheduled **for future or recurring runs**.

This guide provides step-by-step instructions on how to **initiate and configure an on-demand scan** using the **Falcon Console**.

---

Step 1: Navigate to On-Demand Scans

    - Log into the **CrowdStrike Falcon Console** at: [https://falcon.crowdstrike.com](https://falcon.crowdstrike.com/) or [https://falcon.us-2.crowdstrike.com/](https://falcon.us-2.crowdstrike.com/) (Varies by tenant). - In the **left-hand menu**, go to **Endpoint Security** > **On-Demand Scans**. - Click **Create a Scan**.
---

Step 2: Configure Scan Scheduling

Option 1: Run Scan Immediately

  • Select “Now” to start the scan immediately.
  • Enter the hostnames or host groups to be scanned.

Option 2: Schedule a Future or Recurring Scan

  • Select “In the Future” to schedule a scan at a later date/time.
  • Choose a start date and time.
  • Set the repeat frequency (e.g., daily, weekly, or never for a one-time scan).
  • Specify how long each scan occurrence will run (default: 2 hours).

📌 **Tip:** Scheduled scans can be **recurring** for ongoing security monitoring.

---

Step 3: Select Scan Target

    - Enter at least one **hostname** or **host group** to be scanned. - (Optional) Specify **file paths** to scan:

    • Use glob syntax to define patterns (e.g., C:\Users\Public\* to scan all files in the Public folder).

    • Click Upload File or Test Pattern to verify the path format.

    • (Optional) Exclude specific file paths from the scan using the same format.

Step 4: Configure Scan Aggressiveness

    - Under **Sensor Anti-Malware**, choose a **Detection & Prevention Level**:

    • Disabled – No scanning.

    • Cautious – Low sensitivity, minimal false positives.

    • Moderate (Recommended) – Balanced security and performance.

    • Aggressive – Higher sensitivity but may increase false positives.

    • Extra Aggressive – Maximum sensitivity but can impact system performance.

    • Configure Cloud Anti-Malware Settings (same aggressiveness options).

📌 **Tip:**Moderate is recommended for most environments to balance detection accuracy and system impact.

Step 5: Adjust Performance & User Notifications

    - **Maximum CPU Utilization:** - Set to **Low (up to 25%)** for minimal performance impact. - Adjust if higher CPU usage is acceptable.
    • End-User Notifications:
    • Enable “Show notifications to end users” to inform them when a scan is running.
    • Set a pause duration (hours) to allow users to temporarily pause scans if needed.
---

Step 6: Start the Scan

    - Review all scan settings. - Click **Create Scan** to execute the scan immediately or schedule it for later. - Monitor scan progress under **Endpoint Security > On-Demand Scans**.
---

Best Practices for On-Demand Scans

✅ **Use Scheduled Scans for Routine Security Checks** – Automate scanning for continuous protection.
✅ **Select Specific File Paths When Possible** – Reduces scan duration and system impact.
✅ **Balance Detection Sensitivity & Performance** – Use **Moderate** settings unless dealing with an active threat.
✅ **Monitor Falcon Console for Scan Results** – Check **Activity > Detections** for scan findings.

Frequently Asked Questions

Find answers to common questions

To exclude specific file paths during an on-demand scan in CrowdStrike Falcon, navigate to the 'On-Demand Scans' section after creating a scan. In the scan configuration, you will find an option to specify exclusions using the same glob syntax as for included paths. For example, to exclude all files in the 'C:\Users\Public\Temporary' folder, you would enter 'C:\Users\Public\Temporary*'. This helps optimize scan performance and reduces false positives by not scanning unnecessary files, especially in environments with significant data.

Need Expert CrowdStrike Management?

Our team manages CrowdStrike deployments for businesses like yours. Get 24/7 threat detection and response with expert oversight.

Learn About 24/7 Detection & ResponseExplore Vulnerability Management

Related Articles

CrowdStrike User Roles: Create Custom Roles & Manage Permissions

Create and manage user roles in CrowdStrike Falcon. Configure RBAC, assign permissions, and restrict console access.

Read More →

CrowdStrike Exchange Exclusions | Configure Falcon for Exchange Server

Configure CrowdStrike exclusions for Exchange Server. Protect database files, logs, and processes to ensure mail flow.

Read More →

Deploy CrowdStrike Falcon via GPO | Active Directory Guide

Step-by-step guide to deploy CrowdStrike Falcon sensors using Group Policy. Silent installation, startup scripts, troubleshooting tips for AD environments.

Read More →
Back to CrowdStrike