NOTICE - On October 18, 2022, this product was renamed to Remediation Connector Solution.
TIP - This is an example of the Remediation Connector Solution configured with CrowdStrike Falcon®.
CrowdStrike and CrowdStrike Falcon are registered trademarks of CrowdStrike, Inc.
Remediation Connector Solution is not associated with, or endorsed by, CrowdStrike Holdings, Inc. or its affiliates.
Remediation Connector Solution allows you to scan your CrowdStrike Falcon® endpoints. Once you have queried for endpoints, initiate a scan by following the steps below.
Set up and initiate a scan
- Check the boxes next to the endpoints you want to scan.
- In the Scan type area, choose one of the following options:
- Hyper: Focuses only on Memory Objects and Heuristics to determine if malware is actively running on the endpoint.
- Threat: Focuses on common paths that infections target to install.
- Full: Focuses on all of the device's drives. This is the longest and most thorough scan type.
- In the Scan options area, check any of the boxes to define your scan parameters. Your options are:
- Remove: The scanner will quarantine malware, PUPs and PUMs found during the scan. If both Remove and NoReboot parameters are enabled, and the scan detects threats during execution, a warning message displays after the scan completes to notify the endpoint user a reboot is required to remove the threat(s).
- DisableArchiveScan: By default, the contents of archives (zip, rar, etc.) are scanned. Enable this option to disable archive scanning.
- AIScan: Enable this option for the scan to use aggressive detection technology based on AI-expert systems algorithms.
- NoReboot: Prevents the endpoint(s) from automatically rebooting after the scan detects threats that normally require reboots to quarantine (only used when remove is checked).
- IgnorePUM&PUP: Ignore all Potentially Unwanted Programs (PUPs) and Potentially Unwanted Modifications (PUMs) that may be installed on the target endpoint.
- Anti-rootkit: Enables Anti-rootkit scanner functionality to be used during the scan. Any rootkits found are removed if remove is enabled.
- LowImpact: Low impact scans run at a lower system priority, minimizing the impact on the foreground system usage. Scans with this option enabled may take longer to complete than a scan without this option.
- In the License Key field, enter your Remediation Connector Solution license key found in your purchase email.
- Click Scan to start the scan.
- The Scan status column displays the status of the scan in real-time. Click the scan status of an endpoint to open the pane on the right-hand side of the screen to view the scan progress.
Note: Loading other endpoints before the scan completes may prevent scan results from reporting back to the console.
If you ran the scan without enabling any Scan options, the scan only reports results. If threats are discovered, you can run a subsequent scan with remove enabled to quarantine the threats.
Scan Progress
Scans proceed through the following operation states:
- Initializing: Scan operations begin on the target endpoint.
- Error: CrowdStrike failed to send the scan task to an endpoint.
Note: CrowdStrike checks the endpoint status every 15 minutes. An error occurs during the creation of a scan task when an endpoint goes offline between checks. Submitting a scan task again after 15 minutes results in a Scheduled scan if the endpoint is offline, or starts a scan if the endpoint is online.
- Scheduled: This feature is optional. When CrowdStrike RTR detects the endpoint is offline, a scan task is created and remains scheduled for 7 days before expiring.
- Scanning: Scan operations are in progress on the target endpoint.
- Failed: Scan operations failed on the target endpoint.
- Completed: Scan operations completed on the target endpoint.
A detailed listing of the scan progress can be viewed here: Collect diagnostic logs in Remediation Connector Solution.
For more information on scan errors, see Errors in Remediation Connector Solution.
Scan History and logs
When a scan completes, you may select an endpoint and click Scan History to view this report in a separate window.
At the bottom-left of the Scan History window, use the search field to narrow endpoint data in your scan results. The following search parameters are supported:
- Hostname
- Client Name
- Scan Type
Remediation Connector Solution logs are located in:
- Application log: %LOCALAPPDATA%\Local\Malwarebytes\MRfCS\
- Current log: .\mrfcs.log
- Previous log: .\mrfcx_nnn.log
- Scan reports: .\ScanReports\yy-mm-dd_hh-mm-_guid1_computername_guid2.json
Once endpoints begin scanning, add exclusions or custom rules to prevent false positives. To add exclusions or custom rules, see Add Exclusions and Custom Rules for Remediation Connector Solution.