DekuBleep

macrumors 6502
Original poster
Jun 26, 2013
I just got a new MBP M1pro 14 inch. It was set up by the IT department at my job. It is my personal work laptop that I bring home etc.

The laptop has this program that monitors all of my web traffic and looks for vulnerabilities and looks for viruses called Crowdstrike Falcon Agent (https://www.crowdstrike.com) running constantly in the background. See the attached two photos.

Screen Shot 2022-08-03 at 7.29.36 AM.png


Screen Shot 2022-08-03 at 7.29.08 AM.png


The thing is that this app has a little lock sign in the left hand bottom corner of it and even though I have admin access to the computer I am unable to delete this file. I am also unable to stop this process "com.crowdstrike.falcon.agent" from running. If I stop it from running then it just starts right back up again.

I tend to not like these types of monitoring programs ... and in addition to that I don't think they make my computer any more secure than Apple already has... but in addition to that this program appears to prevent me from running iCloud private relay, and it seems to prevent me from loading my mail images remotely.... both of those are things that I want to be able to do.

For that reason, can anyone tell me how to delete this program "Falcon.app" from my machine (for which I have admin access)? And/or can anyone tell me how to stop this process "com.crowdstrike.falcon.agent" from running and stop it from instantly restarting again? Thanks a lot!
 
Your MBP is probably registered within an MDM of the company you work for. There is probably a related enrolment profile installed on it which enforces certain company policies. Check the device and user profiles in the System Preferences.

You would have to talk with IT to change the MDM profile for your MBP.
 
As @Slartibart said, this is likely due to provisioning of the Mac.

Even though it may be a "personal work laptop", they likely need to enforce security of it. However, it is a work laptop, and unless you paid for it, and it was provided by work, they have the ultimate say on what gets to run on it.

You may not like it, but the work machine isn't really supposed to be used for anything beyond work.
 
Thanks for the tips!

I am specifically asking if anyone knows of a legal online uninstaller specifically?

Or if anyone knows of a terminal command to uninstall crowdstrike falcon?

Or if anyone knows of a way to temporarily block this software from running for a long period of time.

I’m not interested in breaking any rules or any laws. And please don’t presume to know the rules or regulations of my employer or this laptop. Thanks!

I want to do one of those because I want to be able to run iCloud private relay. And I don’t want all my network traffic filtered by crowdstrike. And I don’t want my battery life to be substantially impacted by this software constantly scanning. Thanks!
 
If there is an MDM profile then you have to remove it in System Preferences first if you want to make changes at runtime. The only other way I know is by mounting the macOS volume from Recovery to get around the MDM profile, but you might be locked out of Recovery by a firmware password.

The lock icon itself means that the file/directory is immutable. You might be able to remove that file flag with the chflags command (see the manual page for more information, man chflags). You can check whether a flag is set with ls -lO /path/to/application/directory (the capital letter O, not the number 0).
 
This is what it says when I run that command in these two pictures

Screen Shot 2022-08-03 at 4.49.33 PM.png


Screen Shot 2022-08-03 at 4.49.26 PM.png


Does that tell you whether a flag is set? Thank you!
 
Yes. “uchg” means user-immutable flag. You can try to remove it with this:
sudo chflags -R nouchg /path/to/Falcon.app

Thank you! But I got a whole bunch of "Operation not permitted".
 
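From the defender's side, the chflags attempt in the posts above is the kind of command line that endpoint telemetry can flag. The following is an added example, not part of any forum post: the `/Applications/Falcon.app` path, the function names and the sample command lines are assumptions constructed for illustration.

```python
import shlex
import stat
from posixpath import normpath

# Assumed install path; the thread only gives "/path/to/Falcon.app".
PROTECTED = ("/Applications/Falcon.app",)
# chflags keywords that clear an immutable flag (see `man chflags`).
CLEARING = {"nouchg", "nouchange", "nouimmutable",
            "noschg", "noschange", "nosimmutable"}
IMMUTABLE_BITS = stat.UF_IMMUTABLE | stat.SF_IMMUTABLE

def clears_immutable(flags):
    """True if a chflags flag argument leaves the target mutable."""
    if flags and set(flags) <= set("01234567"):      # octal form sets all flags
        return (int(flags, 8) & IMMUTABLE_BITS) == 0
    return bool(CLEARING & set(flags.split(",")))

def chflags_tamper(cmdline):
    """Return protected paths that a command line tries to make mutable."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:                               # unbalanced quotes
        return []
    # Find chflags anywhere in argv so wrappers (sudo -u root ...) are covered.
    # This over-matches text such as `echo chflags ...`, acceptable for triage.
    idx = next((i for i, a in enumerate(argv)
                if a.rsplit("/", 1)[-1] == "chflags"), None)
    if idx is None:
        return []
    args = [a for a in argv[idx + 1:] if not a.startswith("-")]  # drop -R, -h
    if len(args) < 2 or not clears_immutable(args[0]):
        return []
    paths = [normpath(t) for t in args[1:]]          # collapse ../ segments
    return [p for p in paths
            if any(p == root or p.startswith(root + "/") for root in PROTECTED)]

# Constructed process-execution command lines (not taken from the thread).
EVENTS = [
    "sudo chflags -R nouchg /Applications/Falcon.app",
    "chflags hidden /Users/alice/notes.txt",
    "/usr/bin/chflags nouchg,noschg '/Applications/Falcon.app/Contents/../Contents/MacOS'",
    "sudo -u root chflags 0 /Applications/Falcon.app",
    "ls -lO /Applications",
]

def triage(events):
    """Pair each suspicious command line with the protected paths it targets."""
    return [(e, hits) for e in events if (hits := chflags_tamper(e))]

if __name__ == "__main__":
    for event, hits in triage(EVENTS):
        print("ALERT", hits, "<-", event)
```

Relative targets are not resolved because the working directory is not part of the command line; a real pipeline would join them with the process's recorded cwd before matching.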
You probably need to disable SIP to have a chance.

I'm just curious - you said that you got this laptop recently...
Did you buy it (you own it), or is it ultimately owned by the company where you work?
 
If you do disable or remove it, that might be seen by the monitoring server and reported to the IT team for remediation.

Perhaps it’s best to approach it from another angle. If it’s your machine, tell IT to remove it. If it’s your company’s machine, leave it alone and use it for company business.
 
The computer is mine, but it's more like the computer is part of my compensation, and I am allowed to do what I want with it, but I am expected to also use it for work. It's not in any sense a loaner from the company that I work for... But the IT people have been putting more and more things like Crowdstrike on the computers recently. And I don't want it on mine.
 
Ever since COVID it's hard to actually see any of the IT people in person, so things have become less personal. And it's harder to have an email discussion with the IT people about your machine. It feels like you are not a real person to them since they never see you.

They also put BIG FIX on my computer and look at how it was killing my battery (BESagent):

Screen Shot 2022-07-31 at 12.11.06 PM.png


BESAgent was running all the time, and it was always "using significant energy" every single time I clicked on the battery in the menu bar.

Screen Shot 2022-07-31 at 12.13.33 PM.png


BIG Fix's BESagent was using a lot more power than any other app constantly. I am not sure if they set it to scan my computer every second for patches or what else it may have been doing... but the energy impact was out of control. I might as well have bought a desktop. Fortunately, I was able to uninstall Big Fix and my battery life was saved.

I'm hoping that I can do the same with Crowdstrike.
 
If you are the owner of this laptop you should insist that they remove it from the company MDM.
You should be able to inspect the installed profiles in System Preferences > Profiles or via the terminal command sudo profiles list.
An email to the IT department with the serial number (maybe additionally the model name and number, and MAC address) should suffice and they should be able to remove the enrollment. This takes barely a few minutes.

Otherwise you are not the owner of the MBP but a user with some elevated rights.
 
That sounds like a messy situation. You may “own” the laptop, but you are required to use it to access your company’s systems. It seems likely that they are requiring this software be active as a prerequisite to give you access. If you removed it without permission, they would be within their rights to deny you access to their network. I'd just advise you to tread carefully here.
 
Thanks, everyone! I removed all the spyware myself, and so far, I haven't heard anything from the computer people yet... I may hear something from them in the future, and if I do, then I know what I am going to say. I don't want spyware on my computer, and I don't believe that it is making my computer more secure, and I need to be able to use iCloud private relay. Thanks again!
 
Hi @DekuBleep and @KALLT, I'm facing the same issue, but I bought my MacBook on eBay in June (with a reliable reseller "aetreasures") and the crowdstrike falcon was pre-installed. I've tried to get rid of it without success. Yesterday my MacBook got blocked and I can't force a hard reset. Do you know any way or somebody that can help me? Thanks in advance!
 
You can only contact the seller at this point. It seems that the MacBook either had an active MDM profile if it was owned by a company or organisation or it was still connected to an iCloud account of the previous owner. In either case, if that previous owner locked you out now, there isn't anything you can do about it yourself.
 
Hi,
Please, how did you manage to remove the spyware?
 
I created an account on this website specifically so that I could respond to you and this thread in general.

Crowdstrike is NOT spyware. It's much easier to think of it as an anti-virus (but much more complicated). We don't use it to monitor what users do on their computers, we use it for cyber security. The OP of this thread has the whole thing completely wrong and, truthfully, it was infuriating to read his responses; the laptop may be a form of compensation but, as long as it is used for work, it needs to be secured.

As a side note, we can EASILY monitor what users are doing, we do NOT need special software for that. Be very aware that, at any given time, the IT team can monitor your traffic, emails, etc. We don't do this because it's not worth the time and effort, it's against company policy, and we honestly don't care what you do on your computer.

One more thing: there is software that would allow us to visually monitor computers remotely and you would never know it's installed. These things already exist in the form of malware which is exactly what Crowdstrike aims to prevent.
 
Hi notspyware,
I bought my computer with crowdstrike falcon installed on it, and would really want to be in control of its installation.
 
Sorry, it has been a while since I checked in on this thread. Didn't mean to "infuriate" you with my responses. My understanding is that crowdstrike sends the filename of every file that is run on the computer to a server and they say that the server has a list of known malware filenames. Then the crowdstrike falcon server looks through the filenames used on my computer to see if there is any malware running on my computer. Yeah, I don't want or need that.
Also, "bigfix" was using about 40% of my CPU 24 hours a day non-stop. It was constantly draining my battery scanning for software to update on a laptop, and there was no way for me to disable it or slow it down. So I took it off my computer.
 
Apple tells you how to do it on their support page.


Profile removal

How you remove profiles depends on how they were installed. The following sequence indicates how a profile can be removed:

1. All profiles can be removed by wiping the device of all data.
 
I removed Falcon app by starting the mac in safe mode, then I could just throw it in the trash and delete it. 🎂🎉👍😄
 