CrowdStrike "Reduced Functionality Mode" (RFM)

CrowdStrike’s “Reduced Functionality Mode” (RFM)

The CrowdStrike Falcon sensor may occasionally drop into a “Reduced Functionality Mode” (or RFM) to prevent compatibility issues when something changes in a computer’s configuration. It may also start in this mode if the computer is not configured properly.

Linux

On Linux, RFM is a safe mode for the Falcon sensor that prevents compatibility issues if the host’s kernel is unsupported by the sensor in kernel mode and doesn't meet the sensor’s user mode requirements.

What happens to Linux sensors in RFM?

Linux sensors in RFM do not process events or register detections, but continue sending “heartbeat” events to indicate that a sensor is installed on the host.

Resolving Linux RFM

You can resolve a Linux sensor in RFM by either upgrading the sensor to a version that supports your installed kernel or by changing the host’s kernel to one that is supported by the sensor’s kernel mode or meets user mode requirements.

Newly released long-term support (LTS) kernels for supported Linux distributions aren’t generally immediately compatible with the current sensor, but CrowdStrike adds support as quickly as possible.

To prevent existing sensors from entering RFM, CrowdStrike recommends disabling automatic kernel updates and upgrading your kernel once it is supported by the Falcon sensor. Consult your distribution’s support documentation for pinning the existing kernel or configuring regular updates to leave the existing kernel in place.

macOS

On macOS, the Falcon sensor runs in RFM when Full Disk Access (FDA) is not enabled on the host.

What happens to macOS sensors in RFM?

macOS sensors in RFM still communicate with the cloud but sensor functionality that interacts with the file system is reduced.

Resolving macOS RFM

To restore a Mac host’s sensor to full functionality, you must enable Full Disk Access for the Falcon Sensor. FDA can be enabled using one of the following methods:

• Via MDM: Enable FDA for “Falcon Sensor” using a configuration profile.
• Manually: Enable FDA for “Falcon Sensor” via System Settings under Privacy & Security.

After enabling FDA, a system restart may be necessary for the sensor to exit RFM.

Windows

On Windows, RFM is a safe mode for the sensor that prevents compatibility issues if the host’s kernel is uncertified. This is most common when updates to the Windows kernel are released. Without certified kernel support, the Falcon sensor could potentially cause system crashes and other performance issues.

What happens to Windows sensors in RFM?

Windows sensors in RFM still actively monitor the system, reports events, and trigger detections, but at a reduced capacity. The sensor temporarily unhooks from some kernel elements, resulting in some detection patterns being unavailable and a small number of preventions not being triggered.

Resolving Windows RFM

When a released Windows update alters the kernel, CrowdStrike must internally certify that the Falcon sensor operates with the updated kernel. Windows sensors on computers with uncertified updates will drop into RFM while CrowdStrike performs certification, usually within 48 hours of the update’s release. Once the update is certified, the Falcon sensor will receive a file from the CrowdStrike cloud that tells the sensor to resume full functionality.

Hosts running an unsupported Windows version may also be in RFM. To resume full functionality, upgrade the host to a supported Windows version. Preview versions of Windows will always run in RFM.