
How to Run an On-Demand Scan in CrowdStrike Falcon

Complete guide to CrowdStrike Falcon on-demand scans. Schedule scans, configure detection levels, troubleshoot scan failures, and optimize CPU usage for threat detection.

Updated January 2026


CrowdStrike Falcon allows administrators to run on-demand scans on selected hosts or host groups to detect and analyze potential security threats. On-demand scans can be executed immediately or scheduled for future or recurring runs.

This guide provides step-by-step instructions on how to initiate and configure an on-demand scan using the Falcon Console.


Step 1: Navigate to On-Demand Scans

  1. Log into the CrowdStrike Falcon Console. The hostname depends on which CrowdStrike cloud your tenant is in: https://falcon.crowdstrike.com for US-1, https://falcon.us-2.crowdstrike.com/ for US-2, and equivalent region-specific hosts (for example falcon.eu-1.crowdstrike.com) for other clouds.
  2. In the left-hand menu, go to Endpoint Security > On-Demand Scans.
  3. Click Create a Scan.

Step 2: Configure Scan Scheduling

Option 1: Run Scan Immediately

  • Select "Now" to start the scan immediately.
  • Enter the hostnames or host groups to be scanned.

Option 2: Schedule a Future or Recurring Scan

  • Select "In the Future" to schedule a scan at a later date/time.
  • Choose a start date and time.
  • Set the repeat frequency (e.g., daily, weekly, or never for a one-time scan).
  • Specify how long each scan occurrence will run (default: 2 hours).

📌 Tip: A recurring schedule is how you get routine coverage without someone remembering to click Create a Scan. The run duration is a hard window, so size it for your largest or slowest host (see Expected Scan Duration below) or the scan will stop before it finishes.


Step 3: Select Scan Target

  1. Enter at least one hostname or host group to be scanned.
  2. (Optional) Specify file paths to scan:
    • Use glob syntax to define patterns (e.g., C:\Users\Public\* to scan all files in the Public folder).
    • Click Upload File or Test Pattern to verify the path format.
  3. (Optional) Exclude specific file paths from the scan using the same format.

Step 4: Configure Scan Aggressiveness

  1. Under Sensor Anti-Malware, choose a Detection & Prevention Level:
    • Disabled – No scanning.
    • Cautious – Low sensitivity, minimal false positives.
    • Moderate (Recommended) – Balanced security and performance.
    • Aggressive – Higher sensitivity but may increase false positives.
    • Extra Aggressive – Maximum sensitivity but can impact system performance.
  2. Configure Cloud Anti-Malware Settings (same aggressiveness options).

📌 Tip: Moderate is recommended for most environments to balance detection accuracy and system impact.


Step 5: Adjust Performance & User Notifications

  1. Maximum CPU Utilization:
    • Set to Low (up to 25%) for minimal impact on users; this is the setting to keep for scans that run during working hours.
    • Raise it only when a faster result matters more than foreground responsiveness, such as a post-incident verification scan on an isolated host. This cap is independent of the aggressiveness level chosen in Step 4.
  2. End-User Notifications:
    • Enable "Show notifications to end users" to inform them when a scan is running.
    • Set a pause duration (hours) to allow users to temporarily pause scans if needed.

Step 6: Start the Scan

  1. Review all scan settings.
  2. Click Create Scan to execute the scan immediately or schedule it for later.
  3. Monitor scan progress under Endpoint Security > On-Demand Scans.
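The six console steps above map onto a single API request, and for a post-incident verification scan it is often faster to script it than to click through. The following is an added example written for this guide, not CrowdStrike's own code: it resolves a hostname to a device ID, refuses hosts whose sensor has not checked in (the first item under Scan Fails to Start below), and builds the scan request with the same settings the console collects. The endpoint paths, body field names and integer encodings (0-4 for the anti-malware levels, 1-5 for CPU priority, the scan window in hours) are assumptions to verify against the API reference for your tenant; the API host is assumed to follow the console region (api.crowdstrike.com for falcon.crowdstrike.com, api.us-2.crowdstrike.com for US-2). The hostname `WS-FINANCE-07` is constructed.

```python
"""Added example, not CrowdStrike's code: create a Falcon on-demand scan via
the REST API with the settings from Steps 3-5. Assumed (verify against your
tenant's API reference): endpoint paths, body field names, and the integer
encodings (0-4 anti-malware levels, 1-5 cpu_priority, max_duration in hours)."""
import json
import os
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

# Step 4 console labels -> assumed API integers.
ML_LEVELS = {"disabled": 0, "cautious": 1, "moderate": 2,
             "aggressive": 3, "extra aggressive": 4}
# Step 5 "Maximum CPU Utilization" -> assumed cpu_priority (1 lowest, 5 highest).
CPU_PRIORITY = {"low": 1, "medium": 3, "high": 5}


def build_scan_body(host_ids, level, *, cloud_level=None, cpu="low", max_hours=2,
                    include=(), exclude=(), notify=True, pause_hours=0,
                    quarantine=False, description=""):
    """Validate the choices from Steps 3-5 and return the scan request body."""
    if not host_ids:
        raise ValueError("Step 3: at least one host ID is required")
    sensor = level.strip().lower()
    cloud = (cloud_level or level).strip().lower()
    if sensor not in ML_LEVELS or cloud not in ML_LEVELS:
        raise ValueError(f"unknown aggressiveness level: {level!r}/{cloud_level!r}")
    if cpu.lower() not in CPU_PRIORITY:
        raise ValueError(f"unknown CPU setting: {cpu!r}")
    if not 1 <= max_hours <= 24:
        raise ValueError("scan window must be 1-24 hours (console default is 2)")
    if pause_hours and not notify:
        raise ValueError("users can only pause a scan they are notified about")
    return {
        "hosts": list(host_ids),            # device IDs (AIDs), not hostnames
        "scan_inclusions": list(include),   # glob patterns; empty = whole host
        "scan_exclusions": list(exclude),
        "sensor_ml_level_detection": ML_LEVELS[sensor],
        "sensor_ml_level_prevention": ML_LEVELS[sensor],
        "cloud_ml_level_detection": ML_LEVELS[cloud],
        "cloud_ml_level_prevention": ML_LEVELS[cloud],
        "cpu_priority": CPU_PRIORITY[cpu.lower()],
        "max_duration": max_hours,
        "endpoint_notification": notify,
        "pause_duration": pause_hours,
        "quarantine": quarantine,           # False = detect only, review first
        "description": description,
    }


def sensor_is_current(last_seen, now=None, max_age_hours=1):
    """Pre-check for 'Scan Fails to Start': a host whose sensor has not checked in
    recently will sit in Pending. Timestamps are ISO-8601 UTC strings as the hosts
    API returns them ('2026-01-15T10:00:00Z'); now defaults to the clock."""
    seen = datetime.fromisoformat(last_seen.replace("Z", "+00:00"))
    ref = (datetime.fromisoformat(now.replace("Z", "+00:00")) if now
           else datetime.now(timezone.utc))
    return ref - seen <= timedelta(hours=max_age_hours)


def _call(url, token, payload=None):
    """GET, or POST JSON when a payload is given, with a bearer token."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def get_token(api_base, client_id, client_secret):
    form = urllib.parse.urlencode({"client_id": client_id,
                                   "client_secret": client_secret}).encode()
    req = urllib.request.Request(f"{api_base}/oauth2/token", data=form, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def resolve_online_host(api_base, token, hostname):
    """Hostname -> device ID, refusing a host whose sensor is stale."""
    query = urllib.parse.urlencode({"filter": f"hostname:'{hostname}'"})
    ids = _call(f"{api_base}/devices/queries/devices/v1?{query}", token)["resources"]
    if not ids:
        raise LookupError(f"no host named {hostname!r} in this tenant")
    devices = _call(f"{api_base}/devices/entities/devices/v2", token, {"ids": ids})
    for dev in devices["resources"]:
        if sensor_is_current(dev["last_seen"]):
            return dev["device_id"]
    raise RuntimeError(f"{hostname}: sensor has not checked in within the last hour")


def create_scan(api_base, token, body):
    return _call(f"{api_base}/ods/entities/scans/v1", token, body)


if __name__ == "__main__":  # needs an API client with Hosts: Read and ODS: Write
    base = os.environ.get("FALCON_API_BASE", "https://api.crowdstrike.com")
    tok = get_token(base, os.environ["FALCON_CLIENT_ID"], os.environ["FALCON_CLIENT_SECRET"])
    aid = resolve_online_host(base, tok, "WS-FINANCE-07")  # constructed hostname
    body = build_scan_body([aid], "Aggressive", cpu="high", max_hours=4,
                           include=[r"C:\*"], exclude=[r"C:\VMs\*"],
                           description="post-incident verification")
    print(json.dumps(create_scan(base, tok, body), indent=2))
```

Quarantine is left off deliberately so a scan on a production host reports before it removes anything; flip it on for the second pass once the findings have been reviewed. The validation in `build_scan_body` mirrors what the console enforces (at least one target, a 1-24 hour window, a pause only when users are notified), so a malformed request fails locally rather than with a 400 from the API.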


Expected Scan Duration and Performance

Understanding typical scan times helps set expectations and identify potential issues:

Aggressiveness Level | Typical Duration* | CPU Impact | Best For
---------------------|-------------------|------------|-----------------------------------
Cautious             | 3-5 hours         | 5-15%      | Background scans during work hours
Moderate             | 1-3 hours         | 15-30%     | Routine scheduled scans
Aggressive           | 30-90 min         | 30-50%     | Post-incident verification
Extra Aggressive     | 15-45 min         | 50-75%     | Active threat response

*Duration varies with disk size, file count, and system specifications. A typical 500GB drive with 200,000 files takes approximately 2 hours at the Moderate level. The CPU Impact column reflects the Maximum CPU Utilization ceiling usually paired with each level for the listed use, not a property of the level itself: the ceiling is a separate setting (Step 5), and an Aggressive scan held to the Low (25%) cap will take considerably longer than the figure above.

Factors Affecting Scan Duration

  • Disk size and file count: More files = longer scans
  • File types: Compressed archives and executables take longer to analyze
  • System resources: SSD vs HDD, available RAM, CPU cores
  • Network connectivity: Cloud lookups need a working path to the Falcon cloud; a host that can run the sensor but cannot reach the cloud scans slower and detects less
  • Exclusions: Proper exclusions significantly reduce scan time, but every excluded path is also a blind spot, so record the justification for each one

Troubleshooting On-Demand Scans

Scan Fails to Start

Symptoms: Scan status shows "Failed" or never progresses from "Pending"

Solutions:

  1. Verify sensor connectivity:

    • Check sensor status in Host Management
    • Ensure endpoint is online and communicating with cloud
  2. Check user permissions:

    • User must have Falcon Administrator or Endpoint Manager role
    • Navigate to Users & Roles to verify permissions
  3. Verify the Prevention Policy allows scans:

    • On-demand scanning is governed by the Prevention Policy assigned to the host, and a policy that does not enable it will leave the scan pending
    • Open the assigned Prevention Policy and confirm the on-demand scanning setting is enabled for that platform

Scan Times Out or Stops Early

Symptoms: Scan ends before completing all files, or shows timeout error

Solutions:

  1. Extend scan duration: When creating the scan, increase "how long each scan occurrence will run"
  2. Reduce scope: Scan specific directories instead of entire drive
  3. Lower aggressiveness or raise the CPU cap: Higher levels do more analysis per file, so either give them a higher Maximum CPU Utilization or accept a longer window
  4. Schedule during off-hours: Reduce resource contention

Scan Runs But Finds Nothing (Suspected False Negative)

Symptoms: Known test files not detected, or post-incident scan shows no threats

Solutions:

  1. Verify cloud connectivity: Scans require cloud analysis for full effectiveness
  2. Check sensor version: Update to latest sensor version for newest detections
  3. Increase aggressiveness: Try Aggressive or Extra Aggressive for suspicious cases
  4. Review exclusions: Ensure excluded paths don't contain threats

High False Positive Rate

Symptoms: Legitimate applications flagged as threats

Solutions:

  1. Add targeted exclusions: Create path or hash exclusions for known-good files
  2. Lower aggressiveness: Reduce to Moderate or Cautious
  3. Submit false positive: Use the Falcon Console to report false detections to CrowdStrike
  4. Review before quarantine: On critical systems run the scan with quarantine disabled so detections are reviewed by an analyst before any file is removed; quarantine once the results are understood

Scan Causing System Performance Issues

Symptoms: Endpoint becomes slow or unresponsive during scan

Solutions:

  1. Lower CPU utilization: Set to Low (up to 25%) in scan settings
  2. Schedule during off-hours: Run scans outside business hours
  3. Enable user pause: Allow end users to temporarily pause scans
  4. Exclude performance-critical paths: Add exclusions for database files, VMs, etc.

Common Use Cases

Post-Malware Incident Scan

After detecting and remediating malware, run a verification scan:

  1. Set aggressiveness to Aggressive or Extra Aggressive
  2. Target the affected host specifically
  3. Include the entire system drive
  4. Review results for any remaining artifacts
  5. Check related hosts in the same network segment

Compliance Scanning

For regulatory compliance (PCI DSS, HIPAA, etc.):

  1. Create a recurring scan (weekly recommended)
  2. Use Moderate aggressiveness for balance
  3. Target all endpoints in compliance scope
  4. Export scan reports for audit documentation
  5. Document any exclusions with business justification

Pre-Deployment Baseline

Before deploying new systems or images:

  1. Scan the golden image or template
  2. Use Aggressive settings for thorough analysis
  3. Document scan results as baseline
  4. Re-scan after any image updates

Best Practices for On-Demand Scans

  • Use Scheduled Scans for Routine Security Checks – Automate scanning for continuous protection.
  • Select Specific File Paths When Possible – Reduces scan duration and system impact.
  • Balance Detection Sensitivity & Performance – Use Moderate settings unless dealing with an active threat.
  • Monitor Falcon Console for Scan Results – Check Activity > Detections for scan findings.
  • Document Scan Exceptions – Keep records of why certain paths are excluded.
  • Test Scan Settings – Run scans on test systems before organization-wide deployment.

Frequently Asked Questions

How do I exclude specific file paths from an on-demand scan?

Exclusions are set in the same place as the scan's included paths: after choosing targets in the On-Demand Scans configuration, add each path to exclude using the same glob syntax. To skip everything under C:\Users\Public\Temporary, enter C:\Users\Public\Temporary\* (with the trailing separator; C:\Users\Public\Temporary* would also match sibling folders such as C:\Users\Public\TemporaryFiles). Exclusions shorten the scan and avoid noise from known-good data sets, but anything excluded is not inspected, so keep the list short and document the reason for each entry.
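Both the path selection in Step 3 and the exclusion question above come down to the same thing: which files end up in scope once the include and exclude globs are combined. The following is an added example for this guide, not part of the page or of CrowdStrike's tooling, that checks a set of patterns offline against a constructed list of paths and flags an exclusion that swallows an entire include (the "Review exclusions" pitfall under Scan Runs But Finds Nothing). It assumes patterns match case-insensitively against the full path and that `*` may span directory separators, which is how the page's own examples read; use Test Pattern in the console if your patterns rely on finer semantics than that.

```python
"""Added example, not CrowdStrike's tooling: offline check of on-demand scan
include/exclude globs. Assumes case-insensitive matching against the full path
with '*' spanning separators, as the page's examples imply."""
import fnmatch


def _norm(path):
    """Windows paths: one separator style, case folded."""
    return path.replace("/", "\\").lower()


def matches(path, pattern):
    return fnmatch.fnmatchcase(_norm(path), _norm(pattern))


def in_scope(path, includes, excludes):
    """A path is scanned if some include matches it and no exclude does.
    No include patterns at all means the whole host, as in the console."""
    included = not includes or any(matches(path, i) for i in includes)
    excluded = any(matches(path, e) for e in excludes)
    return included and not excluded


def scope_report(paths, includes, excludes):
    """Split a list of paths into (scanned, skipped) for the given patterns."""
    scanned = [p for p in paths if in_scope(p, includes, excludes)]
    skipped = [p for p in paths if p not in scanned]
    return scanned, skipped


def overbroad_exclusions(includes, excludes):
    """Return exclude patterns that cover an entire include pattern, i.e. the
    scan would have nothing left to look at under that include."""
    bad = []
    for exc in excludes:
        if any(matches(inc, exc) for inc in includes):
            bad.append(exc)
    return bad


# Constructed sample paths; not taken from any real host.
SAMPLE_PATHS = [
    r"C:\Users\Public\Downloads\invoice.exe",
    r"C:\Users\Public\Temporary\dropper.dll",
    r"C:\Users\Public\TemporaryFiles\report.docx",
    r"C:\Windows\System32\svchost.exe",
]
INCLUDES = [r"C:\Users\Public\*"]               # the Step 3 example
EXCLUDES = [r"C:\Users\Public\Temporary\*"]     # the FAQ folder, separator included

if __name__ == "__main__":
    scanned, skipped = scope_report(SAMPLE_PATHS, INCLUDES, EXCLUDES)
    print("scanned:", *scanned, sep="\n  ")
    print("skipped:", *skipped, sep="\n  ")
    print("over-broad exclusions:", overbroad_exclusions(INCLUDES, EXCLUDES))
```

Run against the sample, the Downloads and TemporaryFiles paths are scanned and the Temporary and System32 paths are skipped; swapping the exclusion for `C:\Users\Public\Temporary*` also drops TemporaryFiles, which is the difference the FAQ warns about. `overbroad_exclusions` catches the case where an exclusion such as `C:\Users\*` sits above the include and leaves the scan with an empty scope.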
