Updated July 20, 2024 at 5:39 AM
CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This was not a cyberattack.
The issue has been identified, isolated and a fix has been deployed. We are directing customers to our support portal for the latest updates and will continue to provide complete and continuous public updates on our blog.
We further recommend that organizations ensure they are communicating with CrowdStrike representatives through official channels.
Our team is fully mobilized to ensure the security and stability of CrowdStrike customers.
We understand the gravity of the situation and are deeply sorry for any inconvenience or disruption caused. We are working with all impacted customers to get their systems back up and running and to deliver the service they expect.
CrowdStrike is operating normally, and this issue does not affect Falcon platform systems. If your systems are operating normally, there is no impact to their protection even if Falcon sensors are installed.
Below is the latest CrowdStrike technical alert with more information about the issue and workarounds that organizations can take. We will continue to provide updates to our community and the industry as they become available.
Summary
CrowdStrike is aware of reports of crashes on Windows hosts related to the Falcon sensor.
Details
Symptoms include hosts experiencing a bugcheck\blue screen error related to the Falcon sensor. Windows hosts that have not been impacted do not require any action, as the problematic channel file has been reverted. Windows hosts that were brought online after 0527 UTC are also not impacted. This issue does not impact Mac- or Linux-based hosts.
Channel file “C-00000291*.sys” with a timestamp of 0527 UTC or later is the reverted (good) version. Channel file “C-00000291*.sys” with a timestamp of 0409 UTC is the problematic version.
Note: It is normal for multiple “C-00000291*.sys” files to be present in the CrowdStrike directory. As long as one of the files in the folder has a timestamp of 0527 UTC or later, that file is the active content.
Current Action
CrowdStrike engineering has identified the content deployment related to this issue and reverted those changes. If hosts are still crashing and are unable to stay online long enough to receive the channel file changes, you can use the workarounds below.
CrowdStrike is operating normally, and this issue does not affect Falcon Platform systems. If your systems are operating normally, there is no impact to their protection even if Falcon sensors are installed. Falcon Complete and OverWatch services are not interrupted by this incident.
Query to identify impacted hosts via Advanced Event Search
Please refer to this KB article: How to identify hosts possibly impacted by a Windows crash (pdf), or log in to the Support Portal to view it.
Dashboard
Next-Gen SIEM > Dashboards or Investigations > Dashboard Name: hosts_possibly_impacted_by_windows_crashes
Note: Dashboards are not available with the “Live” button.
Auto-recovery articles:
Please see this article: Automatic Recovery from Blue Screen on Windows Instances on GCP (pdf), or log in to the Support Portal to view it.
Workaround steps for individual hosts:
1. Reboot the host to give it an opportunity to download the reverted channel file. It is strongly recommended to put the host on a wired network (as opposed to WiFi) prior to rebooting, as the host will acquire internet connectivity considerably faster via Ethernet.
2. If the host crashes again, then:
   a. Boot Windows into Safe Mode or the Windows Recovery Environment. Note: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help with remediation.
   b. Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory. Windows Recovery defaults to X:\windows\system32. First navigate to the correct partition (default is C:) and then navigate to the CrowdStrike directory:
      C:
      cd windows\system32\drivers\crowdstrike
      Note: In WinRE/WinPE, navigate to the Windows\System32\drivers\CrowdStrike directory on the OS volume.
   c. Locate the file matching “C-00000291*.sys” and delete it. Do not delete or modify any other files or folders.
   d. Cold boot the host: shut down the host, then start the host from an off state.
Note: BitLocker-encrypted hosts may require a recovery key.
Workaround steps for public cloud or similar environments, including virtual:
Option 1:
1. Detach the operating system disk volume from the impacted virtual server.
2. Create a snapshot or backup of the disk volume before proceeding further, as a precaution against unintended changes.
3. Attach/mount the volume to a new virtual server.
4. Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
5. Locate and delete the files matching “C-00000291*.sys”.
6. Detach the volume from the new virtual server.
7. Reattach the fixed volume to the impacted virtual server.
Option 2: Roll back to a snapshot taken before 0409 UTC.
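The following PowerShell script is an added example, not part of CrowdStrike's alert: it audits the channel-file directory for the C-00000291*.sys files described under Details and in the workaround steps above, classifying each by the 0409 UTC (problematic) and 0527 UTC (reverted) boundaries the alert gives, and only deletes the problematic files when run with -Remove. It assumes those times fall on 2024-07-19 (the page gives only the times) and that $ChannelDir is pointed at a mounted OS volume when used for the cloud workaround.

```powershell
# Added example (not CrowdStrike's code): classify C-00000291*.sys channel files
# by UTC timestamp and optionally remove the problematic build. Run elevated.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Directory named in the alert; override it with the path on a mounted OS volume
    [string]$ChannelDir = "$env:WINDIR\System32\drivers\CrowdStrike",
    # Problematic files are deleted only with -Remove (honours -WhatIf / -Confirm)
    [switch]$Remove
)

# Assumption: the 0409 / 0527 UTC stamps in the alert are on 2024-07-19
$badStamp  = [datetime]::new(2024, 7, 19, 4, 9, 0, [DateTimeKind]::Utc)   # problematic build
$goodStamp = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc)  # reverted (good) build

if (-not (Test-Path -LiteralPath $ChannelDir -PathType Container)) {
    throw "Channel directory not found: $ChannelDir"
}

$files = @(Get-ChildItem -LiteralPath $ChannelDir -Filter 'C-00000291*.sys' -File)
if ($files.Count -eq 0) {
    Write-Output "No C-00000291*.sys files present in $ChannelDir"
    return
}

$goodPresent = $false
foreach ($f in $files) {
    $utc = $f.LastWriteTimeUtc
    if ($utc -ge $goodStamp) {
        $state = 'reverted (good)'
        $goodPresent = $true
    } elseif ($utc -ge $badStamp) {
        $state = 'PROBLEMATIC (0409 UTC build)'
        # Only the problematic file is touched; nothing else in the directory is modified
        if ($Remove -and $PSCmdlet.ShouldProcess($f.FullName, 'Delete problematic channel file')) {
            Remove-Item -LiteralPath $f.FullName -Force
            $state += ' - deleted'
        }
    } else {
        $state = 'predates the problematic build'
    }
    Write-Output ('{0,-28} {1:yyyy-MM-dd HH:mm} UTC  {2}' -f $f.Name, $utc, $state)
}

# Per the alert, a file stamped 0527 UTC or later is the active content and no action is needed
if ($goodPresent) { Write-Output 'Reverted channel file present: no action required.' }
else { Write-Output 'No reverted channel file yet: reboot on a wired network so the host can receive it.' }
```

Run it first without -Remove to see the classification; add -Remove -WhatIf to preview deletions before applying them.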
AWS-specific documentation:
Azure environment:
Workspace ONE Portal User Access Recovery Key
Enabling this setting allows users to retrieve their BitLocker recovery key from the Workspace ONE portal without contacting the help desk. To enable recovery keys in the Workspace ONE portal, follow these steps. For more information, see this Omnissa article.