
Falcon Content Update Remediation and Guidance Hub


Last updated: 2024-07-23 0740 UTC

Updated 2024-07-22 2237 UTC

CrowdStrike tested a remediation update that was deployed on Friday, July 19, 2024 at 05:27 UTC. This update improved our host remediation capabilities. We encourage customers to follow our Tech Alerts to stay informed of the latest updates.

We have published a video outlining the steps required to self-remediate an affected remote Windows laptop.

We will continue to provide updates here as information becomes available and new fixes are deployed.

CrowdStrike is actively assisting customers who were affected by the recent content update defect on Windows hosts. Mac and Linux hosts were not affected. The issue was identified, isolated, and a fix was deployed. This was not a cyberattack.

We encourage customers to check our support portal for updates, and we will continue to provide updates here and on our blog as they become available. We encourage organizations to ensure they are in contact with CrowdStrike representatives through official channels.

CrowdStrike is operating normally and this issue does not impact Falcon platform systems. If your system is operating normally, protection is not affected if Falcon sensors are installed.

We understand the seriousness of this situation and sincerely apologize for any inconvenience or disruption it may have caused. Our teams are committed to ensuring the security and stability of CrowdStrike customers.

Statement from the CEO

Date sent 2024-07-19 1930 UTC

Dear valued customers and partners,

I want to personally and sincerely apologize to you for the outage you experienced. Everyone at CrowdStrike understands the severity and impact of this situation. We were able to quickly identify the issue, apply a fix, and focus on restoring our customers’ systems as our top priority.

This outage is attributable to a defect found in a Falcon content update for Windows hosts. Mac and Linux hosts are not affected. This is not a cyberattack.

We are working closely with affected customers and partners to ensure that all systems are restored and we can provide the services you depend on.

CrowdStrike is operating normally and this issue does not impact Falcon Platform systems. If Falcon sensors are installed, protection is unaffected. Falcon Complete and Falcon OverWatch services are not interrupted.

We will provide ongoing updates via our support portal: https://supportportal.crowdstrike.com/s/login/.

CrowdStrike is committed to helping you and your team, so if you have any questions or need additional support, please contact your CrowdStrike representative or technical support.

We know that adversaries and malicious actors will try to exploit events such as these, so we urge everyone to remain vigilant and stay in contact with official CrowdStrike representatives. Our blog and technical support will continue to be the official channels for updates.

Nothing matters to me more than the trust and confidence our customers and partners have in CrowdStrike, and as we resolve this incident, I’m committed to providing full transparency about how this issue occurred and the steps we’re taking to ensure that this never happens again.

George Kurtz

Founder and CEO of CrowdStrike

Technical details

Technical details about the outage can be found here. Read the blog

Published: 2024-07-20 0100 UTC

CrowdStrike is operating normally and assures customers that this issue does not impact Falcon platform systems. If your system is operating normally, protection is not affected if the Falcon Sensor is installed. Falcon Complete and OverWatch services are not interrupted by this incident.

CrowdStrike determined that the cause of this issue was the deployment of Windows sensor-related content and has reverted those changes. The content is channel files located in the %WINDIR%\System32\drivers\CrowdStrike directory.

Channel files “C-00000291*.sys” with timestamps later than 2024-07-19 0527 UTC are the reverted (good) versions.

The affected version is the channel file “C-00000291*.sys” with a timestamp of 2024-07-19 0409 UTC.

NOTE: It is normal for multiple “C-00000291*.sys” files to be present in the CrowdStrike directory. If one of the files in the folder has a timestamp later than 05:27 UTC, it will be the active content.

Symptoms include hosts experiencing bugcheck/blue screen errors related to the Falcon Sensor.

For unaffected Windows hosts, the affected channel file has been reverted and no action is required.

Unaffected Hosts

Windows hosts that were brought online after 2024-07-19 0527 UTC are not affected.

Windows hosts that were installed and provisioned after 2024-07-19 0527 UTC are not affected.

Updated 2024-07-21 1435 UTC

This issue does not affect Mac or Linux based hosts.

How do I identify affected hosts?

How can I identify affected hosts using advanced event search queries?
Updated 2024-07-22 0139 UTC

The queries used in the dashboards are listed at the bottom of the appropriate dashboard guide.

How do I identify affected hosts through the Dashboard?
Updated 2024-07-23 0217 UTC

An updated, detailed dashboard is available showing Windows hosts affected by the content update defects described in this technical alert. See Detailed Status Dashboard Identifying Windows Hosts Affected by Content Issues (v8.6) (pdf) or log in to the Support Portal to view it. Note that the queries used in the dashboard are listed at the bottom of the applicable dashboard guide.

If your host continues to crash and is unable to stay online to receive channel file updates, you can use the remediation steps below.

How do I remediate an individual host?
Updated 2024-07-21 0932 UTC

Reboot the host so it can receive the reverted channel files. We strongly recommend connecting the host to a wired network (not WiFi) before rebooting, as the host gets a much faster internet connection over Ethernet.

If the host crashes again on reboot:

Updated 2024-07-22 1758 UTC

Option 1: Create an automated recovery ISO with drivers

Follow the steps for creating a Falcon Windows host recovery ISO in this guide (PDF) or log in to view it in the Support Portal.

Updated 2024-07-23 0740 UTC

Note: BitLocker-encrypted hosts may require a recovery key.

Option 2: Manual process

Watch the following video on CrowdStrike host self-remediation for remote users. Follow the steps in the video if instructed to do so by your organization’s IT department.

Updated 2024-07-22 1510 UTC

Or, see this Microsoft article for detailed instructions.

Note: BitLocker-encrypted hosts may require a recovery key.

How do I recover my BitLocker key?
Updated 2024-07-21 1810 UTC

How to recover cloud-based environment resources

Cloud Environment Guidance

Amazon

AWS Article

Azure

Microsoft article

Google

Updated 2024-07-22 1758 UTC

Public Cloud/Virtual Environment

Option 1:

1. Detach the operating system disk volume from the affected virtual server.
2. As a precaution against unexpected changes, take a snapshot or backup of the disk volume before proceeding.
3. Attach/mount the volume to a new virtual server.
4. Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
5. Find and delete files matching “C-00000291*.sys”.
6. Detach the volume from the new virtual server.
7. Reattach the fixed volume to the affected virtual server.
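One way to apply the timestamp rule from the technical details to the mounted volume in Option 1, shown as an added example that is not CrowdStrike tooling. The parameter names, the `E:\Windows` mount path mentioned in the comment, and the use of each file's last-write time as its "timestamp" are assumptions.

```powershell
# Added example (not CrowdStrike tooling). Report-only unless -Remove is given.
param(
    # Windows directory to inspect. For a detached OS disk mounted on a helper
    # server this could be 'E:\Windows' (hypothetical drive letter).
    [string]$WindowsRoot = $env:WINDIR,
    # Delete every matching channel file, as the manual step in Option 1 does.
    [switch]$Remove
)

# Cut-over time stated on the page (UTC).
$RevertedAfter = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc)

function Get-ChannelFileStatus {
    param([Parameter(Mandatory)][datetime]$StampUtc)
    # Assumption: the page's "0409 UTC" timestamp is matched at minute precision.
    if ($StampUtc.ToString('yyyyMMddHHmm') -eq '202407190409') { return 'AFFECTED' }
    if ($StampUtc -gt $RevertedAfter) { return 'REVERTED (good)' }
    # Anything else is a timestamp the page does not classify.
    return 'OTHER'
}

$dir = Join-Path $WindowsRoot 'System32\drivers\CrowdStrike'
if (-not (Test-Path -LiteralPath $dir)) {
    Write-Warning "No CrowdStrike driver directory found at $dir"
    return
}

# Several C-00000291*.sys files can legitimately coexist, so list them all.
$files = @(Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File)
$report = foreach ($f in $files) {
    [pscustomobject]@{
        Name         = $f.Name
        LastWriteUtc = $f.LastWriteTimeUtc.ToString('u')
        Status       = Get-ChannelFileStatus -StampUtc $f.LastWriteTimeUtc
    }
}
$report | Sort-Object LastWriteUtc | Format-Table -AutoSize

$affected = @($report | Where-Object { $_.Status -eq 'AFFECTED' })
Write-Host ("{0} matching file(s), {1} with the affected timestamp" -f $files.Count, $affected.Count)

if ($Remove -and $files.Count -gt 0) {
    # Mirrors "Find and delete files matching C-00000291*.sys".
    $files | Remove-Item -Verbose
}
```

Run it without `-Remove` first and keep the printed table with the snapshot taken in step 2 as a record of what was on the volume.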

Option 2:

Roll back to a snapshot from before 2024-07-19 0409 UTC.

Third Party Vendor Information
Updated 2024-07-20 2259 UTC

Watch the video now

Additional resources


