CrowdStrike is actively assisting customers affected by a defect in a recent content update for Windows hosts. Mac and Linux hosts are unaffected, and this issue was not caused by a cyberattack.
We have identified and isolated the problem, and a fix has been deployed. Customers can find the latest updates on our support portal and website. We recommend that organizations communicate with CrowdStrike representatives through official channels.
Our team is fully mobilized to ensure the security and stability of CrowdStrike customers.
Updated 9:22 AM ET, July 19, 2024:
We understand the severity of the situation and apologize for the inconvenience and disruption caused. We are working with all affected customers to ensure their systems are restored and operational.
CrowdStrike operations remain normal, and this issue does not impact our Falcon platform systems. If your systems are functioning correctly, there is no impact on their protection if the Falcon Sensor is installed.
CrowdStrike Tech Alert:
Summary: CrowdStrike is aware of Windows hosts experiencing crashes related to the Falcon Sensor.
Details:
- Symptoms include hosts experiencing a bug check/blue screen error due to the Falcon Sensor.
- Windows hosts that have not been impacted do not require any action as the problematic channel file has been reverted.
- Windows hosts brought online after 0527 UTC are not impacted.
- Windows 7/2008 R2 hosts are not affected.
- Mac and Linux hosts are unaffected.
- The good version of the channel file is “C-00000291*.sys” with a timestamp of 0527 UTC or later.
- The problematic version of the channel file is “C-00000291*.sys” with a timestamp of 0409 UTC.
Current Action: CrowdStrike Engineering has reverted the changes related to this issue. For hosts still experiencing crashes and unable to stay online to receive the channel file changes, the following workaround steps can be taken:
Workaround Steps for Individual Hosts:
- Reboot the host to allow it to download the reverted channel file. If the host crashes again, proceed with the following steps:
- Boot Windows into Safe Mode or the Windows Recovery Environment.
- Note: Using a wired network and Safe Mode with Networking can facilitate remediation.
- Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
- Locate and delete the file matching “C-00000291*.sys”.
- Boot the host normally.
- Note: BitLocker-encrypted hosts may require a recovery key.
Workaround Steps for Public Cloud or Similar Environments Including Virtual:
Option 1:
- Detach the operating system disk volume from the impacted virtual server.
- Create a snapshot or backup of the disk volume as a precaution.
- Attach/mount the volume to a new virtual server.
- Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
- Locate and delete the file matching “C-00000291*.sys”.
- Detach the volume from the new virtual server.
- Reattach the fixed volume to the impacted virtual server.
Option 2:
- Roll back to a snapshot before 0409 UTC.
For more information, please refer to our AWS-specific document and continue to monitor our support portal for the latest updates.
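The two workarounds above (deleting the C-00000291*.sys channel file on an individual host booted into Safe Mode or WinRE, and doing the same on an affected OS disk that has been mounted on a second virtual server) come down to one file operation, so the following PowerShell script performs it for both cases. It is an added example written for this page, not a CrowdStrike-supplied tool, and it assumes: it is run from an elevated PowerShell prompt; the -Root parameter points at the Windows directory of the affected volume (the default, $env:WINDIR, is only right when you boot the affected host itself into Safe Mode with Networking; from WinRE or from a recovery VM pass the offline volume's path, for example -Root 'E:\Windows'); and the file's last-write time reflects the 0409 UTC / 0527 UTC timestamps named in the alert, which is an assumption about how the timestamp is exposed. The alert's instruction is simply to delete any file matching the pattern, so if the timestamp check is in doubt, run with -DeleteAll.

```powershell
# Added example for the CrowdStrike channel-file-291 workaround; not CrowdStrike's own script.
# Run elevated. -Root: Windows directory of the AFFECTED volume (default = live %WINDIR%).
# From WinRE or a recovery VM the live %WINDIR% is the rescue environment, so pass the
# offline volume explicitly, e.g. -Root 'E:\Windows'.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Root = $env:WINDIR,
    # Delete every C-00000291*.sys regardless of timestamp (the alert's literal instruction).
    [switch]$DeleteAll
)

$dir = Join-Path $Root 'System32\drivers\CrowdStrike'
if (-not (Test-Path -LiteralPath $dir)) {
    throw "CrowdStrike driver directory not found: $dir (is -Root the affected volume's Windows directory?)"
}

# Per the alert: bad file timestamp 0409 UTC on 2024-07-19; good file 0527 UTC or later.
# ASSUMPTION: the file's last-write time carries that timestamp.
$goodFrom = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc)

$files = @(Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File)
if ($files.Count -eq 0) {
    Write-Host "No C-00000291*.sys in $dir; nothing to delete. Boot normally and let the sensor fetch the reverted file."
    return
}

foreach ($f in $files) {
    $ts = $f.LastWriteTimeUtc
    $isBad = $DeleteAll -or ($ts -lt $goodFrom)
    if ($isBad) {
        if ($PSCmdlet.ShouldProcess($f.FullName, "Delete channel file (timestamp $($ts.ToString('u')))")) {
            Remove-Item -LiteralPath $f.FullName -Force
            Write-Host "Deleted $($f.FullName) [timestamp $($ts.ToString('u'))]"
        }
    } else {
        Write-Host "Keeping $($f.FullName) [timestamp $($ts.ToString('u')) is at/after 0527 UTC]"
    }
}

# Next steps are manual: for an individual host, boot normally (have the BitLocker
# recovery key ready); for a mounted cloud disk, detach it from the recovery VM and
# reattach it to the original instance.
```

Usage: `.\Remove-BadChannelFile.ps1 -Root 'E:\Windows' -WhatIf` first to see what would be removed, then rerun without -WhatIf. On a host that only has the post-0527 UTC file the script makes no change, which matches the alert's statement that unaffected hosts need no action.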