CrowdStrike Response to Windows Hosts Issue
CrowdStrike issued an update regarding a defect found in a recent content update for Windows hosts, clarifying that Mac and Linux systems remain unaffected. This incident was not a result of a cyberattack. The company has identified the problem, isolated the defective content, and deployed a fix. CrowdStrike is urging customers to stay informed through the support portal and official channels.
CrowdStrike’s team is working tirelessly to restore security and stability for all affected customers. They emphasized that their Falcon platform continues to operate normally, ensuring protection remains uncompromised for systems where the Falcon sensor is installed. If systems are functioning correctly, no action is required as their protection is intact.
The company provided a detailed update on the issue. Some Windows hosts experienced crashes, specifically a bugcheck or blue screen error, related to the Falcon sensor loading the defective content. Hosts that were not affected by the problematic content do not require any action, since the faulty channel file has been reverted. Hosts brought online after 0527 UTC are also not impacted. The problematic channel file, identified as “C-00000291*.sys” with a timestamp of 0409 UTC, has been replaced by a corrected version with a timestamp of 0527 UTC or later.
To address ongoing issues, CrowdStrike’s engineering team reverted the problematic content deployment. For hosts still crashing and therefore unable to receive the reverted channel file, a set of workaround steps is recommended. The first step is to reboot the host, preferably on a wired network rather than Wi-Fi, so that it gains internet connectivity sooner and has a chance to download the corrected channel file before the crash recurs. If crashes persist, users should boot Windows into Safe Mode or the Windows Recovery Environment, navigate to the CrowdStrike directory, and delete the faulty channel file.
In virtual environments or public clouds, two main recovery options are suggested. One involves detaching the operating system disk volume from the affected virtual server, creating a backup, attaching the volume to a new server, deleting the problematic file, and reattaching the fixed volume. Alternatively, rolling back to a snapshot taken before 0409 UTC is recommended.
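The following PowerShell script is an added example, not CrowdStrike's own tooling or the text of its guidance. It automates the check behind the two workarounds above: it finds every channel file matching the page's pattern `C-00000291*.sys`, compares each file's timestamp against the time of the corrected content, and reports (or, with `-Remove`, deletes) copies that predate it. Two details are assumptions that the page does not state: that the sensor's channel files live under `<WindowsRoot>\System32\drivers\CrowdStrike`, and that the 0527 UTC cutoff fell on 2024-07-19 (the page gives only the time of day). The `-WindowsRoot` parameter exists so the same check can be run against a crashed VM's OS volume after it has been attached to a recovery server.

```powershell
<#
  Added example (not CrowdStrike's tooling): locate C-00000291*.sys channel files and
  report or remove those whose timestamp predates the corrected content.
  Runs as a dry run by default; pass -Remove (optionally with -WhatIf) to delete.
  Assumptions not stated on the page:
    - channel files live under <WindowsRoot>\System32\drivers\CrowdStrike
    - the corrected content was published 2024-07-19 05:27 UTC
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Windows installation to inspect. Point this at another drive letter when the
    # OS disk of an affected VM has been attached to a recovery server.
    [string]$WindowsRoot = "$env:SystemDrive\Windows",

    # Assumed timestamp of the corrected channel file (page states 0527 UTC only).
    [datetime]$FixedContentTimeUtc = [datetime]::SpecifyKind(
        [datetime]'2024-07-19T05:27:00', [System.DateTimeKind]::Utc),

    # Without this switch the script only reports what it finds.
    [switch]$Remove
)

$driverDir = Join-Path $WindowsRoot 'System32\drivers\CrowdStrike'   # assumed location
if (-not (Test-Path -LiteralPath $driverDir)) {
    Write-Warning "CrowdStrike driver directory not found: $driverDir"
    return
}

# Only the channel file named in the advisory is of interest; leave everything else alone.
$candidates = Get-ChildItem -LiteralPath $driverDir -Filter 'C-00000291*.sys' -File
if (-not $candidates) {
    Write-Host "No C-00000291*.sys channel files present in $driverDir; nothing to do."
    return
}

foreach ($file in $candidates) {
    $stamp = $file.LastWriteTimeUtc
    $isDefective = $stamp -lt $FixedContentTimeUtc
    $status = if ($isDefective) { 'DEFECTIVE (predates corrected content)' }
              else               { 'OK (corrected content)' }
    Write-Host ("{0}  {1:yyyy-MM-dd HH:mm:ss} UTC  {2}" -f $file.Name, $stamp, $status)

    if ($isDefective -and $Remove) {
        # ShouldProcess honours -WhatIf / -Confirm so the deletion can be rehearsed first.
        if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete defective channel file')) {
            Remove-Item -LiteralPath $file.FullName -Force
            Write-Host "Removed $($file.FullName); reboot normally so the sensor downloads the corrected file."
        }
    }
}
```

Run it first without `-Remove` to see what it would touch, then with `-Remove -WhatIf`, and only then with `-Remove`. Two caveats: the file system's last-write time is only a proxy for the content timestamp the advisory refers to, so a file that was copied or restored from backup may carry a misleading date and should be judged by the advisory's timestamps rather than by this script alone; and the Windows Recovery Environment does not include PowerShell by default, so there the same check and deletion are done by hand, while Safe Mode and an attached-volume recovery host can run the script as written.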
For AWS-specific recovery, CrowdStrike provides guidance on recovering affected resources. Microsoft Azure environments can follow specific instructions provided by Microsoft. Additionally, users can retrieve the BitLocker Recovery Key from the Workspace ONE portal, and manage Windows encryption through Tanium, Citrix, or other specified platforms. Detailed recovery procedures for various environments, including Microsoft Azure, SCCM, Active Directory, Ivanti Endpoint Manager, and IBM BigFix, are available through linked articles.
CrowdStrike reassures customers that this issue does not impact the overall functionality of their Falcon platform. The incident only affected a single content update for Windows hosts, and all necessary measures have been taken to rectify the situation. The company’s Falcon Complete and Falcon OverWatch services remain fully operational.
The company remains committed to providing continuous updates and support to its customers. They emphasize the importance of maintaining communication through official channels to ensure accurate information and effective assistance.
CrowdStrike is recognized for its next-generation endpoint protection, threat intelligence, and response services. Their Falcon platform is designed to prevent breaches by addressing both malware and malware-free attacks. Customers are encouraged to stay informed through CrowdStrike’s blog and support portal, where the latest updates and resources are available.
In summary, while the recent defect in the content update for Windows hosts caused significant inconvenience, CrowdStrike has effectively managed the situation by deploying fixes and providing detailed guidance for recovery. Their commitment to customer security and operational integrity remains unwavering.