CrowdStrike is actively working with customers affected by a defect in a recent content update for Windows hosts. Mac and Linux hosts are not impacted. This was not a cyberattack.


The issue has been identified, isolated, and fixed. We direct customers to the support portal for the latest updates and will provide ongoing public updates on our blog.

We recommend organizations communicate with CrowdStrike representatives through official channels.

Our team is fully mobilized to ensure the security and stability of CrowdStrike customers.

We understand the gravity of the situation and deeply regret the inconvenience and disruption caused. We are working with all impacted customers to ensure systems are restored so they can deliver the services their customers rely on.

We assure our customers that CrowdStrike is operating normally, and this issue does not affect our Falcon platform systems. If your systems are operating normally, there is no impact on their protection if the Falcon sensor is installed.

Below is the latest CrowdStrike Tech Alert with more information about the issue and workaround steps organizations can take. We will continue to provide updates to our community and the industry as they become available.

Summary

CrowdStrike is aware of reports of crashes on Windows hosts related to the Falcon sensor. View the Tech Alert (pdf) or log in to view in the support portal.



Details

Symptoms include hosts experiencing a bugcheck/blue screen error related to the Falcon sensor.

  • Windows hosts not impacted do not require any action as the problematic channel file has been reverted.
  • Windows hosts brought online after 0527 UTC will also not be impacted.
  • This issue does not impact Mac or Linux hosts.
  • The channel file "C-00000291*.sys" with a timestamp of 0527 UTC or later is the reverted (good) version.
  • The channel file "C-00000291*.sys" with a timestamp of 0409 UTC is the problematic version.
  • It is normal for multiple "C-00000291*.sys" files to be present in the CrowdStrike directory; as long as one file has a timestamp of 0527 UTC or later, that will be the active content.

Current Action

CrowdStrike Engineering has identified a content deployment related to this issue and reverted those changes. If hosts are still crashing and unable to stay online to receive the channel file changes, the workaround steps below can be used.

We assure our customers that CrowdStrike is operating normally, and this issue does not affect our Falcon platform systems. If your systems are operating normally, there is no impact on their protection if the Falcon sensor is installed. Falcon Complete and OverWatch services are not disrupted by this incident.

Query to Identify Impacted Hosts via Advanced Event Search

Please see this KB article: How to identify hosts possibly impacted by Windows crashes (pdf) or log in to view in the support portal.

Dashboard

Similar to the above-referenced query, a dashboard is now available that displays impacted channels and CIDs and impacted sensors. Depending on your subscriptions, it’s available in the console menu at either:

  • Next-GEN SIEM > Dashboard; or
  • Investigate > Dashboards

The dashboard is named hosts_possibly_impacted_by_windows_crashes.

Note: The dashboard cannot be used with the “Live” button.

Automated Recovery Articles

Please see this article: Automated Recovery from Blue Screen on Windows Instances in GCP (pdf) or log in to view in the support portal.

Workaround Steps for Individual Hosts

  1. Reboot the host to give it an opportunity to download the reverted channel file. We strongly recommend putting the host on a wired network (as opposed to WiFi) prior to rebooting as the host will acquire internet connectivity considerably faster via ethernet.
  2. If the host crashes again, then:
    • Boot Windows into Safe Mode or the Windows Recovery Environment.
    • Note: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.
    • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
    • Windows Recovery defaults to X:\windows\system32.
    • Navigate to the appropriate partition first (default is C:), and navigate to the CrowdStrike directory:
      C:
      cd windows\system32\drivers\crowdstrike
    • Note: On WinRE/WinPE, navigate to the Windows\System32\drivers\CrowdStrike directory of the OS volume.
    • Locate the file matching “C-00000291*.sys” and delete it.
    • Do not delete or change any other files or folders.
    • Cold Boot the host:
      • Shut down the host.
      • Start the host from the off state.
    • Note: BitLocker-encrypted hosts may require a recovery key.

Workaround Steps for Public Cloud or Similar Environment Including Virtual

Option 1:

  1. Detach the operating system disk volume from the impacted virtual server.
  2. Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes.
  3. Attach/mount the volume to a new virtual server.
  4. Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
  5. Locate the file matching “C-00000291*.sys” and delete it.
  6. Detach the volume from the new virtual server.
  7. Reattach the fixed volume to the impacted virtual server.
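
The timestamp rules from the Details section and steps 4 and 5 of Option 1, as an added PowerShell example to run on the new virtual server (not part of the Tech Alert and not CrowdStrike tooling). The script name Check-ChannelFile291.ps1 and the parameters -OsVolume, -IncidentDateUtc and -Remove are hypothetical; the alert gives only times of day, so the operator supplies the date of the content update.

```powershell
# Check-ChannelFile291.ps1 (hypothetical name) - added example, not vendor code.
# Lists C-00000291*.sys files on an attached OS volume, labels each by the UTC
# timestamps stated in the Tech Alert, and deletes them only when -Remove is given.
# Assumptions: -OsVolume is the drive letter the impacted disk received on this
# server (e.g. 'E:'); -IncidentDateUtc is the date of the content update.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]   $OsVolume,
    [Parameter(Mandatory)][datetime] $IncidentDateUtc,
    [switch] $Remove
)

$dir = "$($OsVolume.TrimEnd('\'))\Windows\System32\drivers\CrowdStrike"
if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
    throw "CrowdStrike driver directory not found: $dir"
}

# Build the comparison points in UTC from the operator-supplied date.
$day      = [datetime]::SpecifyKind($IncidentDateUtc.Date, [DateTimeKind]::Utc)
$badStart = $day.AddHours(4).AddMinutes(9)    # 0409 UTC: problematic version
$badEnd   = $badStart.AddMinutes(1)
$goodFrom = $day.AddHours(5).AddMinutes(27)   # 0527 UTC or later: reverted (good)

$files = Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File |
    Select-Object FullName, LastWriteTimeUtc, @{ Name = 'Status'; Expression = {
        $t = $_.LastWriteTimeUtc
        if     ($t -ge $goodFrom)                     { 'reverted (good)' }
        elseif ($t -ge $badStart -and $t -lt $badEnd) { 'problematic' }
        else                                          { 'other timestamp' }
    } }

# Always show what was found before anything is changed.
$files | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $files) {
        # Step 5: delete files matching the pattern; nothing else is touched.
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete channel file')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
}
```

Run it without -Remove first to review the listing, and take the snapshot from step 2 before running it with -Remove; -WhatIf shows which files would be deleted without deleting them.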

Option 2:

  1. Roll back to a snapshot before 0409 UTC.

AWS-Specific Documentation

How do I recover AWS resources that were affected by the CrowdStrike Falcon agent?

Azure Environments

Please see this Microsoft article.

User Access Recovery Key in the Workspace ONE Portal

When this setting is enabled, users can retrieve the BitLocker Recovery Key from the Workspace ONE portal without needing to contact the HelpDesk for assistance. To turn on the recovery key in the Workspace ONE portal, follow the next steps. Please see this Omnissa article for more information.

Windows Encryption Management via Tanium

Please see this Tanium article for more information.

BitLocker Recovery via Citrix

Please see this Citrix article for more information.

BitLocker Recovery-Related KBs

  • BitLocker recovery in Microsoft Azure (pdf) or log in to view in support portal.
  • BitLocker recovery in Microsoft environments using SCCM (pdf) or log in to view in support portal.
  • BitLocker recovery in Microsoft environments using Active Directory and GPOs (pdf) or log in to view in support portal.
  • BitLocker recovery in Microsoft environments using Ivanti Endpoint Manager (pdf) or log in to view in support portal.
  • BitLocker recovery in Microsoft environments using ManageEngine Desktop Central (pdf) or log in to view in support portal.
  • BitLocker recovery in Microsoft environments using IBM BigFix (pdf) or log in to view in support portal.

Additional Resources

  • Falcon Sensor Content Issue Likely Used to Target CrowdStrike Customers.
  • CrowdStrike and Rubrik Customer Content Update Recovery for Windows Hosts.
  • Standing Strong Together: Cohesity’s Support for CrowdStrike’s Falcon Sensor Updates.