Trending now

Falcon Content Update Remediation and Guidance Hub

7 Min Read

2024-07-21 07:00:02

Contents
Statement from our CEOTechnical DetailsNon-Impacted HostsHow do I Identify Impacted Hosts?How do I Identify Impacted Hosts via Advanced Event Search Query? Updated 2024-07-21 0023 UTCHow do I Identify Impacted Hosts via Dashboard?How do I Remediate Individual Hosts?How do I Recover Bitlocker Keys? Updated 2024-07-20 2259 UTCHow to Recover Cloud-Based Environment ResourcesAWSAzureGCPPublic Cloud/Virtual EnvironmentsThird Party Vendor Information Updated 2024-07-20 2259 UTCAdditional Resources

Updated 2024-07-21 0023 UTC

CrowdStrike is actively assisting customers affected by a defect in a recent content update for Windows hosts. Mac and Linux hosts were not impacted. The issue has been identified and isolated, and a fix has been deployed. This was not a cyberattack.

Customers are advised to check the support portal for updates. We will also continue to provide the latest information here and on our blog as it’s available. We recommend organizations verify they are communicating with CrowdStrike representatives through official channels.

We assure our customers that CrowdStrike is operating normally and this issue does not affect our Falcon platform systems. If your systems are operating normally, there is no impact to their protection if the Falcon sensor is installed.

We understand the gravity of this situation and are deeply sorry for the inconvenience and disruption. Our team is fully mobilized to ensure the security and stability of CrowdStrike customers.

Statement from our CEO

Sent 2024-07-19 1930 UTC

Valued Customers and Partners,

I want to sincerely apologize directly to all of you for the outage. All of CrowdStrike understands the gravity and impact of the situation. We quickly identified the issue and deployed a fix, allowing us to focus diligently on restoring customer systems as our highest priority.

The outage was caused by a defect found in a Falcon content update for Windows hosts. Mac and Linux hosts are not impacted. This was not a cyberattack.

We are working closely with impacted customers and partners to ensure that all systems are restored, so you can deliver the services your customers rely on.

CrowdStrike is operating normally, and this issue does not affect our Falcon platform systems. There is no impact to any protection if the Falcon sensor is installed. Falcon Complete and Falcon OverWatch services are not disrupted.

We will provide continuous updates through our Support Portal at https://supportportal.crowdstrike.com/s/login/.

We have mobilized all of CrowdStrike to help you and your teams. If you have questions or need additional support, please reach out to your CrowdStrike representative or Technical Support.

We know that adversaries and bad actors will try to exploit events like this. I encourage everyone to remain vigilant and ensure that you’re engaging with official CrowdStrike representatives. Our blog and technical support will continue to be the official channels for the latest updates.

Nothing is more important to me than the trust and confidence that our customers and partners have put into CrowdStrike. As we resolve this incident, you have my commitment to provide full transparency on how this occurred and steps we’re taking to prevent anything like this from happening again.

George Kurtz

CrowdStrike Founder and CEO

Technical Details

  • Technical Details on the outage can be found here: Read the blog Published 2024-07-19 0100 UTC
  • We assure our customers that CrowdStrike is operating normally and this issue does not affect our Falcon platform systems. If your systems are operating normally, there is no impact to their protection if the Falcon Sensor is installed. Falcon Complete and Overwatch services are not disrupted by this incident.
  • CrowdStrike has identified the trigger for this issue as a Windows sensor related content deployment and we have reverted those changes. The content is a channel file located in the %WINDIR%\System32\drivers\CrowdStrike directory.
    • Channel file “C-00000291*.sys” with timestamp of 2024-07-19 0527 UTC or later is the reverted (good) version.
    • Channel file “C-00000291*.sys” with timestamp of 2024-07-19 0409 UTC is the problematic version.
    • Note: It is normal for multiple “C-00000291*.sys files to be present in the CrowdStrike directory – as long as one of the files in the folder has a timestamp of 05:27 UTC or later, that will be the active content.
  • Symptoms include hosts experiencing a bugcheck\blue screen error related to the Falcon Sensor.
  • Windows hosts which have not been impacted do not require any action as the problematic channel file has been reverted.

Non-Impacted Hosts

  • Windows hosts which are brought online after 2024-07-19 0527 UTC will not be impacted
  • This issue is not impacting Mac- or Linux-based hosts

How do I Identify Impacted Hosts?

How do I Identify Impacted Hosts via Advanced Event Search Query? Updated 2024-07-21 0023 UTC

Please see this KB article: How to identify hosts possibly impacted by Windows crashes (pdf) or log in to view in support portal.

How do I Identify Impacted Hosts via Dashboard?

A Dashboard is available that displays impacted channels and CIDs and impacted sensors. Depending on your subscriptions, it’s available in the Console menu at either:

  • Next-Gen SIEM > Log management > Dashboard, or;
  • Investigate > Dashboards
  • ​​Named as: Hosts_possibly_impacted_by_windows_crashes
    • Note: The Dashboard cannot be used with the “Live” button

If hosts are still crashing and unable to stay online to receive the Channel File update, the remediation steps below can be used.

How do I Remediate Individual Hosts?

  • Reboot the host to give it an opportunity to download the reverted channel file. We strongly recommend putting the host on a wired network (as opposed to WiFi) prior to rebooting as the host will acquire internet connectivity considerably faster via ethernet.
  • If the host crashes again on reboot, please see this Microsoft article for detailed steps.
    • Note: Bitlocker-encrypted hosts may require a recovery key.

How do I Recover Bitlocker Keys? Updated 2024-07-20 2259 UTC

How to Recover Cloud-Based Environment Resources

Cloud Environment Guidance

AWS

 AWS article

Azure

 Microsoft article

GCP

 (PDF) or log in to view in the support portal

Public Cloud/Virtual Environments

Option 1:

  • ​​​​​​​Detach the operating system disk volume from the impacted virtual server
  • Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes
  • Attach/mount the volume to to a new virtual server
  • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
  • Locate the file matching “C-00000291*.sys”, and delete it
  • Detach the volume from the new virtual server
  • Reattach the fixed volume to the impacted virtual server

Option 2:

  • ​​​​​​​Roll back to a snapshot before 2024-07-19 0409 UTC

Third Party Vendor Information Updated 2024-07-20 2259 UTC

Additional Resources

You Might Also Like

Purdue basketball freshman Daniel Jacobsen injured vs Northern Kentucky

Rashida Jones honors dad Quincy Jones with heartfelt tribute: ‘He was love’

Nosferatu Screening at Apollo Theatre Shows Student Interest in Experimental Cinema – The Oberlin Review

Cheese sold at Aldi, Market Basket recalled over listeria concerns

Cheese sold at Aldi, Market Basket and more recalled due to listeria worries

TAGGED:
Share This Article
Leave a comment

Stay Connected

Latest News

Kareena Kapoor’s Next Untitled Film With Meghna Gulzar Gets Prithviraj Sukumaran On Board
Entertainment
What Are Adaptogens? Find Out How These 3 Herbs May Help You Tackle Stress Head-On
Health
The new Mac Mini takes a small step towards upgradeable storage
Technology
‘Bored of him’: Rahul Gandhi refrains from criticising PM Modi in Wayanad while campaigning for sister Priyanka
Politics