Falcon Content Update Remediation and Guidance Hub

Updated 2024-07-21 0023 UTC

CrowdStrike is actively assisting customers affected by a defect in a recent content update for Windows hosts. Mac and Linux hosts were not impacted. The issue has been identified and isolated, and a fix has been deployed. This was not a cyberattack.

Customers are advised to check the support portal for updates. We will also continue to provide the latest information here and on our blog as it is available. We recommend organizations verify they are communicating with CrowdStrike representatives through official channels.

We assure our customers that CrowdStrike is operating normally and this issue does not affect our Falcon platform systems. If your systems are operating normally, there is no impact to their protection if the Falcon sensor is installed.

We understand the gravity of this situation and are deeply sorry for the inconvenience and disruption. Our team is fully mobilized to ensure the security and stability of CrowdStrike customers.

Statement from our CEO

Sent 2024-07-19 1930 UTC

Valued Customers and Partners,

I want to sincerely apologize directly to all of you for the outage. All of CrowdStrike understands the gravity and impact of the situation. We quickly identified the issue and deployed a fix, allowing us to focus diligently on restoring customer systems as our highest priority.

The outage was caused by a defect found in a Falcon content update for Windows hosts. Mac and Linux hosts are not impacted. This was not a cyberattack.

We are working closely with impacted customers and partners to ensure that all systems are restored, so you can deliver the services your customers rely on.

CrowdStrike is operating normally, and this issue does not affect our Falcon platform systems. There is no impact to any protection if the Falcon sensor is installed. Falcon Complete and Falcon OverWatch services are not disrupted.

We will provide continuous updates through our Support Portal at https://supportportal.crowdstrike.com/s/login/.

We have mobilized all of CrowdStrike to help you and your teams. If you have questions or need additional support, please reach out to your CrowdStrike representative or Technical Support.

We know that adversaries and bad actors will try to exploit events like this. I encourage everyone to remain vigilant and ensure that you are engaging with official CrowdStrike representatives. Our blog and technical support will continue to be the official channels for the latest updates.

Nothing is more important to me than the trust and confidence that our customers and partners have put into CrowdStrike. As we resolve this incident, you have my commitment to provide full transparency on how this occurred and the steps we are taking to prevent anything like this from happening again.

George Kurtz

CrowdStrike Founder and CEO

Technical Details

  • Technical Details on the outage can be found here: Read the blog Published 2024-07-19 0100 UTC
  • We assure our customers that CrowdStrike is operating normally and this issue does not affect our Falcon platform systems. If your systems are operating normally, there is no impact to their protection if the Falcon Sensor is installed. Falcon Complete and OverWatch services are not disrupted by this incident.
  • CrowdStrike has identified the trigger for this issue as a Windows sensor-related content deployment and we have reverted those changes. The content is a channel file located in the %WINDIR%\System32\drivers\CrowdStrike directory.
    • Channel file “C-00000291*.sys” with a timestamp of 2024-07-19 0527 UTC or later is the reverted (good) version.
    • Channel file “C-00000291*.sys” with a timestamp of 2024-07-19 0409 UTC is the problematic version.
    • Note: It is normal for multiple “C-00000291*.sys” files to be present in the CrowdStrike directory. As long as one of the files in the folder has a timestamp of 05:27 UTC or later, that will be the active content.
  • Symptoms include hosts experiencing a bugcheck/blue screen error related to the Falcon Sensor.
  • Windows hosts which have not been impacted do not require any action, as the problematic channel file has been reverted.

Non-Impacted Hosts

  • Windows hosts that are brought online after 2024-07-19 0527 UTC will not be impacted
  • This issue is not impacting Mac- or Linux-based hosts

How do I Identify Impacted Hosts?

How do I Identify Impacted Hosts via Advanced Event Search Query? Updated 2024-07-21 0023 UTC

Please see this KB article: How to identify hosts possibly impacted by Windows crashes (pdf) or log in to view it in the support portal.

How do I Identify Impacted Hosts via Dashboard?

A Dashboard is available that displays impacted channels and CIDs and impacted sensors. Depending on your subscriptions, it is available in the Console menu at either:

  • Next-Gen SIEM > Log management > Dashboard, or;
  • Investigate > Dashboards
  • Named as: Hosts_possibly_impacted_by_windows_crashes
    • Note: The Dashboard cannot be used with the “Live” button

If hosts are still crashing and unable to stay online to receive the Channel File update, the remediation steps below can be used.

How do I Remediate Individual Hosts?

  • Reboot the host to give it an opportunity to download the reverted channel file. We strongly recommend putting the host on a wired network (as opposed to WiFi) prior to rebooting, as the host will acquire internet connectivity considerably faster via ethernet.
  • If the host crashes again on reboot, please see this Microsoft article for detailed steps.
    • Note: BitLocker-encrypted hosts may require a recovery key.

How do I Recover BitLocker Keys? Updated 2024-07-20 2259 UTC

How to Recover Cloud-Based Environment Resources

Cloud Environment Guidance

AWS

AWS article

Azure

Microsoft article

GCP

(PDF) or log in to view in the support portal

Public Cloud/Virtual Environments

Option 1:

  • Detach the operating system disk volume from the impacted virtual server
  • Create a snapshot or backup of the disk volume before proceeding further, as a precaution against unintended changes
  • Attach/mount the volume to a new virtual server
  • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
  • Locate the file matching “C-00000291*.sys”, and delete it
  • Detach the volume from the new virtual server
  • Reattach the fixed volume to the impacted virtual server

Option 2:

  • Roll back to a snapshot before 2024-07-19 0409 UTC
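The following PowerShell function is an added example, not CrowdStrike's own tooling or part of the original hub page. It performs the "locate and delete" step of Option 1 once the impacted OS disk has been attached to a recovery VM, and combines it with the timestamp rule from the Technical Details section: files matching C-00000291*.sys with a timestamp of 2024-07-19 05:27 UTC or later are the reverted (good) version and are kept, anything earlier (the 04:09 UTC build) is removed. Assumptions: the mounted disk is visible as a drive letter (`F` in the usage comment is a placeholder), %WINDIR% on that disk is `\Windows`, and the file's LastWriteTimeUtc is the timestamp the guidance refers to. It supports `-WhatIf` so it can be dry-run before anything is deleted.

```powershell
# Added example (not CrowdStrike code). Assumes the impacted OS disk is attached
# to a recovery VM as drive letter $DriveLetter and that %WINDIR% on that disk
# is \Windows. Cutoff from the guidance above: 2024-07-19 05:27 UTC or later is
# the reverted (good) channel file; the 04:09 UTC build is the problematic one.
function Remove-ProblematicChannelFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$DriveLetter   # e.g. 'F' (placeholder)
    )

    $root = "$($DriveLetter.TrimEnd(':')):\"
    $dir  = Join-Path $root 'Windows\System32\drivers\CrowdStrike'
    if (-not (Test-Path -LiteralPath $dir)) {
        throw "CrowdStrike driver directory not found at $dir (wrong drive letter, or disk not mounted?)"
    }

    # Timestamp at or after which a C-00000291 file is the reverted (good) version.
    $goodCutoff = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc)

    $files = @(Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File)
    if ($files.Count -eq 0) {
        Write-Host "No C-00000291*.sys files present in $dir; nothing to do."
        return
    }

    foreach ($f in $files) {
        $ts = $f.LastWriteTimeUtc    # assumed to be the "timestamp" the guidance means
        if ($ts -ge $goodCutoff) {
            # Keep the reverted build so the host has valid active content after reattach.
            Write-Host ("KEEP   {0}  ({1:u})  reverted/good version" -f $f.Name, $ts)
            continue
        }
        Write-Host ("REMOVE {0}  ({1:u})  pre-revert version" -f $f.Name, $ts)
        # ShouldProcess honours -WhatIf / -Confirm, so a dry run touches nothing.
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete problematic channel file')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
}

# Dry run first: lists what would be kept and deleted without modifying the disk.
# Remove-ProblematicChannelFile -DriveLetter F -WhatIf
# Then the real run, after the precautionary snapshot from Option 1 has been taken:
# Remove-ProblematicChannelFile -DriveLetter F
```

Run it from the recovery VM after the snapshot/backup step and before detaching the volume again. If the output shows only KEEP lines, the disk already carries the reverted content and no deletion is needed; if it shows no files at all, check the drive letter and that the correct disk was attached.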

Third Party Vendor Information Updated 2024-07-20 2259 UTC

Additional Resources
