Statement on Falcon Content Update for Windows Hosts

CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack.

The issue has been identified, isolated and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website.

We further recommend organizations ensure they're communicating with CrowdStrike representatives through official channels.

Our team is fully mobilized to ensure the security and stability of CrowdStrike customers.

Update 9:22am ET, July 19, 2024:

We're working hard to provide comprehensive and continuous updates with our global customers as quickly as possible. Below is the latest CrowdStrike Tech Alert with more information about the issue and workaround steps organizations can take. We'll keep this page updated with new information as it's available.

Summary

  • CrowdStrike is aware of reports of crashes on Windows hosts related to the Falcon Sensor.

Details

  • Symptoms include hosts experiencing a bugcheck\blue screen error related to the Falcon Sensor.
  • Windows hosts which have not been impacted do not require any action as the problematic channel file has been reverted.
  • Windows hosts which are brought online after 0527 UTC will also not be impacted
  • Hosts running Windows 7/2008 R2 are not impacted
  • This issue is not impacting Mac- or Linux-based hosts
  • Channel file “C-00000291*.sys” with timestamp of 0527 UTC or later is the reverted (good) version.
  • Channel file “C-00000291*.sys” with timestamp of 0409 UTC is the problematic version.

Current Action

  • CrowdStrike Engineering has identified a content deployment related to this issue and reverted those changes.
  • If hosts are still crashing and unable to stay online to receive the Channel File Changes, the following steps can be used to work around this issue:

Workaround Steps for individual hosts:

Workaround Steps for public cloud or similar environment including virtual:

Option 1:

  • Detach the operating system disk volume from the impacted virtual server
  • Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes
  • Attach/mount the volume to a new virtual server
  • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
  • Locate the file matching “C-00000291*.sys”, and delete it.
  • Detach the volume from the new virtual server
  • Reattach the fixed volume to the impacted virtual server
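
The PowerShell function below is an added example, not CrowdStrike tooling and not part of the Tech Alert. Run on the new virtual server once the volume is attached, it lists the files matching “C-00000291*.sys” in the mounted volume's CrowdStrike directory and labels each one using the timestamps given under Details; with -Remove it deletes only the files labelled problematic. It assumes that the 0409 and 0527 UTC times fall on July 19, 2024 (the date of this update), that "timestamp" means the file's last-write time, and that the volume is mounted at a hypothetical path such as E:\Windows.

```powershell
# Added example (not CrowdStrike tooling). Function name and parameters are hypothetical.
function Get-ChannelFile291Status {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Windows directory on the attached volume, e.g. 'E:\Windows' (constructed path).
        [Parameter(Mandatory)][string]$WindowsDir,
        # Delete files classified as problematic; combine with -WhatIf for a dry run.
        [switch]$Remove
    )
    $dir = Join-Path $WindowsDir 'System32\drivers\CrowdStrike'
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        throw "CrowdStrike directory not found: $dir"
    }

    # Assumption: both times from the alert are on 2024-07-19 and refer to last-write time.
    $badAt    = [datetime]::new(2024, 7, 19, 4, 9, 0, [System.DateTimeKind]::Utc)
    $goodFrom = [datetime]::new(2024, 7, 19, 5, 27, 0, [System.DateTimeKind]::Utc)

    $files = @(Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File)
    if ($files.Count -eq 0) {
        Write-Warning "No file matching C-00000291*.sys in $dir"
    }

    foreach ($file in $files) {
        $ts = $file.LastWriteTimeUtc   # NTFS stores UTC, so the server's time zone does not matter
        $verdict = if ($ts -ge $goodFrom) {
            'reverted (good)'
        } elseif ($ts -ge $badAt -and $ts -lt $badAt.AddMinutes(1)) {
            'problematic'
        } else {
            'unclassified'             # the alert gives no guidance for other timestamps
        }
        $removed = $false
        if ($Remove -and $verdict -eq 'problematic' -and
            $PSCmdlet.ShouldProcess($file.FullName, 'Delete channel file')) {
            Remove-Item -LiteralPath $file.FullName -Force
            $removed = $true
        }
        [pscustomobject]@{
            Path             = $file.FullName
            LastWriteTimeUtc = $ts
            Verdict          = $verdict
            Removed          = $removed
        }
    }
}

# Dry run against a volume mounted as E: (constructed drive letter):
# Get-ChannelFile291Status -WindowsDir 'E:\Windows' -Remove -WhatIf
```

Files reported as unclassified are left in place for manual review against the steps above.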

Option 2:

  • Roll back to a snapshot before 0409 UTC.

AWS-specific documentation:

Azure environments:

Bitlocker recovery-related KBs:
