Statement on Falcon Content Update for Windows Hosts

Statement on Falcon Content Update for Windows Hosts

Revealed 5:49am ET, July 19, 2024

CrowdStrike is actively working with prospects impacted by a defect present in a single content material replace for Home windows hosts. Mac and Linux hosts aren’t impacted. This was not a cyberattack.

The problem has been recognized, remoted and a repair has been deployed. We refer prospects to the assist portal for the newest updates and can proceed to supply full and steady updates on our web site.

We additional advocate organizations guarantee they’re speaking with CrowdStrike representatives by way of official channels.

Our workforce is totally mobilized to make sure the safety and stability of CrowdStrike prospects.

Up to date 1:25pm ET, July 19, 2024:

We perceive the gravity of the state of affairs and are deeply sorry for the inconvenience and disruption. We’re working with all impacted prospects to make sure that programs are again up and so they can ship the companies their prospects are relying on.

We guarantee our prospects that CrowdStrike is working usually and this difficulty doesn’t have an effect on our Falcon platform programs. In case your programs are working usually, there isn’t any influence to their safety if the Falcon Sensor is put in.

Under is the newest CrowdStrike Tech Alert with extra details about the problem and workaround steps organizations can take. We’ll proceed to supply updates to our group and the trade as they change into obtainable.

Abstract

  • CrowdStrike is conscious of experiences of crashes on Home windows hosts associated to the Falcon Sensor.

Particulars

  • Signs embrace hosts experiencing a bugcheckblue display screen error associated to the Falcon Sensor.
  • Home windows hosts which haven’t been impacted don’t require any motion because the problematic channel file has been reverted.
  • Home windows hosts that are introduced on-line after 0527 UTC may even not be impacted
  • Hosts working Home windows 7/2008 R2 aren’t impacted
  • This difficulty just isn’t impacting Mac- or Linux-based hosts
  • Channel file “C-00000291*.sys” with timestamp of 0527 UTC or later is the reverted (good) model.
  • Channel file “C-00000291*.sys” with timestamp of 0409 UTC is the problematic model.
    • Be aware: It’s regular for a number of “C-00000291*.sys recordsdata to be current within the CrowdStrike listing – so long as one of many recordsdata within the folder has a timestamp of 0527 UTC or later, that would be the energetic content material.

Present Motion

  • CrowdStrike Engineering has recognized a content material deployment associated to this difficulty and reverted these modifications.
  • If hosts are nonetheless crashing and unable to remain on-line to obtain the Channel File Adjustments, the workaround steps under can be utilized to handle this difficulty.
  • We guarantee our prospects that CrowdStrike is working usually and this difficulty doesn’t have an effect on our Falcon platform programs. In case your programs are working usually, there isn’t any influence to their safety if the Falcon Sensor is put in. Falcon Full and Overwatch companies aren’t disrupted by this incident.

Question to establish impacted hosts by way of Superior occasion search

Please see this KB article: Methods to establish hosts presumably impacted by Home windows crashes.

Workaround Steps for particular person hosts:

Workaround Steps for public cloud or related surroundings together with digital:

Choice 1:

  • ​​​​​​​Detach the working system disk quantity from the impacted digital server
  • Create a snapshot or backup of the disk quantity earlier than continuing additional as a precaution towards unintended modifications
  • Connect/mount the amount to to a brand new digital server
  • Navigate to the %WINDIRpercentSystem32driversCrowdStrike listing
  • Find the file matching “C-00000291*.sys”, and delete it.
  • Detach the amount from the brand new digital server
  • Reattach the mounted quantity to the impacted digital server

Choice 2:

  • ​​​​​​​Roll again to a snapshot earlier than 0409 UTC.

AWS-specific documentation:

Azure environments:

Consumer Entry to Restoration Key within the Workspace ONE Portal

When this setting is enabled, customers can retrieve the BitLocker Restoration Key from the Workspace ONE portal with out the necessity to contact the HelpDesk for help. To activate the restoration key within the Workspace ONE portal, comply with the subsequent steps. Please see this Omnissa article for extra data.

Bitlocker recovery-related KBs:

Leave a Reply

Your email address will not be published. Required fields are marked *