Windows Hosts Falcon Content Update

Statement Regarding Windows Hosts Falcon Content Update,

Customers who were impacted by a flaw discovered in a single Windows host content update are currently receiving assistance from CrowdStrike. Linux and Mac hosts are unaffected. There was no cyberattack here.

Table of Contents

After the problem was located, it was isolated, and a solution was implemented. For the most recent information, we are directing clients to the support site. We will keep our blog updated with comprehensive and frequent public information.

Furthermore, we advise businesses to make sure they are engaging with CrowdStrike agents via authorized means.

To guarantee CrowdStrike customers’ security and stability, our crew has been fully mobilized.

We sincerely apologize for any trouble and disruption caused, and we acknowledge the seriousness of the matter. We are collaborating with all affected clients to guarantee that their systems are restored and they can continue providing the essential services to their clientele.

We reassure our clients that CrowdStrike is up and running and that our Falcon platform systems are unaffected by this problem. Installing the Falcon sensor won’t affect your systems’ protection if they are running normally.

The most recent CrowdStrike Tech Alert, which includes further details regarding the problem and solutions that businesses can use, can be seen below. As more information becomes available, we’ll keep our community and the industry informed.

Summary

Reports of crashes on Windows systems connected to the Falcon sensor have been received by CrowdStrike.

Details

Among the symptoms are hosts reporting a Falcon sensor-related bugcheck\blue screen error.
The affected Windows hosts don’t need to take any action because the problematic channel file has been reversed.

Additionally, Windows hosts that go online after 05:27 UTC won’t be affected.
This problem does not affect hosts running Linux or Mac OS X.
The reversed (good) version is the channel file “C-00000291.sys” with a timestamp of 0527 UTC or later. The faulty version of the channel file “C-00000291.sys” has a timestamp of 0409 UTC.
Note: It is common for the CrowdStrike directory to contain numerous “C-00000291*.sys files.” The active content will be the file in the folder with a timestamp of 0527 UTC or later.

Current Action

The adjustments were undone by CrowdStrike Engineering after they discovered a content deployment connected to the problem.
The workaround procedures listed below can be applied if hosts are still crashing and are unable to stay online in order to receive the Channel File Changes.

Dashboard

There is now a Dashboard that shows Impacted channels, CIDs, and Impacted sensors, just like the query shown above. It’s accessible through the Console menu at any of the following, depending on your subscriptions:

Next-GEN SIEM > Monitor or; Examine > Dashboards
Known as hosts potentially affected by Windows crashes
Note: The “Live” button is not compatible with the Dashboard.

Query to use Advanced Event Search to find affected hosts

Please see this KB article:How to identify hosts possibly impacted by Windows crashes (pdf)orlog in to view in support portal.

Steps to work around for specific hosts:

.To enable the host to download the reversed channel file, reboot it. Before rebooting, we highly advise .connecting the host to a physical network (rather than WiFi), since this will allow the host to establish .internet .connectivity much more quickly.
.Should the host crash once again, then:

.Use the Windows Recovery Environment or Safe Mode to boot Windows.
.NOTE: Safe Mode with Networking and connecting the host to a wired network (as opposed to WiFi) can aid in correction.
.Go to the directory %WINDIR%\System32\drivers\CrowdStrike.
.Windows Recovery uses X:\windows\system32 by default.
.Navigate to the crowdstrike directory after selecting the relevant partition (C:\ by default):

.C:\cd crowdstrike.drivers\windows\system32
.Note: Open the Windows\System32\drivers\CrowdStrike directory on the OS volume when using WinRE or WinPE.

.Find and remove the file that matches “C-00000291*.sys.”
.Never remove or alter another file or folder.
.chilly Take the host off.
.Turn off the host.
.Launch the host in the offline mode.
.Reminder: hosts with BitLocker encryption could need a recovery key.

Steps for a workaround in a public cloud or comparable setting, including virtual:

Option 1:

Separate the operating system disk drive from the affected virtual server

.To avoid inadvertent changes, take a snapshot or backup of the disk volume before continuing.
.Mount or attach the volume to a fresh virtual server.
.Go to the directory %WINDIR%\System32\drivers\CrowdStrike.
.Find and remove the file that matches “C-00000291*.sys.”
.Take the volume out of the newly created virtual server.
.Reinstall the corrected volume on the virtual server that was affected.

Option 2:

.Revert to a snapshot taken prior to 0409 UTC.

Documentation unique to AWS:

How can I get back AWS resources that the CrowdStrike Falcon agent damaged?

Azure settings:

Kindly refer to this Microsoft article.

Use the Workspace ONE Portal’s User Access Recovery Key.

Users do not need to contact the HelpDesk for assistance when this setting is enabled because they may retrieve the BitLocker Recovery Key via the Workspace ONE portal. Proceed with the following procedures to activate the recovery key through the Workspace ONE interface. For additional details, kindly refer to this Omnissa article.

Tanium is used to manage Windows encryption.

For more details, please refer to this article about tantalum.

Citrix Bitlocker recovery

For further details, kindly refer to this Citrix article.

RevisionTechnology remediation guide for Intel vPro®

For additional details, kindly refer to this Intel article.