CrowdStrike Addresses Global Windows Issues
CrowdStrike is actively working with customers affected by a problem found in a recent update for Windows systems. Mac and Linux systems are not affected. This was not a cyberattack.
The issue has been identified, isolated, and a fix has been deployed. CrowdStrike advises customers to check the support portal for the latest updates and will continue to provide regular updates on their blog. They recommend that organizations communicate with CrowdStrike representatives through official channels.
The CrowdStrike team is fully mobilized to ensure the security and stability of their customers. They understand the gravity of the situation and apologize for the inconvenience and disruption caused. They are working with all affected customers to ensure systems are back up and running so they can continue to provide services to their own customers.
CrowdStrike assures customers that the Falcon platform itself is operating normally. Hosts that are running correctly with the Falcon sensor installed remain fully protected; there is no impact on protection.
### Summary
CrowdStrike is aware of reports of crashes on Windows systems related to the Falcon sensor. For more details, view the Tech Alert (pdf) or log in to the support portal.
### Details
- **Symptoms:** Affected hosts experience a bugcheck/blue screen error related to the Falcon sensor.
- **Unaffected Hosts:** Windows systems that have not been impacted do not require any action. The problematic file has been reverted.
- **Future Updates:** Windows systems brought online after 0527 UTC will not be impacted.
- **Other Systems:** Mac and Linux hosts are not affected.
- **Problematic File:** The channel file matching `C-00000291*.sys` with a timestamp of 0409 UTC is the problematic version. The reverted (good) version of the same file has a timestamp of 0527 UTC or later.
### Current Actions
CrowdStrike Engineering identified the problematic update and reverted the changes. If hosts are still crashing, follow the workaround steps below. Falcon Complete and OverWatch services are not disrupted by this incident.
#### Workaround Steps for Individual Hosts:
1. **Reboot the Host:** Reboot to give the host a chance to download the reverted channel file before the faulty one is loaded. Put the host on a wired (Ethernet) network rather than Wi-Fi before rebooting, since it will acquire connectivity considerably faster.
2. **If Crashes Persist:**
- Boot Windows into Safe Mode or the Windows Recovery Environment. If the system drive is protected by BitLocker, have the recovery key available, as it will be required to unlock the volume.
- Navigate to the `%WINDIR%\System32\drivers\CrowdStrike` directory (in the Recovery Environment the system drive may have a different drive letter than it has when booted normally).
- Locate and delete the file matching `C-00000291*.sys`.
- Do not delete or change any other files or folders.
- Cold boot the host by shutting it down and starting it from the off state.
#### Workaround Steps for Public Cloud or Similar Environments:
1. **Detach the OS Disk Volume:**
- Create a snapshot or backup of the disk volume before proceeding.
- Attach/mount the volume to a new virtual server.
- Navigate to the `System32\drivers\CrowdStrike` directory under the Windows directory of the attached volume (for example `E:\Windows\System32\drivers\CrowdStrike`). Do not rely on `%WINDIR%` here: on the new virtual server it expands to that server's own Windows directory, not the mounted volume.
- Locate and delete the file matching `C-00000291*.sys`.
- Detach the volume from the new virtual server and reattach it to the impacted virtual server.
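The two workarounds above perform the same check by hand: find the `C-00000291*.sys` channel file, decide from its timestamp whether it is the faulty 0409 UTC version or the reverted 0527 UTC version, and delete only the faulty one. The following PowerShell script, added here as an illustration and not CrowdStrike's own tooling, automates that check so it can be run from Safe Mode on the affected host or on the recovery virtual server with the impacted disk attached. It assumes the page's "timestamp" refers to the file's last-write time, and, because the page states only the times, it assumes the date 2024-07-19 (the date of this incident) for the cutoff; both the cutoff and the Windows directory are parameters you can override.

```powershell
# Added example, not CrowdStrike code. Lists channel files matching C-00000291*.sys,
# reports their last-write time in UTC, and removes only those written before the
# cutoff (the faulty 0409 UTC version). Files at or after the cutoff are the reverted
# version and are kept. Nothing else in the directory is touched.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Windows directory of the volume to repair. Defaults to the local one (Safe Mode);
    # on a recovery VM pass the mounted volume's path, e.g. -WindowsDir 'E:\Windows'.
    [string]$WindowsDir = $env:WINDIR,

    # ASSUMPTION: the page gives only the times; 2024-07-19 is the date of this incident.
    # Files last written before this instant are treated as the faulty version.
    [datetime]$GoodSinceUtc = [datetime]::new(2024, 7, 19, 5, 27, 0, [System.DateTimeKind]::Utc)
)

$dir = Join-Path $WindowsDir 'System32\drivers\CrowdStrike'
if (-not (Test-Path -LiteralPath $dir)) {
    throw "CrowdStrike driver directory not found: $dir"
}

$files = @(Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File)
if ($files.Count -eq 0) {
    Write-Output "No C-00000291*.sys channel file in $dir; nothing to do."
    return
}

foreach ($f in $files) {
    $written = $f.LastWriteTimeUtc
    if ($written -lt $GoodSinceUtc) {
        Write-Output ('FAULTY  {0}  written {1:yyyy-MM-dd HH:mm} UTC' -f $f.Name, $written)
        # Honors -WhatIf / -Confirm: run with -WhatIf first to see what would be removed.
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove faulty channel file')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
    else {
        Write-Output ('OK      {0}  written {1:yyyy-MM-dd HH:mm} UTC (reverted version, kept)' -f $f.Name, $written)
    }
}
```

Run it from an elevated PowerShell session. A dry run is `.\Remove-FaultyChannelFile.ps1 -WhatIf` (the script name is a hypothetical one chosen here); on a recovery virtual server use `-WindowsDir 'E:\Windows'` with the drive letter the attached volume received. After the faulty file is removed, cold boot the host (or reattach the volume and start the impacted server) so the sensor can download the reverted channel file.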
### Additional Information
For identifying impacted hosts, refer to the KB article: How to identify hosts possibly impacted by Windows crashes (pdf) or log in to the support portal.
A dashboard displaying impacted channels and sensors is available in the console menu under Next-Gen SIEM > Dashboard or Investigate > Dashboards, named hosts_possibly_impacted_by_windows_crashes.
For automated recovery steps, see the article: Automated Recovery from Blue Screen on Windows Instances in GCP (pdf) or log in to the support portal.