
Notice on Falcon Content Update for Windows Hosts


CrowdStrike is working closely with customers affected by a defect in a recent content update for Windows hosts. This issue does not impact Mac or Linux hosts and was not a cyberattack.

Resolution Status:

  • The issue has been identified, isolated, and resolved.
  • Customers can refer to the support portal for the latest updates.
  • We will continue providing public updates on our blog.

Recommendations:

  • Communicate with CrowdStrike representatives only through official channels (the support portal and your named CrowdStrike contacts).
  • Our team is dedicated to maintaining the security and stability of CrowdStrike customers.

We apologize for the inconvenience and disruption caused. We are committed to working with affected customers to restore their systems and services.

Operational Assurance:

  • CrowdStrike operations are normal.
  • The issue does not affect the Falcon platform systems.
  • If your systems are functioning normally, they remain protected with the Falcon sensor installed.

Tech Alert Summary:

  • Reports of crashes on Windows hosts related to the Falcon sensor have been noted.
  • For more details, view the Tech Alert (pdf) or log in to the support portal.

Details:

  • Symptoms include bugcheck/blue screen errors on Windows hosts related to the Falcon sensor.
  • Hosts brought online after 0527 UTC, or that already have the updated channel file, are not impacted.
  • Channel file “C-00000291*.sys” with a timestamp of 0527 UTC or later is the reverted (good) version.
  • The problematic version has a timestamp of 0409 UTC.

Current Actions:

  • Content deployment changes have been reverted.
  • If hosts continue to crash, follow the workaround steps below.
  • Falcon Complete and OverWatch services are not disrupted.

Identification of Impacted Hosts:

  • Use Advanced event search or the provided Dashboard in the Console menu to identify affected hosts.
  • Queries and a Dashboard for impacted channels and sensors are available.

Automated Recovery Articles:

  • Refer to the support portal for automated recovery articles for various environments.

Workaround Steps for Individual Hosts:

  1. Reboot the host to give it an opportunity to download the reverted channel file before the crash recurs.
  2. If the host continues to crash:
    • Boot Windows into Safe Mode or the Windows Recovery Environment (WinRE).
    • Navigate to %WINDIR%\System32\drivers\CrowdStrike and delete the file matching “C-00000291*.sys”. In WinRE the OS volume may be mounted under a drive letter other than C:, and a BitLocker-protected volume must be unlocked with its recovery key before the file can be deleted.
    • Cold boot the host.
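The per-host workaround above as a PowerShell script, added here as an example; it is not CrowdStrike's own tooling. It runs from Safe Mode on the affected host, or from any Windows machine against an affected OS disk attached at another drive letter (pass -SystemRoot D:\Windows; the letter is an assumption, check it with Get-Volume), which also covers step 4 of the cloud workaround below. The notice gives only clock times, so the cutoff date of 19 July 2024 is an assumption supplied as a parameter, and the file's LastWriteTimeUtc is used as its "timestamp"; before deleting anything the script records each match's name, timestamp and SHA-256, because a cold boot leaves no other record of what was removed.

```powershell
<#
.SYNOPSIS
  Added example (not CrowdStrike's own tooling): apply the per-host workaround
  from the notice by removing the problematic C-00000291*.sys channel file.
.NOTES
  Assumptions not stated in the notice: the cutoff date (the notice gives only
  0527 UTC), the use of the file's LastWriteTimeUtc as its "timestamp", and the
  drive letter when the OS disk is attached to another machine.
#>
param(
    # Windows directory to act on: $env:WINDIR from Safe Mode on the host itself,
    # or e.g. 'D:\Windows' for an affected OS disk attached to a recovery machine.
    [string]$SystemRoot = $env:WINDIR,
    # Files stamped at or after this instant are the reverted (good) version.
    # The calendar date is an assumption; the notice states only the time of day.
    [datetime]$GoodSinceUtc = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc),
    # Remove every match regardless of timestamp; the sensor downloads a fresh copy on boot.
    [switch]$RemoveAll,
    # Report only, delete nothing.
    [switch]$DryRun
)

$ErrorActionPreference = 'Stop'
$dir = Join-Path $SystemRoot 'System32\drivers\CrowdStrike'
if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
    throw "CrowdStrike driver directory not found at $dir (wrong drive letter, or volume still BitLocker-locked?)"
}

# $Matches is an automatic variable in PowerShell, so use a distinct name.
$channelFiles = @(Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File)
if ($channelFiles.Count -eq 0) {
    Write-Host "No C-00000291*.sys in $dir; nothing to remove."
    return
}

foreach ($f in $channelFiles) {
    # Record what was present before touching it, for the incident timeline.
    $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    Write-Host ("{0}  modified {1:yyyy-MM-dd HH:mm}Z  size {2}  sha256 {3}" -f `
        $f.Name, $f.LastWriteTimeUtc, $f.Length, $hash)

    $isBad = $f.LastWriteTimeUtc -lt $GoodSinceUtc
    if (-not $isBad -and -not $RemoveAll) {
        Write-Host "  keeping: timestamp is at or after the 0527 UTC cutoff (use -RemoveAll to override)"
        continue
    }
    if ($DryRun) {
        Write-Host "  would remove (dry run)"
    } else {
        Remove-Item -LiteralPath $f.FullName -Force
        Write-Host "  removed"
    }
}
Write-Host "Done. Cold boot the host (or reattach the volume) so the sensor downloads the reverted channel file."
```

Run it first with -DryRun to confirm the directory and the timestamps match what the notice describes (a 0409 UTC file). If WinRE on the host has no PowerShell, the equivalent from its command prompt is `del <drive>:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys`; on a BitLocker-protected volume run `manage-bde -unlock <drive>: -RecoveryPassword <48-digit key>` first, which is why the BitLocker recovery articles referenced below matter for fleets with encrypted disks.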

Workaround Steps for Public Cloud or Virtual Environments:

  • Option 1:
    1. Detach the OS disk volume from the impacted server.
    2. Create a snapshot or backup.
    3. Attach the volume to a new server.
    4. Delete the problematic file in the CrowdStrike directory.
    5. Reattach the fixed volume.
  • Option 2:
    • Roll back to a snapshot before 0409 UTC.
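Option 1 scripted end-to-end for AWS EC2 with the AWS Tools for PowerShell (AWS.Tools.EC2), added here as an example; it is not CrowdStrike's or AWS's own tooling. It assumes the impacted instance's OS disk is an EBS root volume, that a running Windows recovery instance already exists in the same Availability Zone, and that the operator has the EC2 permissions involved; the instance IDs are parameters, the device name xvdf is an assumption, and the snapshot in step 2 is what makes Option 2 (rolling back) possible if the fix goes wrong. The Azure flow has the same shape with the Az cmdlets and is not shown.

```powershell
<#
Added example (not CrowdStrike's or AWS's tooling): the five-step cloud workaround
from the notice (detach OS disk, snapshot, attach to a recovery server, fix, reattach)
with the AWS Tools for PowerShell. Assumptions not in the notice: EBS root volume,
recovery instance running in the same AZ, placeholder IDs passed as parameters.
#>
param(
    [Parameter(Mandatory)][string]$ImpactedInstanceId,   # placeholder, e.g. i-0123456789abcdef0
    [Parameter(Mandatory)][string]$RecoveryInstanceId,   # placeholder, running Windows instance
    [string]$RecoveryDevice = 'xvdf',                    # assumed free device name on the recovery server
    [int]$TimeoutSec = 600
)
Import-Module AWS.Tools.EC2 -ErrorAction Stop
$ErrorActionPreference = 'Stop'

# Poll until $Condition is true or the timeout expires; EC2 state changes are asynchronous.
function Wait-Until([scriptblock]$Condition, [string]$What) {
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while (-not (& $Condition)) {
        if ((Get-Date) -gt $deadline) { throw "Timed out waiting for $What" }
        Start-Sleep -Seconds 10
    }
}

# Step 1: detach the OS disk. A root EBS volume can only be detached from a stopped instance.
$inst       = (Get-EC2Instance -InstanceId $ImpactedInstanceId).Instances[0]
$rootDevice = $inst.RootDeviceName
$volumeId   = ($inst.BlockDeviceMappings | Where-Object DeviceName -eq $rootDevice).Ebs.VolumeId
if (-not $volumeId) { throw "No EBS root volume found on $ImpactedInstanceId" }

Stop-EC2Instance -InstanceId $ImpactedInstanceId | Out-Null
Wait-Until { (Get-EC2Instance -InstanceId $ImpactedInstanceId).Instances[0].State.Name.Value -eq 'stopped' } 'instance stop'
Dismount-EC2Volume -VolumeId $volumeId | Out-Null
Wait-Until { (Get-EC2Volume -VolumeId $volumeId).State.Value -eq 'available' } 'volume detach'

# Step 2: snapshot before touching the disk so the change can be reverted (this is Option 2's rollback point).
$snap = New-EC2Snapshot -VolumeId $volumeId -Description "pre-fix OS disk of $ImpactedInstanceId"
Wait-Until { (Get-EC2Snapshot -SnapshotId $snap.SnapshotId).State.Value -eq 'completed' } 'snapshot'

# Step 3: attach the volume to the recovery server as a secondary disk.
Add-EC2Volume -VolumeId $volumeId -InstanceId $RecoveryInstanceId -Device $RecoveryDevice | Out-Null
Wait-Until { (Get-EC2Volume -VolumeId $volumeId).State.Value -eq 'in-use' } 'volume attach to recovery server'

# Step 4: on the recovery server, bring the disk online and delete
# <drive>:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys as in the per-host workaround.
Write-Host "Volume $volumeId is attached to $RecoveryInstanceId as $RecoveryDevice."
Read-Host "Delete the channel file on the recovery server, then press Enter to reattach" | Out-Null

# Step 5: move the fixed volume back as the root device and start the instance.
Dismount-EC2Volume -VolumeId $volumeId | Out-Null
Wait-Until { (Get-EC2Volume -VolumeId $volumeId).State.Value -eq 'available' } 'volume detach from recovery server'
Add-EC2Volume -VolumeId $volumeId -InstanceId $ImpactedInstanceId -Device $rootDevice | Out-Null
Wait-Until { (Get-EC2Volume -VolumeId $volumeId).State.Value -eq 'in-use' } 'volume reattach'
Start-EC2Instance -InstanceId $ImpactedInstanceId | Out-Null
Write-Host "Started $ImpactedInstanceId; snapshot $($snap.SnapshotId) retained for rollback."
```

Reattach the volume under the original RootDeviceName (captured in step 1) or the instance will not boot from it. For a fleet, run the script per instance from a list of IDs and keep the snapshot IDs it prints; they are the rollback path if a host still crashes after the fix.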

AWS, Azure, and Recovery Key Documentation:

  • Specific articles and resources are available for AWS, Azure, Workspace ONE, Tanium, Citrix, and BitLocker recovery in various environments. Please refer to the respective articles and support portal for detailed information.

We remain committed to providing updates to our community and the industry as they become available.