CrowdStrike Falcon Sensor Issue: Windows Crash Report
As requested by readers of this blog, here is a short write-up on the issue caused by CrowdStrike's Falcon Sensor (an EDR solution).
CrowdStrike update causes Blue Screen of Death (BSOD) on Microsoft Windows | Largest outage in the history of Information Technology
Issue Summary
CrowdStrike is aware of reports of crashes on Windows hosts related to the Falcon Sensor.
Update release: July 18th 2024
Issue Reported: July 19th 2024
CrowdStrike Incident
On 19 July 2024, a faulty update to security software produced by CrowdStrike, an American cybersecurity company, caused innumerable computers and virtual machines running Microsoft Windows to crash.
What the CrowdStrike Falcon Sensor does:
The Falcon Sensor is a key component of CrowdStrike’s endpoint protection platform (EDR Solution). The software is installed on devices to provide real-time protection from cyber threats.
What is Falcon Sensor?
CrowdStrike is a well-known cybersecurity firm, and its Falcon Sensor software is designed to protect systems from cyberattacks. On Thursday, CrowdStrike warned users about a bug related to the Falcon Sensor that was causing Windows systems to crash with BSOD errors.
BSOD (Blue Screen of Death):
The blue screen of death is a critical error screen displayed by Microsoft Windows. It indicates a system crash, in which the operating system reaches a critical condition where it can no longer operate safely.
Affected Users:
Banks, airlines, TV broadcasters, etc., which were among the first to report this incident.
Symptoms/Indications:
a: Symptoms include hosts experiencing a bugcheck / blue screen error related to the Falcon Sensor.
b: Windows hosts which have not been impacted do not require any action as the problematic channel file has been reverted.
c: Windows hosts which are brought online after 0527 UTC will also not be impacted.
d: This issue is not impacting Mac- or Linux-based hosts.
e: Channel file “C-00000291*.sys” with timestamp of 0527 UTC or later is the reverted (good) version.
f: Channel file “C-00000291*.sys” with timestamp of 0409 UTC is the problematic version.
Current action from CrowdStrike / initial response:
Below is the URL of the CrowdStrike statement:
https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/
a: CrowdStrike Engineering has identified a content deployment related to this issue and reverted those changes.
b: If hosts are still crashing and unable to stay online to receive the Channel File Changes, the workaround steps below can be used.
Resolution:
Workaround Steps for individual hosts:
Reboot the host to give it an opportunity to download the reverted channel file. If the host crashes again, then:
Boot Windows into Safe Mode or the Windows Recovery Environment.
Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
Locate the file matching “C-00000291*.sys”, and delete it.
Boot the host normally.
Note: BitLocker-encrypted hosts may require a recovery key.
Workaround steps for public cloud or similar environments, including virtual machines:
Option 1:
Detach the operating system disk volume from the impacted virtual server.
Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes.
Attach/mount the volume to a new virtual server.
Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
Locate the file matching “C-00000291*.sys”, and delete it.
Detach the volume from the new virtual server.
Reattach the fixed volume to the impacted virtual server.
Option 2:
Roll back to a snapshot before 0409 UTC.
Workaround steps for Azure via the Serial Console:
1. Log in to the Azure console, go to Virtual Machines and select the VM.
2. In the upper left of the console, click "Connect", then "More ways to connect", then "Serial Console".
3. Once SAC has loaded, type 'cmd' and press Enter to create a command prompt channel, then type: ch -si 1 to switch to it.
4. Press any key (space bar) and enter Administrator credentials.
5. Type the following commands:
bcdedit /set {current} safeboot minimal
bcdedit /set {current} safeboot network
6. Restart the VM.
7. Optional: how to confirm the boot state?
Run the command: wmic COMPUTERSYSTEM GET BootupState
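Before deleting the channel file in the workaround steps above, it helps to confirm which version a host (in Safe Mode) or a mounted offline volume (from a rescue VM) actually carries. The PowerShell check below is an added example, not part of the original post or of CrowdStrike's guidance; it assumes the 0409 UTC and 0527 UTC timestamps refer to 19 July 2024 and that the file's last-write time reflects the channel file build time, and the `Get-ChannelFileStatus` name and default path are my own choices.

```powershell
# Added example: classify the Falcon channel file C-00000291*.sys by its
# last-write time, using the 0409 UTC (problematic) and 0527 UTC (reverted)
# timestamps from the advisory. Read-only: it reports and never deletes.
# Assumption: both timestamps refer to 19 July 2024 and the file's
# LastWriteTimeUtc reflects the channel file build time.
param(
    # Directory to inspect. Point it at a mounted offline volume, e.g.
    # F:\Windows\System32\drivers\CrowdStrike, when triaging a detached
    # disk from a rescue VM; the default covers Safe Mode on the host itself.
    [string]$DriverDir = "$env:WINDIR\System32\drivers\CrowdStrike"
)

$script:BadBuildUtc      = [datetime]::new(2024, 7, 19, 4, 9, 0, [DateTimeKind]::Utc)
$script:RevertedBuildUtc = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc)

function Get-ChannelFileStatus {
    param([Parameter(Mandatory)][string]$Path)

    $files = @(Get-ChildItem -Path $Path -Filter 'C-00000291*.sys' -File -ErrorAction SilentlyContinue)
    if ($files.Count -eq 0) {
        # No channel file at all: wrong path, or it was already deleted.
        return [pscustomobject]@{ File = $Path; TimestampUtc = $null; Status = 'NOT FOUND' }
    }

    foreach ($f in $files) {
        $ts = $f.LastWriteTimeUtc
        $status = if ($ts -ge $script:RevertedBuildUtc) {
            'GOOD - reverted build (0527 UTC or later)'
        } elseif ($ts -ge $script:BadBuildUtc) {
            'BAD - problematic 0409 UTC build; delete it per the steps above'
        } else {
            'PRE-INCIDENT - older build that predates the 0409 UTC update'
        }
        [pscustomobject]@{ File = $f.FullName; TimestampUtc = $ts; Status = $status }
    }
}

Get-ChannelFileStatus -Path $DriverDir | Format-Table -AutoSize
```

Run it from the rescue VM as `.\Check-ChannelFile.ps1 -DriverDir 'F:\Windows\System32\drivers\CrowdStrike'` (drive letter as assigned when you attached the volume) and only proceed with the deletion step when the status reads BAD.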

For Support & Updates:
Support Portal (https://supportportal.crowdstrike.com/s/)
Thanks,
Praveen Kumar