Lisa Person

Sr. Director, Cybersecurity Engagement Programs
Staff member
CompTIA ISAO Executive Steering Committee
Cybersecurity Trustmark
INFORMATIONAL SEVERITY HIGH TLP GREEN
Summary:

CrowdStrike is aware of reports of crashes on Windows hosts that have taken place after installing the latest update for CrowdStrike Falcon Sensor. CrowdStrike says that it has identified a content deployment related to this issue and reverted those changes.

Impact:
Windows hosts are stuck in a boot loop or experiencing bugcheck/blue screen errors related to the Falcon Sensor. Several organizations and services across the world have been impacted, including airports, airlines, banks, hospitals, as well as 911 services.

Mitigation:
The root cause has been associated with a Channel File, which contains data for the Falcon sensor. CrowdStrike has reverted the Channel file. Note: Channel file "C-00000291*.sys" with timestamp of 0527 UTC or later is the reverted (good) version. Channel file "C-00000291*.sys" with timestamp of 0409 UTC is the problematic version. Hosts booted up after 5:27 AM UTC should not be experiencing any issues. If hosts are still crashing and unable to stay online to receive the Channel File Changes, CrowdStrike recommends:
  • Boot Windows into Safe Mode or the Windows Recovery Environment. NOTE: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.
  • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
  • Locate the file matching “C-00000291*.sys”, and delete it.
  • Boot the host normally. Note: BitLocker-encrypted hosts may require a recovery key.
CrowdStrike Statement:
https://www.crowdstrike.com/blog/statement-on-windows-sensor-update/
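
The timestamp check and deletion steps from the mitigation above, as an added PowerShell example (not part of the original post and not CrowdStrike's own tooling). It assumes the "timestamp" in the advisory is the file's last-write time in UTC and that the operator supplies the update date, which this page does not state; the parameter and function names are hypothetical. Unlike the manual step, it deletes only files stamped 0409 UTC and reports anything else for review.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    # UTC calendar date of the content update. Not stated on this page;
    # take it from the CrowdStrike statement (assumption: operator-supplied).
    [Parameter(Mandatory)]
    [datetime]$UpdateDateUtc,

    # Directory named in the advisory; override for a mounted offline volume.
    [string]$Directory = (Join-Path $env:WINDIR 'System32\drivers\CrowdStrike'),

    # Without this switch the script only reports and deletes nothing.
    [switch]$Remove
)

$day      = [datetime]::SpecifyKind($UpdateDateUtc.Date, [DateTimeKind]::Utc)
$badStart = $day.AddHours(4).AddMinutes(9)    # 0409 UTC: problematic version
$goodFrom = $day.AddHours(5).AddMinutes(27)   # 0527 UTC or later: reverted version

function Get-ChannelFileVerdict {
    param([datetime]$TimestampUtc)
    if ($TimestampUtc -ge $goodFrom) { return 'Reverted' }
    # Match the whole 04:09 minute, since the advisory gives no seconds.
    if ($TimestampUtc -ge $badStart -and $TimestampUtc -lt $badStart.AddMinutes(1)) {
        return 'Problematic'
    }
    return 'Unclassified'   # neither timestamp from the advisory: review by hand
}

$files = @(Get-ChildItem -LiteralPath $Directory -Filter 'C-00000291*.sys' -File -ErrorAction Stop)
if ($files.Count -eq 0) {
    Write-Warning "No C-00000291*.sys found in $Directory"
    return
}

foreach ($f in $files) {
    $verdict = Get-ChannelFileVerdict -TimestampUtc $f.LastWriteTimeUtc
    [pscustomobject]@{
        Name         = $f.Name
        LastWriteUtc = $f.LastWriteTimeUtc.ToString('yyyy-MM-dd HH:mm:ss')
        Verdict      = $verdict
    }
    if ($Remove -and $verdict -eq 'Problematic' -and
        $PSCmdlet.ShouldProcess($f.FullName, 'Delete channel file')) {
        Remove-Item -LiteralPath $f.FullName -Force
    }
}
```

Run it from an elevated PowerShell session in Safe Mode without `-Remove` first to see the report, then with `-Remove -WhatIf` to confirm which file would be deleted.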
 
Why were systems running Windows 3.1 spared?
I believe it was before certain networking features were available. The reports that some companies ("Southwest") were using 3.1 have been proven inaccurate. 3.1 would be Windows 95. The post that companies were spared that were using 3.1 was a joke tweet that started getting spread.
 