Falcon Content Update Remediation and Guidance Hub


Page last updated 2024-07-23 0740 UTC

Updated 2024-07-22 2237 UTC

CrowdStrike tested an update to the remediation that was deployed on Friday, July 19, 2024 05:27 UTC. The update has accelerated our ability to remediate hosts. Customers are encouraged to follow the Tech Alerts for the latest updates as they happen.

We have published a video outlining the steps required to self-remediate impacted remote Windows laptops.

We will continue to provide updates here as information becomes available and new fixes are deployed.

CrowdStrike is actively assisting customers affected by a defect in a recent content update for Windows hosts. Mac and Linux hosts were not impacted. The issue has been identified and isolated, and a fix has been deployed. This was not a cyberattack.

Customers are advised to check the support portal for updates. We will also continue to provide the latest information here and on our blog as it is available. We recommend organizations verify they are communicating with CrowdStrike representatives through official channels.

We assure our customers that CrowdStrike is operating normally and this issue does not affect our Falcon platform systems. If your systems are operating normally, there is no impact to their protection if the Falcon sensor is installed.

We understand the gravity of this situation and are deeply sorry for the inconvenience and disruption. Our team is fully mobilized to ensure the security and stability of CrowdStrike customers.

Statement from our CEO

Sent 2024-07-19 1930 UTC

Valued Customers and Partners,

I want to sincerely apologize directly to all of you for the outage. All of CrowdStrike understands the gravity and impact of the situation. We quickly identified the issue and deployed a fix, allowing us to focus diligently on restoring customer systems as our highest priority.

The outage was caused by a defect found in a Falcon content update for Windows hosts. Mac and Linux hosts are not impacted. This was not a cyberattack.

We are working closely with impacted customers and partners to ensure that all systems are restored, so you can deliver the services your customers rely on.

CrowdStrike is operating normally, and this issue does not affect our Falcon platform systems. There is no impact to any protection if the Falcon sensor is installed. Falcon Complete and Falcon OverWatch services are not disrupted.

We will provide continuous updates through our Support Portal at https://supportportal.crowdstrike.com/s/login/.

We have mobilized all of CrowdStrike to help you and your teams. If you have questions or need additional support, please reach out to your CrowdStrike representative or Technical Support.

We know that adversaries and bad actors will try to exploit events like this. I encourage everyone to remain vigilant and ensure that you are engaging with official CrowdStrike representatives. Our blog and technical support will continue to be the official channels for the latest updates.

Nothing is more important to me than the trust and confidence that our customers and partners have put into CrowdStrike. As we resolve this incident, you have my commitment to provide full transparency on how this occurred and the steps we are taking to prevent anything like this from happening again.

George Kurtz

CrowdStrike Founder and CEO

Technical Details

  • Technical Details on the outage can be found here: Read the blog. Published 2024-07-20 0100 UTC
  • We assure our customers that CrowdStrike is operating normally and this issue does not affect our Falcon platform systems. If your systems are operating normally, there is no impact to their protection if the Falcon Sensor is installed. Falcon Complete and OverWatch services are not disrupted by this incident.
  • CrowdStrike has identified the trigger for this issue as a Windows sensor-related content deployment and we have reverted those changes. The content is a channel file located in the %WINDIR%\System32\drivers\CrowdStrike directory.
    • Channel file “C-00000291*.sys” with a timestamp of 2024-07-19 0527 UTC or later is the reverted (good) version.
    • Channel file “C-00000291*.sys” with a timestamp of 2024-07-19 0409 UTC is the problematic version.
    • Note: It is normal for multiple “C-00000291*.sys” files to be present in the CrowdStrike directory. As long as one of the files in the folder has a timestamp of 05:27 UTC or later, that will be the active content.
  • Symptoms include hosts experiencing a bugcheck/blue screen error related to the Falcon Sensor.
  • Windows hosts which have not been impacted do not require any action, as the problematic channel file has been reverted.

Non-Impacted Hosts

  • Windows hosts which are brought online after 2024-07-19 0527 UTC will not be impacted
  • Windows hosts installed and provisioned after 2024-07-19 0527 UTC are not impacted. Updated 2024-07-21 1435 UTC
  • This issue is not impacting Mac- or Linux-based hosts

How do I Identify Impacted Hosts?

How do I Identify Impacted Hosts via Advanced Event Search Query?
Updated 2024-07-22 0139 UTC

The queries used by the dashboards are listed at the bottom of the appropriate dashboard manuals.

How do I Identify Impacted Hosts via Dashboard?
Updated 2024-07-23 0217 UTC

An updated granular dashboard is available that displays the Windows hosts impacted by the content update defect described in this Tech Alert. See Granular status dashboards to identify Windows hosts impacted by content issue (v8.6) (pdf) or log in to view in the support portal. Note that the queries used by the dashboards are listed at the bottom of the appropriate dashboard manuals.

If hosts are still crashing and unable to stay online to receive the Channel File update, the remediation steps below can be used.

How do I Remediate Individual Hosts?
Updated 2024-07-21 0932 UTC

  • Reboot the host to give it an opportunity to download the reverted channel file. We strongly recommend putting the host on a wired network (as opposed to WiFi) prior to rebooting, as the host will acquire internet connectivity considerably faster via ethernet.
  • If the host crashes again on reboot: Updated 2024-07-22 1758 UTC
    • Option 1 – Build automated recovery ISOs with drivers
      • Follow the instructions for Building Falcon Windows Host Recovery ISOs in this manual (PDF) or log in to view in the support portal. Updated 2024-07-23 0740 UTC
        • Note: Bitlocker-encrypted hosts may require a recovery key.
    • Option 2 – Manual process
      • Review the following video on CrowdStrike Host Self-Remediation for Remote Users. Follow the instructions contained within the video if directed to do so by your organization’s IT department. Updated 2024-07-22 1510 UTC
      • Alternatively, please see this Microsoft article for detailed steps.
        • Note: Bitlocker-encrypted hosts may require a recovery key.

How do I Recover Bitlocker Keys?
Updated 2024-07-21 1810 UTC

How to Recover Cloud-Based Environment Resources

Cloud Environment Guidance

AWS

AWS article

Azure

Microsoft article

GCP

Updated 2024-07-22 1758 UTC

Public Cloud/Virtual Environments

Option 1:

  • Detach the operating system disk volume from the impacted virtual server
  • Create a snapshot or backup of the disk volume before proceeding further, as a precaution against unintended changes
  • Attach/mount the volume to a new virtual server
  • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
  • Locate the files matching “C-00000291*.sys” and delete them
  • Detach the volume from the new virtual server
  • Reattach the fixed volume to the impacted virtual server
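As an added example that is not part of the CrowdStrike advisory, the following Python script applies the channel-file rule from the Technical Details section to a CrowdStrike directory, for instance on the volume mounted on the rescue server in Option 1: it classifies the C-00000291*.sys files by timestamp against the 2024-07-19 05:27 UTC cutoff, reports whether any reverted copy is present, and can delete the files as the Option 1 step directs (dry-run by default). It assumes the "timestamp" the advisory refers to is the file modification time and that the mounted volume is readable from Python; the sample directory and its file names are constructed placeholders, not real channel file names.

```python
import glob
import os
import tempfile
from datetime import datetime, timezone

CHANNEL_GLOB = "C-00000291*.sys"
# Advisory rule: stamped 2024-07-19 05:27 UTC or later = reverted (good) content.
REVERTED_CUTOFF = datetime(2024, 7, 19, 5, 27, tzinfo=timezone.utc)
PROBLEMATIC_STAMP = datetime(2024, 7, 19, 4, 9, tzinfo=timezone.utc)


def inspect_channel_files(crowdstrike_dir):
    """List C-00000291*.sys files with their timestamp (UTC) and whether each
    one is the reverted version. Assumption: the 'timestamp' the advisory
    refers to is the file's modification time."""
    found = []
    for path in sorted(glob.glob(os.path.join(crowdstrike_dir, CHANNEL_GLOB))):
        mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
        found.append({"path": path, "mtime_utc": mtime,
                      "reverted": mtime >= REVERTED_CUTOFF})
    return found


def needs_remediation(crowdstrike_dir):
    """True when no reverted channel file is present. Several copies are
    normal; one copy at or after the cutoff is the active content."""
    return not any(f["reverted"] for f in inspect_channel_files(crowdstrike_dir))


def delete_channel_files(crowdstrike_dir, dry_run=True):
    """Cloud Option 1 step: remove every C-00000291*.sys from the volume
    mounted on the rescue server. Dry-run by default; returns the targets."""
    targets = [f["path"] for f in inspect_channel_files(crowdstrike_dir)]
    if not dry_run:
        for path in targets:
            os.remove(path)
    return targets


def build_sample_dir(include_reverted=True):
    """Constructed sample directory (not a real host): one problematic file
    and, optionally, one reverted file. Names are placeholders matching the glob."""
    d = tempfile.mkdtemp(prefix="crowdstrike-sample-")
    samples = [("C-00000291-SAMPLE-BAD.sys", PROBLEMATIC_STAMP)]
    if include_reverted:
        samples.append(("C-00000291-SAMPLE-GOOD.sys", REVERTED_CUTOFF))
    for name, stamp in samples:
        path = os.path.join(d, name)
        open(path, "wb").close()
        os.utime(path, (stamp.timestamp(), stamp.timestamp()))
    return d
```

Run `needs_remediation` against the mounted volume's CrowdStrike directory first; only if it returns True (no reverted copy present) does the delete step apply, and pass `dry_run=False` to actually remove the files.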

Option 2:

  • Roll back to a snapshot taken before 2024-07-19 0409 UTC

Third Party Vendor Information
Updated 2024-07-20 2259 UTC

This video outlines the steps required to self-remediate impacted remote Windows laptops. Follow these instructions if directed to do so by your organization’s IT department.

Watch the video now
