FLASH ALERT: LATEST UPDATE OF CROWDSTRIKE AGENT CAUSING BSOD LOOP ON WINDOWS!
Risks
The CCB received information that the update for csagent.sys from CrowdStrike is causing blue screen (BSOD) loops. CCB recommends not executing the update for the CrowdStrike agent until a verified fix is available.
Update
https://www.crowdstrike.com/blog/statement-on-windows-sensor-update/
CrowdStrike has identified and addressed a defect in a recent content update affecting Windows hosts.
This defect caused crashes and blue screen errors related to the Falcon Sensor.
CrowdStrike confirms this is NOT a security breach, but a technical error.
Mac and Linux hosts are unaffected
Hosts running Windows 7/2008 R2 are not impacted
Current Status:
- The issue was isolated and a fix has been deployed. Systems brought online after 0527 UTC are safe. Recommendations are available at https://www.crowdstrike.com/blog/statement-on-windows-sensor-update/.
- CrowdStrike is advising affected customers to follow guidance on the support portal and use official communication channels.
Description
The faulty channel file 291 has been reverted and we hope that this will mitigate further expansion. For systems that are already crashing, some reboot to a normal working state, and we believe they should pick up the new channel file; other systems are stuck in a crash loop and may need manual intervention.
Recommended Actions
Workaround Steps for individual hosts:
Reboot the host to give it an opportunity to download the reverted channel file. If the host crashes again, then:
Remark: BitLocker-encrypted hosts may require a recovery key.
- Boot Windows into Safe Mode or the Windows Recovery Environment
- Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
- Locate the file matching “C-00000291*.sys”, and delete it.
- Boot the host normally.
Workaround Steps for virtual servers:
Option 1:
- Detach the operating system disk volume from the impacted virtual server
- Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes
- Attach/mount the volume to a new virtual server:
  - Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
  - Locate the file matching “C-00000291*.sys”, and delete it.
- Detach the volume from the new virtual server
- Reattach the fixed volume to the impacted virtual server
Option 2:
- Roll back to a snapshot taken before 0409 UTC.
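The following PowerShell script is an added example of the manual steps above, written for this alert; it is not a script from CrowdStrike or the CCB. It covers both cases in the workaround: run on the host itself from Safe Mode (default -Root C:), or on a rescue virtual server against the attached, offline volume (pass its drive letter, e.g. -Root E:). The script name, the -Root and -Quarantine parameters and the quarantine folder location are assumptions for this example; the directory and the file pattern C-00000291*.sys come from the advisory. It assumes PowerShell is available (Safe Mode, or the rescue VM); a bare WinRE command prompt does not ship PowerShell, so there the two manual steps (navigate, delete) apply instead.

```powershell
<#
  Remove-FaultyChannelFile.ps1 (illustrative example, not a CrowdStrike or CCB script)
  Locates channel file(s) matching C-00000291*.sys in the CrowdStrike driver
  directory on a Windows volume, keeps a copy in a quarantine folder, and deletes
  the original so the host can pick up the reverted channel file on next boot.
  Supports -WhatIf so the action can be previewed before anything is changed.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Drive root of the affected Windows volume: 'C:' when booted into Safe Mode
    # on the host, or the letter of the attached disk when run on a rescue VM.
    [string]$Root = 'C:',
    # Assumed location for a copy of each removed file (audit trail / rollback).
    [string]$Quarantine = (Join-Path $Root 'CrowdStrike-291-quarantine')
)

# Directory named in the advisory, relative to the chosen volume root.
$driverDir = Join-Path $Root 'Windows\System32\drivers\CrowdStrike'
if (-not (Test-Path -LiteralPath $driverDir)) {
    throw "CrowdStrike driver directory not found at $driverDir. Check the -Root drive letter (is the right volume attached and unlocked?)."
}

# Match exactly the pattern from the advisory; only channel file 291 is affected.
$channelFiles = @(Get-ChildItem -LiteralPath $driverDir -Filter 'C-00000291*.sys' -File)
if ($channelFiles.Count -eq 0) {
    Write-Host "No C-00000291*.sys file in $driverDir - nothing to do (the reverted file may already be in place)."
    return
}

New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null

foreach ($f in $channelFiles) {
    # Record hash, size and timestamp so the removed file can be identified in the incident log.
    $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    Write-Host ("{0}  {1}  {2:N0} bytes  {3:u}" -f $hash, $f.Name, $f.Length, $f.LastWriteTimeUtc)

    if ($PSCmdlet.ShouldProcess($f.FullName, 'Quarantine and delete channel file')) {
        Copy-Item -LiteralPath $f.FullName -Destination $Quarantine -Force
        Remove-Item -LiteralPath $f.FullName -Force
        Write-Host "Removed $($f.FullName); copy kept in $Quarantine"
    }
}
```

Preview first with `.\Remove-FaultyChannelFile.ps1 -Root E: -WhatIf`, then run without -WhatIf and reboot (or detach and reattach the volume) as described in the steps above. On a BitLocker-protected volume attached to a rescue VM, unlock it beforehand with `manage-bde -unlock E: -RecoveryPassword <recovery key>`, which is why the remark above says a recovery key may be needed.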
Update
For more information visit:
AWS-specific Documentation
Azure Environments
- Please see this Microsoft article