Vissensa is aware of issues impacting businesses across the world in relation to the Crowdstrike Windows crashes and therefore have provided an update for the workaround to assist businesses in resolving the issues. 

As a CrowdStrike partner, Vissensa is keen to ensure impacted businesses have the available workaround to resolve the situation to ensure normal operations. 

Summary

  • We are aware of reports of Crowdstrike Windows crashes related to the Falcon Sensor, this is impacting Microsoft Windows Laptops, Servers, Virtual Machines and more. 

Details

  • Symptoms include hosts experiencing a bugcheckblue screen error related to the Falcon Sensor.
  • Windows hosts which have not been impacted do not require any action as the problematic channel file has been reverted.
  • Windows hosts which are brought online after 0527 UTC will also not be impacted
  • Hosts running Windows 7/2008 R2 are not impacted
  • This issue is not impacting Mac- or Linux-based hosts
  • Channel file “C-00000291*.sys" with timestamp of 0527 UTC or later is the reverted (good) version.
  • Channel file “C-00000291*.sys" with timestamp of 0409 UTC is the problematic version.

Current Situation and Actions

  • CrowdStrike Engineering has identified a content deployment related to this issue and reverted those changes. 

  • If hosts are still crashing and unable to stay online to receive the Channel File Changes, the following steps can be used to workaround this issue:

Workaround Steps for individual hosts:

  • Reboot the host to give it an opportunity to download the reverted channel file.  If the host crashes again, then:
  • Boot Windows into Safe Mode or the Windows Recovery Environment
  • Navigate to the C:WindowsSystem32driversCrowdStrike directory
  • Locate the file matching “C-00000291*.sys”, and delete it.
  • Boot the host normally.

Note:  Bitlocker-encrypted hosts may require a recovery key.

Workaround Steps for public cloud or similar environment:

Option 1 

  • Detach the operating system disk volume from the impacted virtual server
  • Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes
  • Attach/mount the volume to to a new virtual server
  • Navigate to the C:WindowsSystem32driversCrowdStrike directory
  • Locate the file matching “C-00000291*.sys”, and delete it.
  • Detach the volume from the new virtual server
  • Reattach the fixed volume to the impacted virtual server

Option 2

  • ​​​​​​​Roll back to a snapshot before 0409 UTC.

Need Help? 

If you are unable to resolve the issues faced by the above actions, the team would be more than happy to discuss how we can provide assistance to resolve the situation.