Still Affected? Do This.

We have all heard the news. Some are exaggerating it for their own advantage, but it is also evident that the kind of bad development practice that led to this worldwide incident is unacceptable.

Nevertheless, this post is about how you can fix the issue, if you are still affected.

CrowdStrike announced that Windows hosts which were brought online before 0527 UTC are the ones affected by the blue screen error related to the Falcon Sensor. This issue does not impact Mac- or Linux-based hosts.

Workaround Steps for individual hosts:

  • Reboot the host to give it an opportunity to download the reverted channel file.
  • If the host crashes again, then:

1. Boot Windows into Safe Mode or the Windows Recovery Environment

Note: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.

2. Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory

Note: On WinRE/WinPE, navigate to the Windows\System32\drivers\CrowdStrike directory of the OS volume

3. Locate the file matching “C-00000291*.sys”, and delete it.

4. Boot the host normally.

Note: Bitlocker-encrypted hosts may require a recovery key.

Use the following KBs if you require help with BitLocker:

Workaround Steps for servers:

Option 1:

  1. Detach the operating system disk volume from the impacted virtual server
  2. Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes
  3. Attach/mount the volume to a new virtual server
  4. Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
  5. Locate the file matching “C-00000291*.sys”, and delete it.
  6. Detach the volume from the new virtual server
  7. Reattach the fixed volume to the impacted virtual server

Option 2:

  • Roll back to a snapshot before 0409 UTC

Following the above steps will fix the issue. I recommend that you do not uninstall the sensor as a fix; instead, use the above steps to delete the file that is causing the issue.
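The file deletion in steps 2 and 3 (and steps 4 and 5 of the server option) can be scripted so that an operator working in Safe Mode, WinRE, or on a rescue server with the volume mounted only removes the one channel file named above, keeps a copy of it, and verifies the result before rebooting. This is an added example, not code from the post or from CrowdStrike; the volume root parameter, the backup folder, and the `-DryRun` switch are my own assumptions.

```powershell
<#
  Added example (not from the original post or CrowdStrike).
  Removes channel file C-00000291*.sys from the CrowdStrike driver
  directory of a given OS volume. Run from Safe Mode (volume root C:\),
  from WinRE, or on the rescue server where the affected disk is mounted
  (pass that volume's drive letter as -VolumeRoot).
#>
param(
    # Root of the affected OS volume; not necessarily C:\ in WinRE.
    [string]$VolumeRoot = "C:\",
    # A copy of each deleted file is kept here for later analysis
    # (on the OS volume, so it survives a WinRE reboot). Assumed path.
    [string]$BackupDir = (Join-Path $VolumeRoot "cs-channel-backup"),
    # Report what would be removed without touching anything.
    [switch]$DryRun
)

$driverDir = Join-Path $VolumeRoot "Windows\System32\drivers\CrowdStrike"
if (-not (Test-Path $driverDir)) {
    Write-Error "Not found: $driverDir (wrong volume root, or sensor not installed)"
    exit 1
}

# Only the pattern from the workaround is touched; other channel files stay.
$targets = Get-ChildItem -Path $driverDir -Filter "C-00000291*.sys" -File
if (-not $targets) {
    Write-Output "No C-00000291*.sys present in $driverDir; nothing to do."
    exit 0
}

if (-not $DryRun) { New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null }
foreach ($f in $targets) {
    Write-Output ("{0}  size={1}  modified={2:u}" -f $f.Name, $f.Length, $f.LastWriteTimeUtc)
    if ($DryRun) { Write-Output "  would copy to $BackupDir and delete"; continue }
    Copy-Item -Path $f.FullName -Destination $BackupDir -Force
    Remove-Item -Path $f.FullName -Force
    Write-Output "  backed up to $BackupDir and removed"
}

# Confirm nothing matching remains before the host is booted normally (step 4).
$left = Get-ChildItem -Path $driverDir -Filter "C-00000291*.sys" -File
if ($left -and -not $DryRun) {
    Write-Error ("Removal incomplete: " + ($left.Name -join ", "))
    exit 1
}
Write-Output "Done. Boot the host normally."
```

Run it first with `-DryRun` to confirm the drive letter points at the affected OS volume; on a BitLocker-protected volume the recovery key is still needed before the directory is readable.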

If you need a query to identify impacted hosts via Advanced event search, let me know, I'll be happy to help.


#CrowdStrike #Microsoft #bluescreenofdeath #fix #cybersecurity
