CrowdStrike solution caused Blue Screen of Death in MS Windows
On 19 July 2024 with CrowdStrike's EDR/XDR product, the agent solution was causing the so-called Blue Screen of Death in Microsoft Windows platform on stations and servers. The global situation affected stations and servers regardless of the agent version installed. We were monitoring and updating the information continuously.
On July 19, 2024 at 06:09 CEST, CrowdStrike deployed a sensor configuration update to Windows systems as part of routine operations. This update resulted in a logic error causing system crashes to blue screen (BSOD) on affected stations. Customers using the Falcon sensor for Windows version 7.11 and above who were online between 06:09 CEST and 07:27 CEST on 19 July 2024 may have experienced system failures on stations.
Additional information
Stations that downloaded a configuration update during this period were prone to crashing. Specific configuration files, known as "Channel Files" and integral to the Falcon sensor protection mechanisms, were the trigger for the incident. These files are regularly updated to accommodate new tactics and procedures identified by CrowdStrike. The affected Channel File in this incident, identified as 291, controls the evaluation of named pipes execution on Windows systems.
Confirmed Facts:
The issue only affected stations running the Windows operating system with the Crowdstrike Falcon version 7.11 agent installed.Stations that were not online on 19 July between 06:09 and 07:27 CEST were not affected
Mac or Linux stations were not affected
Channel file "C-00000291*.sys" with a timestamp of 0527 or later is now fine
Channel file "C-00000291*.sys" with timestamp 0409 was causing the outage
Technical details:
On Windows systems, the "channel files" are located in the following directory:C:\Windows\System32\drivers\CrowdStrike\
and have a file name that starts with "c-". Each channel file is identified by a unique number. The affected file in this event is 291 and will have a filename that starts with "C-00000291-" and ends with ".sys". Although these files end with the SYS suffix, they are not kernel drivers.
The "channel file" 291 controls how Falcon evaluates the execution of "named pipes1" on Windows systems. "Named pipes" are used for normal inter-process or inter-system communication in Windows. The update, which took place at 06:09 CEST, was designed to target newly observed, malicious "named pipes" that are used by common C2 channels in cyberattacks. The configuration update triggered a logic error that led to a crash of the operating system. CrowdStrike has already fixed the logical error by updating the contents in "channel file" 291. The Falcon agent continues to evaluate and protect against "named pipes" exploits.
Identification and fix procedure:
Step 1: Identify stations on the Falcon platformUsing an advanced event lookup query.
The queries used by the dashboards are listed at the bottom of the relevant KB dashboard articles.
Through the toolbar
There is an updated granular dashboard that shows Windows hosts affected by the content update glitch described in this technical alert. See "Granular status dashboards to identify Windows hosts impacted by content issue (v8.6)". All queries used by control panels are listed at the bottom of the respective KB articles on control panels.
Step 2: Remedy
If stations are still crashing and are unable to stay online to receive updates from the "Channel File", the steps below can be used.
Correcting individual stations:
Reboot the stations to allow them to download the corrected channel file. We strongly recommend connecting to a wired network (not WiFi) before restarting the station, as the station will get an internet connection via Ethernet much faster.
If the host crashes again on reboot:
Option 1 - manual procedure
Please refer to this Microsoft article for a detailed procedure.
Note: Hosts with Bitlocker encryption may require a recovery key.
Option 2 - Automated via USB boot key
Follow the instructions in this KB article.
Note: Hosts with Bitlocker encryption may require a recovery key.
For more details on remedies, please visit Crowdstrike's support portal.
Crowdstrike's description of the incident can be found on their blog.
Media contact
Michal Malysa
Head of Brand and Communications
- +420 775708086
- michal.malysa@aricoma.com
- The Aricoma logo for download.
-
5. 9. 2024 | Aricoma expands into Western markets and acquires Luxembourg-based developers Neofacto
-
2. 9. 2024 | Aricoma partner of the Summer School of Quantum Technologies 2024
-
8. 7. 2024 | Ensuring business continuity of central storage for key E.ON Group systems in the Czech Republic
-
26. 6. 2024 | We provide key business processes for Wood & Paper
-
3. 6. 2024 | Long-term SAP support for HR process reliability for Continental
-
23. 5. 2024 | Aricoma acquires KCT Data, significantly expanding SAP offerings
-
16. 5. 2024 | Faster and safer login to computers and applications at the Jihlava Hospital
-
6. 5. 2024 | We have improved the quality of decision-making processes at all levels in Škoda Auto
-
29. 4. 2024 | From April 2024, you don't need both an ID and a driving licence in your car
-
27. 4. 2024 | Consolidation of GasNet websites and portals
-
15. 4. 2024 | We have completely renewed the network infrastructure of the T. Bata Regional Hospital in Zlín
-
11. 4. 2024 | Aricoma's 30th annual SECURITY 2024 conference broke the 700-attendee mark
-
8. 4. 2024 | Migrating MS SQL Clusters for a large EU institution
-
27. 3. 2024 | Volkswagen Slovakia innovates human capital management with paperless HR
-
15. 3. 2024 | We reduce manual work and speed up invoice and contract turnover for Heineken Slovakia
-
26. 2. 2024 | Modern HET website for fast customer interaction, more sales and lower costs
-
3. 2. 2024 | SOLSOL switches to cloud ERP Microsoft Dynamics 365 Business Central
-
23. 1. 2024 | Dlubal Software modernizes web portal with Sitecore platform
-
17. 1. 2024 | Aricoma introduced unlimited time off for employees in the Czech Republic
-
2. 1. 2024 | Aricoma completes the rebranding by renaming the last companies
-
12. 12. 2023 | Sodexo Benefits uses AC Cloud services for reliable business applications
-
10. 12. 2023 | Robust multi-level user and data protection of Military Hospital Olomouc
-
25. 11. 2023 | Deployment of ServiceNow at The Ministry of Regional Development
-
23. 11. 2023 | Reliable operation of the LOG Point 112 storage facility is ensured by "We are Your IT" services
-
20. 11. 2023 | BUDVAR systematically increases its cyber security
-
2. 11. 2023 | Successful tenant to tenant migration of Microsoft 365 to the Erste Group environment
-
18. 10. 2023 | Central management, backup and key infrastructure for the AGROMĚŘÍN Group
-
10. 10. 2023 | Kofola has cybersecurity under control
-
2. 10. 2023 | HPE GreenLake services ensure reliable operation of Ptáček - velkoobchod
-
22. 9. 2023 | Automation has brought Home Credit's HR department paperless HR
-
20. 9. 2023 | HB Reavis, international workspace provider, uses Dynamics 365 Finance
-
5. 9. 2023 | Data of CENTROPOL ENERGY customers and employees is safe thanks to the DLP system
-
1. 9. 2023 | The first four companies adopt the new name Aricoma
-
28. 8. 2023 | Complete management of the corporate IT of MORAVIA PROPAG
-
15. 8. 2023 | Building an internal portal on the Microsoft 365 platform for PNS
-
15. 8. 2023 | Operation of IT infrastructure in the cloud for ALCASYS
-
15. 8. 2023 | Comprehensive station management using Microsoft ECM for Ostrava University Hospital
-
15. 8. 2023 | Modern meeting rooms with Logitech and Microsoft technology
-
9. 8. 2023 | Modernisation of warehouse management in ČSAD Uherské Hradiště a.s.
-
27. 7. 2023 | Data centre modernisation for Central and Eastern Europe
-
25. 7. 2023 | Communications at Aricoma is led by Michal Malysa
-
18. 7. 2023 | Modern and secure IT infrastructure with operational services for Arkance Systems CZ
-
7. 7. 2023 | We have joined the EDIH NORTHEAST BOHEMIA consortium’s digitalization project
-
1. 7. 2023 | IT operation of restaurants and introduction of self-service kiosks in Mc Donald's
-
30. 6. 2023 | Citizen Portal for the Ministry of the Interior of the Czech Republic