Windows Crashes Due to CrowdStrike Updates
Date of Publish: July 20, 2024
Severity: Critical
System Affected
- Windows hosts
Non-affected systems
- macOS
- Linux systems
Summary
CrowdStrike released an update that is causing widespread "blue screens of death" (BSOD) on Windows systems.
Description
This situation may arise from phishing emails that are circulating, claiming to come from "Crowdstrike Support" or "Crowdstrike Security" and asking the recipient to update the component. One domain possibly associated with these phishing attacks is crowdfalcon-immed-update[.]com. Once the file is opened and downloaded, it will cause a BSOD.
Workaround steps for individual hosts:
- Reboot the host to give it an opportunity to download the reverted channel file. We strongly recommend putting the host on a wired network (as opposed to WiFi) prior to rebooting, as the host will acquire internet connectivity considerably faster via Ethernet.
- If the host crashes again, then:
  - Boot Windows into Safe Mode or the Windows Recovery Environment.
    - NOTE: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.
  - Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
    - Windows Recovery defaults to X:\windows\system32.
    - Navigate to the appropriate partition first (default is C:\), and then to the CrowdStrike directory:
      - C:
      - cd windows\system32\drivers\crowdstrike
    - Note: On WinRE/WinPE, navigate to the Windows\System32\drivers\CrowdStrike directory of the OS volume.
  - Locate the file matching "C-00000291*.sys" and delete it.
    - Do not delete or change any other files or folders.
  - Cold boot the host:
    - Shut down the host.
    - Start the host from the off state.
Note: BitLocker-encrypted hosts may require a recovery key
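The manual steps above, as an added PowerShell example (not CrowdStrike's own tooling): it locates the OS volume's CrowdStrike driver directory, removes only files matching the channel-file pattern named in the advisory, and leaves everything else untouched. It assumes PowerShell is available in Safe Mode or from the WinRE command prompt; the OS drive letter is a parameter because WinRE does not always map the OS volume to C:.

```powershell
# Added remediation helper for the workaround above; not vendor code.
# Run from Safe Mode with Networking or a WinRE prompt (type "powershell").
# -WhatIf shows what would be deleted without deleting anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: OS volume is C:. Under WinRE check with diskpart / list volume.
    [string]$OsDrive = 'C:'
)

$crowdStrikeDir = Join-Path $OsDrive 'Windows\System32\drivers\CrowdStrike'
if (-not (Test-Path -LiteralPath $crowdStrikeDir)) {
    Write-Error "CrowdStrike driver directory not found at $crowdStrikeDir; check the OS volume letter."
    exit 1
}

# Only the channel file named in the advisory is a candidate for removal.
$pattern = 'C-00000291*.sys'
$targets = Get-ChildItem -LiteralPath $crowdStrikeDir -Filter $pattern -File

if (-not $targets) {
    Write-Host "No file matching $pattern in $crowdStrikeDir; nothing to do."
    exit 0
}

foreach ($file in $targets) {
    Write-Host ("Found {0} ({1} bytes, modified {2:u})" -f $file.FullName, $file.Length, $file.LastWriteTime)
    # ShouldProcess honours -WhatIf / -Confirm so the operator can review first.
    if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete channel file')) {
        Remove-Item -LiteralPath $file.FullName -Force
        Write-Host "  deleted $($file.Name)"
    }
}

Write-Host 'Done. Shut the host down fully, then start it from the off state (cold boot).'
```

If the directory is reported missing under WinRE, the OS volume is mounted under a different letter; rerun with -OsDrive set to that letter rather than searching other directories.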
References
Vendor Reference
https://www.crowdstrike.com/blog/statement-on-windows-sensor-update/
NOTE: The information is provided on an "as is" basis, without assurance of any kind.
Revision history
1. 19-Jun-24 - First advisory released. Update: workaround available.