Falcon Content Update Guidance and Repair Center


Updated on 2024-07-21 0023 UTC

CrowdStrike is actively assisting customers affected by a bug with a recent content update for Windows hosts. Mac and Linux hosts are not affected. The issue has been identified, isolated, and a fix has been deployed. This was not a cyberattack.

We recommend that customers check the support portal for updates. We will also continue to provide the latest information here and on our blog as it becomes available. We recommend that organizations verify that they are communicating with CrowdStrike representatives through official channels.

We assure our customers that CrowdStrike is operating normally and that this issue is not affecting our Falcon platform systems. If your systems are operating normally, there will be no impact to their protection if the Falcon sensor is installed.

We understand the seriousness of this situation and deeply apologize for the inconvenience and disruption. Our team is fully prepared to ensure the safety and stability of CrowdStrike customers.

Statement from our CEO

Submitted on 2024-07-19 1930 UTC

Our valued customers and partners,

I would like to extend my sincere apologies to all of you for the outage. Everyone at CrowdStrike understands the severity and impact of the situation. We quickly identified the issue and deployed a fix, allowing us to focus diligently on restoring customer systems as our top priority.

The outage was caused by a bug discovered in the Falcon Content Update for Windows hosts. Mac and Linux hosts were not affected. This was not a cyberattack.

We are working closely with affected customers and partners to ensure all systems are restored, so you can provide the services your customers rely on.


CrowdStrike is operating normally, and this issue does not affect our Falcon platform systems. There is no impact to any protection if a Falcon sensor is installed. Falcon Complete and Falcon OverWatch services are not disabled.

We will provide ongoing updates through our support portal at https://supportportal.crowdstrike.com/s/login/.

We have mobilized the entire CrowdStrike team to help you and your team. If you have questions or need additional support, please contact your CrowdStrike representative or technical support.

We know that adversaries and malicious actors will try to exploit events like this. I encourage everyone to remain vigilant and make sure to contact official CrowdStrike representatives. Our blog and technical support will remain the official channels for the latest updates.

There is nothing more important to me than the trust our customers and partners have placed in CrowdStrike. As we work to resolve this incident, I pledge to provide you with full transparency about how it happened and the steps we are taking to prevent anything like this from happening again.

George Kurtz

Founder and CEO of CrowdStrike

Technical details

  • Technical details of the outage are in the CrowdStrike blog post (posted 2024-07-19 0100 UTC).
  • We assure our clients that CrowdStrike is operating normally and this issue is not affecting our Falcon platform systems. If your systems are operating normally, there will be no impact to their protection if the Falcon sensor is installed. Falcon Complete and OverWatch services were not disabled due to this incident.
  • CrowdStrike identified the trigger for this issue as a Windows Sensor-related content deployment and we have reversed these changes. The content is a channel file located in the %WINDIR%\System32\drivers\CrowdStrike directory.
    • The channel file “C-00000291*.sys” with a timestamp of 2024-07-19 0527 UTC or later is the reverted (good) version.
    • The channel file “C-00000291*.sys” with a timestamp of 2024-07-19 0409 UTC is the version that has the problem.
    • Note: It is normal to have multiple “C-00000291*.sys” files in the CrowdStrike directory. As long as one file in the folder has a timestamp of 05:27 UTC or later, that is the active content.
  • Symptoms include hosts experiencing a bugcheck/blue screen error related to the Falcon sensor.
  • Windows hosts that are not affected do not require any action, as the problematic channel file has been reverted.

Unaffected Hosts

  • Windows hosts connected to the Internet after 2024-07-19 0527 UTC will not be affected.
  • This issue does not affect Mac or Linux hosts.

How can I identify affected hosts?

How can I identify affected hosts via an advanced event search query? Updated on 2024-07-21 0023 UTC

Please see the Knowledge Base article “How to Identify Hosts That May Be Affected by a Windows Crash” (PDF), or log in to the support portal to view it.

How can I identify affected hosts via the dashboard?

A dashboard showing affected channels, customer IDs, and sensors is available. Depending on your subscriptions, it is available in the console menu in either:

  • Next-Gen SIEM > Log Management > Dashboards, or
  • Investigate > Dashboards
  • The dashboard is named: Hosts that may be affected by Windows crashes
    • Note: The dashboard cannot be used with the Live button.

If the hosts continue to crash and are unable to stay online to receive the channel file update, it is possible to use the troubleshooting steps below.

How do I fix individual hosts?

  • Reboot the host to give it a chance to download the reverted channel file. We highly recommend putting the host on a wired network (rather than WiFi) before rebooting, as the host will get a faster internet connection over Ethernet.
  • If the host crashes again upon reboot, please see the Microsoft article for detailed steps.
    • Note: Hosts encrypted with BitLocker may require a recovery key.

How do I recover BitLocker keys? Updated on 2024-07-20 2259 UTC

How to recover cloud-based environment resources

Cloud environment guidance:

  • Amazon Web Services: AWS article
  • Microsoft Azure: Microsoft article
  • Google Cloud Platform (GCP): article (PDF), or log in to the support portal to view it

Public/Virtual Cloud Environments

Option 1:

  • Disconnect the operating system disk storage from the affected virtual server.
  • Create a snapshot or backup of the disk volume before proceeding, as a precaution against unintended changes.
  • Attach/mount the storage to a new virtual server.
  • Go to the %WINDIR%\System32\drivers\CrowdStrike directory.
  • Locate the file matching “C-00000291*.sys” and delete it.
  • Detach the storage from the new virtual server.
  • Reconnect the persistent storage to the affected virtual server.
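The identification rule in the Technical details section (a C-00000291*.sys file stamped 2024-07-19 0409 UTC is the problematic one; 0527 UTC or later is the reverted content) and the Option 1 repair above (locate the file on the detached disk and delete it) can be checked and carried out with a small script. The following is an added example, not CrowdStrike's own tooling: it encodes the two timestamps stated on this page, classifies every matching file in a CrowdStrike directory, and removes only the files classified as problematic, defaulting to a dry run. The sample file names, the placeholder file contents and the repair-VM mount path are constructed for the demo.

```python
"""Classify and (optionally) remove CrowdStrike channel files by timestamp.

Added example (not CrowdStrike's own tooling). It encodes the timestamps stated
in the guidance: C-00000291*.sys stamped 2024-07-19 05:27 UTC or later is the
reverted (good) content; a file stamped 2024-07-19 04:09 UTC is the problematic
one. The sample file names and the repair-VM mount path are constructed.
"""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path

CHANNEL_PATTERN = "C-00000291*.sys"
GOOD_CUTOFF = datetime(2024, 7, 19, 5, 27, tzinfo=timezone.utc)  # reverted content
BAD_STAMP = datetime(2024, 7, 19, 4, 9, tzinfo=timezone.utc)     # problematic content


@dataclass(frozen=True)
class ChannelFile:
    name: str
    modified: datetime  # timezone-aware, UTC


def classify(cf: ChannelFile) -> str:
    """Return 'good', 'problematic' or 'unknown' for one channel file."""
    if cf.modified >= GOOD_CUTOFF:
        return "good"
    # The guidance states the bad timestamp to the minute, so compare at that granularity.
    if cf.modified.replace(second=0, microsecond=0) == BAD_STAMP:
        return "problematic"
    return "unknown"


def assess(files: list[ChannelFile]) -> dict:
    """Summarize a CrowdStrike directory listing.

    Multiple C-00000291*.sys files are normal; per the guidance the directory is
    healthy as long as at least one file carries the 05:27 UTC-or-later stamp.
    """
    verdicts = {cf.name: classify(cf) for cf in files}
    return {
        "verdicts": verdicts,
        "healthy": any(v == "good" for v in verdicts.values()),
        "remove_candidates": sorted(n for n, v in verdicts.items() if v == "problematic"),
    }


def scan(crowdstrike_dir: Path) -> list[ChannelFile]:
    """Read channel files from a directory, e.g. an OS disk detached from the
    crashing VM and attached to a repair VM (Option 1 above)."""
    return [
        ChannelFile(p.name, datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc))
        for p in crowdstrike_dir.glob(CHANNEL_PATTERN)
    ]


def remediate(crowdstrike_dir: Path, dry_run: bool = True) -> list[str]:
    """Delete the problematic channel file(s); the default is a dry run that only reports."""
    targets = assess(scan(crowdstrike_dir))["remove_candidates"]
    if not dry_run:
        for name in targets:
            (crowdstrike_dir / name).unlink()
    return targets


# Constructed sample listing (names are invented; timestamps are the documented ones).
SAMPLE_LISTING = [
    ChannelFile("C-00000291-sample-old.sys", datetime(2024, 7, 18, 12, 0, tzinfo=timezone.utc)),
    ChannelFile("C-00000291-sample-bad.sys", BAD_STAMP),
    ChannelFile("C-00000291-sample-good.sys", GOOD_CUTOFF),
]


def demo() -> dict:
    """Build a throwaway 'mounted volume' containing only the bad file, then
    run the remediation: first as a dry run, then for real."""
    with tempfile.TemporaryDirectory() as tmp:
        cs_dir = Path(tmp) / "Windows" / "System32" / "drivers" / "CrowdStrike"
        cs_dir.mkdir(parents=True)
        bad = cs_dir / "C-00000291-sample-bad.sys"
        bad.write_bytes(b"constructed placeholder, not real channel content")
        os.utime(bad, (BAD_STAMP.timestamp(), BAD_STAMP.timestamp()))
        before = assess(scan(cs_dir))["healthy"]
        planned = remediate(cs_dir, dry_run=True)
        still_there = bad.exists()
        removed = remediate(cs_dir, dry_run=False)
        return {
            "healthy_before": before,
            "planned": planned,
            "file_kept_on_dry_run": still_there,
            "removed": removed,
            "remaining": [p.name for p in cs_dir.glob(CHANNEL_PATTERN)],
        }


if __name__ == "__main__":
    print(assess(SAMPLE_LISTING))
    print(demo())
```

On a real repair VM you would point `scan` or `remediate` at the CrowdStrike directory of the mounted disk (for example `Path("E:/Windows/System32/drivers/CrowdStrike")`, a constructed path) and inspect the dry-run output before passing `dry_run=False`. The script deletes only files classified as problematic rather than every match, so a directory that already holds the reverted 05:27 UTC content is left alone; a file with neither documented timestamp is reported as "unknown" rather than touched.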

Option 2:

  • Roll back to a snapshot taken before 2024-07-19 0409 UTC.

Third-party vendor information Updated on 2024-07-20 2259 UTC

Additional Resources
