Crowdstrike Falcon: How to mitigate the IT Outage
A defect in a channel file pushed to all Crowdstrike Falcon EDR users on Microsoft Windows devices has caused a “Blue Screen of Death” image to appear.

Today, the world is experiencing what is reportedly the largest IT outage in history. It affects Microsoft Windows devices running the Crowdstrike Falcon EDR (Endpoint Detection and Response) sensor solution. Affected devices now display a “Blue Screen of Death” (BSOD), making the device unusable without a fix.

Crowdstrike President and CEO George Kurtz has confirmed the mass outage is not due to a cyberattack. Instead, it’s a “defect” with a local channel file in a single content update of its software pushed to all Falcon installations on Windows devices.

Crowdstrike CEO George Kurtz confirmed on X that the IT outage caused by its Crowdstrike Falcon EDR solution was not a cyberattack, but instead, a defect with a single content update of its software pushed to Microsoft Windows devices. (source: X)

Luckily, Crowdstrike has released a mitigation to fix the disruption if you’re affected. According to Kurtz, an automated update push has also been performed to help resolve the incident, and “systems are recovering.”

However, if you cannot wait or have not received the push, you can perform a fix manually.

Crowdstrike Falcon: Workaround to repair if you have the Windows “Blue Screen of Death”

Crowdstrike has published a complete mitigation guide, both behind its customer service portal and in its official statement, to work around the outage causing the “Blue Screen of Death” (BSOD) on Windows devices. Crowdstrike has confirmed the workaround has been successful with numerous enterprise clients.

To work around the Falcon EDR file issue, perform the following steps:

  • Boot Windows into Safe Mode or the Windows Recovery Environment
  • Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
  • Locate the file matching “C-00000291*.sys”, and delete it.
  • Boot the host normally. NOTE: Bitlocker-encrypted hosts may require a recovery key. Please see the Bitlocker recovery knowledge base (KB) articles below.
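
The manual steps above, scripted for a host already booted into Safe Mode with PowerShell available. This is an added example, not Crowdstrike's own tooling; the function name, its parameters and the log path are assumptions. It deletes only files matching the pattern in the stated directory and records each file's hash and timestamps first, so the removal is auditable.

```powershell
# Added example: scripted form of the manual workaround, for Safe Mode.
# Function name, parameters and the log path are assumptions for illustration.
function Remove-FalconChannelFile291 {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Directory named in the workaround; override if the Windows volume
        # is mounted under a different drive letter.
        [string]$Directory = 'C:\Windows\System32\drivers\CrowdStrike',
        # Where to record what was removed (assumed location).
        [string]$LogPath = (Join-Path $env:TEMP 'falcon-c291-removal.csv')
    )

    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
        throw "Directory not found: $Directory"
    }

    # Match only the file pattern from the workaround, in this directory only.
    $targets = @(Get-ChildItem -LiteralPath $Directory -Filter 'C-00000291*.sys' -File -Force)
    if ($targets.Count -eq 0) {
        Write-Output "No C-00000291*.sys file in $Directory; nothing to do."
        return
    }

    foreach ($file in $targets) {
        # Capture size, timestamp and hash before deletion for the incident record.
        $record = [pscustomobject]@{
            Host         = $env:COMPUTERNAME
            Path         = $file.FullName
            Length       = $file.Length
            LastWriteUtc = $file.LastWriteTimeUtc.ToString('o')
            SHA256       = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            RemovedUtc   = (Get-Date).ToUniversalTime().ToString('o')
        }
        if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete channel file')) {
            Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
            $record | Export-Csv -LiteralPath $LogPath -Append -NoTypeInformation
            Write-Output "Deleted $($file.FullName)"
        }
    }

    # Confirm nothing matching the pattern remains before rebooting normally.
    $left = @(Get-ChildItem -LiteralPath $Directory -Filter 'C-00000291*.sys' -File -Force)
    if ($left.Count -gt 0) { Write-Warning "$($left.Count) matching file(s) still present (expected with -WhatIf)." }
}

# Preview first, then run for real:
# Remove-FalconChannelFile291 -WhatIf
# Remove-FalconChannelFile291 -Confirm:$false
```

Run it from an elevated prompt, and copy the CSV off the host if you need a fleet-wide record of which channel file versions were removed.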

Crowdstrike Falcon: AWS, Azure and GCP Mitigation Guides

Cloud Service Providers Amazon AWS, Microsoft Azure, and Google Cloud have posted mitigation guides for affected customers. If Falcon was running on a Windows-based cloud VM, the following mitigation guides can be used:

Microsoft Bitlocker Recovery KBs

Crowdstrike continues to respond to the incident, which remains a fluid situation, and provides updated guidance on its official blog when critical.