Crowdstrike Falcon: How to mitigate the IT Outage
A defect in a channel file pushed to all Crowdstrike Falcon EDR users on Microsoft Windows devices has caused a “Blue Screen of Death” image to appear.

Today, the world is experiencing what is reportedly the largest IT outage in history. It affects Microsoft Windows devices running the Crowdstrike Falcon EDR (Endpoint Detection and Response) sensor solution. Affected devices now display a “Blue Screen of Death” (BSOD), making the device unusable without a fix.

Crowdstrike President and CEO George Kurtz has confirmed the mass outage is not due to a cyberattack. Instead, it’s a “defect” with a local channel file in a single content update of its software pushed to all Falcon installations on Windows devices.

Crowdstrike CEO George Kurtz confirmed on X that the IT outage caused by its Crowdstrike Falcon EDR solution was not a cyberattack, but instead, a defect with a single content update of its software pushed to Microsoft Windows devices. (source: X)

Luckily, Crowdstrike has released a mitigation to fix the disruption if you’re affected. According to Kurtz, an automated update push has also been performed to help resolve the incident, and “systems are recovering.”

However, if you cannot wait or have not received the push, you can perform a fix manually.

Crowdstrike Falcon: Workaround to repair if you have the Windows “Blue Screen of Death”

Crowdstrike has provided a complete mitigation guide behind their customer service portal and official statement to workaround the outage causing the “Blue Screen of Death” (BSOD) on Windows devices. Crowdstrike has confirmed the workaround has been successful with numerous enterprise clients.

To workaround the Falcon EDR file issue, perform the following steps:

  • Boot Windows into Safe Mode or the Windows Recovery Environment
  • Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
  • Locate the file matching “C-00000291*.sys”, and delete it.
  • Boot the host normally. NOTE: Bitlocker-encrypted hosts may require a recovery key. Please see the Bitlocker recovery knowledge base (KBs) articles below.

Crowdstrike Falcon: AWS, Azure and GCP Mitigation Guides

Cloud Service Providers Amazon AWS, Microsoft Azure, and Google Cloud have posted mitigation guides for affected customers. If Falcon was running on a Windows-based cloud VM, the following mitigation guides can be used:

Microsoft Bitlocker Recovery KBs

Crowdstrike continuously responds to the incident–as it is a fluid situation–and provides updated guidance on its official blog when critical.


Discover more from Cybersecurity Careers Blog

Subscribe to get the latest posts sent to your email.