Steps to Take During the CrowdStrike Outage

Source: Center for Internet Security

As organizations work to remediate affected systems, it's crucial to stay alert to phishing campaigns and spoofed domains set up by threat actors attempting to exploit the outage.

CrowdStrike's Remediation Measures

CrowdStrike has provided a solution utilizing the Falcon sensor’s built-in quarantine functionality to remove the problematic channel file causing Windows systems to crash. According to CrowdStrike, when a Windows system with Falcon installed contacts the CrowdStrike Cloud, a request is issued to quarantine the faulty file, visible in the Falcon UI. If the file does not exist, no quarantine occurs, and systems operate normally. The solution may require two or three reboots to take effect due to a timing issue between the file's quarantine and activation. For best results, CrowdStrike recommends using a wired network connection to minimize latency.

Organizations still recovering from this issue and contracted directly with CrowdStrike should contact CrowdStrike Support for assistance with this remediation option.

Dashboard for Identifying Impacted Systems

CrowdStrike has launched a dashboard within the Falcon portal to help identify impacted Windows systems. This dashboard, named hosts_possibly_impacted_by_windows_crashes, uses the Advanced Event Search query provided on July 19 to simplify the identification process. You can find this dashboard under:

  • Next-GEN SIEM

  • Investigate -> Dashboard

Additional Guides and Workarounds

CrowdStrike has also provided guides and workarounds for administrators to recover from the update issue. These guides cover environments like individual physical workstations, Microsoft Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), Workspace ONE, Citrix, Rubrik, and more. Access these guides on the CrowdStrike blog webpage linked below.

Caution with Unverified Workarounds

Exercise extreme caution with any unverified workarounds circulating online. Stick to official guidance to ensure safe and effective recovery.

Channel File Update Resumption

On July 31, CrowdStrike announced the resumption of channel file updates starting August 7, 2024. Following the July 19 outage, CrowdStrike paused these updates to investigate and enhance their deployment and testing processes. Details of these enhancements are available in a Special Tech Alert on the CrowdStrike support portal.

CrowdStrike now offers customers options for how these updates are applied, accessible within the General Settings menu in the Falcon portal:

  1. Early Access: Receive the update immediately after internal testing and deployment to CrowdStrike-controlled assets.

  2. General Availability (Default): Receive the update as part of a phased deployment following successful deployment to Early Access customers. This setting is strongly recommended by CrowdStrike and is the default for CIS members using the ESS/EDR monitoring service.

  3. Pause Updates: Prevents sensors from receiving updates. While the sensor will continue to function, its effectiveness will diminish over time without new features or detection telemetry.

For more detailed information and updates, please refer to the Special Tech Alert on the CrowdStrike support portal.

To learn more Contact us