Page last updated on 2024-07-23 1757 UTC
CrowdStrike is actively assisting customers affected by a bug with a recent content update for Windows hosts. Mac and Linux hosts are not affected. The issue has been identified, isolated, and a fix has been deployed. This was not a cyberattack.
We recommend that customers check the support portal for updates. We will also continue to provide the latest information here and on our blog as it becomes available. We recommend that organizations verify that they are communicating with CrowdStrike representatives through official channels.
We assure our customers that CrowdStrike is operating normally and that this issue is not affecting our Falcon platform systems. If your systems are operating normally, there will be no impact to their protection if the Falcon sensor is installed.
We understand the seriousness of this situation and deeply apologize for the inconvenience and disruption. Our team is fully prepared to ensure the safety and stability of CrowdStrike customers.
Statement from our CEO
Submitted on 2024-07-19 1930 UTC
Our valued customers and partners,
I would like to extend my sincere apologies to all of you for the outage. Everyone at CrowdStrike understands the severity and impact of the situation. We quickly identified the issue and deployed a fix, allowing us to focus diligently on restoring customer systems as our top priority.
The outage was caused by a bug discovered in the Falcon Content Update for Windows hosts. Mac and Linux hosts were not affected. This was not a cyberattack.
We are working closely with affected customers and partners to ensure all systems are restored, so you can provide the services your customers rely on.
CrowdStrike is operating normally, and this issue does not affect our Falcon platform systems. There is no impact to any protection if a Falcon sensor is installed. Falcon Complete and Falcon OverWatch services are not disabled.
We will provide ongoing updates through our support portal at https://supportportal.crowdstrike.com/s/login/.
We have mobilized the entire CrowdStrike team to help you and your team. If you have questions or need additional support, please contact your CrowdStrike representative or technical support.
We know that adversaries and malicious actors will try to exploit events like this. I encourage everyone to remain vigilant and make sure to contact official CrowdStrike representatives. Our blog and technical support will remain the official channels for the latest updates.
There is nothing more important to me than the trust our customers and partners have placed in CrowdStrike. As we work to resolve this incident, I pledge to provide you with full transparency about how it happened and the steps we are taking to prevent anything like this from happening again.
George Kurtz
Founder and CEO of CrowdStrike
Technical details
Technical details on the outage can be found here: Read the blog published on 2024-07-20 0100 UTC
We assure our customers that CrowdStrike is operating normally and that this issue is not impacting our Falcon platform systems. If your systems are operating normally, there is no impact to their protection if the Falcon sensor is installed.
Falcon Complete and OverWatch services were not down due to this incident.
CrowdStrike identified the trigger for this issue as a Windows sensor-related content deployment and we have rolled back those changes. The content is a channel file located in the %WINDIR%\System32\drivers\CrowdStrike directory.
The channel file “C-00000291*.sys” with a timestamp of 2024-07-19 0527 UTC or later is the rolled back (good) version.
The channel file “C-00000291*.sys” with a timestamp of 2024-07-19 0409 UTC is the problematic version.
Note: It is normal to have multiple “C-00000291*.sys” files in the CrowdStrike directory. As long as one of the files in the directory has a timestamp of 05:27 UTC or later, that is the active content.
Symptoms include hosts experiencing a bugcheck\blue screen error related to the Falcon sensor.
Unaffected Windows hosts require no action as the problematic channel file has been reverted.
Unaffected Hosts
Windows hosts that are connected to the Internet after 2024-07-19 0527 UTC will not be affected.
Windows hosts that are installed and provisioned after 2024-07-19 0527 UTC will not be affected.
Updated on 2024-07-21 1435 UTC
This issue does not affect Mac or Linux hosts.
How can I identify affected hosts?
How can I identify affected hosts via advanced event search query?
Updated on 2024-07-22 0139 UTC
The queries that dashboards use are listed at the bottom of the appropriate dashboard guides.
How can I identify affected hosts via the dashboard?
Updated on 2024-07-23 0217 UTC
An updated detailed dashboard is available that displays the Windows hosts affected by the content update flaw described in this technical alert. See the detailed status dashboards to identify Windows hosts affected by the content issue (version 8.6) (pdf) or sign in to view them in the support portal. Note that the queries that the dashboards use are listed at the bottom of the appropriate dashboard guides.
If the hosts continue to crash and are unable to stay online to receive the channel file update, it is possible to use the troubleshooting steps below.
How do I fix individual hosts?
Updated on 2024-07-21 0932 UTC
Reboot the host machine to give it a chance to download the recovered channel file.
We highly recommend putting the host machine on a wired network (rather than WiFi) before rebooting as the host machine will gain a faster internet connection over Ethernet.
If the host machine crashes again upon reboot:
Updated on 2024-07-22 1758 UTC
Option 1 – Create Automatic Recovery ISO files using drivers
Follow the instructions for creating Falcon Windows Host recovery ISO files in this guide (PDF file) or sign in to view them in the support portal.
Updated on 2024-07-23 0740 UTC
Note: Hosts encrypted with BitLocker may require a recovery key.
Option 2 – Manual Process
See the following video on CrowdStrike Host Self-Remediation for Remote Users. Follow the instructions in the video if you are directed to do so by your organization’s IT department.
Updated on 2024-07-22 1510 UTC
Alternatively, please see this Microsoft article for detailed steps.
Note: Hosts encrypted with BitLocker may require a recovery key.
How do I recover BitLocker keys?
Updated on 2024-07-21 1810 UTC
How to Recover Cloud-Based Environment Resources
Cloud Environment Guidelines
Amazon Web Services
AWS Article
Azure
Microsoft article
JCB
Updated on 2024-07-22 1758 UTC
Public/Virtual Cloud Environments
Option 1:
Detach the OS disk volume from the affected virtual server.
Create a snapshot or backup of the disk volume before proceeding as a precaution against unintended changes.
Attach/mount the volume on a new virtual server.
Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
Locate and delete the files corresponding to “C-00000291*.sys”.
Detach the volume from the new virtual server.
Reattach the fixed volume to the affected virtual server.
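The timestamp rule from the technical details and the locate-and-delete step of Option 1 above, as an added PowerShell example that is not CrowdStrike's own tooling. It assumes the "timestamp" is the file's last-write time in UTC; the -WindowsDir and -Remove parameter names are chosen for this example.

```powershell
# Added example (not CrowdStrike tooling). Assumption: "timestamp" means LastWriteTimeUtc.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Windows directory to inspect. Default is the live host; for an OS volume attached
    # to a recovery server pass its path, e.g. 'E:\Windows' (drive letter is a placeholder).
    [string]$WindowsDir = $env:WINDIR,
    # Delete the matching files as Option 1 directs. Add -WhatIf for a dry run.
    [switch]$Remove
)

$utc       = [System.DateTimeKind]::Utc
$badMinute = [datetime]::new(2024, 7, 19, 4, 9, 0, $utc)   # problematic version per the page
$goodFrom  = [datetime]::new(2024, 7, 19, 5, 27, 0, $utc)  # rolled-back (good) version or later

$dir   = Join-Path $WindowsDir 'System32\drivers\CrowdStrike'
$files = @(Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File -ErrorAction Stop)

# Classify every matching channel file by its UTC last-write time.
$report = @(foreach ($f in $files) {
    $t = $f.LastWriteTimeUtc
    $class = if ($t -ge $goodFrom) { 'Good' }
             elseif ($t -ge $badMinute -and $t -lt $badMinute.AddMinutes(1)) { 'Problematic' }
             else { 'Other' }
    [pscustomobject]@{
        Name         = $f.Name
        LastWriteUtc = $t.ToString('yyyy-MM-dd HH:mm:ss')
        Class        = $class
    }
})
$report | Format-Table -AutoSize | Out-Host

# Several C-00000291*.sys files are normal; one stamped 0527 UTC or later is the active content.
if ($files.Count -eq 0) {
    Write-Host "No C-00000291*.sys files found in $dir"
} elseif ($report.Class -contains 'Good') {
    Write-Host 'Rolled-back channel file present.'
} elseif ($report.Class -contains 'Problematic') {
    Write-Warning 'Only the problematic 0409 UTC version is present.'
}

if ($Remove) {
    foreach ($f in $files) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete channel file')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
}
```

Deleting from the drivers directory needs an elevated session, and a BitLocker-encrypted volume has to be unlocked before the script can read it.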
Option 2:
Roll back to a snapshot taken before 2024-07-19 0409 UTC.
Third Party Seller Information
Updated on 2024-07-20 2259 UTC
This video shows the steps required to repair remote Windows laptops. Follow these instructions if your organization's IT department asks you to do so.
Watch the video now