Fix: (have BitLocker keys READY before attempting)
From Safe-Mode:
cd %systemroot%\system32\drivers\CrowdStrike
del C-00000291*.sys
Impact
Customers running Falcon sensor for Windows version 7.11 and above, that were online between Friday, July 19, 2024 04:09 UTC and Friday, July 19, 2024 05:27 UTC, may be impacted.
Systems running Falcon sensor for Windows 7.11 and above that downloaded the updated configuration between 04:09 UTC and 05:27 UTC were susceptible to a system crash.
Technical Details
On Windows systems, Channel Files reside in the following directory:
C:\Windows\System32\drivers\CrowdStrike\
and have a file name that starts with “C-”. Each channel file is assigned a number as a unique identifier. The impacted Channel File in this event is 291 and will have a filename that starts with “C-00000291-” and ends with a .sys extension. Although Channel Files end with the SYS extension, they are not kernel drivers.
Channel File 291 controls how Falcon evaluates named pipe execution on Windows systems. Named pipes are used for normal, interprocess or intersystem communication in Windows.
The update that occurred at 04:09 UTC was designed to target newly observed, malicious named pipes being used by common C2 frameworks in cyberattacks. The configuration update triggered a logic error that resulted in an operating system crash.
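A triage script for the fix and technical details above, added here as an example; it is not CrowdStrike's tooling. It assumes the default channel-file directory from the advisory (override $ChannelDir when running against an offline drive from WinRE), the timestamp-window check is an assumption since the advisory gives a distribution window rather than file timestamps, and -Remove is a hypothetical switch that reproduces the advisory's del command only for a file flagged as suspect.

```powershell
# Triage Channel File 291 on a Windows host (added example, not CrowdStrike code).
# Lists C-00000291*.sys and flags any copy written inside the impacted window
# (2024-07-19 04:09 to 05:27 UTC) so an admin can review before deleting anything.
param(
    [string]$ChannelDir = "$env:SystemRoot\System32\drivers\CrowdStrike",
    [switch]$Remove   # hypothetical: delete flagged files only when explicitly asked
)

# Distribution window from the advisory (UTC). Matching on LastWriteTimeUtc is a
# heuristic assumption; a file written after 05:27 UTC is likely the corrected version.
$WindowStart = [datetime]::new(2024, 7, 19, 4, 9, 0, [DateTimeKind]::Utc)
$WindowEnd   = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc)

if (-not (Test-Path -LiteralPath $ChannelDir)) {
    Write-Warning "Channel directory not found: $ChannelDir"
    return
}

$files = Get-ChildItem -LiteralPath $ChannelDir -Filter 'C-00000291*.sys' -File
if (-not $files) {
    Write-Output "No Channel File 291 present in $ChannelDir; nothing to do."
    return
}

foreach ($f in $files) {
    $written  = $f.LastWriteTimeUtc
    $inWindow = ($written -ge $WindowStart) -and ($written -le $WindowEnd)
    $status   = if ($inWindow) { 'SUSPECT (written in impacted window)' } else { 'outside window' }
    Write-Output ("{0}  {1:u}  {2}" -f $f.Name, $written, $status)

    if ($inWindow -and $Remove) {
        # Same action as the advisory's 'del C-00000291*.sys', limited to the flagged file.
        Remove-Item -LiteralPath $f.FullName -Force
        Write-Output "Removed $($f.Name)"
    }
}
```

Run it first without -Remove to see what is present; the sensor replaces channel files with the same name, so a copy outside the window should be left alone.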
Not gonna lie, I went around and got a few new clients during the outage on Friday while our competitors are overwhelmed. Our local competition had already outsourced their tech support overseas, so customers are being told to run SFC and DISM on BSOD’d machines.
It’s really not. We’re a small business that specializes in niche computer fields (CNC manufacturing, media broadcast equipment, security compliance auditing / remediation, etc.)
I have MSP engineers and on-site techs; but the bulk of our income is esoteric computer applications, not basic tech support.
We do not have the manpower to go fix computers being managed by other companies, especially since several have sent me texts along the lines of, “stop stealing our customers!!”
Those poor customers signed MSP contracts spanning years with no SLA and now they’re SOL.
For those who still need it, here is a bootable tool from Microsoft to remove the file for you, in case someone does not want to go through all the commands to get through this. You will need the BitLocker key for this to work.