TECHNICAL DETAILS: FALCON CONTENT UPDATE FOR WINDOWS HOSTS
July 20, 2024 | CrowdStrike | Executive Viewpoint

WHAT HAPPENED?

On July 19, 2024 at 04:09 UTC, as part of ongoing operations, CrowdStrike released a sensor configuration update to Windows systems. Sensor configuration updates are an ongoing part of the protection mechanisms of the Falcon platform. This configuration update triggered a logic error resulting in a system crash and blue screen (BSOD) on impacted systems.

The sensor configuration update that caused the system crash was remediated on Friday, July 19, 2024 05:27 UTC.

This issue is not the result of or related to a cyberattack.

IMPACT

Customers running Falcon sensor for Windows version 7.11 and above that were online between Friday, July 19, 2024 04:09 UTC and Friday, July 19, 2024 05:27 UTC may be impacted. Systems running Falcon sensor for Windows 7.11 and above that downloaded the updated configuration between 04:09 UTC and 05:27 UTC were susceptible to a system crash.
CONFIGURATION FILE PRIMER

The configuration files mentioned above are referred to as "Channel Files" and are part of the behavioral protection mechanisms used by the Falcon sensor. Updates to Channel Files are a normal part of the sensor's operation and occur several times a day in response to novel tactics, techniques, and procedures discovered by CrowdStrike. This is not a new process; the architecture has been in place since Falcon's inception.

TECHNICAL DETAILS

On Windows systems, Channel Files reside in the following directory:

C:\Windows\System32\drivers\CrowdStrike\

and have a file name that starts with "C-". Each channel file is assigned a number as a unique identifier. The impacted Channel File in this event is 291 and will have a filename that starts with "C-00000291-" and ends with a .sys extension. Although Channel Files end with the SYS extension, they are not kernel drivers.

Channel File 291 controls how Falcon evaluates named pipe [1] execution on Windows systems. Named pipes are used for normal, interprocess or intersystem communication in Windows.

The update that occurred at 04:09 UTC was designed to target newly observed, malicious named pipes being used by common C2 frameworks in cyberattacks. The configuration update triggered a logic error that resulted in an operating system crash.

CHANNEL FILE 291

CrowdStrike has corrected the logic error by updating the content in Channel File 291. No additional changes to Channel File 291 beyond the updated logic will be deployed. Falcon is still evaluating and protecting against the abuse of named pipes.

This is not related to null bytes contained within Channel File 291 or any other Channel File.

REMEDIATION

The most up-to-date remediation recommendations and information can be found on our blog or in the Support Portal. We understand that some customers may have specific support needs and we ask them to contact us directly.
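The Technical Details section above gives administrators everything needed to inventory Channel Files on a host: the directory, the "C-" prefix with a zero-padded channel number, and the affected identifier 291. The following PowerShell script is an added, read-only check written for this page; it is not CrowdStrike's code or an official remediation step. It lists every Channel File, extracts the channel number from the filename, flags Channel File 291, and reports the last-write time in UTC. Treating a 291 file whose last-write time falls inside the 04:09 to 05:27 UTC window as a candidate for the faulty content is a heuristic assumption of this example, not something the post states, so confirm any finding against the official remediation guidance before acting on it.

```powershell
# Added example (not CrowdStrike's code): inventory Falcon Channel Files on a Windows host,
# flag Channel File 291 and show when each file was last written (UTC).
# Assumptions: the directory and "C-<8-digit number>-" naming convention described in the post;
# the window 2024-07-19 04:09-05:27 UTC is the faulty-update window the post gives.
# Read-only: this only inspects file metadata and changes nothing. Run from an elevated session.

$ChannelDir  = 'C:\Windows\System32\drivers\CrowdStrike'
$ImpactedId  = 291
$WindowStart = [datetime]::SpecifyKind([datetime]'2024-07-19T04:09:00', 'Utc')
$WindowEnd   = [datetime]::SpecifyKind([datetime]'2024-07-19T05:27:00', 'Utc')

if (-not (Test-Path -LiteralPath $ChannelDir)) {
    Write-Warning "Channel File directory not found: $ChannelDir (is the Falcon sensor installed?)"
    return
}

Get-ChildItem -LiteralPath $ChannelDir -Filter 'C-*.sys' -File |
    ForEach-Object {
        # The channel number is the zero-padded field between "C-" and the next "-".
        $id = $null
        if ($_.Name -match '^C-(\d{8})-') { $id = [int]$Matches[1] }
        $written = $_.LastWriteTimeUtc

        [pscustomobject]@{
            Name            = $_.Name
            ChannelId       = $id
            Impacted291     = ($id -eq $ImpactedId)
            LastWriteUtc    = $written
            # Heuristic (assumption of this example): written inside the faulty-update window.
            WrittenInWindow = ($written -ge $WindowStart -and $written -le $WindowEnd)
            SizeBytes       = $_.Length
        }
    } |
    Sort-Object ChannelId |
    Format-Table -AutoSize
```

The script deliberately stops at reporting: a file that is both Impacted291 and WrittenInWindow is worth a closer look, while a 291 file written after 05:27 UTC is consistent with the corrected content the post describes. Because the sensor updates Channel Files several times a day, expect the list to change between runs.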
Systems that are not currently impacted will continue to operate as expected, continue to provide protection, and have no risk of experiencing this event in the future.

Systems running Linux or macOS do not use Channel File 291 and were not impacted.

ROOT CAUSE ANALYSIS

We understand how this issue occurred and we are doing a thorough root cause analysis to determine how this logic flaw occurred. This effort will be ongoing. We are committed to identifying any foundational or workflow improvements that we can make to strengthen our process. We will update our findings in the root cause analysis as the investigation progresses.

[1] https://learn.microsoft.com/en-us/windows/win32/ipc/named-pipes