www.crowdstrike.com Open in urlscan Pro
2606:4700::6810:b576  Public Scan

Submitted URL: http://crowdstroke.io/
Effective URL: https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/
Submission Tags: falconsandbox
Submission: On July 22 via api from US — Scanned from NL

Form analysis 0 forms found in the DOM

Text Content

Skip to main contentEnable accessibility for low visionOpen the accessibility
menu











x
 * Remediation and Guidance Hub: Falcon Content Update for Windows Hosts

Read now

Remediation and Guidance Hub: Falcon Content Update for Windows Hosts Read now

Skip to Main Content
 * Experienced a Breach?
 * Small Business
 * CrowdStrike Marketplace
 * Contact Us
 * Blog


English
 *  * Deutsch

 *  * English (AU)

 *  * English (UK)

 *  * English (US)

 *  * Español

 *  * Français

 *  * Italiano

 *  * LatAm

 *  * Português

 *  * عربى

 *  * 日本語

 *  * 繁體中文

 *  * 한국어

 * Platform
   Explore Platform
   
   
   
   THE DEFINITIVE AI-NATIVE CYBERSECURITY PLATFORM
   
   
    * Endpoint Security
      The leader in EPP and EDR, backed by pioneering adversary intelligence and
      native AI.
    * Exposure Management The leader in exposure management with complete attack
      surface visibility & AI-powered vulnerability management.
   
   
    * Identity Threat Detection & Response Stop modern attacks in real time with
      the only unified platform for identity protection and endpoint security.
    * IT Automation Consolidate security and IT with one platform, agent, and
      console to cut complexity and cost.
   
   
    * Threat Intelligence & Hunting The leader in cyber threat intelligence with
      world-class research and elite threat hunting to disrupt adversaries.
    * Cloud Security The most complete CNAPP with unified agent and agentless
      protection, from code to cloud.
   
   
    * Next-Gen SIEM
      The world’s only AI-native SOC platform that consolidates siloed security
      tools and data.
      
    * Generative AI Turn hours of work into minutes or seconds with generative
      AI workflows for cybersecurity and IT.
   
   
    * Data Protection
      Unified data protection that deploys instantly on existing agents to stop
      the theft of sensitive information.
    * Workflow Automation Build your own workflows with native security
      orchestration, automation, and response (SOAR).
   
   
   
 * Services
   Prepare
   
   --------------------------------------------------------------------------------
   
   Prepare and train your organization to defend against sophisticated threat
   actors using real-life simulation exercises.
   SEC Readiness Services
   Tabletop Exercise
   Red Team/Blue Team Exercise
   Adversary Emulation Exercise
   Penetration Testing
   Respond
   
   --------------------------------------------------------------------------------
   
   Available under a Services Retainer, giving you access to security
   consultants and expertise to respond to a breach.
   Incident Response
   Compromise Assessment
   Endpoint Recovery
   Network Detection
   Experienced a breach?
   Fortify
   
   --------------------------------------------------------------------------------
   
   Enhance your cybersecurity practices and controls with actionable
   recommendations to fortify your cybersecurity posture.
   Maturity Assessment
   Technical Risk Assessment
   SOC Assessment
   Cloud Security Assessment
   Identity Security Assessment
   Managed Services
   
   --------------------------------------------------------------------------------
   
   Managed Detection & Response
   Included in Falcon Complete and backed by CrowdStrike's Breach Prevention
   Warranty.
   Cloud Detection and Response
   The only CDR that unifies world-class threat intelligence and 24/7 services
   with the world’s most complete CNAPP.
   Additional Services
   
   --------------------------------------------------------------------------------
   
   Cloud Security Services
   Identity Protection Services
   Falcon LogScale Services
   Partner Services
 * Why CrowdStrike
   
   
   WHY CROWDSTRIKE
   
   
    * Industry Recognition CrowdStrike is the recognized leader in endpoint
      protection solutions.
    * MITRE ATT&CK CrowdStrike achieves industry-leading coverage for MITRE
      AT&CK evaluations.
    * Customer Stories Don’t take our word for it, hear what our customers have
      to say.
   
   
   
   
   COMPARE CROWDSTRIKE
   
   
    * vs. Microsoft Burdensome operations drive up TCO.
    * vs. Palo Alto Networks Hard to deploy, hard to use, harder to manage.
    * vs. SentinelOne Weak coverage, can’t stop breaches.
    * vs. Wiz Incomplete CNAPP that can't stop breaches.
    * vs. Other Competitors See why CrowdStrike is the top choice for
      comprehensive cybersecurity.
   
   
   
   
   SOLUTIONS BY TOPIC
   
   
    * Cloud Detection and Response The only CDR that unifies world-class threat
      intelligence and 24/7 services with the world’s most complete CNAPP.
    * Zero Trust Real-time breach protection on any endpoint, cloud workload or
      identity, wherever they are.
    * Ransomware Protection Learn what you can do to stop ransomware threats in
      their tracks.
    * Observability & Log Management Fills in the gaps, logs everything, and
      realizes real-time observability for your entire system.
    * Log4Shell Mitigation Get the latest information on this evolving
      vulnerability.
   
   
   
   
   SOLUTIONS BY INDUSTRY
   
   
    * Small Business
    * Election Security
    * State and Local Government
    * Federal Government
    * Healthcare
    * Education
    * Financial Services
    * Retail
   
   
 * Learn
   Featured Resources
   
   --------------------------------------------------------------------------------
   
   Cybersecurity 101 Glossary
   Explanations, examples and best practices on a variety of cybersecurity
   topics.
   Get Your Threat Landscape
   Discover the adversaries targeting your industry.
   2024 Global Threat Report
   The must-read cybersecurity report of the year.
   2023 Threat Hunting Report
   CrowdStrike's threat hunting insights from July 1, 2022 to June 30, 2023.
   CrowdStrike Blog
   
   --------------------------------------------------------------------------------
   
   Under The Wing
   Discover how CrowdStrike protects you against the most advanced attacks.
   From The Front Lines
   Executive Viewpoint
   Counter Adversary Operations
   Customer Focused
   
   --------------------------------------------------------------------------------
   
   Free Trial Guide
   Customer Support Portal
   CrowdStrike University
   CrowdStrike Tech Hub
   Developer Portal
   Knowledge Resources
   
   --------------------------------------------------------------------------------
   
   Customer Stories
   White Papers
   Webinars
   Adversary Universe Podcast
   Reports
   Logging Guides
   Try interactive demos
   All Resources
 * Company
   Connect With Us
   
   --------------------------------------------------------------------------------
   
   Careers
   Events
   Fal.Con 2024
   Falcon Encounter Hands-on Labs
   Partner Programs
   
   --------------------------------------------------------------------------------
   
   Channel Partners and Distributors
   Service Providers
   Strategic Technology Partners
   CrowdStrike Marketplace
   View All
   Become a partner
   About Us
   
   --------------------------------------------------------------------------------
   
   Our Story
   Board of Directors
   Investor Relations
   CrowdStrike & F1 Racing
   Executive Team
   Latest News
   Environment, Social & Governance

 * Login


Contact Us


 * --------------------------------------------------------------------------------
   
   View bundles & pricing

 * --------------------------------------------------------------------------------
   
   Platform

 * --------------------------------------------------------------------------------
   
   Services

 * --------------------------------------------------------------------------------
   
   Why CrowdStrike

 * --------------------------------------------------------------------------------
   
   Learn

 * --------------------------------------------------------------------------------
   
   Company

 * --------------------------------------------------------------------------------
   
   Blog

 * --------------------------------------------------------------------------------
   
   Marketplace

 * --------------------------------------------------------------------------------
   
   Login

 * --------------------------------------------------------------------------------
   
   Contact us

 * --------------------------------------------------------------------------------
   
   Experienced a breach?

 * --------------------------------------------------------------------------------
   
   Languages
   
   --------------------------------------------------------------------------------


Back

Remediation and Guidance Hub: Falcon Content Update for Windows Hosts


REMEDIATION AND GUIDANCE HUB: FALCON CONTENT UPDATE FOR WINDOWS HOSTS





Page last updated 2024-07-22 1528 UTC

Updated 2024-07-22 1528 UTC

As stated in our social media post at 2024-07-21 2106 UTC, together with
customers, CrowdStrike tested a new technique to accelerate impacted system
remediation. We’re in the process of operationalizing an opt-in to this
technique. Customers are encouraged to follow the Tech Alerts for latest updates
as they happen and they will be notified when action is needed.

We have published a video outlining the steps required to self-remediate
impacted remote Windows laptops.

We will continue to provide updates here as information becomes available and
new fixes are deployed.

CrowdStrike is actively assisting customers affected by a defect in a recent
content update for Windows hosts. Mac and Linux hosts were not impacted. The
issue has been identified and isolated, and a fix has been deployed. This was
not a cyberattack.

Customers are advised to check the support portal for updates. We will also
continue to provide the latest information here and on our blog as it’s
available. We recommend organizations verify they are communicating with
CrowdStrike representatives through official channels.

We assure our customers that CrowdStrike is operating normally and this issue
does not affect our Falcon platform systems. If your systems are operating
normally, there is no impact to their protection if the Falcon sensor is
installed.

We understand the gravity of this situation and are deeply sorry for the
inconvenience and disruption. Our team is fully mobilized to ensure the security
and stability of CrowdStrike customers.


OVERVIEW


STATEMENT FROM OUR CEO

Sent 2024-07-19 1930 UTC

Valued Customers and Partners,

I want to sincerely apologize directly to all of you for the outage. All of
CrowdStrike understands the gravity and impact of the situation. We quickly
identified the issue and deployed a fix, allowing us to focus diligently on
restoring customer systems as our highest priority.

The outage was caused by a defect found in a Falcon content update for Windows
hosts. Mac and Linux hosts are not impacted. This was not a cyberattack.

We are working closely with impacted customers and partners to ensure that all
systems are restored, so you can deliver the services your customers rely on.

CrowdStrike is operating normally, and this issue does not affect our Falcon
platform systems. There is no impact to any protection if the Falcon sensor is
installed. Falcon Complete and Falcon OverWatch services are not disrupted.

We will provide continuous updates through our Support Portal at
https://supportportal.crowdstrike.com/s/login/.

We have mobilized all of CrowdStrike to help you and your teams. If you have
questions or need additional support, please reach out to your CrowdStrike
representative or Technical Support.

We know that adversaries and bad actors will try to exploit events like this. I
encourage everyone to remain vigilant and ensure that you’re engaging with
official CrowdStrike representatives. Our blog and technical support will
continue to be the official channels for the latest updates.

Nothing is more important to me than the trust and confidence that our customers
and partners have put into CrowdStrike. As we resolve this incident, you have my
commitment to provide full transparency on how this occurred and steps we’re
taking to prevent anything like this from happening again.

George Kurtz

CrowdStrike Founder and CEO


TECHNICAL DETAILS

 * Technical Details on the outage can be found here: Read the blog Published
   2024-07-19 0100 UTC
 * We assure our customers that CrowdStrike is operating normally and this issue
   does not affect our Falcon platform systems. If your systems are operating
   normally, there is no impact to their protection if the Falcon Sensor is
   installed. Falcon Complete and OverWatch services are not disrupted by this
   incident.
 * CrowdStrike has identified the trigger for this issue as a Windows sensor
   related content deployment and we have reverted those changes. The content is
   a channel file located in the %WINDIR%\System32\drivers\CrowdStrike
   directory.
    * Channel file “C-00000291*.sys” with timestamp of 2024-07-19 0527 UTC or
      later is the reverted (good) version.
    * Channel file “C-00000291*.sys” with timestamp of 2024-07-19 0409 UTC is
      the problematic version.

    * Note: It is normal for multiple “C-00000291*.sys files to be present in
      the CrowdStrike directory – as long as one of the files in the folder has
      a timestamp of 05:27 UTC or later, that will be the active content.

 * Symptoms include hosts experiencing a bugcheck\blue screen error related to
   the Falcon Sensor.
 * Windows hosts which have not been impacted do not require any action as the
   problematic channel file has been reverted.


NON-IMPACTED HOSTS

 * Windows hosts which are brought online after 2024-07-19 0527 UTC will not be
   impacted
 * Windows hosts installed and provisioned after 2024-07-19 0527 UTC are not
   impacted Updated 2024-07-21 1435 UTC
 * This issue is not impacting Mac- or Linux-based hosts


HOW DO I IDENTIFY IMPACTED HOSTS?


HOW DO I IDENTIFY IMPACTED HOSTS VIA ADVANCED EVENT SEARCH QUERY?
UPDATED 2024-07-22 0139 UTC

The queries utilized by the dashboards are listed at the bottom of the
appropriate dashboard KB articles.


HOW DO I IDENTIFY IMPACTED HOSTS VIA DASHBOARD?
UPDATED 2024-07-22 0139 UTC

An updated granular dashboard is available that displays the Windows hosts
impacted by the content update defect described in this Tech Alert. See Granular
status dashboards to identify Windows hosts impacted by content issue (v8.6)
(pdf) or log in to view in the support portal. Note that the queries utilized by
the dashboards are listed at the bottom of the appropriate dashboard KB
articles.


HOW DO I REMEDIATE IMPACTED HOSTS?

If hosts are still crashing and unable to stay online to receive the Channel
File update, the remediation steps below can be used.


HOW DO I REMEDIATE INDIVIDUAL HOSTS?
UPDATED 2024-07-21 0932 UTC

 * Reboot the host to give it an opportunity to download the reverted channel
   file. We strongly recommend putting the host on a wired network (as opposed
   to WiFi) prior to rebooting as the host will acquire internet connectivity
   considerably faster via ethernet.
 * If the host crashes again on reboot:
    * Option 1 – Manual
       * Please see this Microsoft article for detailed steps.
          * Note: Bitlocker-encrypted hosts may require a recovery key.
      
       * Review the following video on CrowdStrike Host Self-Remediation for
         Remote Users. Follow the instructions contained within the video if
         directed to do so by your organization’s IT department. Updated
         2024-07-22 1510 UTC
   
       * Option 2 – Automated via bootable USB key
          * Follow the instructions in this KB article (pdf) or log in to view
            in the support portal.
             * Note: Bitlocker-encrypted hosts may require a recovery key.


HOW DO I RECOVER BITLOCKER KEYS?
UPDATED 2024-07-21 1810 UTC

Bitlocker Recovery Guidance for Knowledge Base (KB) Articles Resources


UPDATED 2024-07-21 1810 UTC
MICROSOFT AZURE

(PDF) or log in to view in the support portal.


UPDATED 2024-07-21 1810 UTC
SCCM

(PDF) or log in to view in the support portal.


UPDATED 2024-07-21 1810 UTC
ACTIVE DIRECTORY AND GPOS

(PDF) or log in to view in the support portal.


UPDATED 2024-07-21 1810 UTC
IVANTI ENDPOINT MANAGER

(PDF) or log in to view in the support portal.


UPDATED 2024-07-21 1810 UTC
MANAGEENGINE DESKTOP CENTRAL

(PDF) or log in to view in the support portal.


UPDATED 2024-07-21 1810 UTC
BIGFIX

(PDF) or log in to view in the support portal.


UPDATED 2024-07-21 0023 UTC
BITLOCKER RECOVERY WITHOUT RECOVERY KEYS

(PDF) or log in to view in the support portal.


WORKSPACE ONE PORTAL

Omnissa article


TANIUM

Tanium article


CITRIX

Citrix article


HOW TO RECOVER CLOUD-BASED ENVIRONMENT RESOURCES

Cloud Environment Guidance


AWS

AWS article


AZURE

Microsoft article


GCP

(PDF) or log in to view in the support portal


PUBLIC CLOUD/VIRTUAL ENVIRONMENTS

Option 1:

 * Detach the operating system disk volume from the impacted virtual server
 * Create a snapshot or backup of the disk volume before proceeding further as a
   precaution against unintended changes
 * Attach/mount the volume to to a new virtual server
 * Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
 * Locate the files matching “C-00000291*.sys”, and delete them
 * Detach the volume from the new virtual server
 * Reattach the fixed volume to the impacted virtual server

Option 2:

 * Roll back to a snapshot before 2024-07-19 0409 UTC


THIRD PARTY VENDOR INFORMATION
UPDATED 2024-07-20 2259 UTC

Third Party Vendor Guidance


INTEL VPRO TECHNOLOGY REMEDIATION GUIDE

Remediate CrowdStrike Falcon® update issue on Windows systems with Intel vPro®
technology


RECOVERY FOR RUBRIK CUSTOMERS

CrowdStrike & Rubrik Customer Content Update Recovery For Windows Hosts


COHESITY SUPPORT

Cohesity’s support for CrowdStrike’s Falcon Sensor updates


ADDITIONAL RESOURCES

 * Statement from our CEO
   Published 2024-07-19 1915 UTC
 * Falcon Sensor Content issue Likely Used to Target CrowdStrike Customers
   Published 2024-07-19 2030 UTC
 * Technical Details: Falcon Content Update for Windows Hosts
   Published 2024-07-19 0100 UTC
 * Likely eCrime Actor Uses Filenames Capitalizing on Falcon Sensor Content
   Issues in Operation Targeting LATAM-based CrowdStrike Customers
   Published 2024-07-20 0145 UTC

 * Statement from our CEO
 * Technical Details
 * How do I identify impacted hosts?
 * How do I remediate impacted hosts?
 * How do I recover Bitlocker Keys?
 * How do I recover Cloud–Based Environments?
 * Third Party Vendor Information
 * Additional Resources


Start your
free trial now.

Total protection has never been easier. Take advantage of our free 15-day trial
and explore the most popular solutions for your business:

 * Protect against malware with next-gen antivirus.
 * Get unrivaled visibility with USB device control.
 * Simplify your host firewall management.
 * Defeat adversaries with automated threat intelligence.

Request free trial
 * 
 * 
 * 
 * 
 * 

New to CrowdStrike? About the platform Explore products Services Why choose
CrowdStrike?
Company About CrowdStrike Careers Events Newsroom Partners CrowdStrike
Marketplace
Learn with CrowdStrike 2024 Global Threat Report Cybersecurity 101 Your Threat
Landscape Tech Center View all resources
Contact us Experienced a breach?
Copyright © 2024
 * Contact us
 * Privacy
 * Cookies
 * Your Privacy Choices
 * Terms of Use
 * Accessibility




ABOUT COOKIES ON THIS SITE

By clicking “Accept All Cookies”, you agree to the storing of cookies on your
device to enhance site navigation, analyze site usage, and assist in our
marketing efforts. Cookie Notice
Cookie Settings Reject All Accept All Cookies



COOKIE PREFERENCE CENTER




 * YOUR PRIVACY


 * STRICTLY NECESSARY COOKIES


 * FUNCTIONAL COOKIES


 * PERFORMANCE COOKIES


 * TARGETING COOKIES

YOUR PRIVACY

When you visit any website, it may store or retrieve information on your
browser, mostly in the form of cookies. This information might be about you,
your preferences or your device and is mostly used to make the site work as you
expect it to. The information does not usually directly identify you, but it can
give you a more personalized web experience. Because we respect your right to
privacy, you can choose not to allow some types of cookies. Click on the
different category headings to find out more and change our default settings.
However, blocking some types of cookies may impact your experience of the site
and the services we are able to offer. 
More information.

STRICTLY NECESSARY COOKIES

Always Active

These cookies are necessary for the website to function and cannot be switched
off in our systems. This includes diagnostic functions such as identifying 404
errors and monitoring page load speed. They are usually only set in response to
actions made by you which amount to a request for services, such as setting your
privacy preferences, logging in or filling in forms. You can set your browser to
block or alert you about these cookies, but some parts of the site will not then
work. These cookies do not store any personally identifiable information.

Cookies Details‎

FUNCTIONAL COOKIES

Functional Cookies


These cookies enable the website to provide enhanced functionality and
personalisation. They may be set by us or by third party providers whose
services we have added to our pages. If you do not allow these cookies then some
or all of these services may not function properly.

Cookies Details‎

PERFORMANCE COOKIES

Performance Cookies


These cookies allow us to count visits and traffic sources so we can measure and
improve the performance of our site. They help us to know which pages are the
most and least popular and see how visitors move around the site. All
information these cookies collet is aggregated and therefore anonymous. If you
do not allow these cookies we will not know when you have visited our site, and
will not be able to monitor its performance.

Cookies Details‎

TARGETING COOKIES

Targeting Cookies


These cookies may be set through our site by our advertising partners. They may
be used by those companies to build a profile of your interests and show you
relevant adverts on other sites. They do not store directly personal
information, but are based on uniquely identifying your browser and internet
device. If you do not allow these cookies, you will experience less targeted
advertising.

Cookies Details‎
Back Button


COOKIE LIST

Filter Button
Consent Leg.Interest
checkbox label label
checkbox label label
checkbox label label

Clear
checkbox label label
Apply Cancel
Confirm My Choices
Allow All