
Technical Fix for Global IT Outage – CrowdStrike and Microsoft Incident


Our team at Arctic Wolf has been following the CrowdStrike issue affecting Windows endpoints since approximately 12 AM EST on July 19th, 2024. Although Arctic Wolf’s service is not impacted, some of our customers who leverage CrowdStrike for endpoint security are experiencing widespread outages. Arctic Wolf continues to protect and monitor these customers’ environments while they focus their attention on recovering from this event.

In an effort to guide users through the prescribed remediation steps provided by CrowdStrike, Arctic Wolf has created a video which illustrates the following steps.

  • Boot Windows into Safe Mode or the Windows Recovery Environment
    • Note: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.
  • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
    • Note: On WinRE/WinPE, navigate to the Windows\System32\drivers\CrowdStrike directory of the OS volume
  • Locate the file matching “C-00000291*.sys”, and delete it.
  • Boot the host normally.
  • Note: BitLocker-encrypted hosts may require a recovery key.
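
The steps above as a PowerShell script, added here as an example and not taken from CrowdStrike or Arctic Wolf. It assumes an elevated PowerShell session in Safe Mode or in a WinPE image that includes PowerShell (a default WinRE command prompt does not); the script name is hypothetical.

```powershell
# Added example (not CrowdStrike's or Arctic Wolf's code).
# Hypothetical file name: Remove-ChannelFile291.ps1. Run elevated; add -WhatIf to preview.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # File pattern from the remediation steps
    [string]$Pattern = 'C-00000291*.sys'
)

# Directory from the steps, relative to the OS volume. Under WinRE/WinPE the OS
# volume may not be C:, so every file system drive is checked.
$relDir = 'Windows\System32\drivers\CrowdStrike'
$roots  = Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root }

$dirsSeen = 0
$removed  = 0
foreach ($root in $roots) {
    $dir = Join-Path -Path $root -ChildPath $relDir
    # A BitLocker volume that is still locked is unreadable and fails this test;
    # unlock it with its recovery key first, then re-run.
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
    $dirsSeen++

    $files = @(Get-ChildItem -LiteralPath $dir -Filter $Pattern -File -Force -ErrorAction SilentlyContinue)
    if ($files.Count -eq 0) {
        Write-Output "No file matching $Pattern in $dir"
        continue
    }
    foreach ($f in $files) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete channel file')) {
            try {
                Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
                $removed++
                Write-Output "Deleted $($f.FullName)"
            } catch {
                Write-Warning "Could not delete $($f.FullName): $($_.Exception.Message)"
            }
        }
    }
}

if ($dirsSeen -eq 0) {
    Write-Warning "No $relDir directory found on any readable volume."
}
Write-Output "Directories checked: $dirsSeen; files deleted: $removed. Boot the host normally."
```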

As an additional remediation step, CrowdStrike advises rebooting the host so that it can download the reverted channel file. It is strongly recommended to put the host on a wired network (as opposed to WiFi) prior to rebooting, as the host will acquire internet connectivity considerably faster via Ethernet, thereby increasing the chances that the updated channel file will be applied and resolve the issue.

As this issue continues to evolve, Arctic Wolf will monitor for changes and provide updates when they become available.

Additional Resources:

BitLocker recovery-related KBs:

 
