CrowdStrike: If the IT outage affected you, try these fixes


12:33 PM July 21, 2024

Was your airline grounded, or your bank's systems down, on July 19? Here is the remediation guidance CrowdStrike has published so far.

A faulty content update for CrowdStrike's Falcon sensor, the endpoint security agent it installs on customer machines, crashed Windows hosts at banks, airlines and other organisations worldwide with the Blue Screen of Death.


That screen is the Windows stop error shown when the kernel halts after an unrecoverable fault. Here it was triggered when the sensor loaded the faulty file, and an affected machine typically could not boot normally until the file was removed, which is what took these institutions offline.


CrowdStrike stated in its official post that the incident was not a cyberattack.

More usefully, the US-based company published steps for identifying the faulty file and the affected hosts.


The company says it continues to work with affected customers to speed up remediation.


How to fix the CrowdStrike issue

The company says the crash affected Windows hosts running the Falcon sensor that received the faulty content update; Mac and Linux hosts were not affected.

The root cause is a channel file, a content update that the sensor loads, in the %WINDIR%\System32\drivers\CrowdStrike directory: Channel File 291, whose filename matches C-00000291*.sys.


The directory holds many similarly named files, so the faulty one is easy to miss. Here is how to tell the good file from the bad one:

  • Channel file "C-00000291*.sys" with a timestamp of 2024-07-19 05:27 UTC or later is the reverted (good) version.
  • Channel file "C-00000291*.sys" with a timestamp of 2024-07-19 04:09 UTC is the problematic version.


The directory will usually hold more than one "C-00000291*.sys" file; the one stamped 05:27 UTC or later is the active content. CrowdStrike's published workaround for a host that will not boot is to start it in Safe Mode or the Windows Recovery Environment, delete the "C-00000291*.sys" file carrying the 04:09 UTC timestamp from %WINDIR%\System32\drivers\CrowdStrike, and then boot normally.
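Added example (not CrowdStrike's code or guidance): a Python script that applies the timestamp rule above to every C-00000291*.sys file in a directory. It assumes the file's modification time is the timestamp the guidance refers to, and it builds a temporary directory of constructed files with hypothetical version suffixes so it runs anywhere; on a real host you would point audit_crowdstrike_dir at %WINDIR%\System32\drivers\CrowdStrike (or do the same with Get-ChildItem in PowerShell).

```python
"""Classify Channel File 291 copies by timestamp (added example, not CrowdStrike code).

Assumption: the file's modification time is the timestamp CrowdStrike's guidance
refers to. The sample directory and filenames below are constructed.
"""
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Thresholds from CrowdStrike's guidance (UTC).
BAD_TS = datetime(2024, 7, 19, 4, 9, tzinfo=timezone.utc)    # problematic content
GOOD_TS = datetime(2024, 7, 19, 5, 27, tzinfo=timezone.utc)  # reverted content
CHANNEL_291_GLOB = "C-00000291*.sys"


def classify_channel_file(mtime: datetime) -> str:
    """Map a channel file timestamp to GOOD, BAD or VERIFY.

    GOOD   : 05:27 UTC or later (the reverted content).
    BAD    : stamped within the 04:09 UTC minute (the faulty content).
    VERIFY : anything else; the guidance describes only the two timestamps
             above, so do not guess, inspect the file by hand.
    """
    if mtime >= GOOD_TS:
        return "GOOD"
    if BAD_TS <= mtime < BAD_TS + timedelta(minutes=1):
        return "BAD"
    return "VERIFY"


def audit_crowdstrike_dir(directory: Path) -> dict:
    """Return {filename: status} for every Channel File 291 copy in directory.

    Files for other channels (C-00000290*, ...) are skipped: the directory is
    full of .sys files and only the 291 family matters for this incident.
    """
    results = {}
    for path in sorted(directory.glob(CHANNEL_291_GLOB)):
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        results[path.name] = classify_channel_file(mtime)
    return results


def needs_remediation(results: dict) -> bool:
    """True when a BAD file is present and the reverted (GOOD) one has not arrived."""
    statuses = set(results.values())
    return "BAD" in statuses and "GOOD" not in statuses


def build_sample_dir() -> Path:
    """Constructed sample directory. The version suffixes in the names are
    hypothetical; only the C-00000291 prefix and .sys extension matter here."""
    root = Path(tempfile.mkdtemp(prefix="cs-demo-"))
    samples = {
        "C-00000291-00000000-00000030.sys": GOOD_TS + timedelta(minutes=3),  # reverted
        "C-00000291-00000000-00000029.sys": BAD_TS,                          # faulty
        "C-00000290-00000000-00000010.sys": BAD_TS,   # different channel: ignored
    }
    for name, ts in samples.items():
        p = root / name
        p.write_bytes(b"\x00" * 16)
        os.utime(p, (ts.timestamp(), ts.timestamp()))
    return root


if __name__ == "__main__":
    report = audit_crowdstrike_dir(build_sample_dir())
    for name, status in report.items():
        print(f"{status:7} {name}")
    print("remediation needed:", needs_remediation(report))
```

A file stamped between 04:09 and 05:27 UTC is reported as VERIFY rather than guessed at, because the guidance only describes those two timestamps; needs_remediation fires only when the faulty file is present and the reverted one has not yet been downloaded.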

How to spot affected Windows hosts

Airlines, banks and similar organisations run thousands of Windows hosts, so finding the affected ones by hand is impractical. CrowdStrike published two Falcon queries for this.

First, run this query in Advanced Event Search with the search window set to seven days. It reads the Channel File 291 version (a hex number) out of each ConfigStateUpdate event, takes the highest version seen in your tenant as the reverted, good one, and reports the version just below it as ImpactedChannel:

#event_simpleName=ConfigStateUpdate event_platform=Win
| regex("\|1,123,(?<CFVersion>.*?)\|", field=ConfigStateData, strict=false)
| parseInt(CFVersion, radix=16)
| groupBy([cid], function=([max(CFVersion, as=GoodChannel)]))
| ImpactedChannel:=GoodChannel-1
| join(query={#data_source_name=cid_name | groupBy([cid], function=selectLast(name), limit=max)}, field=[cid], include=name, mode=left)

Note the number in the ImpactedChannel column; the second query needs it.


How to run the query that finds CrowdStrike-affected hosts


Run the second query, again with the search window set to seven days. It returns hosts that:

  • were online during the impact window of 04:00 to 06:00 UTC on 2024-07-19;
  • processed an update for Channel File 291 within that window;
  • reported that they loaded the impacted channel file; and
  • have not checked in within the past hour. A host stuck in a crash loop cannot send a sensor heartbeat, so a large LastSeenDelta on a host marked CHECK is the signal to go and look at it.

The value from the first query goes into the line | in(field="CFVersion", values=[?Channel]) (line 26 of CrowdStrike's original listing): either supply it as the ?Channel query parameter or write the number in directly. For example, if the first query returned 31, use 31. Keep version 0 in the list as well, since the query flags a reported version of 0 as VERIFY rather than OK. The other placeholders are also query parameters: ?cid takes your customer ID, and ?Status and ?ComputerName can be set to * to match every host.

The query can also be saved as a Scheduled Search so that it keeps looking for newly impacted hosts.

Here is the query for finding CrowdStrike-affected hosts. With the example value 31 (and version 0) substituted, the filter line reads:

[…]
| in(field="CFVersion", values=[0,31])
[…]

Full query:

// Get ConfigStateUpdate and SensorHeartbeat events
#event_simpleName=/^(ConfigStateUpdate|SensorHeartbeat)$/ event_platform=Win
| cid=?cid
// Narrow search to Channel File 291 and extract version number; accept all SensorHeartbeat events
| case{
  #event_simpleName=ConfigStateUpdate | regex("\|1,123,(?<CFVersion>.*?)\|", field=ConfigStateData, strict=false) | parseInt(CFVersion, radix=16);
  #event_simpleName=SensorHeartbeat | rename([[@timestamp, LastSeen]]);
}
// Make sure both ConfigStateUpdate and SensorHeartbeat have happened
| selfJoinFilter(field=[cid, aid, ComputerName], where=[{ConfigStateUpdate}, {SensorHeartbeat}])
// Aggregate results
| groupBy([cid], function=[groupBy(aid, function=([
    {selectFromMax(field="@timestamp", include=[CFVersion])},
    {selectFromMax(field="@timestamp", include=[@timestamp]) | rename(field="@timestamp", as="LastSeen")}
  ]), limit=max),
  max(CFVersion, as=MaxCFVersion)
], limit=max)
// Perform check on selfJoinFilter
| CFVersion=* LastSeen=*
// Calculate time between last seen and now
| LastSeenDelta:=now()-LastSeen
// Only show the impacted channel
| in(field="CFVersion", values=[?Channel])
// Calculate duration between last seen and now
| LastSeenDelta:=formatDuration("LastSeenDelta", precision=2)
// Enrich aggregation with aid_master details
| aid=~match(file="aid_master_main.csv", column=[aid], strict=false)
| aid=~match(file="aid_master_details.csv", column=[aid], include=[FalconGroupingTags, SensorGroupingTags], strict=false)
// Convert FirstSeen time to human-readable format
| FirstSeen:=formatTime(format="%F %T", field="FirstSeen")
// Move ProductType to human-readable format and add formatting
| $falcon/helper:enrich(field=ProductType)
| drop([Time])
| default(value="-", field=[MachineDomain, OU, SiteName, FalconGroupingTags, SensorGroupingTags], replaceEmpty=true)
// Create conditions to check for impact
| case{
  CFVersion=0 | Status:="VERIFY" | Details:="Endpoint channel file version 0.";
  test(CFVersion==(MaxCFVersion-1)) | Status:="CHECK" | Details:="Endpoint has impacted channel file";
  test(CFVersion==MaxCFVersion) | Status:="OK" | Details:="Endpoint has latest channel file and is operational.";
  test(CFVersion<(MaxCFVersion-1)) | Status:="OK" | Details:="Endpoint has earlier channel file and is operational.";
  * | Status:="UNKNOWN" | Details:="Cannot determine status.";
}
// Convert FirstSeen time to human-readable format
| FirstSeen:=formatTime(format="%F %T", field="FirstSeen")
// Convert LastSeen time to human-readable format
| LastSeen:=formatTime(format="%F %T", field="LastSeen")
// Filter on status.
| Status=?Status
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
// Create one final groupBy for easier export to CSV
| groupBy([cid, aid, ComputerName, Status, FirstSeen, LastSeen, CFVersion, MaxCFVersion, LastSeenDelta, Details, AgentVersion, aip, event_platform, FalconGroupingTags, LocalAddressIP4, MAC, MachineDomain, OU, ProductType, SensorGroupingTags, SiteName, SystemManufacturer, SystemProductName, Version], limit=max, function=[])
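Added example serving both queries above; it is not CrowdStrike's code. It re-implements the query logic in Python over a constructed event list: the same |1,123,<hex>| regex and base-16 parse (0x123 is 291, which is how the pattern picks out Channel File 291), the first query's max-minus-one rule for ImpactedChannel, the second query's self-join, newest-version-per-host selection and case{} status table, and the final in(field="CFVersion", values=[0, <ImpactedChannel>]) filter. The host names, aids, ConfigStateData layout and timestamps are invented for the example.

```python
"""Offline re-implementation of the two hunting queries (added example, not
CrowdStrike code). Event shapes are the minimum the queries need; the sample
events at the bottom are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Same pattern the queries use. 0x123 == 291, so "|1,123,<hex>|" is the
# Channel File 291 entry inside ConfigStateData; the hex value is its version.
CF291_RE = re.compile(r"\|1,123,(?P<CFVersion>.*?)\|")


def cf291_version(config_state_data):
    """regex(...) + parseInt(CFVersion, radix=16): int version, or None if absent."""
    m = CF291_RE.search(config_state_data)
    return int(m.group("CFVersion"), 16) if m else None


def _latest_config_and_heartbeat(events):
    """Per aid: (timestamp, version) of the newest 291 update, newest heartbeat, name."""
    latest_cfg, last_seen, names = {}, {}, {}
    for e in events:
        aid, ts = e["aid"], e["@timestamp"]
        names[aid] = e["ComputerName"]
        if e["event_simpleName"] == "ConfigStateUpdate":
            v = cf291_version(e["ConfigStateData"])
            if v is not None and (aid not in latest_cfg or ts > latest_cfg[aid][0]):
                latest_cfg[aid] = (ts, v)   # selectFromMax(@timestamp, include=[CFVersion])
        elif e["event_simpleName"] == "SensorHeartbeat":
            last_seen[aid] = max(last_seen.get(aid, ts), ts)
    return latest_cfg, last_seen, names


def impacted_channel(events):
    """First query: the highest 291 version seen in the tenant is the reverted
    (good) one; the impacted version is the one just below it."""
    latest_cfg, _, _ = _latest_config_and_heartbeat(events)
    return max(v for _, v in latest_cfg.values()) - 1


def status_for(cf_version, max_version):
    """The second query's case{} block, branches in the same order."""
    if cf_version == 0:
        return "VERIFY", "Endpoint channel file version 0."
    if cf_version == max_version - 1:
        return "CHECK", "Endpoint has impacted channel file"
    if cf_version == max_version:
        return "OK", "Endpoint has latest channel file and is operational."
    if cf_version < max_version - 1:
        return "OK", "Endpoint has earlier channel file and is operational."
    return "UNKNOWN", "Cannot determine status."


def classify_hosts(events, now):
    """Second query: keep hosts with both event types (selfJoinFilter), take the
    newest 291 version per host, and compute the time since the last heartbeat."""
    latest_cfg, last_seen, names = _latest_config_and_heartbeat(events)
    joined = latest_cfg.keys() & last_seen.keys()
    max_version = max(latest_cfg[a][1] for a in joined)   # MaxCFVersion
    rows = []
    for aid in joined:
        ver = latest_cfg[aid][1]
        status, details = status_for(ver, max_version)
        rows.append({"aid": aid, "ComputerName": names[aid], "CFVersion": ver,
                     "MaxCFVersion": max_version, "Status": status,
                     "Details": details, "LastSeenDelta": now - last_seen[aid]})
    return sorted(rows, key=lambda r: r["ComputerName"])


def hosts_to_check(events, now):
    """in(field="CFVersion", values=[0, <ImpactedChannel>]): the rows worth acting on."""
    wanted = {0, impacted_channel(events)}
    return [r for r in classify_hosts(events, now) if r["CFVersion"] in wanted]


def _ev(kind, aid, name, ts, data=None):
    e = {"event_simpleName": kind, "aid": aid, "ComputerName": name, "@timestamp": ts}
    if data is not None:
        e["ConfigStateData"] = data
    return e


DAY = datetime(2024, 7, 19, tzinfo=timezone.utc)
NOW = DAY + timedelta(hours=9)
# Constructed sample: names, aids and the ConfigStateData layout are made up.
# 0x1f = 31 is the impacted version, 0x20 = 32 the reverted one.
SAMPLE_EVENTS = [
    _ev("ConfigStateUpdate", "a1", "HR-LAPTOP-07", DAY + timedelta(hours=4, minutes=30),
        "|1,122,00000012|1,123,0000001f|"),   # loaded v31, then went quiet
    _ev("SensorHeartbeat", "a1", "HR-LAPTOP-07", DAY + timedelta(hours=4, minutes=45)),
    _ev("ConfigStateUpdate", "a2", "ATM-GW-02", DAY + timedelta(hours=4, minutes=31), "|1,123,0000001f|"),
    _ev("ConfigStateUpdate", "a2", "ATM-GW-02", DAY + timedelta(hours=6, minutes=10), "|1,123,00000020|"),
    _ev("SensorHeartbeat", "a2", "ATM-GW-02", DAY + timedelta(hours=8, minutes=59)),   # got the reverted v32
    _ev("ConfigStateUpdate", "a3", "KIOSK-11", DAY + timedelta(hours=3), "|1,123,0000001e|"),  # never saw v31
    _ev("SensorHeartbeat", "a3", "KIOSK-11", DAY + timedelta(hours=8, minutes=58)),
    _ev("ConfigStateUpdate", "a4", "DC-01", DAY + timedelta(hours=4, minutes=32), "|1,123,00000000|"),  # version 0
    _ev("SensorHeartbeat", "a4", "DC-01", DAY + timedelta(hours=8, minutes=50)),
    _ev("ConfigStateUpdate", "a5", "LAB-VM-03", DAY + timedelta(hours=4, minutes=33),
        "|1,123,0000001f|"),                  # no heartbeat: dropped by the self-join
]

if __name__ == "__main__":
    print("ImpactedChannel:", impacted_channel(SAMPLE_EVENTS))
    for r in hosts_to_check(SAMPLE_EVENTS, NOW):
        print(f'{r["Status"]:6} {r["ComputerName"]:13} v{r["CFVersion"]} '
              f'last seen {r["LastSeenDelta"]} ago')
```

With this sample the first step yields ImpactedChannel 31 (the page's own example value), and the filtered output contains only DC-01 (VERIFY, version 0) and HR-LAPTOP-07 (CHECK, last heartbeat more than four hours ago), which is the host a responder would go and look at first.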


If problems persist, contact CrowdStrike support at www.crowdstrike.com/contact-us.




© Copyright 1997-2024 INQUIRER.net | All Rights Reserved
