Crowdstrike: If the IT outage affected you, try these fixes

Is your airline not working? Perhaps your bank’s IT systems are malfunctioning? Fret not, because here’s the latest fix from Crowdstrike.

A faulty content update for Crowdstrike’s Falcon endpoint security sensor caused Windows machines at banks, airlines and other organisations worldwide to crash with the Blue Screen of Death.


The Blue Screen of Death is the screen Windows shows when it halts after an unrecoverable system error, so the crashed machines were out of service and the institutions that depend on them were disrupted.

Crowdstrike reiterated in its official post that a cyberattack did not cause the issue.

More importantly, the US-based company shared ways to troubleshoot the issue.

Crowdstrike continues to work with affected parties to expedite solutions. 

How to fix the Crowdstrike issue

The US-based tech firm says the error affected Windows hosts that received the faulty Falcon content update.

The root of the issue is a single channel file, channel file 291, in the %WINDIR%\System32\drivers\CrowdStrike directory.

Opening the directory will reveal numerous files, making it difficult to spot the problematic file.

Crowdstrike points out that it is normal for the directory to contain multiple “C-00000291*.sys” files, so several copies are not in themselves a sign of trouble. The distinguishing detail is the timestamp: a copy written at 05:27 UTC or later is the corrected, active content.
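As an added example, not Crowdstrike’s own tooling and not part of the original article, the script below sorts the channel file 291 copies on a host into those written before the 05:27 UTC cut-off and those written at or after it. It assumes the cut-off date is 19 July 2024 (the article gives only the time), the file names in the sample listing are invented to fit the C-00000291*.sys pattern, and it compares in UTC because Explorer shows local time, which is the easiest way to misjudge a file that sits right on the boundary.

```python
# Added example, not CrowdStrike tooling: sort the channel file 291 copies on a host
# into "before" and "at/after" the 05:27 UTC cut-off. Assumes the cut-off date is
# 19 July 2024 (the page gives only the time); sample file names below are invented.
import os
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from pathlib import Path

CUTOFF_UTC = datetime(2024, 7, 19, 5, 27, tzinfo=timezone.utc)
PATTERN = "C-00000291*.SYS"
CROWDSTRIKE_DIR = Path(os.environ.get("WINDIR", r"C:\Windows")) / "System32" / "drivers" / "CrowdStrike"


def classify_channel_files(entries, cutoff=CUTOFF_UTC):
    """entries: (file name, last-write time as a timezone-aware datetime).

    Returns the names of channel file 291 copies written before the cut-off ("stale")
    and at or after it ("active"), each oldest first. Other files are ignored.
    """
    stale, active = [], []
    for name, written in entries:
        if not fnmatchcase(name.upper(), PATTERN):
            continue
        if written.tzinfo is None:
            # Explorer shows local time; a naive timestamp cannot be placed on the UTC boundary.
            raise ValueError(f"{name}: timestamp must be timezone-aware")
        bucket = active if written.astimezone(timezone.utc) >= cutoff else stale
        bucket.append((written, name))
    return {"stale": [n for _, n in sorted(stale)], "active": [n for _, n in sorted(active)]}


def scan_directory(directory=CROWDSTRIKE_DIR):
    """Run the check against the real directory; st_mtime is epoch seconds, so UTC is exact."""
    entries = [(p.name, datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc))
               for p in Path(directory).iterdir() if p.is_file()]
    return classify_channel_files(entries)


# Constructed directory listing (names made up to match the C-00000291*.sys pattern).
# The last entry is 13:30 at UTC+8, i.e. 05:30 UTC, which is why the comparison is done in UTC.
SAMPLE_LISTING = [
    ("C-00000291-OLD.sys", datetime(2024, 7, 19, 4, 9, tzinfo=timezone.utc)),
    ("C-00000291-NEW.sys", datetime(2024, 7, 19, 5, 27, tzinfo=timezone.utc)),
    ("C-00000290-OTHER.sys", datetime(2024, 7, 19, 6, 0, tzinfo=timezone.utc)),
    ("C-00000291-LOCAL.sys", datetime(2024, 7, 19, 13, 30, tzinfo=timezone(timedelta(hours=8)))),
]

if __name__ == "__main__":
    print(classify_channel_files(SAMPLE_LISTING))
```

On a real host, scan_directory() reads the directory the article names; a result with an empty "active" list means no copy at or after the cut-off is present.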

How to spot affected Windows hosts

Airlines, banks and other large establishments will likely have multiple Windows hosts.

Consequently, it’s more challenging to spot those with the Crowdstrike error. 

Fortunately, the company itself shared ways to identify affected hosts.

Start by running this query in Advanced Event Search with the search window set to seven days: 

#event_simpleName=ConfigStateUpdate event_platform=Win
| regex("\|1,123,(?<CFVersion>.*?)\|", field=ConfigStateData, strict=false)
| parseInt(CFVersion, radix=16)
| groupBy([cid], function=([max(CFVersion, as=GoodChannel)]))
| ImpactedChannel:=GoodChannel-1
| join(query={#data_source_name=cid_name | groupBy([cid], function=selectLast(name), limit=max)}, field=[cid], include=name, mode=left)

Note the number in the “ImpactedChannel” column; the next query needs it.


How to execute a query to find Crowdstrike-affected hosts


Run the query below with its search window also set to seven days. It lists every Windows host that has reported both a channel file 291 version update and a sensor heartbeat in that window, and assigns each a status: VERIFY, CHECK, OK or UNKNOWN.

Most importantly, the filter step | in(field="CFVersion", values=[…]) (the “Only show the impacted channel” line) must contain the value derived from the previous query. In the parameterised form of the query that value is supplied through the ?Channel query parameter.

For example, if the first query reported 31, use 31, keeping the 0 that is already in the list so that hosts reporting version 0 are still surfaced for verification.

You may also run it as a Scheduled Search so that it checks for other impacted hosts periodically.

With the example value filled in, that filter line reads:

[…]
| in(field="CFVersion", values=[0,31])
[…]

Here’s the full query for finding Crowdstrike-affected hosts:
// Get ConfigStateUpdate and SensorHeartbeat events
#event_simpleName=/^(ConfigStateUpdate|SensorHeartbeat)$/ event_platform=Win
| cid=?cid
// Narrow search to Channel File 291 and extract version number; accept all SensorHeartbeat events
| case{
    #event_simpleName=ConfigStateUpdate | regex("\|1,123,(?<CFVersion>.*?)\|", field=ConfigStateData, strict=false) | parseInt(CFVersion, radix=16);
    #event_simpleName=SensorHeartbeat | rename([[@timestamp, LastSeen]]);
}
// Make sure both ConfigState update and SensorHeartbeat have happened
| selfJoinFilter(field=[cid, aid, ComputerName], where=[{ConfigStateUpdate}, {SensorHeartbeat}])
// Aggregate results
| groupBy([cid], function=[groupby(aid, function=([
    {selectFromMax(field="@timestamp", include=[CFVersion])},
    {selectFromMax(field="@timestamp", include=[@timestamp]) | rename(field="@timestamp", as="LastSeen")}
    ]), limit=max),
    max(CFVersion, as=MaxCFVersion)
    ], limit=max)
// Perform check on selfJoinFilter
| CFVersion=* LastSeen=*
// Calculate time between last seen and now
| LastSeenDelta:=now()-LastSeen
// Only show the impacted channel
| in(field="CFVersion", values=[?Channel])
// Calculate duration between last seen and now
| LastSeenDelta:=formatDuration("LastSeenDelta", precision=2)
// Enrich aggregation with aid_master details
| aid=~match(file="aid_master_main.csv", column=[aid], strict=false)
| aid=~match(file="aid_master_details.csv", column=[aid], include=[FalconGroupingTags, SensorGroupingTags], strict=false)
// Convert FirstSeen time to human-readable format
| FirstSeen:=formatTime(format="%F %T", field="FirstSeen")
// Move ProductType to human-readable format and add formatting
| $falcon/helper:enrich(field=ProductType)
| drop([Time])
| default(value="-", field=[MachineDomain, OU, SiteName, FalconGroupingTags, SensorGroupingTags], replaceEmpty=true)
// Create conditions to check for impact
| case{
    CFVersion=0 | Status:="VERIFY" | Details:="Endpoint channel file version 0.";
    test(CFVersion==(MaxCFVersion-1)) | Status:="CHECK" | Details:="Endpoint has impacted channel file";
    test(CFVersion==MaxCFVersion) | Status:="OK" | Details:="Endpoint has latest channel file and is operational.";
    test(CFVersion<(MaxCFVersion-1)) | Status:="OK" | Details:="Endpoint has earlier channel file and is operational.";
    * | Status:="UNKNOWN" | Details:="Cannot determine status.";
}
// Convert FirstSeen time to human-readable format
| FirstSeen:=formatTime(format="%F %T", field="FirstSeen")
// Convert LastSeen time to human-readable format
| LastSeen:=formatTime(format="%F %T", field="LastSeen")
// Filter on status.
| Status=?Status
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
// Create one final groupBy for easier export to CSV
| groupby([cid, aid, ComputerName, Status, FirstSeen, LastSeen, CFVersion, MaxCFVersion, LastSeenDelta, Details, AgentVersion, aip, event_platform, FalconGroupingTags, LocalAddressIP4, MAC, MachineDomain, OU, ProductType, SensorGroupingTags, SiteName, SystemManufacturer, SystemProductName, Version], limit=max, function=[])
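As an added example that is not Crowdstrike’s code and not part of the article, the Python script below emulates what the two queries compute, the first query’s ImpactedChannel and the second query’s per-host status, over a handful of constructed ConfigStateUpdate and SensorHeartbeat events. The field names are the ones the queries use; the ConfigStateData values are reduced to the |1,123,<hex>| token the regex matches (0x123 is 291, and the version is also hex, which is why the queries call parseInt with radix=16); the host names, aids and the fixed “now” are made up. Two simplifications are assumed: hosts are keyed by aid alone (the real selfJoinFilter also keys on ComputerName), and the aid_master enrichment and display formatting are left out.

```python
# Added example, not CrowdStrike code: offline emulation of the two channel file 291 queries.
# Events below are constructed; ConfigStateData is reduced to the "|1,123,<hex>|" token.
import re
from datetime import datetime, timezone

# Channel file 291 is 0x123: the queries capture the hex version after "|1,123,"
# and parse it with radix 16, which is what cf_version() does.
CF291_RE = re.compile(r"\|1,123,(?P<CFVersion>.*?)\|")
NOW = datetime(2024, 7, 19, 8, 0, tzinfo=timezone.utc)   # stands in for now()


def ev(kind, aid, name, hour, minute, data=None):
    """Build one constructed event record (cid fixed to "c1", platform Windows)."""
    e = {"event_simpleName": kind, "event_platform": "Win", "cid": "c1", "aid": aid,
         "ComputerName": name, "@timestamp": datetime(2024, 7, 19, hour, minute, tzinfo=timezone.utc)}
    if data is not None:
        e["ConfigStateData"] = data
    return e


# Versions 0x1F = 31 (the impacted value in the article's example) and 0x20 = 32 (corrected).
SAMPLE_EVENTS = [
    ev("ConfigStateUpdate", "a1", "HOST-A", 4, 30, "|1,123,0000001F|"),
    ev("SensorHeartbeat", "a1", "HOST-A", 5, 0),                        # then silence: crash-looping
    ev("ConfigStateUpdate", "a2", "HOST-B", 4, 30, "|1,123,0000001F|"),
    ev("ConfigStateUpdate", "a2", "HOST-B", 5, 40, "|1,123,00000020|"),  # received the corrected file
    ev("SensorHeartbeat", "a2", "HOST-B", 6, 0),
    ev("ConfigStateUpdate", "a3", "HOST-C", 5, 50, "|1,123,00000020|"),  # no heartbeat: filtered out
    ev("ConfigStateUpdate", "a4", "HOST-D", 4, 45, "|1,123,00000000|"),
    ev("SensorHeartbeat", "a4", "HOST-D", 7, 30),
]


def cf_version(config_state_data):
    """Version of channel file 291 as an int, or None if 291 is not listed in the field."""
    m = CF291_RE.search(config_state_data)
    return int(m.group("CFVersion"), 16) if m else None


def impacted_channel(events):
    """First query: per cid, GoodChannel = max CFVersion seen; ImpactedChannel = GoodChannel - 1."""
    good = {}
    for e in events:
        if e["event_simpleName"] != "ConfigStateUpdate" or e["event_platform"] != "Win":
            continue
        v = cf_version(e["ConfigStateData"])
        if v is not None:
            good[e["cid"]] = max(good.get(e["cid"], v), v)
    return {cid: {"GoodChannel": g, "ImpactedChannel": g - 1} for cid, g in good.items()}


def status_for(cf, max_cf):
    """The case{} block of the second query, evaluated top to bottom; first match wins."""
    if cf == 0:
        return "VERIFY", "Endpoint channel file version 0."
    if cf == max_cf - 1:
        return "CHECK", "Endpoint has impacted channel file"
    if cf == max_cf:
        return "OK", "Endpoint has latest channel file and is operational."
    if cf < max_cf - 1:
        return "OK", "Endpoint has earlier channel file and is operational."
    return "UNKNOWN", "Cannot determine status."


def classify_hosts(events, cid, channel_values=None, now=NOW):
    """Second query: one row per host (aid) that has both event types in the window.

    channel_values mirrors in(field="CFVersion", values=[...]); None means no filter.
    """
    latest_cfg, all_versions, last_seen, names = {}, {}, {}, {}
    for e in events:
        if e["cid"] != cid or e["event_platform"] != "Win":
            continue
        aid = e["aid"]
        names[aid] = e["ComputerName"]
        if e["event_simpleName"] == "ConfigStateUpdate":
            v = cf_version(e["ConfigStateData"])
            if v is None:
                continue
            all_versions.setdefault(aid, []).append(v)
            # selectFromMax(field="@timestamp", include=[CFVersion]): keep the newest update
            if aid not in latest_cfg or e["@timestamp"] > latest_cfg[aid][0]:
                latest_cfg[aid] = (e["@timestamp"], v)
        elif e["event_simpleName"] == "SensorHeartbeat":
            last_seen[aid] = max(last_seen.get(aid, e["@timestamp"]), e["@timestamp"])
    # selfJoinFilter(...) plus "CFVersion=* LastSeen=*": a host needs both event types
    hosts = [aid for aid in latest_cfg if aid in last_seen]
    if not hosts:
        return []
    max_cf = max(v for aid in hosts for v in all_versions[aid])   # max(CFVersion, as=MaxCFVersion)
    rows = []
    for aid in sorted(hosts):
        cf = latest_cfg[aid][1]
        if channel_values is not None and cf not in channel_values:
            continue
        status, details = status_for(cf, max_cf)
        rows.append({"aid": aid, "ComputerName": names[aid], "CFVersion": cf,
                     "MaxCFVersion": max_cf, "Status": status, "Details": details,
                     "LastSeen": last_seen[aid].isoformat(),
                     "LastSeenDeltaSeconds": int((now - last_seen[aid]).total_seconds())})
    return rows


if __name__ == "__main__":
    channel = impacted_channel(SAMPLE_EVENTS)["c1"]["ImpactedChannel"]
    for row in classify_hosts(SAMPLE_EVENTS, "c1", channel_values=[0, channel]):
        print(row)
```

Running it with the first query’s result fed into the second (values=[0, 31]) returns HOST-A as CHECK, whose last heartbeat three hours earlier is the tell-tale of a host that stopped reporting, and HOST-D as VERIFY; HOST-B is dropped because it already has version 32, and HOST-C never appears because it has no heartbeat in the window. Leaving the channel filter off shows HOST-B as OK, which is the state a remediated host returns to.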


If the issue persists, contact www.crowdstrike.com/contact-us for further assistance.

Also, check out Inquirer Tech for more handy digital tips. 
