Crowdstrike: If the IT outage affected you, try these fixes

Is your airline not working? Perhaps your bank’s IT systems are malfunctioning? Fret not, because here’s the latest fix from Crowdstrike.

Crowdstrike’s faulty update for its Falcon online security program caused banks and airlines worldwide to experience the Blue Screen of Death.

READ: Google explains AI overview issues

It is an error message that indicates a major technical error, disrupting these major institutions.

Crowdstrike reiterated in its official post that a cyberattack did not cause the issue.

More importantly, the US-based company shared ways to troubleshoot the issue.

Crowdstrike continues to work with affected parties to expedite solutions. 

How to fix the Crowdstrike issue

See more

CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed. We…

— George Kurtz (@George_Kurtz) July 19, 2024

The US-based tech firm says the error affected Windows computers that installed the latest Falcon content update.

The root of the issue is a channel file in the %WINDIR%\System32\drivers\CrowdStrike directory.

Opening the directory will reveal numerous files, making it difficult to spot the problematic file.

Here are the differences between the correct file and the faulty one:

• Channel file “C-00000291*.sys” with the timestamp of 2024-07-19 0527 UTC or later is the reverted (good) version.
• Channel file “C-00000291*.sys” with the timestamp of 2024-07-19 0409 UTC is the problematic version.

READ: Websites globally hit by major internet outage

The company reminds the public that the directory will likely contain multiple “C-00000291*.sys” files. Those with a timestamp of 05:27 UTC or later are active contents. 

How to spot affected Windows hosts

See more

As CrowdStrike continues to work with customers and partners to resolve this incident, our team has written a technical overview of today’s events. We will continue to update our findings as the investigation progresses. https://t.co/xIDlV7yKVh

— George Kurtz (@George_Kurtz) July 20, 2024

Airlines, banks and other large establishments will likely have multiple Windows hosts.

Consequently, it’s more challenging to spot those with the Crowdstrike error. 

Fortunately, the company itself shared ways to identify affected hosts.

Start by running this query in Advanced Event Search with the search window set to seven days: 

#event_simpleName=ConfigStateUpdate event_platform=Win | regex(“\|1,123,(?<CFVersion>.*?)\|”, field=ConfigStateData, strict=false) | parseInt(CFVersion, radix=16) | groupBy([cid], function=([max(CFVersion, as=GoodChannel)])) | ImpactedChannel:=GoodChannel-1 | join(query={#data_source_name=cid_name | groupBy([cid], function=selectLast(name), limit=max)}, field=[cid], include=name, mode=left)

Look for the number value listed in the “ImpactedChannel” column. You will need it to run the next query properly.

READ: Microsoft rolls out fix after thousands face access issues

How to execute a query to find Crowdstrike-affected hosts

Execute the query below and set its search windows to search window to seven days. It will look for systems with the following criteria: 

• Online activity during the impact window of 0400 – 0600 UTC 2024-07-19
• Processed an update for Channel File 291 in the impact window of 0400 – 0600 UTC 2024-07-19
• Reported that they loaded the impacted channel file.
• Systems you haven’t seen in the past hour

Most importantly, Line 26 of this query should contain the value derived from the previous query.

For example, if the smaller query pinpointed 31, you must use that number. 

You may also run it as a Scheduled Search so that it checks for other impacted hosts periodically.

Here’s the query for finding Crowdstrike-affected hosts: 

[…] | in(field=”CFVersion”, values=[0,31]) […] // Get ConfigStateUpdate and SensorHeartbeat events #event_simpleName=/^(ConfigStateUpdate|SensorHeartbeat)$/ event_platform=Win | cid=?cid // Narrow search to Channel File 291 and extract version number; accept all SensorHeartbeat events | case{ #event_simpleName=ConfigStateUpdate | regex(“\|1,123,(?<CFVersion>.*?)\|”, field=ConfigStateData, strict=false) | parseInt(CFVersion, radix=16); #event_simpleName=SensorHeartbeat | rename([[@timestamp, LastSeen]]); } // Make sure both ConfigState update and SensorHeartbeat have happened | selfJoinFilter(field=[cid, aid, ComputerName], where=[{ConfigStateUpdate}, {SensorHeartbeat}]) // Aggregate results

Crowdstrike query continued

| groupBy([cid], function=[groupby(aid, function=([ {selectFromMax(field=”@timestamp”, include=[CFVersion])}, {selectFromMax(field=”@timestamp”, include=[@timestamp]) | rename(field=”@timestamp”, as=”LastSeen”)} ]), limit=max), max(CFVersion, as=MaxCFVersion) ], limit=max) // Perform check on selfJoinFilter | CFVersion=* LastSeen=* // Calculate time between last seen and now | LastSeenDelta:=now()-LastSeen // Only show the impacted channel | in(field=”CFVersion”, values=[?Channel]) // Calculate duration between last seen and now | LastSeenDelta:=formatDuration(“LastSeenDelta”, precision=2) // Enrich aggregation with aid_master details | aid=~match(file=”aid_master_main.csv”, column=[aid], strict=false) | aid=~match(file=”aid_master_details.csv”, column=[aid], include=[FalconGroupingTags, SensorGroupingTags], strict=false) // Convert FirstSeen time to human-readable format | FirstSeen:=formatTime(format=”%F %T”, field=”FirstSeen”) // Move ProductType to human-readable format and add formatting | $falcon/helper:enrich(field=ProductType) | drop([Time]) | default(value=”-“, field=[MachineDomain, OU, SiteName, FalconGroupingTags, SensorGroupingTags], replaceEmpty=true) // Create conditions to check for impact | case{ CFVersion=0 | Status:=”VERIFY” | Details:=”Endpoint channel file version 0.”; test(CFVersion==(MaxCFVersion-1)) | Status := “CHECK” | Details:=”Endpoint has impacted channel file”; test(CFVersion==MaxCFVersion) | Status:=”OK” | Details:=”Endpoint has latest channel file and is operational.”; test(CFVersion<(MaxCFVersion-1)) | Status:=”OK” | Details:=”Endpoint has earlier channel file and is operational.”; * | Status:=”UNKNOWN” | Details:=”Cannot determine status.”; } // Convert FirstSeen time to human-readable format | FirstSeen:=formatTime(format=”%F %T”, field=”FirstSeen”) // Convert LastSeen time to human-readable format | LastSeen:=formatTime(format=”%F %T”, field=”LastSeen”) // Filter on status. | Status=?Status | wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) // Create one final groupBy for easier export to CSV | groupby([cid, aid, ComputerName, Status, FirstSeen, LastSeen, CFVersion, MaxCFVersion, LastSeenDelta, Details, AgentVersion, aip, event_platform, FalconGroupingTags, LocalAddressIP4, MAC, MachineDomain, OU, ProductType, SensorGroupingTags, SiteName, SystemManufacturer,SystemProductName, Version], limit=max, function=[])

If the issue persists, contact www.crowdstrike.com/contact-us for further assistance.

Also, check out Inquirer Tech for more handy digital tips.