
Technical details on the service interruption on July 19, 2024

What happened?

On July 19, 2024 at 04:09 UTC, as part of ongoing operations, CrowdStrike released a sensor configuration update for Windows systems. Sensor configuration updates are an ongoing part of the Falcon platform’s protection mechanisms. This configuration update triggered a logic error that resulted in a system crash and a blue screen of death (BSOD) on affected systems.

The sensor configuration update that caused the system to crash was fixed on Friday, July 19, 2024 at 05:27 UTC.

This issue is not a result of or related to a cyber attack.

Impact

Customers running Falcon Sensor for Windows version 7.11 and later who were online between Friday, July 19, 2024 04:09 UTC and Friday, July 19, 2024 05:27 UTC may be affected.

Systems running Falcon Sensor for Windows 7.11 and above that downloaded the updated configuration between 04:09 UTC and 05:27 UTC were susceptible to a system crash.

Introduction to the configuration file

The configuration files mentioned above are called "Channel Files" and are part of the behavioral protection mechanisms used by the Falcon sensor. Channel file updates are a normal part of the sensor's operation and occur multiple times per day in response to new tactics, techniques, and procedures discovered by CrowdStrike. This is not a new process; the architecture has been in place since Falcon's inception.

Technical details

On Windows systems, channel files reside in the following directory:

C:\Windows\System32\drivers\CrowdStrike\

and have a file name that starts with "C-". Each channel file is assigned a number as a unique identifier. The channel file affected in this event is 291; its file name begins with "C-00000291-" and ends with a .sys extension. Although channel files end with the SYS extension, they are not kernel drivers.

Channel file 291 controls how Falcon evaluates named pipe execution [1] on Windows systems. Named pipes are used for normal inter-process or inter-system communication on Windows.

The update that occurred at 04:09 UTC was designed to target newly observed malicious named pipes being used by common C2 frameworks in cyberattacks. The configuration update triggered a logic error that caused the operating system to crash.

Channel File 291

CrowdStrike has fixed the logic error by updating the contents of the 291 channel file. No additional changes will be implemented in the 291 channel file beyond the updated logic. Falcon is still evaluating and protecting against abuse of named pipes.

This is not related to the null bytes contained in channel file 291 or any other channel file.
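As an added example that is not part of the original advisory or of CrowdStrike's tooling, the following PowerShell inventories channel file 291 on a Windows host using only the facts stated above (the directory, the "C-00000291-" prefix and the 04:09 to 05:27 UTC window). Treating a file written inside that window as "possibly the faulty version" is an assumption of this example, a triage heuristic for responders, not a remediation decision; follow the Support Portal guidance for that.

```powershell
# Added example, not CrowdStrike's own code. Lists channel file 291 and flags copies
# whose last write time falls inside the published window. Heuristic only (assumption).
$ChannelDir  = 'C:\Windows\System32\drivers\CrowdStrike'
$WindowStart = [datetime]::new(2024, 7, 19, 4, 9, 0, [System.DateTimeKind]::Utc)
$WindowEnd   = [datetime]::new(2024, 7, 19, 5, 27, 0, [System.DateTimeKind]::Utc)

function Get-ChannelFile291Status {
    param(
        [string]   $Path  = $ChannelDir,
        [datetime] $Start = $WindowStart,
        [datetime] $End   = $WindowEnd
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        # Linux and macOS hosts do not use this file; on Windows, a missing
        # directory usually means the Falcon sensor is not installed.
        Write-Warning "Channel file directory not found: $Path"
        return
    }
    Get-ChildItem -LiteralPath $Path -Filter 'C-00000291-*.sys' -File | ForEach-Object {
        $written  = $_.LastWriteTimeUtc
        $inWindow = ($written -ge $Start) -and ($written -le $End)
        [pscustomobject]@{
            Name             = $_.Name
            SizeBytes        = $_.Length
            LastWriteTimeUtc = $written
            # True: file was written between 04:09 and 05:27 UTC, so it may be the
            # faulty version (assumption). False: written before (host was offline)
            # or after (host picked up the corrected content) the window.
            WrittenInWindow  = $inWindow
            # Channel files carry a .sys extension but are not kernel drivers.
            IsKernelDriver   = $false
        }
    }
}

Get-ChannelFile291Status | Format-Table -AutoSize
```

Run this under an account that can read the CrowdStrike directory; hosts that show WrittenInWindow = True are the ones to cross-check against the current remediation guidance.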

Remediation

The most up-to-date remediation recommendations and information can be found on our Blog or in the Support Portal.

We understand that some customers may have specific support needs and ask that they contact us directly.

Systems that are not currently affected will continue to operate as expected, continue to provide protection, and have no risk of experiencing this event in the future.

Systems running Linux or macOS do not use the 291 channel file and were not affected.

Root cause analysis

We understand how this issue occurred and are conducting a thorough root cause analysis to determine how this logical failure occurred. This effort will be ongoing. We are committed to identifying any fundamental or workflow improvements we can make to strengthen our process. We will update our findings in the root cause analysis as the investigation progresses.

[1] https://learn.microsoft.com/en-us/windows/win32/ipc/named-pipes