User Controls

Crowdstrike anti-malware breaking Windows PCs this morning

  1. #1


    Sky News Australia were hit, and are making drama out of it (as they are wont to do). They're going around posing in front of "broken" computers in a studio with the lights turned way down.

    BREAKING An update to a product from infosec vendor CrowdStrike is bricking computers running Windows.

    The Register has found numerous accounts of Windows 10 PCs crashing, displaying the Blue Screen of Death, then being unable to reboot.

    “We're seeing BSOD Org wide that are being caused by csagent.sys, and it's taking down critical services. I'll open a ticket, but this is a big deal,” wrote one user.

    Forums report that Crowdstrike has issued an advisory with a URL that includes the text "Tech-Alert-Windows-crashes-related-to-Falcon-Sensor-2024-07-19" – but it's behind a regwall that only customers can access.

    An apparent screenshot of that article reads "CrowdStrike is aware of reports of crashes on Windows hosts related to the Falcon Sensor. Symptoms include hosts experiencing a bugcheck\blue screen error related to the Falcon Sensor."

    CrowdStrike's engineers are working on the issue.
    https://www.theregister.com/2024/07/19/crowdstrike_falcon_sensor_bsod_incident/

    This is the fix: Current fix is to boot into safe mode and change the name of the CrowdStrike folder in c:\windows\system32\drivers\Crowdstrike
    Workaround Steps: 1. Boot Windows into Safe Mode or the Windows Recovery Environment 2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory 3. Locate the file matching “C-00000291*.sys”, and delete it. 4. Boot the host normally.
    https://news.ycombinator.com/item?id=41002269

    Looks like some fancy and expensive enterprise grade anti-virus software fucked up.
  2. #2
    ner vegas African Astronaut



    lol, lmao
    The following users say it would be alright if the author of this post didn't die in a fire!
  3. #3
    ner vegas African Astronaut
    my guess would be they pushed a driver-level module from the wrong version of Windows to live
  4. #4
    https://www.linkedin.com/jobs/crowdstrike-jobs-bengaluru/
    Shocker.
    The following users say it would be alright if the author of this post didn't die in a fire!
  5. #5
    ner vegas African Astronaut
    oh I was wondering why Crowdstrike sounded familiar, they're those retards that insisted Russia hacked the 2016 US election.

    lol fags
    The following users say it would be alright if the author of this post didn't die in a fire!
  6. #6


    No idea why they'd all be different. How could that even be possible?

    It'll be interesting when the autopsy videos come out.

    Cloudstrike customers are busy today, billions of machines having to be individually fixed.

    Serves them right, they trusted a malware vendor.
  7. #7
    ner vegas African Astronaut
    Originally posted by Donald Trump

    No idea why they'd all be different. How could that even be possible?

    It'll be interesting when the autopsy videos come out.

    Cloudstrike customers are busy today, billions of machines having to be individually fixed.

    Serves them right, they trusted a malware vendor.



    if the modules are different they likely would've been built on-the-fly by the local agent; I don't really know enough about driver modules like this to know if that's a normal thing though.

    this is going to be a huge effort to fix - for some big companies they'll be able to network boot and remove the driver, but not everyone's going to have that enabled and for anyone who doesn't each terminal will need to be fixed manually, onsite
  8. #8
    BitLocker is Microsoft's encryption tool, and it makes a device's storage inaccessible without a recovery key. As such, trying to work through some of the current recovery options on a modern device will likely require the use of that recovery key. Pity the administrators who dutifully kept a list of those keys on a secure server share, only to find that the server is also now showing a screen of baleful blue.

    Another Redditor posted: "They sent us a patch but it required we boot into safe mode.

    "We can't boot into safe mode because our BitLocker keys are stored inside of a service that we can't login to because our AD is down.
    https://www.theregister.com/2024/07/19/admin_crowdstrike_update_mess/

    LMAO some organisations have encrypted themselves out of their own systems.
    The following users say it would be alright if the author of this post didn't die in a fire!
  9. #9
    the man who put it in my hood Black Hole [miraculously counterclaim my golf]
    what the fuck is a cloud strike
  10. #10


    Just imagine how bad things could be if you didn't invest in expensive malware protection and got hacked.
  11. #11
    the man who put it in my hood Black Hole [miraculously counterclaim my golf]
    I thought all the real white shirts used linux and only stinky beach pooping pajeets made windows modules
  12. #12
    Originally posted by Donald Trump

    Just imagine how bad things could be if you didn't invest in expensive malware protection and got hacked.

    and crowdstrike only serves a niche market, with very few customers
  13. #13
    Dirtbag African Astronaut (banned)
    I just checked mine. I didn't install the last two updates and it will only let me pause updates for another week. Do I need to change OS?
  14. #14
    ner vegas African Astronaut
    Originally posted by Dirtbag I just checked mine. I didn't install the last two updates and it will only let me pause updates for another week. Do I need to change OS?

    it's only an issue if you use crowdstrike security software


    I've been reading about their recent history, this shit is insane
  15. #15
    ner vegas African Astronaut
    Crowdstrike spent over a $1m USD over the last 3 years trying to lobby the government to make their software mandatory on secure government hardware.

    they had a very similar issue 3 months back, the same module (Falcon Sensor) where it bricked Debian machines (same thing - faulty driver/kernel modules would stop machines from booting), but few people/companies use Debian + Crowdstrike so nobody really cared a lot.
    The following users say it would be alright if the author of this post didn't die in a fire!
  16. #16
    ner vegas African Astronaut
    the issue is with Falcon Sensor, which as best I can tell is a module that feeds application data back to Crowdstrike's AI for heuristics training, so I don't understand why that particular service would even need a kernel module in the first place.

    they've disabled updates so it shouldn't brick any new machines but the whole thing is confusingly opaque, even in their own documentation
  17. #17
    Lanny Bird of Courage
    lol crowdstrike. Honestly most large outfits in the security space are basically cargo cultist chimps with keyboards imo. I worked for a mid size security company for a while, all the brains in the org were in the c-suite or sales (shocking, I know) who outsourced everything to vietnam supervised by a handful of onshore people who either didn’t know what they were doing or had given up trying to do anything more than make the sales material not be sufficiently untrue so as to open the company up to litigation
    The following users say it would be alright if the author of this post didn't die in a fire!
  18. #18
    Dirtbag African Astronaut (banned)
    It's affected the NHS.
  19. #19
    ner vegas African Astronaut
    might see if I can take one of the sys files apart
  20. #20
    ner vegas African Astronaut
    Originally posted by Dirtbag It's affected the NHS.

    Took down our entire emergency department as we were treating a heart attack. 911 down for our state too. Nowhere for people to be diverted to because the other nearby hospitals are down. Hard to imagine how many millions of not billions of dollars this one bad update caused.


    they have a huge number of contracts, and they charge $100-200USD per year per machine.


    LOL.
Jump to Top