wstar33 Crowdstrike: If the IT outage affected you, try these fixes

Is your airline not working? Perhaps your bank’s IT systems are malfunctioning? Fret notwstar33, because here’s the latest fix from Crowdstrike.

Crowdstrike’s faulty update for its Falcon online security program caused banks and airlines worldwide to experience the Blue Screen of Death.

READ: Google explains AI overview issues

Article continues after this advertisement

It is an error message that indicates a major technical error, disrupting these major institutions.

FEATURED STORIES TECHNOLOGY vivo launches V40 Lite with 5000mAh battery covered by 50-month warranty, starts at Php 13,999 TECHNOLOGY Galaxy Buds3 Pro: Delivering tailored sound wherever you go TECHNOLOGY Very mindful, very intuitive: ASUS’ most superior AI PC yet, the Zenbook S 14, empowers you to achieve more

Crowdstrike reiterated in its official post that a cyberattack did not cause the issue.

More importantly, the US-based company shared ways to troubleshoot the issue.

Article continues after this advertisement

Crowdstrike continues to work with affected parties to expedite solutions. 

Article continues after this advertisement How to fix the Crowdstrike issue

CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed. We…

— George Kurtz (@George_Kurtz) July 19, 2024

The US-based tech firm says the error affected Windows computers that installed the latest Falcon content update. The root of the issue is a channel file in the %WINDIR%\System32\drivers\CrowdStrike directory.

Article continues after this advertisement

Opening the directory will reveal numerous files, making it difficult to spot the problematic file.

Here are the differences between the correct file and the faulty one:

Article continues after this advertisement Channel file “C-00000291*.sys” with the timestamp of 2024-07-19 0527 UTC or later is the reverted (good) version. Channel file “C-00000291*.sys” with the timestamp of 2024-07-19 0409 UTC is the problematic version.

READ: Websites globally hit by major internet outage

The company reminds the public that the directory will likely contain multiple “C-00000291*.sys” files. Those with a timestamp of 05:27 UTC or later are active contents. 

How to spot affected Windows hosts

As CrowdStrike continues to work with customers and partners to resolve this incident, our team has written a technical overview of today’s events. We will continue to update our findings as the investigation progresses. https://t.co/xIDlV7yKVh

— George Kurtz (@George_Kurtz) July 20, 2024

Airlines, banks and other large establishments will likely have multiple Windows hosts.

Consequently, it’s more challenging to spot those with the Crowdstrike error. 

Fortunately, the company itself shared ways to identify affected hosts.

Start by running this query in Advanced Event Search with the search window set to seven days: 

#event_simpleName=ConfigStateUpdate event_platform=Win| regex(“\|1,123,(?<CFVersion>.*?)\|”, field=ConfigStateData, strict=false) |parseInt(CFVersion, radix=16)| groupBy([cid], function=([max(CFVersion, as=GoodChannel)]))| ImpactedChannel:=GoodChannel-1| join(query={#data_source_name=cid_name | groupBy([cid], function=selectLast(name),limit=max)}, field=[cid], include=name, mode=left)

Look for the number value listed in the “ImpactedChannel” column. You will need it to run the next query properly.

READ: Microsoft rolls out fix after thousands face access issues

How to execute a query to find Crowdstrike-affected hosts Free stock photo from Unsplash

Execute the query below and set its search windows to search window to seven days. It will look for systems with the following criteria: 

Online activity during the impact window of 0400 – 0600 UTC 2024-07-19 Processed an update for Channel File 291 in the impact window of 0400 – 0600 UTC 2024-07-19 Reported that they loaded the impacted channel file. Systems you haven’t seen in the past hour

Most importantly, Line 26 of this query should contain the value derived from the previous query.

For example, if the smaller query pinpointed 31, you must use that number. 

You may also run it as a Scheduled Search so that it checks for other impacted hosts periodically.

Here’s the query for finding Crowdstrike-affected hosts: 

[…]| in(field=”CFVersion”, values=[0,31])[…]// Get ConfigStateUpdate and SensorHeartbeat events#event_simpleName=/^(ConfigStateUpdate|SensorHeartbeat)$/event_platform=Win| cid=?cid// Narrow search to Channel File 291 and extract version number; acceptall SensorHeartbeat events| case{#event_simpleName=ConfigStateUpdate |regex(“\|1,123,(?<CFVersion>.*?)\|”, field=ConfigStateData,strict=false) | parseInt(CFVersion, radix=16);#event_simpleName=SensorHeartbeat | rename([[@timestamp, LastSeen]]);}// Make sure both ConfigState update and SensorHeartbeat have happened| selfJoinFilter(field=[cid, aid, ComputerName],where=[{ConfigStateUpdate}, {SensorHeartbeat}])// Aggregate results Crowdstrike query continued Free stock photo from Unsplash | groupBy([cid], function=[groupby(aid, function=([{selectFromMax(field=”@timestamp”, include=[CFVersion])},{selectFromMax(field=”@timestamp”, include=[@timestamp]) |rename(field=”@timestamp”, as=”LastSeen”)}]), limit=max),max(CFVersion, as=MaxCFVersion)], limit=max)// Perform check on selfJoinFilter| CFVersion=* LastSeen=*// Calculate time between last seen and now| LastSeenDelta:=now()-LastSeen// Only show the impacted channel| in(field=”CFVersion”, values=[?Channel])// Calculate duration between last seen and now| LastSeenDelta:=formatDuration(“LastSeenDelta”, precision=2)// Enrich aggregation with aid_master details| aid=~match(file=”aid_master_main.csv”, column=[aid], strict=false)| aid=~match(file=”aid_master_details.csv”, column=[aid],include=[FalconGroupingTags, SensorGroupingTags], strict=false)// Convert FirstSeen time to human-readable format| FirstSeen:=formatTime(format=”%F %T”, field=”FirstSeen”)// Move ProductType to human-readable format and add formatting| $falcon/helper:enrich(field=ProductType)| drop([Time])| default(value=”-“, field=[MachineDomain, OU, SiteName,FalconGroupingTags, SensorGroupingTags], replaceEmpty=true)// Create conditions to check for impact| case{CFVersion=0 | Status:=”VERIFY” | Details:=”Endpoint channel fileversion 0.”;test(CFVersion==(MaxCFVersion-1)) | Status := “CHECK” |Details:=”Endpoint has impacted channel file”;test(CFVersion==MaxCFVersion) | Status:=”OK” | Details:=”Endpoint haslatest channel file and is operational.”;test(CFVersion<(MaxCFVersion-1)) | Status:=”OK” | Details:=”Endpointhas earlier channel file and is operational.”;* | Status:=”UNKNOWN” |Details:=”Cannot determine status.”;}// Convert FirstSeen time to human-readable format| FirstSeen:=formatTime(format=”%F %T”, field=”FirstSeen”)// Convert LastSeen time to human-readable format| LastSeen:=formatTime(format=”%F %T”, field=”LastSeen”)// Filter on status.| Status=?Status| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)// Create one final groupBy for easier export to CSV| groupby([cid, aid, ComputerName, Status, FirstSeen, LastSeen,CFVersion, MaxCFVersion, LastSeenDelta, Details, AgentVersion, aip,event_platform, FalconGroupingTags, LocalAddressIP4, MAC, MachineDomain,OU, ProductType, SensorGroupingTags, SiteName,SystemManufacturer,SystemProductName, Version], limit=max, function=[])

If the issue persists, contact www.crowdstrike.com/contact-us for further assistance.

Your subscription could not be saved. Please try again. Your subscription has been successful.

Subscribe to our daily newsletter

SIGN ME UP

By providing an email address. I agree to the Terms of Use and acknowledge that I have read the Privacy Policy.

Alsowstar33, check out Inquirer Tech for more handy digital tips. 

TOPICS: technology READ NEXT Indian firm launches world’s 1st cold fusion tech for green ... Outage, technological havoc worldwide caused by faulty softwar... EDITORS' PICK Party-list system: What to know ahead of 2025 polls QC Mayor Belmonte highlights social services in State of City Address WPS: US missile deployment to PH key for combat readiness – US general Tropical Storm Kristine slightly intensifies; Signal No. 2 in 5 areas Central Visayas’ most wanted killed in shootout in Argao, Cebu Heart Evangelista: Woman to woman, I never had a problem with Pia Wurtzbach MOST READ SC issues TRO vs Comelec resolution on dismissed public officials Tropical Storm Kristine slightly intensifies; Signal No. 2 in 5 areas Walang Pasok: Class suspensions on Wednesday, Oct. 23 LIVE UPDATES: Tropical Storm Kristine View comments

• The
• It
• If
• wstar33
• CrowdStrike