A content update released by CrowdStrike is causing Windows devices to crash, resulting in global system outages. This has caused disruptions globally, affecting major banks, media outlets, enterprises, and airlines.

 

 

Although this sounds straightforward, it is a manual process. The challenge for enterprises is how to deploy it at scale while ensuring that users are informed of the process and downtime is kept to a minimum. This presents multiple challenges, but for 1E customers, this process can be automated.

Within just a couple of hours of this issue coming to light, 1E customers had already had success in preventing impact to their users.

One example is a global bank with over 80,000 endpoints, who had an uneventful day on July 19th 2024 by doing the following:

  1. Disabling anti-tampering for CrowdStrike within the CrowdStrike console
  2. Using a 1E instruction to delete the files.

Bringing it closer to the guidance from CrowdStrike we recommend renaming the files, rather than deleting them. You can install the relevant instruction by logging into the 1E Exchange and downloading the instruction at CrowdStrike bluescreen issue prevention – 1E Exchange.

When you run the instruction, you will get one of three possible responses:

  1. Crowdstrike issue prevented.
  2. File: C-00000291x.sys could not be renamed. Please ensure Crowdstrike anti-tampering is disabled.
  3. No files to rename. No action taken.

Responses number #1 and #2 are self-explanatory. If a machine has not got Crowdstrike on it, or if the rename has already taken place, you’ll get response #3.

Once you are getting response #3 from all devices, we recommend that you re-enable the Crowdstrike anti-tampering function in the Crowdstrike console.

CrowdStrike notes that not every user will be fixed with this. This seems to mean that a manual fix is required for those who have already bluescreened. The procedure described here is likely a preventative method.

Please reach out to 1E support ASAP if you are a customer of 1E and Crowdstrike and are impacted by this issue. We can help you implement a set of rules/policy to resolve this problem.

As with any change, please ensure you test this on a small number of machines and use a gradual roll-out to ensure the results are what you need.