Windows Servers Incident: CrowdStrike Bug Reported
Incident Report for 11:11 Systems
Resolved
This incident has been resolved.
Posted Jul 19, 2024 - 03:56 EDT
Identified
11:11 Systems has been alerted to a service disruption impacting servers running the Windows operating system that connect to CrowdStrike via a built-in "Falcon Sensor." The disruption is caused by a recently pushed CrowdStrike update and originates outside of the 11:11 Systems environment.

CrowdStrike has proposed a potential solution: prevent the "csagent.sys" driver from loading by disabling it in the Windows registry. This solution has not been fully tested by 11:11 Systems and is a vendor-suggested workaround while CrowdStrike continues to fix the issue within its software. Customers may need to disable the "csagent.sys" driver on Windows servers until further updates are provided by CrowdStrike.

The following Tech Alert has been posted by CrowdStrike for this issue:

----------------------------------------------------------------------------

Tech Alert | Windows crashes related to Falcon Sensor | 2024-07-19

Published Date: Jul 18, 2024

Summary:

CrowdStrike is aware of reports of crashes on Windows hosts related to the Falcon Sensor.

Details:

Symptoms include hosts experiencing a bugcheck\blue screen error related to the Falcon Sensor.

Current Action:

CrowdStrike Engineering has identified a content deployment related to this issue and reverted those changes.

If hosts are still crashing and unable to stay online to receive the Channel File Changes, the following steps can be used to work around this is

Workaround Steps:

1. Boot Windows into Safe Mode or the Windows Recovery Environment

2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory

3. Locate the file matching "C-00000291*.sys", and delete it.

4. Boot the host normally.

Latest Updates

2024-07-19 05:30 AM UTC | Tech Alert Published.

------------------------------------------------------------------------------------
Posted Jul 19, 2024 - 03:55 EDT
This incident affected: Private Cloud (Private Cloud - Atlanta, GA, Private Cloud - Greenville, SC, Private Cloud - Nashville, TN, Private Cloud - Houston, TX, Private Cloud - Phoenix, AZ) and IaaS (IaaS - Nashville, TN, IaaS - Greenville, SC, IaaS - Houston, TX, IaaS - Atlanta, GA, IaaS - Phoenix, AZ, IaaS - Minneapolis, MN).