CrowdStrike, a leading cybersecurity firm, has successfully addressed a defect in a recent Falcon content update for Windows hosts that caused widespread system outages. The defect, which affected Channel File 291, resulted in significant disruptions across various critical infrastructures, including airports, hospitals, banks, and government agencies.
The configuration files, known as ‘Channel Files,’ are integral to Falcon’s behavioural protection mechanisms. These files, updated several times daily, help Falcon adapt to new tactics, techniques, and procedures discovered by CrowdStrike. As per the company, the architecture for these updates has been in place since Falcon’s inception.
Channel File 291, the file involved in this incident, controls how Falcon evaluates named pipe execution on Windows systems. The update added detection logic for malicious named pipes, an inter-process communication mechanism that command-and-control (C2) frameworks use in cyberattacks. However, the update inadvertently introduced a logic error that crashed the operating system.
Channel Files in the C:\Windows\System32\drivers\CrowdStrike\ directory on Windows systems are identified by a unique number and a .sys extension. Despite the extension, these files are not kernel drivers but configuration files that guide how Falcon evaluates certain system activities.
To resolve the issue, CrowdStrike suggests rebooting affected hosts so that they can download the reverted channel file. The company also strongly recommends connecting the host to a wired network rather than Wi-Fi for faster internet connectivity.
If the issue continues, it is recommended that you manually remove the faulty update or use a bootable USB key for automated remediation. However, IT administrators may have issues manually removing the file from thousands of systems.
Microsoft releases tool for IT administrators
To assist IT administrators in swiftly addressing the issue, Microsoft released a custom recovery tool that automates the removal of the faulty CrowdStrike update. According to the Microsoft support bulletin, the tool was designed to expedite the repair process, enabling impacted systems to return to normal operation more efficiently.
The tool, available for download from the Microsoft Download Centre, requires a Windows 64-bit client with at least 8 GB of space, administrative privileges, a USB drive with a minimum of 1 GB of storage, and a BitLocker recovery key if necessary.
The recovery tool is created through a PowerShell script provided by Microsoft. The script, which must be run with administrative privileges, formats a USB drive and writes a custom WinPE image to it, making the drive bootable. Once the USB drive is prepared, IT staff boot the impacted Windows device from it, and the WinPE environment automatically runs a batch file named CSRemediationScript.bat, BleepingComputer reports.
This batch file prompts the user for any required BitLocker recovery keys, then searches the C:\Windows\System32\drivers\CrowdStrike folder for the faulty channel file (a configuration file, not a kernel driver, despite its .sys extension) and deletes it. While the script effectively removes the problematic file, it does not create logs or backups of the files it removes.
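For administrators who prefer the manual removal route described above, or who want the audit trail that Microsoft's recovery script lacks, the following PowerShell script is an added example, written for this article and not code from CrowdStrike, Microsoft or BleepingComputer. It finds the Channel File 291 files in the CrowdStrike drivers folder, records each file's size, timestamp and SHA-256 hash, copies it to a backup directory, and only then deletes it. The file-name pattern C-00000291*.sys and the default paths are assumptions taken from CrowdStrike's published workaround and should be confirmed against current vendor guidance before use; the -SystemDrive parameter exists because, when booted from WinPE or WinRE, the offline Windows volume is often not C:.

```powershell
# Added example (not from the article, CrowdStrike or Microsoft): remove the
# faulty Channel File 291 from a Windows volume while keeping a backup copy
# and a log of what was removed. Run from an elevated PowerShell prompt in
# Safe Mode, or from WinPE/WinRE with -SystemDrive set to the offline volume.
# Assumptions: the file-name pattern 'C-00000291*.sys' and the directory
# layout below follow CrowdStrike's published workaround; confirm both first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Drive letter of the Windows volume to repair (not always C: in WinPE).
    [string]$SystemDrive = 'C:',
    # Pattern of the channel file to remove (assumption, see above).
    [string]$Pattern = 'C-00000291*.sys',
    # Where backups and the log are written (assumption: a local directory).
    [string]$BackupRoot = (Join-Path $SystemDrive 'CS-Remediation')
)

$ErrorActionPreference = 'Stop'
$channelDir = Join-Path $SystemDrive 'Windows\System32\drivers\CrowdStrike'
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupDir  = Join-Path $BackupRoot $stamp
$logPath    = Join-Path $BackupRoot 'remediation.log'

function Write-Log {
    param([string]$Message)
    # Timestamped line to both the log file and the console.
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $logPath -Value $line
    Write-Host $line
}

if (-not (Test-Path -Path $channelDir)) {
    throw "Channel file directory not found: $channelDir (is $SystemDrive the Windows volume, and is it unlocked?)"
}
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
Write-Log "Host=$env:COMPUTERNAME SystemDrive=$SystemDrive Pattern=$Pattern"

$targets = @(Get-ChildItem -Path $channelDir -Filter $Pattern -File)
if ($targets.Count -eq 0) {
    Write-Log "No file matching $Pattern in $channelDir; nothing to do."
    return
}

foreach ($file in $targets) {
    # Record identity of the file before touching it so the action can be
    # audited later or reversed from the backup.
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    Write-Log ('Found {0} size={1} lastWriteUtc={2:u} sha256={3}' -f $file.Name, $file.Length, $file.LastWriteTimeUtc, $hash)

    Copy-Item -Path $file.FullName -Destination (Join-Path $backupDir $file.Name)

    # Honours -WhatIf / -Confirm so the run can be previewed first.
    if ($PSCmdlet.ShouldProcess($file.FullName, 'Remove channel file')) {
        Remove-Item -Path $file.FullName -Force
        Write-Log "Removed $($file.FullName); backup copy in $backupDir"
    }
}
Write-Log 'Done. Reboot normally so the sensor can download the corrected channel file.'
```

Preview the run first, for example with `.\Remove-ChannelFile291.ps1 -SystemDrive D: -WhatIf` from WinPE, then repeat without -WhatIf. If the volume is BitLocker-protected, WinPE will not see the directory until it is unlocked (`manage-bde -unlock D: -RecoveryPassword <48-digit key>`), which is the same recovery-key step Microsoft's batch file prompts for. The backup directory is written to the repaired volume, so the original file survives for forensic comparison once the host boots again.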