Details of the Impact
The problematic version of the channel file, identified as "C-00000291*.sys" with a timestamp of 0409 UTC, caused these issues. However, certain environments remained unaffected:
Resolution Steps
For Individual Hosts:
Reboot the host to give it an opportunity to download the reverted channel file. If the host crashes again, then:
1. Boot Windows into Safe Mode or the Windows Recovery Environment.
2. Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
3. Locate the file matching “C-00000291*.sys” and delete it.
4. Boot the host normally.
For Public Cloud or Virtual Hosts:
To address the issue, organizations can follow one of two remediation options:
Option 1: Manual Fix
1. Detach the operating system disk volume from the impacted virtual server.
2. Create a snapshot or backup of the disk volume as a precaution.
3. Attach the volume to a new virtual server.
4. Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
5. Locate and delete the matching “C-00000291*.sys” file.
6. Reattach the fixed volume to the impacted virtual server.
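The file removal step is the same in both procedures above; only the location of the Windows installation differs (the local %WINDIR% in Safe Mode, or the Windows folder of the volume attached to a recovery server). The following PowerShell script is an added example, not C1's or CrowdStrike's own tooling: the -WindowsRoot and -Force parameters are assumptions, and the script only reports what it would delete unless -Force is given.

```powershell
<#
 Added example (not C1 or CrowdStrike tooling). Removes the channel file the
 advisory names from a Safe Mode or offline Windows installation.
 -WindowsRoot (assumed parameter): $env:WINDIR in Safe Mode, or the Windows
 folder of a volume attached to a recovery VM (e.g. E:\Windows).
 Without -Force the script is a dry run and deletes nothing.
#>
param(
    [string]$WindowsRoot = $env:WINDIR,
    [string]$Pattern     = 'C-00000291*.sys',
    [switch]$Force
)

$dir = Join-Path $WindowsRoot 'System32\drivers\CrowdStrike'
if (-not (Test-Path -LiteralPath $dir)) {
    # In WinRE, $env:WINDIR is the X: RAM disk, so the offline volume's
    # Windows folder must be passed explicitly via -WindowsRoot.
    throw "CrowdStrike driver directory not found: $dir (wrong volume or drive letter?)"
}

# Warn if the local host is being fixed outside Safe Mode, where the sensor
# may be loaded. BootupState reads 'Fail-safe boot' in Safe Mode.
if ($WindowsRoot -eq $env:WINDIR) {
    try {
        $boot = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
        if ($boot -notlike 'Fail-safe*') {
            Write-Warning "Boot state is '$boot'; the advisory expects Safe Mode or WinRE."
        }
    } catch { Write-Warning 'Could not query boot state (CIM unavailable).' }
}

$files = Get-ChildItem -LiteralPath $dir -Filter $Pattern -File
if (-not $files) {
    Write-Output "No file matching $Pattern in $dir; nothing to do."
    return
}

foreach ($f in $files) {
    # Show the UTC timestamp so the operator can compare it with the
    # 0409 UTC timestamp the advisory associates with the faulty file.
    $stamp = $f.LastWriteTimeUtc.ToString('yyyy-MM-dd HH:mm') + ' UTC'
    if ($Force) {
        Remove-Item -LiteralPath $f.FullName -Force
        Write-Output "Deleted $($f.FullName) (last write $stamp)"
    } else {
        Write-Output "Would delete $($f.FullName) (last write $stamp); rerun with -Force"
    }
}
```

Run it once without -Force to confirm that exactly the expected file is listed before deleting.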
Option 2: Snapshot Rollback
For organizations using BitLocker, the BitLocker recovery key will be required during the remediation process. Additionally, CrowdStrike provides an automated workaround that runs in Safe Mode and is deployed via a Group Policy Object (GPO).
Impact on C1 Customers
Given C1’s close ties with our technology partners, we receive early notification regarding potential issues and remediation efforts. This enables C1 OnGuard Managed Services to maintain active monitoring, provide early support and minimize potential downtime. Customer impact for this recent outage was minimal. Intermittent issues were easily addressed due to our tailored Managed Services design deployed for each customer.
Stay tuned for further learnings based on this and other recent incidents.