As many are aware, a faulty CrowdStrike channel file has caused a large number of Windows computers to crash with a blue screen.
ThreatLocker® detected a significant issue impacting multiple devices running CrowdStrike software in the early hours of Friday, July 19th, shortly after 11:30 PM Eastern. ThreatLocker® itself has not been affected, as we do not use CrowdStrike internally. However, ThreatLocker® and CrowdStrike have numerous mutual customers.
CrowdStrike's advice is to boot affected machines into Safe Mode or the Windows Recovery Environment, navigate to C:\Windows\System32\drivers\CrowdStrike, delete the file(s) matching "C-00000291*.sys", and then boot the machine normally.
ThreatLocker® is working on a global solution to remove the problematic CrowdStrike update file from any/all machines running ThreatLocker®.
Solutions for CrowdStrike blue screen
The following approaches have worked for some customers and may help you get your machines back online.
- In the interim, we have published a new Community Storage Control Policy, named "CrowdStrike C-00000291*.sys block", which blocks reads and writes to the files CrowdStrike has identified as problematic.
- Some customers have had success in alleviating the issue by creating a Global Deny policy for CrowdStrike (Built-In). This approach should be used with caution, and only if the Community Policy above does not resolve the problem, because it blocks the entire CrowdStrike application rather than the single faulty file.
- If you contact ThreatLocker support, the Cyber Hero Team can assist you in deleting "C-00000291-00000000-00000032.sys".
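The manual removal CrowdStrike recommends, scripted so it can be run from Safe Mode or from a Windows Recovery Environment command prompt. This is an added example written for this page; it is not ThreatLocker's tooling or CrowdStrike's script. It assumes PowerShell is available in the recovery environment, and it searches every mounted volume for the CrowdStrike driver directory rather than assuming C:, because in WinRE the operating-system volume is not always mapped to C:. The script name (Remove-Channel291.ps1) and the -DryRun switch are hypothetical.

```powershell
# Remove-Channel291.ps1  (added example, not from ThreatLocker or CrowdStrike)
# Usage from Safe Mode or a WinRE command prompt:
#   powershell -ExecutionPolicy Bypass -File .\Remove-Channel291.ps1 -DryRun   # list only
#   powershell -ExecutionPolicy Bypass -File .\Remove-Channel291.ps1           # delete
param([switch]$DryRun)

# The file pattern CrowdStrike named as problematic.
$pattern = 'C-00000291*.sys'

# In WinRE the OS volume is not guaranteed to be C:, so probe every
# mounted filesystem drive for the CrowdStrike driver directory.
$candidates = Get-PSDrive -PSProvider FileSystem |
    ForEach-Object { Join-Path $_.Root 'Windows\System32\drivers\CrowdStrike' } |
    Where-Object { Test-Path -LiteralPath $_ }

if (-not $candidates) {
    Write-Host 'No CrowdStrike driver directory found on any mounted volume.'
    Write-Host 'If the OS volume is BitLocker-protected it must be unlocked first, e.g.:'
    Write-Host '  manage-bde -unlock C: -RecoveryPassword <48-digit recovery key>'
    exit 1
}

foreach ($dir in $candidates) {
    $files = Get-ChildItem -LiteralPath $dir -Filter $pattern -File -ErrorAction SilentlyContinue
    if (-not $files) {
        Write-Host "No $pattern files found in $dir"
        continue
    }
    foreach ($f in $files) {
        # Show what would be removed (size and UTC timestamp) before touching it.
        Write-Host ('{0}  {1,10} bytes  modified {2:u}' -f $f.FullName, $f.Length, $f.LastWriteTimeUtc)
        if ($DryRun) { continue }
        Remove-Item -LiteralPath $f.FullName -Force
        Write-Host "Deleted $($f.FullName)"
    }
}

if ($DryRun) { Write-Host 'Dry run only; nothing was deleted.' }
else { Write-Host 'Done. Reboot the machine normally.' }
```

Run it once with -DryRun to confirm the correct volume and files were found before deleting. On BitLocker-protected machines the recovery key is required to unlock the volume from WinRE; have it to hand before rebooting into recovery.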
Any customer who needs MDR services can contact their ThreatLocker® account manager to have it enabled free of charge.
This blog post will continue to be updated as more information becomes available.