Update: CrowdStrike CEO said the following about the situation:
CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website. We further recommend organizations ensure they’re communicating with CrowdStrike representatives through official channels. Our team is fully mobilized to ensure the security and stability of CrowdStrike customers.
Multiple companies worldwide are currently forced to suspend their operations due to a faulty cybersecurity update from CrowdStrike. The update is taking down thousands of Windows computers, sending them into a boot loop that ends in a blue screen of death naming csagent.sys, CrowdStrike's kernel driver, with the stop code PAGE_FAULT_IN_NONPAGED_AREA.
Affected companies include banks, airlines, TV channels, and more; some of them have been forced to halt work almost entirely, with most of their Windows PCs unusable because of the Falcon Sensor agent from CrowdStrike, an endpoint security agent that monitors host activity to detect and block attacks. One user from Malaysia said on Reddit that 70% of their laptops are now stuck in a boot loop:
Malaysia here, 70% of our laptops are down and stuck in boot, HQ from Japan ordered a company wide shutdown, someone's getting fireblasted for this shit lmao
CrowdStrike has already confirmed the problem and reverted the update. However, machines that were already affected still cannot operate properly, since a host that blue-screens during boot generally cannot pull down the corrected content on its own. While IT admins are scratching their heads trying to understand what happened and how to resuscitate their computers, a lengthy thread on Reddit suggests deleting a file in the CrowdStrike directory:
Workaround Steps:
- Boot Windows into Safe Mode or the Windows Recovery Environment
- Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
- Locate the file matching “C-00000291*.sys”, and delete it.
- Boot the host normally.
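The steps above, as an added PowerShell script that is not from the Reddit thread or from CrowdStrike. It assumes it is run from Safe Mode with Command Prompt or from a WinRE image that includes PowerShell, and it does not assume the OS volume is C:, because in WinRE the Windows installation is often mounted under a different letter; the script name and the -Remove switch are the author's own choices. By default it only lists the matching channel files and their UTC timestamps so the admin can confirm which file is present before deleting anything.

```powershell
# Added example (not CrowdStrike's or the Reddit poster's code): locate and remove the
# faulty Falcon channel file from Safe Mode or WinRE.
# Usage from the recovery command prompt:
#   powershell -ExecutionPolicy Bypass -File .\Remove-FalconChannelFile.ps1          # list only
#   powershell -ExecutionPolicy Bypass -File .\Remove-FalconChannelFile.ps1 -Remove  # delete
param(
    [switch]$Remove   # without -Remove the script only reports what it would delete
)

$pattern = 'C-00000291*.sys'

# Candidate OS volumes: every fixed drive that carries a CrowdStrike driver folder.
# In WinRE the booted OS is usually not C:, so every file-system drive is checked.
$targets = Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $dir = Join-Path $_.Root 'Windows\System32\drivers\CrowdStrike'
    if (Test-Path -LiteralPath $dir) { $dir }
}

if (-not $targets) {
    Write-Warning "No Windows\System32\drivers\CrowdStrike directory found on any drive."
    exit 1
}

foreach ($dir in $targets) {
    $files = Get-ChildItem -LiteralPath $dir -Filter $pattern -File -ErrorAction SilentlyContinue
    if (-not $files) {
        Write-Host "$dir : no file matching $pattern (nothing to do)"
        continue
    }
    foreach ($f in $files) {
        # Report the UTC modification time so the admin can tell the original push
        # apart from a later re-delivery of the same channel file number.
        $ts = $f.LastWriteTimeUtc.ToString('yyyy-MM-dd HH:mm:ss') + ' UTC'
        if ($Remove) {
            Remove-Item -LiteralPath $f.FullName -Force
            Write-Host "Deleted $($f.FullName) (modified $ts)"
        } else {
            Write-Host "Would delete $($f.FullName) (modified $ts); rerun with -Remove"
        }
    }
}
```

If the WinRE image on hand lacks PowerShell, the same two operations reduce to `dir` and `del` on the CrowdStrike directory of the Windows volume; the point of the script is the drive-letter search and the dry run, not the deletion itself.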
In a statement to The Verge, Microsoft also confirmed that it is aware of the situation.
While booting into Safe Mode and deleting a single file does not sound too hard on a single machine, servicing hundreds of computers, remote devices, and cloud-based services will be quite a chore for IT admins, all the more so where BitLocker is enabled and each machine's recovery key is needed before the drive can be reached from the recovery environment.