| 4 minute read

MS outage linked to CrowdStrike: Falcon Content Update for Windows Hosts

blue screen of death

You are not alone if you woke up this morning with a Blue Screen of Death (BSOD). Please reach out to the Avalon Cyber team if you need assistance: 877.216.2511.

Avalon wants to provide you with the most up-to-date information, so will be adding to this blog throughout the day. 

From the CrowdStrike website:

CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack.

The issue has been identified, isolated and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website.

We further recommend organizations ensure they’re communicating with CrowdStrike representatives through official channels.

Our team is fully mobilized to ensure the security and stability of CrowdStrike customers.

Updated 1:25pm ET, July 19, 2024:

We understand the gravity of the situation and are deeply sorry for the inconvenience and disruption. We are working with all impacted customers to ensure that systems are back up and they can deliver the services their customers are counting on.

We assure our customers that CrowdStrike is operating normally and this issue does not affect our Falcon platform systems. If your systems are operating normally, there is no impact to their protection if the Falcon Sensor is installed.

Below is the latest CrowdStrike Tech Alert with more information about the issue and workaround steps organizations can take. We will continue to provide updates to our community and the industry as they become available.

Details:

  • Symptoms include hosts experiencing a bugcheck\blue screen error related to the Falcon Sensor.
  • Windows hosts which have not been impacted do not require any action as the problematic channel file has been reverted.
  • Windows hosts which are brought online after 0527 UTC will also not be impacted
  • Hosts running Windows 7/2008 R2 are not impacted
  • This issue is not impacting Mac- or Linux-based hosts
  • Channel file "C-00000291*.sys" with timestamp of 0527 UTC or later is the reverted (good) version.
  • Channel file "C-00000291*.sys" with timestamp of 0409 UTC is the problematic version.
    • Note: It is normal for multiple "C-00000291*.sys files to be present in the CrowdStrike directory - as long as one of the files in the folder has a timestamp of 0527 UTC or later, that will be the active content.

Current action:

  • CrowdStrike Engineering has identified a content deployment related to this issue and reverted those changes.
  • If hosts are still crashing and unable to stay online to receive the Channel File Changes, the workaround steps below can be used to address this issue.
  • We assure our customers that CrowdStrike is operating normally and this issue does not affect our Falcon platform systems. If your systems are operating normally, there is no impact to their protection if the Falcon Sensor is installed. Falcon Complete and Overwatch services are not disrupted by this incident.

Query to identify impacted hosts via advanced event search:

Please see this KB article: How to identify hosts possibly impacted by Windows crashes.

Updated 9:22am ET, July 19, 2024:

We are working hard to provide comprehensive and continuous updates with our global customers as quickly as possible. Below is the latest CrowdStrike Tech Alert with more information about the issue and workaround steps organizations can take. We will keep this page updated with new information as it’s available.

Summary

  • CrowdStrike is aware of reports of crashes on Windows hosts related to the Falcon Sensor.

Details

  • Symptoms include hosts experiencing a bugcheck\blue screen error related to the Falcon Sensor.
  • Windows hosts which have not been impacted do not require any action as the problematic channel file has been reverted.
  • Windows hosts which are brought online after 0527 UTC will also not be impacted
  • Hosts running Windows 7/2008 R2 are not impacted
  • This issue is not impacting Mac- or Linux-based hosts
  • Channel file "C-00000291*.sys" with timestamp of 0527 UTC or later is the reverted (good) version.
  • Channel file "C-00000291*.sys" with timestamp of 0409 UTC is the problematic version.

Current Action

  • CrowdStrike Engineering has identified a content deployment related to this issue and reverted those changes.
  • If hosts are still crashing and unable to stay online to receive the Channel File Changes, the following steps can be used to workaround this issue:

Workaround Steps for individual hosts:

  • Reboot the host to give it an opportunity to download the reverted channel file. If the host crashes again, then:
    • Boot Windows into Safe Mode or the Windows Recovery Environment
      • NOTE: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.
    • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
    • Locate the file matching “C-00000291*.sys”, and delete it.
    • Boot the host normally.

Note: Bitlocker-encrypted hosts may require a recovery key.

Workaround steps for public cloud or similar environment including virtual:

Option 1:

  • ​​​​​​​Detach the operating system disk volume from the impacted virtual server
  • Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes
  • Attach/mount the volume to a new virtual server
  • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
  • Locate the file matching “C-00000291*.sys”, and delete it.
  • Detach the volume from the new virtual server
  • Reattach the fixed volume to the impacted virtual server

Option 2:

  • ​​​​​​​Roll back to a snapshot before 0409 UTC.

AWS-specific documentation:

Azure environments:

User access to recovery key in the Workspace ONE portal:

When this setting is enabled, users can retrieve the BitLocker Recovery Key from the Workspace ONE portal without the need to contact the HelpDesk for assistance. To turn on the recovery key in the Workspace ONE portal, follow the next steps. Please see this Omnissa article for more information.

Bitlocker recovery-related KBs:

Source: https://www.crowdstrike.com/blog/statement-on-windows-sensor-update/ 

Blog Articles

Employee Spotlight: Sofia Johnson

 

 

Every once in a while, we like to show off one of our hard-working, detail-oriented problem solvers. Take a moment to see who's in the spotlight today!

Mastering Basic Cybersecurity Hygiene for Long-Term Success

As a cybersecurity leader who’s seen too many breaches start with the simplest oversights, I often say: “You can’t build castles on a sand foundation.” In today’s landscape, where ransomware attacks are a daily occurrence for businesses large and small, basic cybersecurity hygiene isn’t optional; it’s your first line of defense – the basics that keep your organization resilient.

Analyzing September 2025’s Critical Zero-Day Vulnerabilities

September 2025 has been a powerful reminder that today’s greatest cyber risks often come from the software we rely on most. In just a few short weeks, organizations faced a wave of critical zero-day vulnerabilities across remote access gateways, communication apps, password managers, and even everyday utilities. These weren’t hypothetical risks – they were live, actively exploited threats.