OUTAGE OF MICROSOFT WINDOWS DUE TO CROWDSTRIKE AGENT FALCON SENSOR UPDATE
The Indian Computer Emergency Response Team (CERT-In) has issued a critical advisory following reports of a widespread outage caused by a recent update to the CrowdStrike Falcon Sensor. The advisory, designated CIAD-2024-0035, highlights that affected systems are experiencing the Blue Screen of Death (BSOD).
Issue and Immediate Response
The issues were traced back to the latest update of CrowdStrike. The CrowdStrike team has since reverted these changes. However, if systems are still crashing and unable to go online to receive the updated channel file changes, the following steps can be used as a workaround:
Step-by-Step Guide to Resolve the Issue
1. Boot into Safe Mode
- Restart the server.
- Press F8 or Shift+F8 before Windows startup to enter the Advanced Boot Options menu.
- Select Safe Mode and press Enter.
2. Disable the CrowdStrike Agent
- Once in Safe Mode, open a Command Prompt with administrative privileges.
- Run the following command to disable the CrowdStrike service:
```shell
sc config csagent start= disabled
```
3. Reboot the Server
- Restart the server normally.
4. Set the CrowdStrike Agent to Idle
- After the server boots up, open a Command Prompt with administrative privileges again.
- Run the following command to set the CrowdStrike agent to idle mode, meaning the service is started manually (on demand) rather than at boot:
```shell
sc config csagent start= demand
```
5. Re-enable the CrowdStrike Agent (if needed)
- If you need to re-enable the CrowdStrike agent later, you can run the following command:
```shell
sc config csagent start= auto
```
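To confirm that each `sc config` step actually took effect before rebooting, the start type can be read back from the registry. The following PowerShell is an added example, not part of the CERT-In advisory or CrowdStrike guidance; the function names `Get-StartType` and `Set-StartType` are hypothetical, and it assumes an elevated session and the `csagent` service name from the commands above.

```powershell
# Added example: verify each `sc config csagent start= ...` change before rebooting.
# Run from an elevated PowerShell session. Function names are hypothetical.

$ServiceName = 'csagent'   # service name used in the advisory's commands

# Start values stored under the Services registry key, mapped to sc.exe keywords.
$StartTypes = @{ 0 = 'boot'; 1 = 'system'; 2 = 'auto'; 3 = 'demand'; 4 = 'disabled' }

function Get-StartType {
    param([string]$Name = $ServiceName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { throw "Service '$Name' is not registered on this host." }
    $value = (Get-ItemProperty -Path $key -Name Start -ErrorAction Stop).Start
    return $StartTypes[[int]$value]
}

function Set-StartType {
    param(
        [Parameter(Mandatory)][ValidateSet('disabled', 'demand', 'auto')][string]$Target,
        [string]$Name = $ServiceName
    )
    $before = Get-StartType -Name $Name
    # Call sc.exe explicitly: in Windows PowerShell, bare `sc` is an alias for Set-Content.
    & sc.exe config $Name start= $Target | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE." }
    # Read the value back instead of trusting the command's success message.
    $after = Get-StartType -Name $Name
    if ($after -ne $Target) { throw "Start type is '$after', expected '$Target'. Do not reboot yet." }
    Write-Output "$Name start type: $before -> $after"
}

# Usage, following the advisory's steps:
#   Set-StartType -Target disabled   # step 2, in Safe Mode
#   Set-StartType -Target demand     # step 4, after the normal boot
#   Set-StartType -Target auto       # step 5, when re-enabling
```

If the read-back does not match the requested value, the change did not persist and rebooting would return the host to the crash loop.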
Affected Areas
The outage has significantly disrupted various sectors worldwide:
- Major banks, media, airports, and airlines: Critical IT outages.
- Payment systems: Impacted in various parts of the world, including Australia and the UK.
- Government: Australia's government called for an emergency meeting.
- Microsoft services: Significant disruption.
- 911 services: Disrupted in several US states, including Alaska, Arizona, Indiana, Minnesota, New Hampshire, and Chicago.
- London Stock Exchange: Services disrupted.
- Sky News: Temporarily off the air.
Users are advised to check the latest updates from the CrowdStrike portal to stay informed about further developments and updates. For detailed vendor information, visit CrowdStrike's support portal at [CrowdStrike Support](https://supportportal.crowdstrike.com/).