Forum Discussion

Roger_Gooner
Alessandro Volta
6 months ago

CrowdStrike

Has VM been affected by the CrowdStrike bug? It has hit Windows devices in lots of businesses worldwide. Interestingly, if you are wondering why systems as diverse as airline check-in and payments are affected, the reason is probably because in the background there is communication with a Windows PC which has gone down, so the whole system fails. A chain is only as strong as its weakest link.

  • Tudor
    Very Insightful Person

    I blame all the users, not the people who issued the bad fix. When I worked in corporate IT all fixes were tested in totally firewalled ring fenced systems away from the main systems. You always test everything twice and then when released it’s always a staged release. You never ever rely on a vendor if they say it’s just a minor update and will not affect anything. Always, test, test, test.

  • Client62
    Alessandro Volta

    Welcome to the modern world where Agile demands delivery on time and regardless of the fragility of the product.

    The IT world I see in the rear view mirror of my 35+ year technology career is not one I'd like to rejoin.

    CloudStrike is a cracking name for a company that has rained on so many.

    Will Darktrace be next?

  • Adduxi
    Very Insightful Person

    It’s pretty ironic that a Cybersecurity firm has crashed so many computers. But I have to agree with Tudor: all patches should be tested before release in a controlled manner.

  • Roger_Gooner
    Alessandro Volta

    In a statement this afternoon, Microsoft said it estimated the error had affected at least 8.5 million machines, or one per cent of Windows computers worldwide. I've never known anything like this, and I've been around for a long time.

    Edit to add that some PCs are encrypted with BitLocker - and not everyone has the recovery key.

    What we also don't know is why a buggy driver file can cause repetitive BSODs - which led to another problem in that affected PCs have to be logged into safe mode to delete the file. I presume that choosing the "Safe mode with networking" is not an option as the buggy file would be loaded, a pity because this option would enable a small script file to be downloaded and run to navigate to the file and delete it.

  • Roger_Gooner
    Alessandro Volta

    The core analysis and processing are certainly done in the cloud, and a lightweight sensor agent is installed on each endpoint (computer, server, mobile device) within a network. The sensor gathers data on running processes, file activity, network connections, and other system events. This data is sent to the CrowdStrike Falcon platform in the cloud for real-time analysis.

    What happened recently was the installation of a buggy driver file on Windows PCs. We don't know the cause of the fault, which might be compatibility issues with the Windows kernel, mishandling of memory allocation or access or something else we don't know about. The problem then is that when a Windows device fails, it can have consequences which are unpredictable as there are so many of them in corporate networks. This is why such a diverse range of applications failed.

  • Adduxi
    Very Insightful Person

    The problem seems to be a badly written driver file. The solution is to delete this file. However, in a Corporate environment this is easier said than done. The share price of CrowdStrike took a hit on the Markets. I’m guessing this is one program that will be uninstalled pdq.

    • Roger_Gooner
      Alessandro Volta

      One thing that's been underreported was what had to be done where virtual machines are hosted on a cloud provider like Microsoft Azure. These VMs on Azure have no console access (as is common), so you can't boot them into safe mode by constantly whacking the F8 key. Instead, each VM had to be shut down, a replacement VM created, the system disk from the affected VM mounted to the new VM, the buggy file deleted, the disk unmounted and the new VM started. Then repeat for the load of other affected VMs as the company had outsourced to a cloud provider.

    • goslow
      Alessandro Volta

      It's a bit rich of Microsoft piling in with that when MS routinely trashes computers every month, and in all manner of ways, with inadequately tested Windows updates.

      • Adduxi
        Very Insightful Person

        In fairness, I've a few Win 10 / 11 Pro machines here and I honestly can't remember the last time WU "trashed" any of them. However, I run quite "clean" machines and don't install stuff willy nilly.

  • Adduxi
    Very Insightful Person

    That's a bit of a lame advertisement for Windows Defender. I would still be blaming CrowdStrike for not testing patches before sending out. Anyway, let's see how many Corporates think about using CrowdStrike in the future?

  • Roger_Gooner
    Alessandro Volta

    My understanding is that for Azure, and I'm sure for other cloud providers, it's simple to create and manage snapshots of your VM's OS disk for recovery. The whole thing can be automated with scripts.
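The Azure repair described earlier in the thread (attach the affected VM's system disk to a rescue VM, delete the file, restart), scripted with a snapshot taken first as this post suggests. This is an added example, not anything posted in the thread or published by Microsoft or CrowdStrike; the resource group, VM, rescue VM, disk and snapshot names are assumptions, and the file to delete is not named because the thread does not name it.

```shell
#!/bin/sh
# Added example: Azure CLI steps for the repair described in this thread,
# done on a copy of the OS disk taken from a snapshot so the original is kept.
# All resource names here are assumptions. With EXECUTE=1 the commands run;
# otherwise they are only printed so the plan can be reviewed first.
set -eu
EXECUTE="${EXECUTE:-0}"

az_cmd() {
    echo "az $*"                                  # show the planned command
    if [ "$EXECUTE" = "1" ]; then az "$@"; fi     # call the CLI only on request
}

# Stage 1: stop the broken VM, snapshot its OS disk, build a working copy from
# the snapshot and attach the copy to a rescue VM as a data disk. The faulty
# file is then deleted from that attached disk inside the rescue VM.
stage_attach() {
    rg="$1"; vm="$2"; rescue="$3"; osdisk_id="$4"
    az_cmd vm deallocate --resource-group "$rg" --name "$vm"
    az_cmd snapshot create --resource-group "$rg" --name "${vm}-os-snap" \
        --source "$osdisk_id"
    az_cmd disk create --resource-group "$rg" --name "${vm}-os-fixed" \
        --source "${vm}-os-snap"
    az_cmd vm disk attach --resource-group "$rg" --vm-name "$rescue" \
        --name "${vm}-os-fixed"
}

# Stage 2, after the file has been removed: detach the copy from the rescue VM,
# swap it in as the broken VM's OS disk and start the VM again. The snapshot
# and the original disk remain, so the swap can be reversed if needed.
stage_swap() {
    rg="$1"; vm="$2"; rescue="$3"
    az_cmd vm disk detach --resource-group "$rg" --vm-name "$rescue" \
        --name "${vm}-os-fixed"
    az_cmd vm update --resource-group "$rg" --name "$vm" --os-disk "${vm}-os-fixed"
    az_cmd vm start --resource-group "$rg" --name "$vm"
}

# The OS disk id for stage 1 normally comes from:
#   az vm show -g RG -n VM --query storageProfile.osDisk.managedDisk.id -o tsv
# Dry-run demonstration with constructed names (no Azure account needed):
if [ "${1:-}" = "demo" ]; then
    stage_attach rg-prod app-vm01 rescue-vm01 \
        /subscriptions/SUB-ID/resourceGroups/rg-prod/providers/Microsoft.Compute/disks/app-vm01-osdisk
    stage_swap rg-prod app-vm01 rescue-vm01
fi
```

Run it once without EXECUTE to read the planned commands, then loop it over the list of affected VMs once the plan looks right.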