- Article
- July 22, 2024
Crowdstrike Update Chaos
Things have been quite busy in the world of IT in recent weeks. An update to the Windows client-side component of Crowdstrike, one of the biggest endpoint protection brands on the market, reportedly caused widespread disruption around the globe to home and corporate workstations, airports, factories, hospitals, even bank ATMs. It effectively impacted almost all facets of life for many people.
According to the postmortem published on their website, Crowdstrike engineers have now been able to pinpoint the root cause of the issue and have come up with a plan to bring most affected computers back to life again.
The basic premise of the Crowdstrike Falcon technology is to keep the local footprint minimal and rely on their cloud environment to detect threats. Essentially, any new or unknown file introduced to the client machine is instantly reported, uploaded and evaluated by a cloud-based API endpoint. This is a sensible approach; however, the problem that recently caused havoc all over the world is integral to their core on-host components.
To provide the highest level of security on Windows, any AV must use kernel drivers: a custom kernel driver, the base of the entire operation, is loaded before anything else can be started on the system. The superpower of such a kernel driver is that it is loaded into kernel memory before even the Windows boot spinner appears and before anything running with system or user rights is loaded. Malware introduced to the system cannot circumvent this setup without forcing a reboot.
In the course of our testing work, we experienced similar critical system failures several times while hardening the Tempus images, as issues in kernel drivers destabilise the very core of Windows. Should the self-check features of Windows detect anything wrong, the result will be the infamous Blue Screen Of Death.
Better not to boot at all than to boot up in an inconsistent state!
Mistakes happen, this is just one of those things. But could it have been avoided?
Yes! Our real-time test environment, Tempus, can also be used to detect any potential disruptions caused by updates within the AV components. Tempus, amongst many other things, can be used to sanity-check updates, processes or actions before anything gets installed on large-scale IT infrastructure.
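The kind of pre-deployment sanity check described above, applied to the boot-start kernel drivers the earlier paragraphs discuss, can be scripted on a Windows test machine. The following PowerShell is an added example written for this article; it is not code from the article, from Tempus, or from Crowdstrike. It takes a snapshot of every driver registered to load at boot (name, path, file version, signer and SHA-256), diffs two snapshots taken before and after an update, and reports whether the test reboot produced a bug check. It relies only on built-in cmdlets and CIM classes; the snapshot variable names and the 24-hour look-back window are assumptions of this example.

```powershell
# Added example (not from the article, Tempus or Crowdstrike): snapshot the boot-start
# kernel drivers on a Windows test host so that two snapshots (before and after an
# endpoint-protection update) can be diffed, then check whether the reboot bug-checked.

function Get-BootStartDriverSnapshot {
    # Win32_SystemDriver exposes the service-style registration of kernel drivers.
    # StartMode 'Boot' is the class the article describes: loaded by the boot loader
    # before any system- or user-mode code runs.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.StartMode -eq 'Boot' } |
        ForEach-Object {
            $path = $_.PathName
            # Registered paths may be \SystemRoot\... or \??\C:\...; normalise to a filesystem path.
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^\\\?\?\\', ''
            $version = $null; $signer = $null; $hash = $null
            if ($path -and (Test-Path -LiteralPath $path)) {
                $version = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
                $sig     = Get-AuthenticodeSignature -LiteralPath $path
                $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "$($sig.Status)" }
                $hash    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
            [pscustomobject]@{
                Name    = $_.Name
                State   = $_.State
                Path    = $path
                Version = $version
                Signer  = $signer
                Sha256  = $hash
            }
        }
}

function Compare-DriverSnapshots {
    param(
        [Parameter(Mandatory)] [object[]] $Before,
        [Parameter(Mandatory)] [object[]] $After
    )
    # Report drivers that were added, removed, or whose binary hash or signer changed.
    $beforeByName = @{}
    foreach ($d in $Before) { $beforeByName[$d.Name] = $d }
    foreach ($d in $After) {
        $old = $beforeByName[$d.Name]
        if (-not $old) {
            [pscustomobject]@{ Name = $d.Name; Change = 'added'; Before = $null; After = $d.Sha256 }
        } elseif ($old.Sha256 -ne $d.Sha256 -or $old.Signer -ne $d.Signer) {
            [pscustomobject]@{ Name = $d.Name; Change = 'modified'; Before = $old.Sha256; After = $d.Sha256 }
        }
        $beforeByName.Remove($d.Name)
    }
    foreach ($name in $beforeByName.Keys) {
        [pscustomobject]@{ Name = $name; Change = 'removed'; Before = $beforeByName[$name].Sha256; After = $null }
    }
}

function Get-RecentBugChecks {
    param([int] $Hours = 24)   # look-back window is an assumption of this example
    # After a Blue Screen, Windows logs event ID 1001 from the system error reporting
    # provider on the next boot; the message carries the bug-check code and parameters.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
        Id           = 1001
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Usage on a disposable test machine (variable names are this example's own):
# $before = Get-BootStartDriverSnapshot
# ... apply the AV update, reboot the test machine ...
# $after  = Get-BootStartDriverSnapshot
# Compare-DriverSnapshots -Before $before -After $after | Format-Table
# Get-RecentBugChecks | Format-List
```

The snapshot covers only the driver binaries registered for boot start; any content or configuration files a driver reads when it loads are outside what this diff sees, so a clean diff is evidence that the binaries are unchanged, not proof that the update is safe. The bug-check query is the cheap confirmation that the test reboot actually completed without a crash before the update is promoted to a wider ring.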
Get in touch to find out more.