The blue screen of death (BSOD) triggered on July 19, 2024 in Windows environments worldwide was caused by a faulty update of the CrowdStrike Falcon Sensor’s Endpoint Detection and Response component.
How did an application’s update flaw cause a BSOD?
The CrowdStrike Falcon driver runs at the kernel level on every machine where the sensor is installed. This driver is loaded during the pre-OS initialization phase of boot. Because such threat detection and response drivers load this early, they can block malware and other payloads before they are installed on the machine. These drivers fall under the category of early launch anti-malware (ELAM) protection.
Who creates ELAM drivers?
Vendors who create ELAM drivers must be members of the Microsoft Virus Initiative (MVI). MVI vets the intent and technical capability behind these tools and accepts only vendors who meet its requirements.
One of MVI’s key requirements is that the vendor must be end-to-end responsible for keeping the software up-to-date on all client machines.
How does the CrowdStrike Falcon sensor’s ELAM get updated?
The client machines receive updates directly from CrowdStrike’s cloud infrastructure over HTTPS on port 443.
CrowdStrike automatically pushes additional channel files to the sensor’s folder on the client machine. Channel files contain detection rules for tracking threats and response workflows for remediating them.
What went wrong with the file (C-00000291*.sys)?
C-00000291*.sys was one of the channel files responsible for creating named pipes.
Named pipes facilitate inter-process communication within a single machine or between a client and a server across a network. A file object is created in the machine’s file system, but its contents are held in memory rather than written to disk.
To list the named pipes on your machine, open a PowerShell prompt and run: [System.IO.Directory]::GetFiles("\\.\\pipe\\")
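The pipe behaviour described above, as an added PowerShell example (not code from the original post or from CrowdStrike): it starts a small named-pipe server in a background job, connects a client, and uses the listing command from the post to show that the pipe object is present only while the server holds it open. It assumes Windows PowerShell 5.1; the pipe name is a constructed value.

```powershell
# Added example: named-pipe server and client, plus the \\.\pipe\ listing.
# Assumes Windows PowerShell 5.1. "demo-pipe-<pid>" is a constructed name.

$pipeName = "demo-pipe-$PID"
$inout = [System.IO.Pipes.PipeDirection]::InOut

function Get-PipeNames {
    # The same listing the post uses, reduced to bare pipe names.
    [System.IO.Directory]::GetFiles("\\.\\pipe\\") |
        ForEach-Object { [System.IO.Path]::GetFileName($_) }
}

# Server: runs in a background job so a client can connect from this session.
$server = Start-Job -ArgumentList $pipeName -ScriptBlock {
    param($name)
    $dir = [System.IO.Pipes.PipeDirection]::InOut
    $srv = New-Object System.IO.Pipes.NamedPipeServerStream($name, $dir)
    $srv.WaitForConnection()                      # blocks until a client connects
    $reader = New-Object System.IO.StreamReader($srv)
    $writer = New-Object System.IO.StreamWriter($srv)
    $writer.AutoFlush = $true
    $writer.WriteLine("server echo: " + $reader.ReadLine())
    $srv.Dispose()                                # closing the handle removes the pipe
}

# Wait (up to 10 s) for the job to create the pipe, then check the listing.
$deadline = (Get-Date).AddSeconds(10)
do { Start-Sleep -Milliseconds 200 } until (((Get-PipeNames) -contains $pipeName) -or ((Get-Date) -gt $deadline))
"Pipe listed while server waits: " + ((Get-PipeNames) -contains $pipeName)

# Client: connect to the local server (".") and exchange one line of text.
$client = New-Object System.IO.Pipes.NamedPipeClientStream(".", $pipeName, $inout)
$client.Connect(5000)                             # retries until the pipe exists or 5 s pass
$w = New-Object System.IO.StreamWriter($client); $w.AutoFlush = $true
$r = New-Object System.IO.StreamReader($client)
$w.WriteLine("hello")
"Reply: " + $r.ReadLine()
$client.Dispose()

# Once the server job finishes, the pipe object is gone; nothing was written to disk.
Wait-Job $server | Out-Null; Remove-Job $server
"Pipe listed after server closed: " + ((Get-PipeNames) -contains $pipeName)
```

The first check prints True and the last prints False, which is the in-memory, handle-bound lifetime that distinguishes a named pipe from an ordinary file.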
This channel file’s code had a logic error: the memory allocated for pipe creation didn’t suffice. This blocked the pipe creation and thus the execution of the channel files corresponding to the new update. The question is how this update was not tested before it was rolled out.
But why BSOD?
Kernel-level operations affect both hardware and software in a Windows machine. If something goes wrong at this level, it can have severe repercussions for the state of the machine. So, if any of these kernel-level processes fail, Windows immediately halts with a BSOD.
How can the BSOD caused by the Falcon sensor be fixed?
CrowdStrike addressed the memory allocation error in its fix. However, all affected systems had to be manually rebooted for the update to take effect.
This worldwide phenomenon will remain a classic example of how strong security basics can keep organizations running smoothly.
A simple update flaw, a misconfiguration, the use of default credentials, and loosely coupled permissions for users and entities—each of these can bring down businesses. Constantly monitoring for security and risk factors can help organizations stay secure in the long run.