For all the armchair quarterbacks out there who are interested in how Crowdstrike came to make such a disastrous mistake, they’ve released a preliminary post-incident report. It’s worth the read: www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/

RIP to all IT people dealing with bitlockered systems.

As a retired IT worker who went through Y2K and is still irritated by all those who said all the work we put in to prevent this sort of outcome was a waste of time and resources, I feel pained for those doing the firefighting, hopeful they get the recognition they deserve, but suspect they'll be in part scape goated for not having (unaffordable) automated backup and recovery systems in place.

I have to admit, this took me back to my IT days 20 years ago and i literally had chills up and down my back. My heart goes out to all the key boards warriors who had to go through what they've gone through and those who are still plugging away. There's got to be a better way and of course that's the same thing we said 20 years ago...

Working for a company that's still recovering from a cyberattack (we switched to CrowdStrike in the wake of that), this was the worst nightmare I could wake up to.

I appreciate you guys and gals. I work for a small IT company out of Alaska. We were not affected thankfully but I can't imagine the mass scale of this outage and the tedious manual work that will have to be implemented in order to get all systems back up. I'm in the sales dept. I bring in new clients for the company I work for. I've always had respect for Tech. I'm somewhat of a nerd/ sales guru. and appreciate the work behind the scenes that keeps systems running smooth and safe.

And suddenly, we went from no cash to a paper sign that says cash only.

We weren’t affected, but in the end it’s just dumb luck that we chose a different EDR product. Lots of lessons learned today, and I’m sure there are going to be a lot of great discussions in the coming weeks. Sleep well! You deserve it.

Something like this was inevitable in a world where enterprises don't control/delay updates and leave it to the vendors.

We had Azure VM and Microsoft suggested doing a disaster recovery process, which includes changing the region, etc. I was determined to not mess with the VMs because they are set up very specifically to the apps we had - basically I was hoping Microsoft would be willing to fix it, since I didn't do anything to break it. 45 minutes later it came on, I was glad that I waited.

My night/day started at 11:41 PM central time. Finished at 7:30PM tonight

right there with you...worked from 3:30AM to 8:00PM, with another long day tomorrow....

The first thing I thought about when I heard about the outage was the line "Skynet IS the virus".

Seeing so many machines down all at the same time was definitely the craziest thing I have ever seen in my 25+ years in IT

This is an EXCELLENT RECAP Thank YOU for explaining it for regular folks.

Happy to learn that I'm not the only one who thought of Lawnmower Man 🤓

Thanks for sharing your experience. I am not working in IT, but I do work in the tech industry. I am lucky my company don't use Crowdstrike, and so far in my country, only the airport and a few airlines were affected. I am not travelling, so I just went about with my day. To everyone involved in fixing this mess, thank you. I try my best to explain to my friends and family what is going on, and I have been emphasizing the situation the sysadmins, IT helpdesk staffs are facing, with the occasional F U to Crowdstrike. Everyone in IT should be appreciated more and I can only hope this can be studied every where and something can be done to prevent the same thing from happening again. Remember it is not just the good guys learning from this outage, I am pretty sure the bad guys, the thread actors are also learning from this.

It was a rough day for many for sure. I work for a university and it impacted a LOT of our production systems. I agree it's the best on the market. I think there may be some diversification in the platforms companies use after this, but I can't see there being any mass defections. Just my less than 2 cents. I'm tired too and I hope the weekend for everyone get much better. I appreciate your content and have learned a lot.

Fantastic video! I loved how you told the story of how it began at your org. That's exactly how I felt. What I suspect is going to come out of this is that CrowdStrike may have to segment its solution updates by industry. This failure was massive and even though they will check it countless times going forward, my guess is that companies will come forward and say that this cannot happen again. Just the fact that they test, test, test, and re-test going forward will not be enough. We saw a lot of side channel attacks coming in the form of phishing. While the event was not malicious, it did have somewhat the same net result and that is unavailability of services. What's also got put out front and center is, all the major companies that use Crowdstrike. I am sure that going forward they will test the hell out of their updates, but segmentation by industry is probably where they will need to go for rolling out global updates so that things like Healthcare or Travel are not impacted at the same time in the event of an issue. This will also place more focus on Microsoft Azure. While it's not Microsoft's fault, we will need to start planning for DR scenarios that we once thought were pie in the sky issues. Now those pie in the sky scenarios are real. Very real.

The company I work for was hit hard. To make matters more fun some of our smaller locations, like mine, don’t have any IT personnel. That meant that 2 of us who know computers had to get all of them working once we were given instructions. On my computer I have local admin rights so on that computer I was able boot into safe mode and delete the file. On all other computers we either had to PXE boot or go through the Microsoft menus to get to the command prompt. We still have 3 computers with Bitlocker that we cannot access. No one in the company has the correct access code.

If you have VMWare, you could fire up a VM that has PowerCLI, shut down all the windows VM's, then loop through every disk image to mount it on the new VM, delete that file and unmount it again. PROBABLY best to use a Linux VM for this as Linux is far 'nicer' when it comes to mounting and unmounting drives. I'm GUESSING other hypervisors would have similar tools. HyperV shops will probably be an even bigger level of screwed with dataloss due to the hypervisors themselves resetting. Then there's next level screwed if bitlocker is in use.

I work for a large company that use to use crowstrike...we removed and replaced with MS E5 License Security Stuff when we went to e5 as a cost thing ..... But we had 40 machines still affected as even though it was removed we had had instances of crowdstrike re installing itself...real bizarre ...those 2 Servers have been fixed and the other PC's for users will be fixed when Desktop Staff come in Monday as they were at remote sites...what a mess.....

We worked in to Saturday morning man. It was brutal. When it was first happening I was like you. Immediately thought it was some kind of attack. Then I went online and saw it was happening everywhere. Crowdstrike's valuation is going to be interesting on Monday when trading starts again. There's still a whole bunch of people on remote laptops that are locked out due to Bitlocker. This is going to be such a PITA.

I feel your pain. Symantec Corporate Antivirus did this to me years ago... I had to boot over 100 computers using a USB stick with a fix on it and I was the only IT person in the company at the time. We got rid of it within the next week and switched to Sophos. "Knock on wood" that never happens again.

Great video and thanks for sharing your "horror story". I'm a retired IT guy, and still very much like to keep an ear to the ground on IT matters. When this event happened, I was hoping someone who was in the weeds in handling this event within their org would post their story so I can hear details. Having been through similar (albeit less widespread impactful) events, I can 100% relate. Still morbidly curious, I guess.

This was like listening to some strange dude describe my Friday.

My heart goes out to everyone affected. Way to hang in there, Rich! We were not impacted, but know quite a few shops here in Houston that were.

Lets move everything to the cloud!!! Great idea! 😂😂😂

As a non-tech person, I knew it looked bad yesterday when I started looking at flight delays. Hats off to you and all of the other IT folks dealing with this nightmare!

Every organisation’s IT teams find solace in each other demise thinking they are not alone to face this sh!t lol

It’s a Nightmare, you wouldn’t want it on your worst enemy…

Thank you for taking the time to put this together when you're clearly so exhausted. This is exactly the kind of content we need after an event like this, from real professionals who are there. There's too many "lol why didn't they just ..." Reddit Keyboard Commandos running around making me wish I had a way to smack people through my screen. Respect. One thing I still don't understand is how this actually got out of Crowdstrike's development systems (?) and into their production deployment systems. I realize that one of the big benefits of CS is its rapid response nature, I think backed in part by ML (?), but surely there should have been some sort of internal unit test package or an equivalent to catch a killer update before it was pushed? High speed automation with no QC is an invitation to exactly this sort of disaster. Given how many medical/hospital systems were impacted, including in some locations EMS helicopter service, CS will be lucky if they don't get sued for contributing to someone's death or injury.

Very clear and concise. Thanks so much for the video explaining what has to happen to delete the file. What a task to have to touch every machine!

The rather large global company I work for, doesn't use Crowdstrike, so, amazingly, I've been able to sit back at eat popcorn, all while saying "there but for the grace of God go I". I'm so glad I dodged this bullet.

I understand from reliable sources, IT techs that understand servers, laptops and such, that the reason that only Microsoft systems were affected is that Falcon must communicate with the Microsoft kernel, the lowest level of the Operating System. Corruption in the kernel causes failure of the whole OS and must be restored in safe system mode. Linux and MacOS operation systems do not allow applications to communicate directly and so cannot be corrupted by a wayward application. Only the wayward application will fail on Linux and MacOS and could be easily rolled back to the original application. The Mac OS was rewritten some years ago to a Linux/Unix type architecture. I wonder if there is any kernel protection that will be implemented in the Microsoft OS anytime soon.

Really great boots on the ground, "this is how it went (down)" account. Surreal. Thank you!

Sure was a day for us. Luckily, by the time we got to the office the fix was know. It could have been a hell of a lot worse. Our DCs were good, a few servers went down but came back quickly. Then we trawled through all the desktops over an 8 hour stint. As IT, all we got from the business was praise because we had constant coms and updates running throughout the day and offloaded a bunch of the reporting responsibilities to the team leads rather than getting all users to make lots of noise reporting.

Yesterday was a big win for CrowdStrike. Finally a virus protection program that disabled the most prolific spyware program on the internet - Microsoft Windows. No Linux/Mac products were harmed.

Got my PROD SQL Servers back online within 6 hours! 300 TB Apocalypse!!!

Great recap of your very real world experiences! Thank you for sharing sir!

OUCH! 😮 All in the name of "Security" . . . Now we see how fragile our systems really are - and how dependent we are in today's technology! 🤐 Now we also know that major events aren't always caused by bad actors!! 😬 Stay Vigilant and Keep Safe !! 😷 #majorincident #dependencies #securityglitch

To provide greater clarity, the primary issue here is that cloudstrike falcon runs at kernel level and has internet connected privileged binaries so as to provide rolling updates to threat protection offerings. This was and always has been a massive attack vector that’s yet to have been exploited at a high level. It just so happens to have exposed its vulnerability to the world through incompetence. If Microsoft was half intelligent they’d step in and implement something similar to Apple who provides a system extension abstraction layer so as to not give direct kernel access. They will not do this, because they are stupid arrogant and lazy. Instead, I think most critical organizations should steer clear of crowdstrike and similar kernel level applications with internet dependent binaries. Even if that leaves you slightly more vulnerable to other threats.

Best vid so far on this topic. We had a long day as well, I got called at 3am my local time, got to take a nap at 5pm.

I'm an employee at a small company and had this crap on Friday morning. Our IT guy was abroad in vacation and he got the choise between finding the next flight or sending each employee the admin password by private e-mail. He chose to give us the passwords and change them when he comes back.

The only big question is why are drivers for windows not signed and then validated by the OS before being installed/loaded? That just seems so obvious. You would think there would also be a transaction log for most recently installed “system” stuff and if more than three reboots are triggered it would rollback the install log and quarantine the most recently installed items. That’s how I’ve designed patching systems in the past for mission critical infrastructure software systems. I had no idea this many people still used windows! I’ve not touched windows for 25yrs.

That sucks, sorry to hear. Im glad I didnt have to deal with it but Ive been through a malware event and know the feeling. Hang in there!

My question is after working as an update/patching admin why would you push an update on a Thursday/Friday best practices patch Tuesdays for those who know 🤔

The ITasS company I work for fielded 140 calls had 4 simultaneous war rooms on of which wrapped up at about 1 am this morning

Co. I work for still has over 12k users to bring back online. It's been a nightmare going on 48 hrs now

I was lucky that my org is currently only using crowdstrike for a few non-critical systems. I feel for you, and hope you get some recovery rest It will be interesting to see what lessons the industry (and world in general) take from this.

I'm a contractor to a large Australian retailer and I have to say they have their shit together. Had thousands of POS systems back up over the weekend and then the hundreds of the support laptops by mid morning today. Came down to them being easily able to report on the Bitlocker keys, and admin passwords to gain access to the CS folder. I have a new found respect for disaster preparedness and recovery.

Man i feel all your situation loins and 100% feel for you guys. Luckily this time, I Sitting pretty with S1 today.

Did not have issues at my site since we don't use Falcon, but my son's company did. I did not know that Azure did not have a console that sucks, and I was just toying with looking into it more. Whew, I dodged a bullet there. This reminds me of the MS service pack nightmare, which I did have to pull long days for. Good luck, folks. I hope you all get some sleep soon. Cheers

Thank You for this EXCELLENT ANALYSIS!

Lol. I am just a retired low-level PC Tech. When I got out of bed yesterday I heard the words 'bad update' on tv, so I ran in and quickly did an rst r u i on my own desktop. But apparently I was not even affected, anyhow. But the machines at the hospital where I work as a housekeeper are, and they are all bitlockered VMs. And they have a tiny IT Department with inexperienced techs. That Hands-On solution is not too difficult, as long as you can get the key. Should I offer them my services on a per system basis? More fun than cleaning toilets ! 😅 (Ouch. Poor you!! )

I wonder how long this will take to fully recover from, think about all the laptops that will probably have to be shipped back to the office and the kiosks that are hard to gain physical access too

This was the result of Crowdstrike’s incompetence but Microsoft is also to blame for not adequately protecting their OS at the kernel level. No 3rd party software, no matter the source, should be able to root-kit an OS like this, requiring manual deletion of files like it’s the 1990s. This kind of failure is not possible on MacOS for example.

Thanks for sharing your experience; hope you can get some sleep!

Crowdstrike is a proud world economic forum company. The plan for a global cyber attack isn't to have someone attack you but for the main cyber attack prevention company to actually be the point of failure in replacement of a "global cyber attack"

Wow, you got a front row seat....to me the fact that this was even possible indicates how fragile things are. What do you think we can do to prevent such a catastrophe in the future?

Yesterday was like a digital nuclear bomb going off

I’m a cybersecurity analyst and my company was on high alert yesterday as we assumed initially this was a cyberattack

Really relate to your story. I’m in Australia so it hit our IT team at Friday 3pm and I’m in development (not ops) and my surface crashed, then my colleagues did. Reported it to my boss then walked away while it rebooted. In the bathroom a woman from a totally different company sharing the building with us tells me “all our pcs crashed so we’re leaving for early drinks at the pub 😂”. I was so relieved! If I’d seen the SQL servers drop first before my laptop that wouldn’t have been a fun moment to live in at all.

Really, the World-Wide Fail wasn't caused by the bad update. The FAIL was in rolling out the update to EVERYONE at once -- a blitz. Had they done a Canary deployment and slow-roll, the problems would have tiny

For Azure VMs hopefully you have snapshots enabled. Restore a snapshot of the OS disk prior to the event, then do an OS disk swap. Boot the machine. Worked most of the time, once in a while NLA complained, but restoring a different snapshot typically worked. We have separate data disks for our apps so data loss wasn't a concern

I do wonder why huge companies are not diversified more. It is crazy that this can happen all over the world and shut so much down. Even Crowdstrike should be fully diversified I would think where under no circumstances everything goes out to all streams on the same day. I am not IT so I don't know the terminology, but I think you know what I mean. Even in this case it seems redundancy would not have helped because it was a single bad file that went to every computer. But if out of 5000 computers, they had 5 different services or versions of a service where that are getting a different set of downloads on each stream in a single day, this would have only shut down a fifth of them, leaving only a fifth of them disabled for a bit and 80% still operational and able to find the problem before the world comes to a halt. I feel like this incident has opened floodgates and we can and likely will see malciousness on this scale or worse sooner than later. What are your thoughts?

4k VMs, 3,5k notebooks, 4 gallons of coffee, 3 pizzas aaaaaannnddddddd counting........... (oh.. 2 keyboards too, RIP F8 key 😞)

Sorry that you got affected. Sounds like a hell of a thing.

The more I read about it the more insane it becomes - it wasn't a simple bug but literally a driver file of all zeros! How the hell wasn't it hash checked by the client update process before installation and requesting a reboot ? Or how the hell did ClownStrike update push server not also do basic sanity checks before sending it to _every_ customer at the same time ? /facepalm

Some companies are working with machines directly connected to the network, and during the reboot those machines will have from 10 to 12 seconds to which you can push a UNC update to delete the .sys file. Not sure fire by any means, but some are finding some success doing this. Seems to work the best for those machines just boot looping and are directly connected to the network. Edit - You may be able to leverage the Crowdstrike dashboard that will say what machines in your environment were affected. This is also helping enterprises identify which machines went down and have not come back up. Keep in mind "Enterprise" means thousands of machines and some of which can be scattered in various locations and even different countries. What's my take? There are advantages and disadvantages to running in kernel mode. The big advantage is visibility. We now know the possible disadvantage, but what happened to the days of when 3 reboots and the system automatically goes into Safe mode? Microsoft has some explaining to do as well.

2:43 was the CrowdStrike driver? That stop code otherwise, usually means loss of RAM stability, such as badly-seated RAM, or dirty RAM slots.

So I wonder what happens to the executive who chose Crowdstrike in each company? And more generally, how do you actually select an EDR/EPP/XDR?

Did the Azure storage outage cause Crowdstrike processes to download a null file stub meaning the mass BSOD outage was triggered by Microsoft but caused by Crowdstrike not parsing input files safely?

years ago, I worked on a supportdesk and watched a whole bank scream to a halt after Symantec was rolled out. As soon as it loaded the first time, it ran a full scan pegging the IO and CPUs making devices unusable for hours, if someone restarted, it started over

Worked through from 11pm to 10am Was right in the middle of it as all out monitors vms, pc, db, all bsod.

I work in IT for a large company. I personally repaired about 50 of these via the phone to the users in the past two days. It is a mess for sure.

Good job -first person POV. Thanks!

Thanks for this. My MSP uses a competitor for our MDR, but my previous employer wasnt that lucky. Nuts.

imagine if a hacker did get into an enterprise software company that is used worldwide and pushed nefarious code out. You would not be able to get them back online because no one would know the file location.

Thank you for sharing your experience sir.😊

How can they upload a blank file [0...0]? Why CRC does not detected the anomaly? Why Win Kernel allow blank files to be load? Why MS allow 3th party "base file" to be updated?...This was JUST a TEST! 😉

so does this affect people only with crowdstrike installed? Im not seeing any full actual details of how it affects you entirely, what is it that causes you to get it, ect. Is it crowdstrike that you download on your pc? or is it windows defender? what exactly? Since i can only pause windows updates for so long

Automated updates are a time bomb waiting to explode. Good luck, because you will need it!

Worst thing that happened to me at my job was UKG was down for ~9 hours No one could clock in/out etc.

I just spent an hour (50 min on hold, they are SLAMMED) on the phone with my IT guy to get the bitlocker key for my workstation. I told him he’s fighting the good fight and to get some sleep.

My computer is stuck in an infinite reboot loop, preventing me from accessing the command prompt or deleting any files. The repair options never appear, and I've tried all the methods to enter safe mode without success. I've pressed the F keys and repeatedly forced shutdowns with the power button, but nothing works. Despite all my efforts, the computer remains in this constant reboot loop.

Bro, msconfig allows you to boot a server into safe mode with networking. Not sure if you'd be able to access the vm from azure still.

FYI if you were creating new vms and attaching disks you could have scripted that part. Think about using powercli next time

Man this is my NIGHTMARE, we dodged this being on S1 instead but the description of figuring it out. Nightmare fuel

Is your company going to continue to use CloudStrike?

I’m an IT System Analyst, crazy how much we rely on computers. Yesterday was insane. By the way in healthcare.. FUN

makes me realize CS does not use falcon on their own system

People:" waaah waaah i cant browse memes becaue of this!!" People in hospitals on a death bed:...... - - ........

Will you guys continue using CrowdStrike Falcon software? Also, CrowdStrike suggested a few reboots (up to 15!) may give their software the change to pull the latest update and fix the problem. Did that work in practice?

You dont have to press F8, you tell your server to display the menu on next restart. On many systems it's impossible to press F8 anyway. On non server systems, the menu appears automatically after 3 BSOD. But yeah, when you cant press F8 on a server, you have to ask Windows Server to present the menu on the next cycle.

Not to mention the people with bitlocker and no access to their keys.

This put a big target on CrowdStrike now, it it wasn't big enough before

Still working - Shares in redbull went through the roof over the past 24 hours - or at least they would have if the systems were working right.

Great video. The life of an it-guy. Also, like almost every it person, no self reflection on something like "system design" and fall back scenarios.

RIP, in some airports they did go back to giving handwritten boarding passes