User Mode vs Kernel Mode. Apparently, CrowdStrike's Falcon Sensor runs in Kernel Mode, as indicated by the .sys file extension of the file in question that was corrupt (aka glitchy, buggy). The Falcon Sensor is a DRIVER (Location: c:\windows\system32\drivers\CrowdStrike\C-00000291*.sys). In Windows, drivers run in Kernel Mode. The faulty driver caused a Kernel Panic. The Kernel Panic caused the Blue Screen of Death (BSOD) on the Windows platform (a system protection mechanism triggered by corrupted drivers, incompatible software, etc.). In turn, this activated the Windows recovery mode.

Solution on the USER's END: remove the faulty driver (and all of its sub-files). Solution at CrowdStrike: roll back the update that included the faulty driver. Rinse (of discrepancies). Test. Repeat (the rollout) without incident.

The question remains: WHY was the driver faulty/corrupt :). CrowdStrike does not seem to be addressing this vital issue. They claim that the file worked fine in the test rollout but not in the actual rollout. Either this is a lie and it was rolled out without testing, OR something happened between the end of testing and the beginning of rollout to corrupt this file. What is that something? Who did that something? How? When? And well, we know Why :). The intention behind corrupting a file, code, data, system, platform, etc. is to cause disruption (havoc, chaos, panic, loss...). So, we got the testing. We got the rollout. We don't know the in-between (What, Who, How). We know the end result: disruption. We need to get to that in-between to learn what happened and how. That's the only time we'd know whether this was or was not a cyberattack.

NOTE: C-00000291*.sys means any file starting with C-00000291 and ending in .sys