cythera-logo-darkmode
Are you experiencing a security incident?
Incident Response
Assess & Improve
Detect & Respond
Protect & Secure
Advise & Empower
Resources
Case Studies
Real-world examples
Articles
In-depth insights
Advisories
Newly discovered threats
About us
Leadership Team
Meet the experts
Events
Join upcoming events
Award & Certifications
Industry recognitions
Vendor Partners
Trusted vendors
Talk to an expert
Service Category
Services
Popular Services
Employee Cyber Training & Awareness
Train smart and stay secure
Advisory
Secure smarter with strategic security advisory
Managed Protection
Always-on protection. Smarter security
Security Architecture
Security that drives real results, cloud to full stack
Digital Forensics & Incident Response
DFIR experts, ready when you need them.
Cyber Threat Intelligence
Real time insights from Cassini CTI
Managed Detection & Response
Our experts watch, so you don’t have to.
Certification & Accreditation
Get certified with ease
Audit & Assurance
Audits you trust. Assurance that drives action.
Governance, Risk & Compliance
Simplfy compliance, strengthen protection
Cyber Maturity Assessments
Level up your cyber security game
Penetration Testing
Penetration testing that spots weaknesses
Case Studies
    
Articles
    
Advisories
    
Web Filter, CASB & DLP (Cloud Access Security Broker & Data Loss Prevention)
Web Application Penetration Testing
Vulnerability Management
Vulnerability Assessment
vITSM
Virtual Security Architect (vSecArch)
vCISO
System Security Plan
System Architecture, Design & Implementation
Strategic Security Consulting
SWIFT CSCF
Specialist Testing
Source Code Review
Social Engineering & Phishing
Security Policy and Standard Development
Security Incident Response Testing
Security Awareness Training
Secure Access Service Edge (SASE)
Risk Management
Risk Assessment
Red Teaming
Purple Teaming
NIST CSF Maturity Uplift
Payment Card Industry (PCI)
OT/SCADA Network Penetration Test
NIST CSF Assessment
ISO 27001
Internal Penetration Testing
Incident Response Tabletop Exercise
Incident Response
Forensics
External Penetration Testing
Executive & Board Reporting
Executive and Board Security Governance Training
Essential Eight Assessment
Endpoint Protection
Email Security
DevSecOps Review & Implementation
Denial of Service (DoS) Testing
Design Reviews
Dark Web Monitoring
Controls Validation Audit
Continuous Certification
Compliance Programme Management
Configuration Reviews
Cloud Security Configuration
Cloud Posture & Security
CIS Critical Controls Assessment
Automated Patch Management
CI/CD Health Check
Artificial Intelligence (AI) Penetration Test
All of Government Marketplace
Advanced OSINT Training Course
Application Penetration Tests
NIST CSF Assessment
ISO 27001
Internal Penetration Testing
External Penetration Testing
Essential Eight Assessment
Denial of Service (DoS) Testing
Dark Web Monitoring
cythera-logo-darkmode
Advise & Empower
Explore Solutions
Protect & Secure
Explore Solutions
Detect & Respond
Explore Solutions
Assess & Improve
Explore Solutions
Resources
Articles
Advisories
About Us
Explore Bastion
Leadership Team
Events
Award & Certifications
Our Community
Vendor Partners
Employee Cyber Training & Awareness
Advisory
Managed Protection
Security Architecture
Digital Forensics & Incident Response
Cyber Threat Intelligence
Managed Detection & Response
Certification & Accreditation
Audit & Assurance
Governance, Risk & Compliance
Cyber Maturity Assessments
Penetration Testing
Popular Services
NIST CSF Assessment
ISO 27001
Internal Penetration Testing
Incident Response
Talk to an expert
Resources
About Us
Articles
>
Global Crowdstrike Outage
Cythera Cyber Security

Global Crowdstrike Outage

CrowdStrike released a dashboard query to assist customers in finding assets that may be impacted by the malformed channel file.
Talk to an expert

Preliminary Post Incident Review Executive Summary - CrowdStrike

CrowdStrike has released an executive summary for the preliminary post incident review.

You can view the executive summary PDF here - crowdstrike.com

Preliminary Post Incident Review - CrowdStrike

CrowdStrike have provided a preliminary post incident review.

A full root cause analysis will be provided once the full investigation has been completed by CrowdStrike.

You can view the preliminary post incident review here - crowdstrike.com

Dashboard to Discover Affected Assets

CrowdStrike released a dashboard query to assist customers in finding assets that may be impacted by the malformed channel file. At Cythera, we have adapted this dashboard to provide additional counts and better visibility to host data to assist in remediation. This dashboard has been uploaded to all of our managed customers and is accessible using the following method.

  1.  Login to the Falcon via falcon.crowdstrike.com
  2. Access the navigation menu by clicking the icon in the top left corner. Then click on Next-Gen SIEM -> under Log Management click on the menu item Dashboards
  3. In the search bar, copy and paste the following “cythera_hosts_possibly_impacted_by_windows_crashes” and click on the resulting dashboard.
  4. Read the Dashboard Details widget to learn how the dashboard functions.

Status Definitions

Status

Definition

OK

Asset is functioning as normal. No intervention required.

Check

Asset received the malformed channel file. Manual intervention may be required.

Verify

CrowdStrike has not been able to determine if the asset is in a normal or abnormal state.

Crowdstrike has begun dissecting the outage with their technical analysis here.

Microsoft has released a more automated recovery tool. You will still need the Bitlocker key for the device. Instructions HERE. 


CrowdStrike Engineering has identified a content deployment related to this issue and reverted those changes. Ongoing Updates from Crowdstrike can be found HERE

Cythera have re-enabled auto updates for all our managed clients and they will automatically receive the correct update; No other action is required unless you have devices that have blue screened and are not resolved with a reboot.

- If you want to search for devices that have received a fix and will not be affected, from the Crowdstrike Falcon user interface you can run the following search query: 

(#event_simpleName = * or #ecs.version = *) | ("C-00000291*.sys") and (CompletionEventId = "Event_ChannelDataDownloadCompleteV1") | groupBy([ComputerName]) 

If hosts are still crashing and unable to stay online to receive the Channel File Changes, the following steps can be used to workaround this issue: 

Workaround Steps (This fix is only for machines that have blue screened and are not resolved with a reboot.) :

Note: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation. There are also reports that simply rebooting affected machines multiple times may allow the device to finally get the fixed patch and boot normally.

1. Boot Windows into Safe Mode or the Windows Recovery Environment

2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory

3. Locate the file matching “C-00000291*.sys”, and delete it. 

4. Shutdown the host. Start host from the off state.


Note: Bitlocker-encrypted hosts may require a recovery key.

BitLocker recovery via GPO Document

BitLocker recovery via SCCM

BitLocker in Azure     Additional Microsoft Azure Detail

Crowdstricke Support

This is a tested fix provided by Crowdstrike support. This just removes the patch with issues, your endpoint protection remains in place and functional.

Workaround Steps for public cloud or similar environment including virtual:

Option 1:

Detach the operating system disk volume from the impacted virtual server

Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes

Attach/mount the volume to to a new virtual server

Navigate to the %WINDIR%\\System32\drivers\CrowdStrike directory

Locate the file matching “C-00000291*.sys”, and delete it.

Detach the volume from the new virtual server

Reattach the fixed volume to the impacted virtual server

Option 2:

Roll back to a snapshot before 0409 UTC.

Workaround Steps for Azure via serial

Login to Azure console --> Go to Virtual Machines  --> Select the VM

Upper left on console --> Click : "Connect" --> Click --> Connect --> Click "More ways to Connect"  --> Click : "Serial Console"

Step 3 : Once SAC has loaded, type in 'cmd' and press enter.

type in 'cmd' command

type in : ch -si 1

Press any key (space bar).  Enter Administrator credentials

Type the following:

bcdedit
/set {current} safeboot minimal

bcdedit
/set {current} safeboot network

Restart VM

Optional:

 How to confirm the boot state? Run command:

wmic COMPUTERSYSTEM GET BootupState

Events

Latest events

Join Cythera experts for networking events, technical briefings, and hands-on workshops hosted throughout the year.
View all events
No items found.
Cyber security news

Latest advisories

Stay ahead of emerging threats with our expert blog posts, research, and industry updates.
Silverstripe - Host Header Injection
Silverstripe CMS is affected by a Host Header Injection flaw, which can be exploited to manipulate password reset workflows, potentially redirecting or compromising user data.
FarCry Core Framework - Multiple Issues
FarCry Core contains multiple vulnerabilities that could let unauthenticated users upload arbitrary files and execute remote code on the hosting server.
Silverstripe – Cross-Site Scripting (XSS) Vulnerability
With local organisation admin credentials, an attacker can exploit the API to create, delete, or revert virtual machine snapshots in other organisations’ Virtual Data Centres (VDCs), breaching isolation boundaries.
Advise & Empower
Protect & Secure
Detect & Respond
Assess & Improve
Back to top
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Dark
Resources
Case StudiesArticlesAdvisoriesOur ISO 27001 Certificate
About UsLeadership TeamEventsAwards & CertificationsOur CommunityVendor Partnership
Are you experiencing a security breach?
Incident Response
1300 298 437
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
© Copyright 2025. All rights reserved