Someone on X has shared the kernel stack trace of the crash
The faulting driver in the stack trace was csagent.sys.
Now, CrowdStrike has two minifilter drivers registered with Microsoft (for signing and altitude allocation).
1) csagent.sys - Altitude (321410)
This altitude falls within the range for Anti-Virus filters.
2) im.sys - Altitude (80680)
This altitude falls within the range for access control drivers.
So, it is clear that the driver causing the crash is their AV driver, csagent.sys.
The workaround that CrowdStrike has given is to delete C-00000291*.sys files from the directory:
C:\Windows\System32\Drivers\CrowdStrike\
The files it suggests deleting are not driver files (.sys files) but probably some kind of virus definition database files.
The reason they name these files with the .sys extension is possibly to leverage the Windows System File Checker tool's ability to restore deleted system files.
This seems to be a workaround; the actual fix will probably be made in their driver, csagent.sys, and rolled out later.
Anyone with access to a Falcon endpoint might see a change in the timestamp of the driver csagent.sys when the actual fix rolls out.
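An added PowerShell example (not CrowdStrike's code and not from the original post) that lets an administrator verify the two points above on a host: it reads the registered minifilter altitudes from fltmc and places them in Microsoft's load-order groups, then lists every file in the CrowdStrike driver directory with its timestamp and whether it is a signed PE image (a real driver) or not (a definition file that merely ends in .sys). It assumes an elevated session on a host with the Falcon sensor, that the minifilters register under the names csagent and im, and that csagent.sys sits in the same directory as the C-00000291*.sys files.

```powershell
# Added example, not CrowdStrike's code. Assumes an elevated PowerShell session on a
# host with the Falcon sensor; the filter names 'csagent' and 'im' and the location of
# csagent.sys in the CrowdStrike driver directory are assumptions.
$CsDir = 'C:\Windows\System32\Drivers\CrowdStrike'
# Microsoft load-order-group altitude ranges for the two groups named in the post.
$AltitudeGroups = @(
    @{ Name = 'FSFilter Anti-Virus';        Min = 320000; Max = 329999 }
    @{ Name = 'FSFilter Security Enhancer'; Min = 80000;  Max = 89999 }   # access control
)
function Get-AltitudeGroup {
    param([double]$Altitude)
    foreach ($g in $AltitudeGroups) {
        if ($Altitude -ge $g.Min -and $Altitude -le $g.Max) { return $g.Name }
    }
    return 'other'
}

# Parse 'fltmc filters' rows (<name> <instances> <altitude> <frame>); header lines don't match.
function Get-RegisteredMinifilters {
    fltmc filters | ForEach-Object {
        if ($_ -match '^(\S+)\s+(\d+)\s+([\d.]+)\s+(\d+)\s*$') {
            [pscustomobject]@{
                Name     = $Matches[1]
                Altitude = [double]$Matches[3]
                Group    = Get-AltitudeGroup ([double]$Matches[3])
            }
        }
    }
}

# A genuine driver is a PE image ('MZ' header) with an Authenticode signature;
# a definition file that merely ends in .sys is neither.
function Test-IsPeImage {
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 2
        return ($fs.Read($buf, 0, 2) -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
    } finally { $fs.Dispose() }
}
Get-RegisteredMinifilters | Where-Object { $_.Name -in 'csagent', 'im' } | Format-Table -AutoSize
Get-ChildItem -Path $CsDir -File | ForEach-Object {
    [pscustomobject]@{
        File          = $_.Name
        LastWriteTime = $_.LastWriteTime    # a new csagent.sys timestamp marks the real fix
        IsPeImage     = Test-IsPeImage $_.FullName
        Signature     = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
    }
} | Format-Table -AutoSize
```

Run it once now and again after the sensor updates; a changed LastWriteTime on csagent.sys (still a signed PE image) is the signal the post describes, while the C-00000291*.sys entries should show IsPeImage False.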