Can someone please advise for creating task via BigFix console to uninstall CrowdStrike windows sensor ?
First of all make sure how to remove it manually and silently. Some times there are anti tempering restrictions on those kinds of agents.
If you need additional help contact and vendor.
After that, you can take those command and deploy them through BigFix.
Hi all, Uninstalling Crowdstrike isn’t that easy as typically it needs a Password to be removed etc… Uninstalling it isn’t going to fix the issues. Crowdstrike has already stopped pushing the update.
TL;DR:
Tech Alert | Windows crashes related to Falcon Sensor | 2024-07-19
Cloud:
US-1EU-1US-2
Published Date: Jul 18, 2024
Summary
CrowdStrike is aware of reports of crashes on Windows hosts related to the Falcon Sensor.
Details
Symptoms include hosts experiencing a bugcheck\blue screen error related to the Falcon Sensor.
Current Action
CrowdStrike Engineering has identified a content deployment related to this issue and reverted those changes.
If hosts are still crashing and unable to stay online to receive the Channel File Changes, the following steps can be used to workaround this issue:
Workaround Steps:
Boot Windows into Safe Mode or the Windows Recovery Environment
Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
Locate the file matching “C-00000291*.sys”, and delete it.
Boot the host normally.
2 Likes
So to uninstall this can be done by BigFix However this requires a download of the CSUninstallTool from Falcon site which only admins have access to. I’m not sure if it is Version Specific (don’t think so). But this would be a simple fixlet to create.
If someone has access to this tool and would like to send me a link Please reach out to zane.sanderson at hcl . software.
I’d be glad to create something.
CsUninstallTool.exe MAINTENANCE_TOKEN=a0c76aa097218dc446082 /quiet
Example #1 contains:
- Installer = CsUninstallTool.exe
- Silent install = Yes
- End-user installation prompts = No
- Maintenance token = Yes
- Installation log directory =
%TEMP%- Default value since not defined.
If this is the 1st requirement BigFix cant help in here, right?
Here the action script to fix the issue …I have tested
action uses wow64 redirection false
waithidden cmd.exe /C del “C:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys”
2 Likes
@veluri You tested it on an affected machine that was crashing? And after reboot the machine was able to load correctly?
We have done on all server where all Up & running which are connected to BigFix however for down machines windows team did manual solution as there is no solution can be done from BigFix
Are you sure this works as those file are in use by Crowdstike while running and can’t be deleted without first shutting down crowdstrike?
Correct i Did some testing running commands as NT Authority System, which is the context that BigFix runs in. And these files can NOT be deleted by simply doing a del. This is part of Crowdstikes, inbuilt tamper protection.
2 Likes
Correct The Falcon Sensor needs to be Disabled first or Not Running. The easiest why to do that is in recovery mode.
Technically you can’t just disable it either, but practically yes. It’s accurate to say the app doesn’t work that way. It’s not designed to be “off”.
So you can’t really stop the service, but you can move a device to a group that has a set of policies that disable everything. Prevention, firewall, device control, whatever and have all settings toggled off.
However, even in that mode, there is some level of dlls still loaded that may cause conflict (or more accurately will potentially still be blamed by app vendors simply for existing in memory).
So the only other way (that i know of) to Remotely remove those files, is to Uninstall Crowdstrike. Which as mentioned above requires a Maintenance Token.
Edit… There is one option in Crowdstike console. This is to turn off sensor tampering in the policy and then shut down the sensor with admin privileges. But Almost all Customers have tamper protection turned on in the policy, so this would require contacting IT Security.
But its working as expected without disabling CS
If its working in your Env then you must not have tamper protection enabled. This depends on how your policies are configured in Crowdstrike.
I’m not close enough to the source on this to give any concrete answers, but I wanted to share what I was seeing from my perspective.
Our organization is currently running the following PowerShell script via BigFix to resolve the issue and it has been relatively successful (from a BigFix console perspective). Of course, this won’t resolve the issue on systems which are stuck in a BSOD boot loop. Those will need to be remediated manually. This may be more of a preventative measure than a fix. I also have to assume we temporarily disabled (or never enabled) tamper protection.
# Define the directory and file pattern
$directory = "C:\Windows\System32\drivers\Crowdstrike"
$filePattern = "C-00000291*.sys"
# Navigate to the directory
Set-Location -Path $directory
# Locate and delete the file matching the pattern
$file = Get-ChildItem -Path $directory -Filter $filePattern
if ($file) {
Remove-Item -Path $file.FullName -Force
Write-Output "File $($file.FullName) deleted successfully."
} else {
Write-Output "No file matching the pattern $filePattern found."
}
2 Likes
CrowdStrike published a fixed version and the file name starts with the same name patern " C-00000291*".
If you run this script as it is it would also delete the fixed versions.
After a long research, we are certain that the only files you have to delete are:
C-00000291-00000000-00000035.sys
C-00000291-00000000-00000036.sys
1 Like
Check the thread at CrowdStrike Issue 2024-07-19 and the updated CrowdStrike bulletin at Statement on Falcon Content Update for Windows Hosts - crowdstrike.com
There are both good and bad versions of these same files. The C-00000291-*.sys files dated after 7/19/2024 05:27 UTC are good, older versions are problematic (with the known-bad one having a timestamp 04:09 UTC). The CSFalcon product will keep downloading new versions of the file if you remove them manually.
The Analysis we have on our GitHub page and linked in that forum post does check the timestamp on the files to determine whether they’re good/bad.
As far as manually deleting the files, we have not been successful at removing them manually as they appear to be locked by CrowdStrike’s kernel-mode drivers; but if you have been able to remove them manually outside of safe mode, then it may be some combination of anti-tamper policy & automation policy allows that. Our test systems have generally been locked-down as far as policy.
2 Likes