…according to a Twitter post by the Chief Informational Security Officer of Grand Canyon Education.
So, does anyone else find it odd that the file that caused everything CrowdStrike to freak out, C-00000291-
00000000-00000032.sys was 42KB of blank/null values, while the replacement file C-00000291-00000000-
00000.033.sys was 35KB and looked like a normal, if not obfuscated sys/.conf file?
Also, apparently CrowdStrike had at least 5 hours to work on the problem between the time it was discovered and the time it was fixed.
Windows kernel drivers are signed by Microsoft. They must have rubber stamped this for this to go through, though.
What about the Mac and Linux PCs? Did Microsoft sign those too?
only the Windows version was affected
Not sure about Mac, but on Linux, they’re signed by the distro maintainer or with the computer’s secure boot key.
https://wiki.ubuntu.com/UEFI/SecureBoot
So… Microsoft couldn’t have “rubber-stamped” anything to do with the outage.
The outage only affected the Windows version of Falcon. OSX and Linux were not affected.
This time. Last time it did affect Linux. It doesn’t have anything to do with Microsoft.
Sorry to burst your bubble.
In this thread we’re talking about the recent problem with CrowdStrike on Windows that brought down various services around the world. So I don’t know who’s bubble you think you’re bursting by talking about something else.
You l people have a horrible time following threads.
what are you on about? who suggested anything about microsoft?
Try to keep up.
You look so kewl if I were a child again I’d speak just like you
This was not the driver, it was a config file or something read by the driver. Now having a driver in kernel space depending on a config on a regular path is another fuck up
isn’t .sys a driver?
So yes, .sys is by convention on Windows is for a kernel mode driver. However, Crowdstrike specifically uses .sys for non-driver files and this specifically was not a driver.
Not just drivers, no https://fileinfo.com/extension/sys