Today, we are witnessing the impact of an IT outage to an upgrade in Crowdstrike endpoint sensors. This is causing major disruption across key industries such as healthcare, finance, IT, and aviation. While the outage is due to a failed attempt to upgrade the sensor due to installing a new kernel driver, it raises the following question - is there a less aggressive setting needed for you to be able to detect malicious behavior but not cause key outages? Ultimately, the goal is to be able to detect key activity in your Windows endpoints for incident response, vulnerabilities, and malicious risk. This requires the need to have a passive mode which unlike kernel drivers when affected, will not crash the system and kernel and cause system outages. With eBPF not being available for Windows, how do you solve for endpoint protection without having to use a kernel driver? With this approach you also get security visibility through insights into the state and activity of your Windows endpoints that can be applied to a fleet to detect what is anomalous, what is common vs what is rare. At Uptycs, our Uptycs Sensor team is actively monitoring affected assets in our customers. To workaround the issue you should do the following: : An example of a bulk remediation powershell script that can be used to disable the faulty driver on affected endpoints is : There are better alternatives to using kernel modules to solve your security for Windows endpoints. While eBPF developments are being pursued for Windows, leveraging less intrusive but equally effective sensors as highlighted above provides a distinct advantage that is also more adaptable while providing in-depth visibility and security into your Windows fleet. The Uptycs team is ready to help. If you would like to learn more about the Uptycs Platform, speak to one of our experts, and see a demo of how to investigate and remediate issues like this one contact us today. Key Considerations
Better Approaches
Kernel driver based callbacks are only one of the many available techniques on Windows to obtain fine grained operating system telemetry and apply detection rules over a combination of them. Over the years Microsoft Windows has evolved to provide many user-mode interception and observation techniques both inline and passive. Still a lot of vendors choose kernel mode callbacks for their ease of implementation and one-stop nature of the solution.
Leveraging Uptycs sensor allows you to have deep visibility into the telemetry of your Windows endpoints. However, more importantly, the Uptycs sensor for Windows can be configured to run completely in passive mode in your most critical workloads. This gives the following advantages:
Solving For This Issue
ConclusionConnect with our Team