The CrowdStrike situation at the back end of last week, and likely still a live problem for many, was another reminder to the world that bad things happen!
The technical details of the Falcon Update can be found here - https://lnkd.in/ept6d2tb
The TLDR: their update was pushed to over 8 million devices where Falcon was installed, on servers and clients alike. The problematic file has a filename that starts with “C-00000291-”. These files are stored in C:\Windows\System32\drivers\CrowdStrike\
The file with a timestamp of 2024-07-19 04:09 UTC is the problematic version. They have a fixed version, noted below.
Remediation steps from CrowdStrike can be found here - https://lnkd.in/eQ6SKDSz
Some of those remediation tasks and steps are going to take someone a lot of their weekend and no doubt there are teams of people working through thousands of servers to bring them back online.
I am not going to comment on what the CrowdStrike development team should have done or point fingers and blame... there will be plenty of that coming from the industry and afar.
It got me thinking about how your backups can help in this situation, and how they can help the remediation process at scale.
My initial thought was Veeam's "Staged Restore" feature, released years ago, which exists to remove data during the restore process so that the data does not land back in production. I actually demonstrated this at a VeeamON, showing how to remove GDPR data from systems before restoring them.
More details on Staged Restore - https://lnkd.in/eUc36hJh
We could create a script that targets the file and directory above and deletes it as part of the recovery of a machine that is likely sat in a Blue Screen Of Death (BSOD) situation and would otherwise require manual intervention.
This is not the only feature that can help here; we also have to consider Instant Recovery: recover the machine from a restore point taken before the update was applied, then update it with the new, fixed .sys file from CrowdStrike.
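As an added illustration of the script idea above (my own example, not code from the original post, Veeam or CrowdStrike), here is a PowerShell script meant to run inside the restored guest, for instance as the Staged Restore script, or against an Instant Recovery machine before it goes back into production. It assumes the directory, filename prefix and 04:09 UTC timestamp stated above; files with any other timestamp, including the fixed version, are left untouched, and -WhatIf lets you preview before deleting.

```powershell
# Added example (not from the original post, Veeam or CrowdStrike): remove only the
# Falcon .sys file(s) named "C-00000291-*" in the CrowdStrike driver directory whose
# last-write time is 2024-07-19 04:09 UTC, the problematic version called out above.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Directory and prefix as given in the post; override if the system volume is mounted elsewhere
    [string]$ChannelFileDir = 'C:\Windows\System32\drivers\CrowdStrike',
    [string]$NamePrefix     = 'C-00000291-',
    # Problematic timestamp from the post, compared at minute precision in UTC
    [string]$BadTimestampUtc = '2024-07-19 04:09'
)

function Remove-BadChannelFile {
    if (-not (Test-Path -LiteralPath $ChannelFileDir)) {
        Write-Warning "Directory not found: $ChannelFileDir (Falcon may not be installed here)"
        return @()
    }

    $removed = @()
    $candidates = Get-ChildItem -LiteralPath $ChannelFileDir -File -Filter "$NamePrefix*.sys"
    foreach ($file in $candidates) {
        # Use LastWriteTimeUtc so the machine's local time zone cannot skew the match
        $written = $file.LastWriteTimeUtc.ToString('yyyy-MM-dd HH:mm')
        if ($written -ne $BadTimestampUtc) {
            Write-Verbose "Keeping $($file.Name) (written $written UTC)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($file.FullName, 'Remove problematic Falcon file')) {
            Remove-Item -LiteralPath $file.FullName -Force
            $removed += $file.Name
        }
    }
    return $removed
}

$result = Remove-BadChannelFile
# Summary line for the restore job log; exit 0 so the restore is not marked as failed
Write-Output "Removed $($result.Count) file(s): $($result -join ', ')"
exit 0
```

Run it once with -WhatIf -Verbose on a single restored machine to confirm it matches exactly the file you expect before wiring it into the job for thousands of servers.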
Wishing all the admins working this weekend the best.