
CrowdStrike Falcon for Azure virtual machines protects your VMs from threats.
The Falcon sensor is installed on each Azure VM and provides real-time threat detection and response.
With CrowdStrike, you can discover and prioritize high-risk assets, identifying potential vulnerabilities before they're exploited.
This proactive approach helps reduce the attack surface and prevents costly security breaches.
CrowdStrike's protection capabilities include behavior-based detection, anomaly detection, and threat hunting, ensuring your Azure VMs are safeguarded against a wide range of threats.
In the event of a breach, CrowdStrike's recovery capabilities enable you to quickly contain and remediate the issue, minimizing downtime and data loss.
Azure VM Discovery
Azure VM Discovery is a powerful tool that helps you understand your Azure virtual machine footprint. It provides real-time information about workloads, including context-rich metadata about virtual machines by state, type, region, and resource group.
This feature automatically discovers existing virtual machine deployments without installing an agent by enumerating Azure virtual machines. This means you can get a complete picture of your virtual machine environment without any extra setup.
With Azure VM Discovery, you can identify virtual machine resources that are not protected by the CrowdStrike Falcon platform. This is crucial for securing all workloads and reducing the attack surface.
Here's a breakdown of what Azure VM Discovery can do for you:
- Provides insight into your Azure virtual machine footprint
- Automatically discovers existing virtual machine deployments
- Provides real-time information about workloads
- Identifies virtual machine resources not protected by CrowdStrike Falcon
By using Azure VM Discovery, you can uncover and mitigate risks, and secure all your workloads. This is a game-changer for organizations looking to strengthen their security posture.
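As an added example (not CrowdStrike's or Microsoft's own tooling), the following shell script performs the comparison that Azure VM Discovery does: it takes a list of Azure VM names and a list of hostnames known to the Falcon platform and prints the VMs that have no matching Falcon host. Both lists are constructed inline; in practice the Azure list would come from `az vm list --query "[].name" -o tsv` and the Falcon list from a host export, and the script assumes that the first DNS label of a Falcon hostname equals the Azure VM name.

```shell
#!/bin/sh
# Added example, not CrowdStrike's or Microsoft's tooling: report Azure VMs
# that have no matching host in a Falcon host export.
export LC_ALL=C

# Normalize one hostname per line: lowercase, keep only the first DNS label,
# drop blank lines, and sort uniquely so comm(1) can compare the two lists.
normalize_hosts() {
    tr 'A-Z' 'a-z' < "$1" | cut -d. -f1 | sed '/^[[:space:]]*$/d' | sort -u
}

# unprotected_vms <azure-vm-list> <falcon-host-list>
# Prints the Azure VM names that do not appear in the Falcon host list.
unprotected_vms() {
    tmp_az=$(mktemp); tmp_fal=$(mktemp)
    normalize_hosts "$1" > "$tmp_az"
    normalize_hosts "$2" > "$tmp_fal"
    comm -23 "$tmp_az" "$tmp_fal"
    rm -f "$tmp_az" "$tmp_fal"
}

# unprotected_count <azure-vm-list> <falcon-host-list>
# Number of gaps, usable as an alerting threshold in a scheduled job.
unprotected_count() {
    unprotected_vms "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample input: what `az vm list --query "[].name" -o tsv` and a
# Falcon host export might return (hostnames differ in case and DNS suffix).
AZ_FILE=$(mktemp); FALCON_FILE=$(mktemp)
cat > "$AZ_FILE" <<'EOF'
web-prod-01
Web-Prod-02
db-prod-01
jump-01
EOF
cat > "$FALCON_FILE" <<'EOF'
web-prod-01.corp.example
WEB-PROD-02
db-prod-01
EOF

echo "VMs without a Falcon host: $(unprotected_count "$AZ_FILE" "$FALCON_FILE")"
unprotected_vms "$AZ_FILE" "$FALCON_FILE"   # prints jump-01
```

Run it on a schedule and alert when `unprotected_count` is non-zero; the name normalization is deliberately simple, so VMs whose Falcon hostname does not share the VM name will show up as gaps and need a mapping table.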
CrowdStrike Protection and Recovery
CrowdStrike combines the best and latest technologies to protect against active attacks and threats at runtime, including custom indicators of attack (IOAs), whitelisting and blacklisting, and integrated threat intelligence.
This protection includes 24/7 managed threat hunting to ensure stealthy attacks don't go undetected. It also offers the complete context of an attack, including attribution.
The CrowdStrike Falcon agent can itself cause problems. On July 19, 2024, at 04:09 UTC, a faulty update began rolling out that left Windows machines unresponsive or unable to start, affecting both on-premises and cloud platforms.
Customers can ask Microsoft to apply a boot configuration that downloads the corrected CrowdStrike signature files. To do so, open the Support+Troubleshooting blade in the Azure Portal and provide consent.
Recovery options include attempting multiple manual Virtual Machine restarts, which may resolve the issue. If not, customers can leverage additional recovery options, such as restoring from a backup before July 19, 2024, at 04:09 UTC.
To restore from a backup, follow the Azure Backup instructions, using the Azure CLI or Azure Shell. The repair commands referenced in that guidance are:
- `az vm repair create -g RGNAME -n BROKENVMNAME --verbose`
- `az vm repair create -g RGNAME -n BROKENVMNAME --unlock-encrypted-vm --verbose` (for a VM with an encrypted OS disk)
- `az vm repair run -g RGNAME -n BROKENVMNAME --run-id win-crowdstrike-fix-bootloop --run-on-repair --verbose`
Runtime Protection
Runtime protection is a critical aspect of CrowdStrike's protection and recovery offerings. It combines the best and latest technologies to protect against active attacks and threats when Azure workloads are most vulnerable – at runtime.
This approach includes custom indicators of attack (IOAs), which allow for tailored detection and prevention. Whitelisting and blacklisting are also part of the mix, enabling you to block specific activities and ensure only trusted ones are allowed.
CrowdStrike's integrated threat intelligence helps block known malicious activities, delivering a complete context of an attack, including attribution. This means you can pinpoint the source of the attack and take swift action.
24/7 managed threat hunting is also on the table, ensuring stealthy attacks don't go undetected. This continuous monitoring and hunting capability helps prevent attacks from slipping through the cracks.
Here's a rundown of the features that make up CrowdStrike's runtime protection:
- Custom indicators of attack (IOAs)
- Whitelisting and blacklisting
- Integrated threat intelligence
- 24/7 managed threat hunting
Recovery Options for CrowdStrike Falcon Agent Affected VMs
If you're experiencing issues with your Azure Virtual Machines (VMs) due to the CrowdStrike Falcon agent, don't worry, there are recovery options available.
You can try restarting your affected VMs using the Azure Portal, Azure CLI, or Azure Shell. This might resolve the issue, especially if the reboot of the instance allows the CrowdStrike Falcon agent to update successfully.
In some cases, multiple reboots may be required, so be prepared to restart your VMs a few times. If a reboot doesn't resolve the issue, you can explore additional recovery options.
If you have a backup of your VM from before July 19, 2024, 04:09 UTC, when the faulty update started rolling out, you can restore from it. To do this, follow the instructions for Azure Backup.
Here are the steps to repair the VM in place with the `az vm repair` extension, as an alternative to restoring from a backup:
- Run `az vm repair create -g RGNAME -n BROKENVMNAME --verbose` to create a repair VM with the broken VM's OS disk attached.
- Run `az vm repair run -g RGNAME -n BROKENVMNAME --run-id win-crowdstrike-fix-bootloop --run-on-repair --verbose` to run the mitigation script on the repair VM and apply the fix to that disk.
Alternatively, you can create a rescue VM, run the mitigation script on it, and then replace the affected VM's disk with the fixed one. `az vm repair` automates each of these steps: creating the rescue VM, running the `win-crowdstrike-fix-bootloop` script on it, and swapping the fixed disk back onto the affected VM.
Troubleshooting and Workarounds
If you're experiencing issues with your Azure VM due to the CrowdStrike Falcon agent, don't worry, there are some troubleshooting steps you can take.
First, you'll want to detach the operating system disk volume from the impacted virtual server to avoid any further complications. This will give you a clean slate to work with.
You can then create a snapshot or backup of the disk volume as a precaution against unintended changes. This is a good habit to get into when working with virtual servers.
Next, attach the volume to a new virtual server, which will give you a safe environment to delete the problematic file.
To locate the file, navigate to the `%WINDIR%\System32\drivers\CrowdStrike` directory. The file you're looking for matches the pattern `C-00000291*.sys`.
You can delete this file manually, but to avoid operational mistakes you can instead use the `az vm repair` command to run a fix script, which deletes the file for you.
Here are the steps to run the fix script:
- Use the `az vm repair` command to run the fix script.
- The script deletes the file matching `C-00000291*.sys` from the `\Windows\System32\drivers\CrowdStrike` directory.
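As an added example (not Microsoft's or CrowdStrike's script), the function below performs the file removal step on a rescue VM where the impacted OS disk is mounted, but moves each file matching `C-00000291*.sys` into a quarantine directory and logs it rather than deleting it outright, so the change is reversible if the wrong file is touched. It assumes the disk is mounted at the path given as the first argument (for example `/mnt/osdisk`, an assumed mount point) and that the directory name case may differ, so the lookup is case-insensitive. The directory tree it runs against is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not Microsoft's or CrowdStrike's script: quarantine (rather
# than delete) the file(s) matching C-00000291*.sys under
# Windows\System32\drivers\CrowdStrike on an OS disk mounted on a rescue VM.
set -u

# quarantine_sensor_file <mount-root> <quarantine-dir>
# Moves every match into <quarantine-dir>, records the original paths in
# <quarantine-dir>/matched.txt and prints them; returns 2 if nothing matched.
quarantine_sensor_file() {
    root=$1; qdir=$2
    mkdir -p "$qdir"
    # Case-insensitive path match: the mounted Windows tree may be spelled
    # "Windows" or "windows" depending on how it was mounted.
    find "$root" -type f \
        -ipath "$root/windows/system32/drivers/crowdstrike/c-00000291*.sys" \
        > "$qdir/matched.txt"
    [ -s "$qdir/matched.txt" ] || return 2
    while IFS= read -r f; do
        mv "$f" "$qdir/" && echo "$f"
    done < "$qdir/matched.txt"
}

# Constructed sample tree standing in for a mounted OS disk (assumed mount
# point; a real run would pass e.g. /mnt/osdisk).
ROOT=$(mktemp -d)
DRV="$ROOT/Windows/System32/drivers/CrowdStrike"
mkdir -p "$DRV"
printf 'constructed' > "$DRV/C-00000291-constructed.sys"   # matches the pattern
printf 'constructed' > "$DRV/C-00000001-constructed.sys"   # must be left alone

quarantine_sensor_file "$ROOT" "$ROOT/quarantine"
```

The `matched.txt` record doubles as the change log for the incident ticket, and because nothing is deleted, the snapshot taken earlier plus the quarantine directory give two independent ways to roll back.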
Alternatively, you can follow the recovery options for Azure Virtual Machines (VM) affected by CrowdStrike Falcon agent as guided by Microsoft.
Sources
- https://www.crowdstrike.co.uk/products/cloud-security/falcon-for-azure/
- https://www.directdefense.com/response-to-crowdstrike-falcon-sensor-agent-issue-affecting-microsoft-devices/
- https://zenn.dev/awell/scraps/c9a2b764139c51
- https://techcommunity.microsoft.com/blog/azurecompute/recovery-options-for-azure-virtual-machines-vm-affected-by-crowdstrike-falcon-ag/4196798
- https://www.linkedin.com/pulse/how-recover-azure-vms-crowdstrike-step-by-step-guide-samarasinghe-rw5xf