Microsoft released an explanation detailing the specifics of the Blue Screen of Death (BSOD) issue from the CrowdStrike incident. It was based on the kernel crash dumps submitted by users through Windows Error Reporting (WER) in large numbers (4 million on the day of the incident) and analyzed with standard tools such as the WinDbg kernel debugger.
Microsoft's analysis aligned with CrowdStrike's preliminary report, indicating that the CSagent.sys driver accessed memory in a prohibited area (an out-of-bounds read access violation). Microsoft explained that CrowdStrike opted to create a file system filter driver to monitor file changes on the machine (a machine that could be infected by viruses or malware). This approach is commonly used in anti-virus software, including Microsoft's own.
CrowdStrike developed a total of 4 driver modules, each with a different function; the one that receives updates from CrowdStrike is, as previously announced, the driver that crashed because of a channel file update issue.
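The crash described above came from a kernel driver reading past the bounds of the data it was interpreting. The following is an added example, not Microsoft's or CrowdStrike's code, and the update-file layout it parses is invented for illustration (it is not the real channel file format). It shows the defensive pattern a driver in that position needs: validate every offset in an update file once, before any of it is used, and reject a malformed file instead of dereferencing it.

```c
/* Bounds-checked interpreter for a small, hypothetical "content update" table.
 * The layout below is constructed for this example and is NOT CrowdStrike's
 * channel file format:
 *   [0]      n_entries
 *   [1..n]   one payload offset per entry (1 byte each)
 *   [n+1..]  payload region (everything that remains)
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum content_status {
    CONTENT_OK = 0,
    CONTENT_ERR_TRUNCATED = 1,  /* file is shorter than its header claims   */
    CONTENT_ERR_BAD_OFFSET = 2, /* an entry points outside the payload       */
    CONTENT_ERR_BAD_INDEX = 3   /* caller asked for an entry that does not exist */
};

struct content_view {
    const uint8_t *offsets;  /* n_entries bytes */
    const uint8_t *payload;
    size_t n_entries;
    size_t payload_len;
};

/* Validate the whole file up front; nothing is dereferenced until it is proven in range. */
int content_open(const uint8_t *buf, size_t len, struct content_view *v) {
    if (len < 1) return CONTENT_ERR_TRUNCATED;
    size_t n = buf[0];
    if (len < 1 + n) return CONTENT_ERR_TRUNCATED;
    v->n_entries = n;
    v->offsets = buf + 1;
    v->payload = buf + 1 + n;
    v->payload_len = len - 1 - n;
    for (size_t i = 0; i < n; i++) {
        if (v->offsets[i] >= v->payload_len) return CONTENT_ERR_BAD_OFFSET;
    }
    return CONTENT_OK;
}

/* Read one byte through the table; every access stays inside the payload region. */
int content_get(const struct content_view *v, size_t entry, uint8_t *out) {
    if (entry >= v->n_entries) return CONTENT_ERR_BAD_INDEX;
    size_t off = v->offsets[entry];
    if (off >= v->payload_len) return CONTENT_ERR_BAD_OFFSET; /* re-check: defence in depth */
    *out = v->payload[off];
    return CONTENT_OK;
}

/* Sample files, constructed for this example. */
static const uint8_t GOOD_FILE[]  = { 2, 0, 3, 'a', 'b', 'c', 'd' }; /* entry0 -> 'a', entry1 -> 'd' */
static const uint8_t BAD_FILE[]   = { 2, 0, 9, 'a', 'b', 'c', 'd' }; /* offset 9 lies past the 4-byte payload */
static const uint8_t SHORT_FILE[] = { 5, 0 };                        /* header promises 5 entries, file has 1 byte */

/* Convenience wrapper: returns a content_status for a whole file. */
int check_file(const uint8_t *buf, size_t len) {
    struct content_view v;
    return content_open(buf, len, &v);
}

/* Convenience wrapper: returns the byte (0..255) or the negated error status. */
int get_entry_value(const uint8_t *buf, size_t len, size_t entry) {
    struct content_view v;
    uint8_t c;
    int st = content_open(buf, len, &v);
    if (st != CONTENT_OK) return -st;
    st = content_get(&v, entry, &c);
    if (st != CONTENT_OK) return -st;
    return c;
}

int main(void) {
    printf("good file:  status %d, entry 1 = '%c'\n",
           check_file(GOOD_FILE, sizeof GOOD_FILE),
           get_entry_value(GOOD_FILE, sizeof GOOD_FILE, 1));
    printf("bad file:   status %d\n", check_file(BAD_FILE, sizeof BAD_FILE));
    printf("short file: status %d\n", check_file(SHORT_FILE, sizeof SHORT_FILE));
    return 0;
}
```

The design point is that a rejected update is a recoverable event (the driver keeps running with its previous content), whereas an unchecked read in kernel mode is not: a fault there takes the whole operating system down rather than a single process, which is exactly why the bounds check belongs before the first dereference, not after.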
Additionally, Microsoft further explained that the security company chose to create a kernel driver to monitor file changes in the system, citing three primary reasons:
– Enhanced visibility: loading the kernel module during boot helps capture bootkit/rootkit malware that loads before user-mode applications run.
– Improved efficiency when large volumes of data pass through the network, since the data can be collected faster at the network driver level.
– Strong tamper resistance: even if hackers or malware get into the computer system, the security software runs at a lower level of the system (kernel mode), beneath user-mode code.
Since the Windows 8 era, Microsoft has allowed security software to load during the early boot stages through a mechanism known as Early Launch AntiMalware (ELAM), and CrowdStrike follows this process correctly.
However, running at the kernel driver level grants extensive access, so security software developers must exercise caution. If something goes wrong there, it is not possible to restart only the affected application as it is in user mode; the whole OS must be rebooted. Microsoft is therefore trying to move various functions from the kernel into user mode and to strengthen the security systems that run in user mode as well.
In the long term, Microsoft plans to collaborate with anti-virus software companies to further enhance security channels and features, aiming to increase stability and trustworthiness and to reduce kernel driver access while maintaining overall security through various integrated measures.
TLDR: Microsoft explains the BSOD issue from the CrowdStrike incident, detailing the kernel crash dump analysis and aligning with CrowdStrike’s report. They highlight the use of kernel drivers for monitoring file changes and affirm their commitment to enhancing security measures in collaboration with anti-virus software companies.