Security Center:Solutions to the blue screen error in Windows on July 19 and the related suggestions

Last Updated:Jul 31, 2024

Alibaba Cloud detected unexpected reboots on specific Windows Elastic Compute Service (ECS) instances at 12:30 (UTC+8) on July 19, 2024. The issue is caused by an automatic update of the Falcon Sensor software from the third-party security company CrowdStrike. Until CrowdStrike releases an official fix, you can rename the installation directory of the software so that the system can temporarily work as expected. This topic provides a temporary solution for the issue and security hardening suggestions.

Issue description

At 12:30 (UTC+8) on July 19, 2024, a large number of Windows users encountered the blue screen error after a CrowdStrike software update was applied.

Temporary solution

Important

This temporary solution may render the security software provided by CrowdStrike ineffective and affect instance security and related features of the security software. Before you implement the solution, we recommend that you conduct a risk assessment on your system. Alibaba Cloud will continue to track the issue. You can visit the official website of CrowdStrike for the latest updates. If you have questions or require assistance while implementing the solution, submit a ticket.

You can rename the corresponding folder to allow the system to work as expected. For more information, see Temporary solution for the July 19th Windows blue screen problem.

Security hardening suggestions

Perform a snapshot backup

If you use Falcon Sensor, we recommend that you perform a snapshot backup on your system. This ensures that you can use the snapshot to quickly restore your system when a blue screen error occurs. For more information, see Create a snapshot for a disk and Roll back a disk by using a snapshot.

Focus on system security after issue resolution

If you implement the temporary solution, the protection provided by the security driver may become ineffective. After you fix the issue, closely monitor the security status of your system and confirm that the sensor is active again.
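The following PowerShell check is an added example, not part of the original page or of CrowdStrike's tooling. It reports whether the Falcon Sensor service and kernel driver are present and running on the instance, which is the first thing to verify after the workaround is reverted; the service name `CSFalconService` and driver name `csagent` are assumptions typical of Falcon Sensor on Windows and should be checked against your deployment.

```powershell
# Added example (not from the Alibaba Cloud page or CrowdStrike): report the state of
# the Falcon Sensor service and driver so you can tell whether protection is active.
# Assumed names; verify them against your own Falcon Sensor installation.
$ServiceName = 'CSFalconService'
$DriverName  = 'csagent'

function Get-FalconSensorState {
    # Windows service that hosts the sensor's user-mode component
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    # Kernel driver that provides the actual protection hooks
    $drv = Get-CimInstance -ClassName Win32_SystemDriver `
               -Filter "Name='$DriverName'" -ErrorAction SilentlyContinue

    $svcRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    $drvRunning = ($null -ne $drv) -and ($drv.State -eq 'Running')

    [pscustomobject]@{
        ServicePresent = ($null -ne $svc)
        ServiceStatus  = if ($svc) { $svc.Status.ToString() } else { 'Missing' }
        DriverPresent  = ($null -ne $drv)
        DriverState    = if ($drv) { $drv.State } else { 'Missing' }
        # Only treat the host as protected when both components are running
        Protected      = ($svcRunning -and $drvRunning)
    }
}

$state = Get-FalconSensorState
$state | Format-List

if (-not $state.Protected) {
    Write-Warning 'Falcon Sensor is not fully active; endpoint protection may be ineffective.'
    exit 1
}
```

Run it in an elevated PowerShell session on each instance where the workaround was applied; a non-zero exit code makes it easy to wire into a fleet-wide inventory script.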

Use Security Center to improve security

Security Center is a cloud security management platform that can be used to continuously monitor the security status of assets. Security Center provides in-depth threat defense, comprehensive analysis, and quick response capabilities. Security Center uses a cloud-native architecture to provide multiple features such as asset management, baseline check, proactive defense, security hardening, configuration assessment, and security status visualization. Security Center can detect and block risks such as viruses, attacks, encryption ransomware, vulnerability exploits, and AccessKey pair leaks. Security Center is an end-to-end automated system that can be used to perform security operations and protect workloads on servers, containers, and virtual machines that are deployed on hybrid clouds. The following list describes the core capabilities of Security Center:

  • Asset management and status monitoring: Security Center monitors the status of assets added to Security Center such as servers and containers in real time. If the protection status of the Security Center agent is abnormal, alerts are generated in real time.

  • Continuous detection of potential threats: Security Center detects vulnerabilities, cloud service misconfigurations, baseline risks, and Internet exposure risks on assets. More than 250 built-in threat detection models can detect the following types of security threats in real time: web tampering, suspicious processes, webshells, unusual logons, and malicious processes.

  • In-depth defense against attacks: The malicious host behavior defense feature automatically blocks and removes threats such as common ransomware, DDoS trojans, mining and trojan programs, malicious programs, webshells, and computer worms.

  • Comprehensive analysis of alerts: An AI tool can be used to analyze and describe alerts online. Security Center also provides alert source tracing reports to help you identify similar risks on other servers. This helps you thoroughly understand the risks on your assets and handle the risks.

  • Quick event response and notification: Security Orchestration Automation Response (SOAR) can be used to perform automated handling on alerts and security events.

You can apply for a 7-day free trial of the Enterprise or Ultimate edition of Security Center. The free trial lets you fully understand the security capabilities of Security Center in protection scenarios, evaluate its effectiveness in preventing, detecting, and responding to different security threats, and select the most suitable cloud security solution. For more information, see Apply for a 7-day free trial of Security Center.

If you want to use the security capabilities of Security Center to protect servers and cloud systems, we recommend that you use the Enterprise or Ultimate edition. You can perform the following operations to get started with Security Center:

  1. Purchase the Enterprise or Ultimate edition of Security Center by using the subscription billing method. For more information, see Purchase Security Center.

  2. Install the Security Center agent on your server and add the server to Security Center. For more information, see Install the Security Center agent.

  3. Enable the malicious host behavior defense feature. For more information, see Enable features on the Host Protection Settings tab.

  4. Enable the client protection feature. For more information, see Enable the client protection feature for a server.

  5. View and handle alerts. For more information, see View and handle alerts.

  6. View and handle vulnerabilities. For more information, see View and handle vulnerabilities.

References

  • Security Center provides various features such as agentless detection, anti-ransomware, and virus detection and removal to protect servers. For more information, see What is Security Center?

  • To obtain a more secure and reliable desktop solution, we recommend that you use Alibaba Cloud Elastic Desktop Service (EDS). For more information, see What is EDS?