Problem description
On July 19, 2024, at 12:30 GMT, Alibaba Cloud has detected abnormal reboots on some ECS instances with Windows systems. After investigation, the problem is caused by an automatic update of the software - Falcon Sensor, which is owned by a third-party security company - CrowdStrike. Until the company releases an official solution, a temporary solution to alleviate the system anomaly is renaming the directory where the software is located.
Solution
Please be aware that this temporary solution may cause the CrowdStrike security software to fail, impacting instance security and other ancillary features. We recommend that before proceeding you should complete a risk assessment.
On the instance with Windows sytem, connect through VNC. In the following screen, click F8 to enter the Startup Settings.
Choose 4) Enable Safe Mode.
Login as administrator.
NoteIf the system automatically logged in as a non-administrator account, please log out and re-enter the login screen, enter Administrator and password to log in.
Check the system disk drive letter and rename the
Windows\system32\drivers\CrowdStrikefolder under the system disk to CrowdStrike.bak.Restart the Windows system to enter normal mode.
Alibaba Cloud will keep monitoring the progress of the incident, if you encounter any problem or need further assistance, you can contact us at any time by submitting a ticket or calling our service hotline