CrowdStrike recently released a new version of the Falcon Sensor for Windows, version 5.19. When the DLP Agent is on the same endpoint system as this version of the sensor, a system crash may occur.
Falcon Sensor 5.19 uses a Windows kernel feature called "Thread Agnostic I/O," in which I/O Request Packets (IRPs) are not associated with a particular thread. With the DLP Agent service running, the DLP Agent mini-filter driver (vfsmfd.sys) could receive an IRP from the Falcon Sensor kernel component with the current thread context set to NULL. The DLP driver does not check for a NULL thread context before using it, and the resulting NULL dereference in kernel mode causes a Windows system crash.
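The NULL thread context case described above, as an added user-mode model that is not part of this advisory and is not the Symantec or CrowdStrike driver code. The struct, enum and accessor names below are constructed stand-ins for the Windows filter-manager types (FLT_CALLBACK_DATA documents its Thread member as possibly NULL, and thread-agnostic I/O is one case where it is); the hardened callback shows the missing check, and the pass-through behaviour it chooses for thread-less I/O is an assumed policy, not the content of the hot fix.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed user-mode model of a minifilter pre-operation callback.
 * It is NOT Windows driver code and NOT vfsmfd.sys: the struct below stands
 * in for FLT_CALLBACK_DATA, whose Thread member may be NULL, which is exactly
 * what thread-agnostic I/O produces. */

typedef struct { unsigned long UniqueId; } MODEL_ETHREAD;   /* stand-in for ETHREAD */

typedef struct {
    MODEL_ETHREAD *Thread;        /* NULL when the IRP has no originating thread */
    unsigned char  MajorFunction; /* e.g. a write request; value irrelevant here */
} MODEL_CALLBACK_DATA;

/* Return codes modelled on the filter manager's pre-op status values
 * (assumed names, not the real enum). */
enum {
    MODEL_PREOP_SUCCESS_WITH_CALLBACK = 0,  /* inspected; want the post-op callback */
    MODEL_PREOP_SUCCESS_NO_CALLBACK   = 1,  /* passed through untouched */
    MODEL_PREOP_FAULT                 = -1  /* stands in for the kernel bug check */
};

/* Stands in for a kernel thread accessor: a real driver would fault on a
 * NULL thread pointer; the model reports the fault instead of crashing. */
static bool model_thread_id(const MODEL_ETHREAD *thread, unsigned long *id)
{
    if (thread == NULL) return false;   /* the dereference that crashes the system */
    *id = thread->UniqueId;
    return true;
}

/* Pattern the advisory describes: assumes every IRP carries a thread. */
int preop_unchecked(const MODEL_CALLBACK_DATA *data, unsigned long *thread_id)
{
    if (!model_thread_id(data->Thread, thread_id))
        return MODEL_PREOP_FAULT;       /* NULL from thread-agnostic I/O: system crash */
    /* ... per-thread policy lookup would go here ... */
    return MODEL_PREOP_SUCCESS_WITH_CALLBACK;
}

/* Hardened form: a missing thread is a supported case, not an invariant.
 * Per-thread attribution is skipped and the I/O is passed through (assumed
 * policy; a driver could instead fall back to process context). */
int preop_hardened(const MODEL_CALLBACK_DATA *data, unsigned long *thread_id)
{
    if (data->Thread == NULL) {
        *thread_id = 0;
        return MODEL_PREOP_SUCCESS_NO_CALLBACK;
    }
    model_thread_id(data->Thread, thread_id);
    return MODEL_PREOP_SUCCESS_WITH_CALLBACK;
}
```

The point for anyone maintaining a filter driver is that the thread pointer is an optional field of the request, so any code path that attributes I/O to a thread needs the same guard; testing it requires feeding the callback a request with a NULL thread, which the model above does directly.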
Symantec and CrowdStrike engineers are working to resolve this issue as quickly as possible.
In the meantime, CrowdStrike has published a workaround at the CrowdStrike community support portal; see that portal for details.
After a thorough investigation and working closely with CrowdStrike engineers, Symantec has concluded that the issue is not exploitable from user mode, and thus poses no security risk to the DLP Agent. However, you should apply the public hot fix to avoid the system crash.
A public hot fix that addresses this issue is available for Data Loss Prevention 15.1 MP2 and 15.5 MP2.