[ALERT] Incompatibility issues between CrowdStrike Falcon and the DLP Agent

Article ID: 185070

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

CrowdStrike recently released a new version of the Falcon Sensor for Windows, version 5.19. When the DLP Agent is on the same endpoint system as this version of the sensor, a system crash may occur.

Falcon Sensor 5.19 issues I/O using a Windows kernel feature called "Thread Agnostic I/O," in which an I/O Request Packet (IRP) is not associated with the thread that issued it. With the DLP Agent service running, the DLP Agent mini-filter driver (vfsmfd.sys) can receive such an IRP originating from the Falcon Sensor kernel component with the requesting-thread context set to NULL. The DLP driver did not check for a NULL thread before using it, and dereferencing a NULL pointer in kernel mode is an unhandled fault that results in a Windows system crash (bugcheck).
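As an added illustration (not code from this article, Symantec, or CrowdStrike), the following C models the bug class described above: a mini-filter pre-operation callback that uses the requesting-thread pointer unconditionally, beside a version that tolerates thread-agnostic I/O. vfsmfd.sys is not public, so the types are constructed stand-ins for the WDK's FLT_CALLBACK_DATA and PETHREAD, the kernel bugcheck is simulated with a counter so the file runs in user mode, and the policy (monitored PID 4242, blocking .docx writes) and the pass-through fallback are assumptions, not the vendor's actual fix.

```c
/* Constructed user-mode model of the NULL-thread bug in a file-system
 * mini-filter pre-operation callback.  Nothing here is from vfsmfd.sys or
 * the WDK; the structures are stand-ins and the "bugcheck" is a counter. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for an opaque PETHREAD: the DLP logic only needs the owning PID. */
typedef struct mock_ethread {
    uint32_t tid;
    uint32_t pid;
} mock_ethread_t;

/* Stand-in for the Filter Manager's callback data.  The real Thread member is
 * documented as optional: it is NULL when the I/O was issued thread-agnostically,
 * which is what the article says Falcon Sensor 5.19 does. */
typedef struct mock_callback_data {
    mock_ethread_t *Thread;
    const char     *path;
} mock_callback_data_t;

/* Pre-operation outcomes; PREOP_BUGCHECK stands for "the machine halted here". */
typedef enum { PREOP_PASS_THROUGH = 0, PREOP_BLOCK = 1, PREOP_BUGCHECK = 2 } preop_verdict_t;

/* Simulated KeBugCheck: count the fault instead of crashing the test process. */
static int g_bugchecks = 0;

/* Stand-in for "dereference the thread to find its process".  In kernel mode a
 * NULL here is an unhandled page fault; we model that by bumping the counter. */
static uint32_t pid_of_thread(const mock_ethread_t *t)
{
    if (t == NULL) {
        g_bugchecks++;
        return 0;
    }
    return t->pid;
}

/* Constructed policy (assumption): hypothetical PID 4242 is a monitored process
 * whose writes to *.docx must be blocked; everything else passes. */
static int policy_blocks(uint32_t pid, const char *path)
{
    const char *ext = path ? strrchr(path, '.') : NULL;
    return pid == 4242 && ext != NULL && strcmp(ext, ".docx") == 0;
}

/* Pattern the advisory describes: the thread pointer is used unconditionally. */
preop_verdict_t preop_unchecked(mock_callback_data_t *data)
{
    int before = g_bugchecks;
    uint32_t pid = pid_of_thread(data->Thread);      /* NULL -> bugcheck */
    if (g_bugchecks != before)
        return PREOP_BUGCHECK;                        /* kernel would not return here */
    return policy_blocks(pid, data->path) ? PREOP_BLOCK : PREOP_PASS_THROUGH;
}

/* Fixed pattern: test for thread-agnostic I/O before attributing the request.
 * Letting the operation through when no requestor thread exists is one
 * defensive choice (assumption), not necessarily what Symantec's hot fix does. */
preop_verdict_t preop_checked(mock_callback_data_t *data)
{
    if (data->Thread == NULL)
        return PREOP_PASS_THROUGH;
    uint32_t pid = pid_of_thread(data->Thread);
    return policy_blocks(pid, data->path) ? PREOP_BLOCK : PREOP_PASS_THROUGH;
}

int bugcheck_count(void) { return g_bugchecks; }

/* Scenario driver: build a request from the monitored process (or a
 * thread-agnostic one) and run it through either callback. */
static mock_ethread_t g_monitored = { 7, 4242 };

preop_verdict_t run_scenario(int use_checked_filter, int thread_agnostic, const char *path)
{
    mock_callback_data_t data = { thread_agnostic ? NULL : &g_monitored, path };
    return use_checked_filter ? preop_checked(&data) : preop_unchecked(&data);
}

int main(void)
{
    const char *doc = "C:\\Users\\a\\secret.docx";
    preop_verdict_t v1 = run_scenario(0, 0, doc);   /* normal IRP, old filter  */
    preop_verdict_t v2 = run_scenario(0, 1, doc);   /* agnostic IRP, old filter */
    preop_verdict_t v3 = run_scenario(1, 1, doc);   /* agnostic IRP, fixed filter */
    printf("unchecked/normal=%d unchecked/agnostic=%d checked/agnostic=%d bugchecks=%d\n",
           v1, v2, v3, bugcheck_count());
    return 0;
}
```

The choice of fallback matters for a DLP product: passing the operation through when the requestor thread is unavailable fails open (the write is not inspected), while attributing it to the current thread may blame a system worker thread and fail closed in the wrong place. Either way, the check must come before the dereference; the only unacceptable option is the one on the left, where a third-party driver's use of a documented, optional-NULL field takes the machine down.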

Resolution

Symantec and CrowdStrike engineers are working to resolve this issue as quickly as possible.

In the meantime, CrowdStrike has published a workaround on the CrowdStrike community support portal.

Update December 30, 2019

After a thorough investigation conducted together with CrowdStrike engineers, Symantec has concluded that the issue is not exploitable from user mode and therefore poses no security risk to the DLP Agent. You should still apply the public hot fix to avoid the system crash.

Update November 13, 2019

A public hot fix that addresses this issue is available for Data Loss Prevention 15.1 MP2 and 15.5 MP2.

  • To obtain the hot fix for 15.1 MP2: Download Hotfix_15.1.0207.01003.zip from MySymantec.
  • To obtain the hot fix for 15.5 MP2: Download Hotfix_15.5.0205.01001.zip from MySymantec.

See additional details about the hot fix in the KB article "Public hot fix for Symantec Data Loss Prevention 15.1 MP2, Windows and macOS, various issues."