CrowdStrike: Microsoft’s Windows Kernel Update Process ‘Was Followed’

In a statement responding to CRN’s interview with SentinelOne CEO Tomer Weingarten, CrowdStrike says that its July 19 update did not bypass Microsoft’s ‘clear kernel review process.’

CrowdStrike said the July 19 update that led to a global IT outage did not bypass Microsoft’s “clear kernel review process” for Windows.

In a statement, CrowdStrike responded to comments from SentinelOne CEO Tomer Weingarten during his interview with CRN, suggesting that the update “bypassed” Microsoft’s typical process for updating the Windows kernel, which is the core control center for the Windows operating system.

Weingarten’s comments on the matter are “inaccurate,” CrowdStrike said in the statement.

CrowdStrike noted that its July 19 update was a “rapid response content update” — and “these updates don’t execute code in the kernel."

The CrowdStrike update was able to set off a “blue screen of death” scenario for 8.5 million devices worldwide, leading to massive impacts for air travel, health care and business. Experts have called it the largest IT outage of all time, and one estimate suggested the incident will cost U.S. Fortune 500 companies $5.4 billion in total direct financial loss.

CrowdStrike CEO George Kurtz previously disclosed that 97 percent of Windows sensors for Falcon were online as of Thursday.

In the interview with CRN, Weingarten attributed the outage to “bad design decisions” that CrowdStrike is responsible for.

CrowdStrike said in its statement responding to Weingarten that the opposite is true.

“The architecture as designed provides maximum protection against cyber threats for customers, which includes tamper protection and visibility into real-time threats across the entire system that is not possible in user-mode,” the company said.

What follows is the full statement from CrowdStrike provided to CRN in response to Weingarten’s comments.

The statement on which you are basing this additional reporting is inaccurate. To be clear, the July 19 update was not a new sensor release; it was a rapid response content update. These updates don’t execute code in the kernel. The sensor encountered a bug when interpreting the rapid response content update.

The architecture as designed provides maximum protection against cyber threats for customers, which includes tamper protection and visibility into real-time threats across the entire system that is not possible in user-mode. It gives customers a significant advantage over adversaries in an ever-changing threat environment, with the latest MITRE test resulting in CrowdStrike delivering a Mean Time To Detect (MTTD) 11x faster than Sentinel One.

Further adding to the inaccuracy of the statement you were given, Microsoft does have a clear kernel review process, and that process was followed. CrowdStrike certifies new sensor releases, including the latest versions of all channel files at the time of certification, through Microsoft’s Windows Hardware Quality Labs (WHQL) program, which includes extensive testing through Microsoft’s Hardware Lab Kit (HLK). The WHQL certification process marks the end of an extensive internal testing gauntlet involving functional tests, longevity tests, stress tests with fault injection, fuzzing, and performance tests.