Falcon Sensor Known Issues

Publish Date: 2021-06-28T21:20:15.000Z

Download Date: Tue Jun 29 2021 14:04:00 GMT-0500 (hora de verano central)
Tables may appear overly compressed with full navigation in the Support Portal. Click here to view this article's permalink page in a
more fullscreen view.

Jump to: Windows | Mac | Linux | Container | Android

Windows Sensor
Affected
Affected
Issue Resolution Sensor
Systems
Versions
Unresolved. Workarounds, if
running on Windows 7 or Server
2008 R2:
Customers
with both CrowdStrike ESU
Agreement and Microsoft
All Extended Support Updates
Windows installed:
hosts, 1. Downgrade sensors to
more 6.23.13702
Falcon sensor high memory prevalent 2. Lock update policies to 6.25.13905
consumption on Windows on prevent upgrade, until 6.24.13806
Hosts Windows issue is resolved.
7& Customers without Microsoft
Server Extended Support Updates
2008 installed:
1. Windows 7 and Server
2008 R2 are only
supported on specific
versions. Downgrade,
and lock to, one of these
versions.
 Affected
Affected
Issue Resolution Sensor
Systems
Versions
Unresolved. Workarounds:
Sensors at affected version
6.24.13806:
System crash (BSOD) due to 1. Downgrade sensors to
potential app compatibility 6.23.13702 or lower
issue between Falcon sensor 2. Lock update policies to
and Sophos on Windows 10. Windows
prevent upgrade to 6.24
10 6.24.13806
3. Confirm sensor
Tech Alert | Windows Sensor Sophos
downgrade
6.24.13806 System crashes Sensors at 6.23.13702 or
reported on hosts running both lower:
Falcon and Sophos 1. Lock update policies to
prevent upgrade to 6.24
Consult Tech Alert

Windows
Issue where a process may 10
crash with concurrent use of Windows
JScript on Windows 10, Upgrade sensor to 6.23.13702 or
Server 6.22.13607
Windows Server 2016, or higher
2016
and earlier
Windows Server 2019 when Windows
Script-Based Execution Server
Monitoring is enabled. 2019

Two related issues with file

renames that could result in Windows
Sensor Visibility Exclusions (all Upgrade sensor to 6.22.13607 or 6.21.13510
not being effective at supported higher 6.20.13408
improving performance, and )
network-based file renames
taking longer than expected.
Windows
7
Potential system hangs or poor Windows
performance with third-party Upgrade sensor to 6.22.13607 or
Server
higher, or, 6.21.13510
antivirus solutions on 2008 R2
Windows 7 and Windows Remove the third-party AV solution and earlier
Third-
Server 2008 R2 party AV
solutions

Issue where a Remote Windows

Response "put" command fails (all Upgrade sensor to 6.22.13607 or 6.21.13510
when Windows system supported higher and earlier
directory is not on the C: )
drive.
Windows
Reliability of file quarantine Upgrade sensor to 6.22.13607 or 6.21.13510
(all
in file-in-use scenarios. higher and earlier
supported)
 Affected
Affected
Issue Resolution Sensor
Systems
Versions
Windows
Windows Sensor 6.20 (all
introduced a regression in supported) 6.23.13702
Upgrade sensor to 6.24.13806 or
Device Control that can result Sensors 6.22.13607
higher
in a BSOD when a matching using 6.21.13510
policy is found for Device 6.20.13408
enforcement or monitoring. Control

Windows
(all
supported)
The issue
is limited
to
processes
(.exe files)
Sensor Visibility Exclusions being run
(SVEs) based on process paths 1. Upgrade sensor to 6.22.13607 or
from
may not be applied correctly higher.
excluded
with sensor versions 6.20 and 2. Refer to all warnings about SVE in
paths, and 6.20.13510
our Allowlisting Guide and the
6.21. This could result in does not
Detection and Prevention Policies 6.20.13408
performance regressions and affect
false positive detections if guide (Falcon console → Support →
exclusions
SVEs were previously used to Documentation).
that target
mitigate these problems. data files
such as
source
code or
object
files that
do not get
executed.

End user notification for Windows

Device Control events and 10 version
Network Containment events Upgrade sensor to 6.21.13510 or 6.20.13408
2004
would not always display on higher and earlier
(20h1)
Windows 10 version 2004 and later
(20h1) and later.
Possible
REFERENCE_BY_POINTER Windows
Upgrade sensor to 6.20.13408 or 6.18.13213
blue screen error. Fixed an (all
higher and earlier
incorrect reference taken on a supported)
temporary stream file object.
Windows
IE PAC URL proxy resolution Upgrade sensor to 6.20.13408 or 6.18.13213
(all
fails until the host is rebooted. higher and earlier
supported)
 Affected
Affected
Issue Resolution Sensor
Systems
Versions
Reduced unnecessary disk I/O
during process startup and
DLL loads. In VM Windows
environments with copy-on- Upgrade sensor to 6.20.13408 or 6.18.13213
(all
write disk images, this issue higher and earlier
supported)
could result in excessive disk
write I/O on the writable disk
image.
For PE files that are
downloaded in multiple stages
by the browser, PeFileWritten Windows
Upgrade sensor to 6.20.13408 or
events will now only contain (all 6.18.13213
the final hash of the fully- higher and earlier
supported)
downloaded file, rather than
the hash of any partially
downloaded files.
Improved the reliability of
GenericFileWritten, Windows
Upgrade sensor to 6.20.13408 or 6.18.13213
LocalPeFileWritten, and (all
higher and earlier
LocalKnownFileWritten supported)
events for USB devices.
Interoperability issues with
SMB which may occur during
analysis of files accessed over Windows Upgrade sensor to 6.18.13213 or
network shares. This issue (all higher 6.18.13212
presents as long delays in supported) and earlier
SMB related activities such as
domain logins and the use of
redirected folders.
The Device Instance ID did
not populate in the Files Windows
Written to USB Overview tab Upgrade sensor to 6.18.13212 or 6.16.13008
(all
and associated FileWritten higher 6.16.13005
supported)
events since sensor version
6.16.
Systems crashing when the
sensor loads after updating
from an earlier release.
Rebooting after this crash Windows
seems to resolve the issue. Upgrade sensor to 6.18.13008 or
(all 6.16.113005
higher
During sensor startup, a bad supported)
file object can be sent down
the file system stack, resulting
in corruption and/or a crash in
lower modules.
 Affected
Affected
Issue Resolution Sensor
Systems
Versions

GenericFileWritten events Windows

Upgrade sensor to 6.18.13008 or
were no longer being (all 6.12.12601
higher
generated. supported)

Mac Sensor
Affected
Affected
Issue Resolution Sensor
Systems
Versions
An issue that can cause the sensor macOS
Upgrade to sensor 6.21.13403
to fail to connect to the cloud (all
6.23.13601 or higher and earlier
when DNS is unavailable. supported)

Power management issue causing macOS

some systems to have long delays Upgrade to sensor 6.21.13403
(all
when entering or leaving sleep 6.23.13601 or higher and earlier
supported)
mode.
Higher than normal kernel
memory usage. CrowdStrike macOS
found unbounded memory growth Upgrade to sensor 6.21.13402
(all
during execution of processes 6.21.13403 or higher 6.20.13304
supported)
under a Sensor Visibility
Exclusion.
macOS
The UpdateFlag or AppVersion of Upgrade to sensor
(all 6.20.13304
an InstalledApplication event 6.21.13403 or higher
supported) and earlier
could be inaccurate.

The AppVendor or macOS

AppIdentificationData fields in Upgrade to sensor 6.19.13210
(all
InstalledApplication events may 6.20.13304 or higher and earlier
supported)
have been inaccurate.
The ConnectionDirection field macOS
Upgrade to sensor 6.19.13210
was not set correctly in network (all
6.20.13304 or higher
supported) and earlier
events.
 Affected
Affected
Issue Resolution Sensor
Systems
Versions
Native support for Apple
macOS M1 introduced in
Big Sur 6.24.13701. Upgrade to
(11.x) 6.24.13701 or higher. This
6.19.13210
New agent IDs are generated for Apple M1- replaces the Rosetta 2 6.18.13102
sensors on hosts running macOS based support previously 6.17.13005
Big Sur on Apple M1-based hardware introduced with 6.16.12903
hardware, prior to sensor Any 6.20.13304. 6.15.12805
6.20.13304. Falcon Official support for 6.14.12704
sensor Rosetta2 was introduced in 6.12.12505
prior to 6.20.13304. Upgrade to
6.20.13304 sensor 6.20.13304 or
higher.

Linux Sensor
Affected
Issue Affected Systems Resolution Sensor
Versions
IPv4 UDP packet inspection introduced in Upgrade
CentOS/RHEL
6.19.11610 may cause memory leak sensor to
6 and 7
conditions, leading to allocation failures and 6.20.11611 6.19.11610
SLES 11 SP4
memory fragmentation. or higher

Upgrade
Linux (all sensor to
Larger memory allocations by sensor will fail, 6.12.10913
and dmesg log shows page allocation failures. supported) 6.14.11110 6.12.10912
or higher

Upgrade to
Creation of user space falcon-sensor crash Linux (all
sensor 6.16.11308
supported)
dumps when seccomp failures occur due to 6.16.11312 and earlier
Dynatrace
injection of code by Dynatrace. or higher

Upgrade to
Sensor overhead caused by kcs-evbreap, kcs- Linux (all sensor 6.16.11308
term, and kcs-created threads. supported) 6.16.11312 and earlier
or higher

Upgrade
Kernel memory growth issue that could be Linux (all sensor to 6.14.11110
supported) 6.16.11312
triggered by high rate of process creation. and earlier
or higher
 Affected
Issue Affected Systems Resolution Sensor
Versions
Upgrade
Larger memory allocations by sensor will fail, Linux (all sensor to 6.12.10913
supported) 6.14.11110
and dmesg log shows page allocation failures. 6.12.10912
or higher

Reduced functionality mode (RFM) false Upgrade

positive issue where sensors removed from Linux (all sensor to 6.12.10913
supported) 6.14.11110
RFM in the zero touch Linux (ZTL) update 6.12.10912
or higher
still report a true RFM status.

Container Sensor
Affected
Affected
Issue Resolution Sensor
Systems
Versions
Linux (all Upgrade sensor to
The ConfigBuild version in the Event
supported) 6.19.202 or higher 6.18.106
details shows incorrect values.

Mobile Sensor – Android

Affected Affected Sensor
Issue Resolution
Systems Versions
Abnormally high battery Unresolved.
Android
Workaround:
consumption when the (all 2021.04.3000003
Disable VPN in Mobile
CrowdStrike VPN is deployed supported) and later
and active. Policy.