Jul 23, 2024 | 3 min | Technology

Recommended recovery approaches for your impacted Windows machines with CrowdStrike Falcon Sensor

We’re sharing the most effective technical approaches our customers used—for your benefit.

Customer teams and Cohesity successfully recovered numerous businesses affected by the CrowdStrike Falcon Sensor updates that recently impacted millions around the globe. We are grateful to the teams for their resilience. Based on customer feedback, we’re sharing the most effective approaches they used so you can benefit from them.

Discovering impacted machines at scale

Our customers have successfully recovered data across hypervisors (VMware, AHV), cloud platforms (Azure and EC2), and physical servers.

Across the impacted customer base, customers used the self-service UI to restore VMs quickly. Customers also applied the remediation steps published by CrowdStrike to delete the impacted files. Where that was not effective, customers recovered from Cohesity backups to bring their businesses back online.

One of the most significant challenges reported by customers was the inability to discover impacted machines at scale. Customers used Cohesity Global Search to generate an inventory list of machines containing the impacted file. After remediation, they used the same method to verify that all machines had been successfully remediated.

Customers used the script CrowdStrikeReport to save time detecting impacted Windows hosts at scale.
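As an added example (not Cohesity's CrowdStrikeReport script, which is not reproduced here), the following PowerShell inventories a list of Windows hosts for the impacted channel file over PowerShell remoting and writes a CSV; re-running it after remediation gives the verification pass described above. The host names are constructed, and the channel-file directory and pattern are assumptions taken from CrowdStrike's published remediation guidance, to be confirmed against the current advisory.

```powershell
# Added example, not Cohesity's CrowdStrikeReport script. Requires WinRM /
# PowerShell remoting and an account with local administrator rights on targets.
param(
    # Assumption: host names come from your CMDB or backup inventory export.
    # These two names are constructed sample values.
    [string[]]$ComputerName = @('win-app-01', 'win-db-01'),
    # Assumption: directory and pattern as published in CrowdStrike's remediation
    # guidance; confirm both against the current advisory before use.
    [string]$ChannelDir = 'C:\Windows\System32\drivers\CrowdStrike',
    [string]$ChannelFilePattern = 'C-00000291*.sys',
    [string]$ReportPath = ".\CrowdStrikeReport-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"
)

# Runs on each host: one record per matching file, or a single "Clean" record
# when nothing matches, so "clean" and "unreachable" are never confused.
$scriptBlock = {
    param($dir, $pattern)
    $files = @(Get-ChildItem -Path $dir -Filter $pattern -File -ErrorAction SilentlyContinue)
    if ($files.Count -eq 0) {
        [pscustomobject]@{ Host = $env:COMPUTERNAME; Status = 'Clean'; File = $null; LastWriteUtc = $null }
    } else {
        foreach ($f in $files) {
            [pscustomobject]@{ Host = $env:COMPUTERNAME; Status = 'Impacted'; File = $f.FullName; LastWriteUtc = $f.LastWriteTimeUtc }
        }
    }
}

$results = foreach ($computer in $ComputerName) {
    try {
        Invoke-Command -ComputerName $computer -ScriptBlock $scriptBlock `
            -ArgumentList $ChannelDir, $ChannelFilePattern -ErrorAction Stop
    } catch {
        # A host still stuck in a boot loop will not answer WinRM; record it so it
        # is not mistaken for a remediated machine.
        [pscustomobject]@{ Host = $computer; Status = 'Unreachable'; File = $null; LastWriteUtc = $null }
    }
}

$results | Export-Csv -Path $ReportPath -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
Write-Host "Report written to $ReportPath"
```

Run it once to build the inventory of impacted hosts, and again after remediation; the second run should show only "Clean" rows, with any "Unreachable" hosts followed up individually.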


Recovery for VMware VMs

Virtual disk recovery: Customers whose C drive was on a dedicated virtual disk (VMDK) restored only that VMDK, which replaces the system files without rolling back business data on the other disks. One customer used this method to restore all of their impacted VMs to a working state within 7-12 minutes and brought their business back online.

We encourage you to use this method for high-speed recovery, ensuring you maintain the latest data changes without the risk of business data rollback.


Differential restore of VMs: Customers without a dedicated VMDK for the C drive used differential restore. This method recovers quickly because it transfers only the data that changed between the current VM state and the selected backup snapshot, which must be one taken before the 0409 UTC timestamp. Note, however, that this method also rolls back business data to that point in time.


Recovery of cloud VMs: Customers who had impacted VMs in clouds like Azure, AWS, and GCP did a Copy recovery of the VMs as they wanted to restore from an immutable backup. In one example, the customer recovered their Azure VMs in 6-7 minutes and brought the business back online.

Continuing support for our customers

Cohesity is here to help our valued customers. Please contact your support or account team and let us know how we can assist you. We’re here to help you in any way we can.

Written by


Adai Arumugam

Sr. Director, Product Solutions
