Customer teams and Cohesity successfully recovered numerous businesses affected by the CrowdStrike Falcon Sensor updates that recently impacted millions around the globe. We are grateful to the teams for their resilience. Based on customer feedback, we’re sharing the most effective approaches they used so you can benefit from them.
Discovering impacted machines at scale
Our customers have successfully recovered data across hypervisors (VMware, AHV), cloud (Azure and EC2), and physical servers.
Across the impacted customer base, customers used UI self-service to restore VMs quickly. Customers also employed CrowdStrike methods to delete the impacted files. In some instances, that wasn’t effective, and customers recovered from Cohesity to bring their businesses back online.
One of the most significant challenges reported by customers was the inability to discover impacted machines at scale. Customers used Cohesity Global Search to generate an inventory list of machines containing the impacted file. After remediation, they used the same method to verify that all machines had been successfully remediated.
Customers used the script CrowdStrikeReport to save time detecting impacted Windows hosts at scale.
Recovery for VMware VMs
Virtual disk recovery: Customers with a dedicated virtual disk (VMDK) for the C drive used the VMDK restore method to update only system files without rolling back business data on other disks. One customer used this method to restore all their impacted VMs to a working state within 7-12 minutes, successfully bringing their business back online.
We encourage you to use this method for high-speed recovery, ensuring you maintain the latest data changes without the risk of business data rollback.
Differential restore of VMs: Customers without a dedicated VMDK for the C drive used differential restore. This method recovers quickly by transferring only the data that differs between the current VM state and the selected backup snapshot taken before the 0409 UTC timestamp. Note, however, that it also rolls back business data to that point in time.
Recovery of cloud VMs: Customers with impacted VMs in clouds such as Azure, AWS, and GCP performed a Copy recovery of the VMs because they wanted to restore from an immutable backup. In one example, the customer recovered their Azure VMs in 6-7 minutes and brought the business back online.
Continuing support for our customers
Cohesity is here to help our valued customers. Please contact your support or account team and let us know how we can assist you. We’re here to help you in any way we can.
- Read our previous blog: Standing strong together: Cohesity’s support for CrowdStrike Falcon Sensor updates