Joint customers using Rubrik for immutable backup are advised to use Rubrik in-place recoveries for impacted Windows VMware Virtual Machines (VMs), standard VM restores for Azure VMs and AWS EC2 instances, and live mounts for Hyper-V and AHV VMs. For VMware VMs this significantly reduces the recovery time by recovering only the changed blocks required to revert the VM to a snapshot taken before the 04:09 UTC CrowdStrike host update.

This enables large groups of VMs to be reverted to a working snapshot in minutes, quickly bringing your environment back online. Note that this recovery process returns the VM to a previous point in time, so any changes to the system since the recovery point will be lost. For that reason, the recovery steps below let you choose the recovery point on a per-VM basis and then decide on the appropriate course of action.

For Azure VMs and AWS EC2 instances, Rubrik recommends recovering the VMs using the restore VM Rubrik recovery workflow, which recovers the VM to the snapshot selected, as there is no ability to boot these VMs into safe mode. For AHV and Hyper-V, the Rubrik live mount capability will give you the fastest recovery time objective.

For physical hosts, Rubrik recommends the CrowdStrike manual workaround on the host as the fastest recovery method.
 


Recovery Steps for VMware VMs:

  1. Login to your Rubrik Security Cloud interface

  2. Select the Data Protection app

  3. Go to inventory then select vSphere VMs

  4. Select the impacted VMs in batches by name, SLA, cluster, host or tag

  5. Click the ellipsis in the top right corner then click recover

  6. Select closest snapshot, before, then the date and time before the update occurred at 04:09 UTC, expressed in your current time zone (the UI uses your current time zone)

  7. The closest available snapshot for recovery of each VM will then be displayed

  8. Select which VMs you wish to recover and click next. If the recovery point is older than the data loss you are willing to accept for the time between the backup and the update, Rubrik recommends the manual workaround for the Windows host

  9. Select the 3rd option down for “In-place recovery” to ensure the existing VMs are recovered in-place with no new VM created, or full data transfer required, as just the blocks required are transferred

  10. Click next then recover. The selected VMs will now be powered off automatically, a snapshot created to roll them back, the required blocks transferred, the VM snapshot removed and the VM powered on

  11. The VM will now be back in its working state from before the update
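
The selection logic of steps 6 to 8, as an added planning sketch that is not Rubrik code and calls no Rubrik API: it converts the 04:09 UTC cutoff to the operator's time zone, picks each VM's closest snapshot before the update, and routes VMs whose backup-to-update gap exceeds a tolerance to the manual workaround. Assumptions: the update date of 19 July 2024 (the page gives only the time), the VM names, the snapshot times and the 12-hour tolerance are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Assumption: the update date is 19 July 2024; the page states only 04:09 UTC.
UPDATE_UTC = datetime(2024, 7, 19, 4, 9, tzinfo=timezone.utc)


def cutoff_for_ui(tz):
    """Return the 04:09 UTC cutoff in the operator's time zone (step 6)."""
    return UPDATE_UTC.astimezone(tz)


def plan_recovery(snapshots, max_loss):
    """Map each VM to (action, snapshot, loss) following steps 7 and 8.

    snapshots: {vm_name: [timezone-aware datetimes]}
    max_loss:  timedelta, largest acceptable gap between backup and update
    """
    plan = {}
    for vm, times in snapshots.items():
        before = [t for t in times if t < UPDATE_UTC]
        if not before:  # no snapshot predates the update
            plan[vm] = ("manual-workaround", None, None)
            continue
        snap = max(before)  # closest snapshot before the update
        loss = UPDATE_UTC - snap
        action = "in-place-recovery" if loss <= max_loss else "manual-workaround"
        plan[vm] = (action, snap, loss)
    return plan


def utc(day, hour, minute):
    """Helper for the constructed sample: a UTC time in July 2024."""
    return datetime(2024, 7, day, hour, minute, tzinfo=timezone.utc)


# Constructed inventory: VM names and snapshot times are made up.
SAMPLE = {
    "app-01": [utc(18, 4, 0), utc(19, 0, 0), utc(19, 6, 0)],
    "db-01": [utc(17, 22, 0), utc(19, 5, 30)],
    "web-01": [utc(19, 4, 30)],
}

if __name__ == "__main__":
    local = cutoff_for_ui(ZoneInfo("America/Los_Angeles"))
    print("Enter in the UI as 'before':", local.strftime("%Y-%m-%d %H:%M %Z"))
    for vm, (action, snap, loss) in plan_recovery(SAMPLE, timedelta(hours=12)).items():
        print(f"{vm}: {action}, snapshot={snap}, gap={loss}")
```

For an operator in a US Pacific time zone the cutoff falls on the previous calendar day, which is easy to miss when entering the date in the UI.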

Recovery Steps for Azure VMs:

  1. Login to your Rubrik Security Cloud interface

  2. Select the Data Protection app

  3. Go to inventory then select Azure VMs

  4. For each VM impacted, click the VM

  5. Select the most recent snapshot from before the CrowdStrike update from the calendar view

  6. Click recover, then select restore, click next

  7. Leave the default selections of maintain tags and powered off unchecked, click next

  8. Click recover to restore the VM to a working state from the last working snapshot

Recovery Steps for AWS EC2 Instances:

  1. Login to your Rubrik Security Cloud interface

  2. Select the Data Protection app

  3. Go to inventory then select AWS - EC2 & Applications

  4. For each EC2 instance impacted, click the instance

  5. Select the most recent snapshot from before the CrowdStrike update from the calendar view

  6. Click recover, then select restore, click next

  7. Leave the default selections of restore tags

  8. Click recover to restore the EC2 instance to a working state from the last working snapshot

Reach out to your Rubrik account team with any questions or for help in guiding you through this recovery process. In addition, check out the links below for more details or watch our walk-through demo.

Rubrik specific recovery demonstrations:

Rubrik specific documentation:

CrowdStrike Article