News

7 precedents of BSODs caused by upgrading cybersecurity solutions such as CrowdStrike

Trends

CrowdStrike is not the first and will not be the last. Fernando Denis Ramirez, Country Manager Spain at Sofistic, analyzes in this article the history of the solutions that have left a large part of their clients’ computers blocked.

The main issue is that an antivirus (AV) needs access to information from other applications in order to work, and to block them if it judges them malicious. In a very basic, even primitive, sense that is what an antivirus does. But if in that process it blocks something essential to the operation of the system, the system itself fails.

What happened with CrowdStrike is more complex, but this explanation is enough to understand why such incidents occur. For those who want a more technical explanation of what happened, I recommend this post by Sergio de los Santos on the social network X.

First, let's list a series of cases where malware protection solutions have left their clients ‘stranded’ after an update. Surely there are many more, but these are the 7 cases that came to mind.

McAfee and AVG (2010)

To find the first BSODs, or Blue Screens of Death, we need to go back to 2010, the year the first iPad was launched or the year Stuxnet was discovered, considered the world’s first cyberweapon.

McAfee and AVG kicked things off with very similar errors: both identified a file vital to the operation of the system as malware, the usual case. In McAfee's case the file was svchost.exe, and only Windows XP SP3 was affected. In AVG's case all systems were affected, but the damage only showed itself after a reboot, at which point the system would no longer start.

Kaspersky and Panda (2015)

To talk about the next "black year," we need to go to 2015, the year Microsoft launched Windows 10. This time it was Kaspersky and Panda's turn. In the case of Kaspersky, while it didn't have a clear impact, it did the same thing antivirus software has been doing throughout its history: marking something important or vital for the system’s operation as malware, causing performance and stability issues in the affected systems.

One of the most memorable cases was the one involving Panda that year, where it identified itself as malware. This incident wouldn't have had such serious consequences as the previous ones if it weren't for the fact that, in addition to itself, several applications like Microsoft Office, Google Chrome, and Mozilla Firefox were affected.

WebRoot (2017)

After this, in 2017, it was WebRoot's turn: after an update it marked Windows system files as malware, deleting critical files and causing some Windows 2008 R2 and Windows 7 systems to stop functioning properly. Nothing new.

Sophos (2022)

But you don't have to go that far back to find BSODs or blue screen errors caused by antivirus programs. In 2022, Sophos, after a Windows update, brought this devastating scene to all its users who updated and restarted their systems.

Avast (2023)

A year later, in 2023, users of Avast on Windows 11 reported multiple occurrences of BSODs caused by the driver aswArPot.sys, especially when closing the Opera browser. This issue caused a lot of headaches for Avast, who spent several months trying to pinpoint the problem.

CrowdStrike (2024)

The CrowdStrike incident is just another example in a long list of update errors by companies managing the cybersecurity of operating systems, especially on Microsoft Windows. What's most concerning about the CrowdStrike case, from my point of view, is how this failure got past all the QA checks in the production release of updates, since there was no unusual set of circumstances triggering the failure that might have been overlooked. Perhaps the QA process lacked an environment that mirrored production.
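The two failure modes the article keeps returning to, a rule that matches a file the OS or the product itself needs to boot, and an update that reaches the whole customer base before anyone has seen it fail on a real machine, can both be caught before release. The following is an added example, not code from the article or from any vendor named in it; the file names, file contents, hashes, rule names and fleet are all constructed, and the matching engine is a deliberately simple stand-in for a real one. It shows two gates a release pipeline can apply to a signature update: a golden-image check that refuses any rule hitting a protected file, and a canary rollout that promotes to the rest of the fleet only if every canary host still boots.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed "golden image": files the OS and the security product itself
# need in order to boot and run. A rule that hits any of these is a release
# blocker, however nasty the sample it was written for.
PROTECTED_FILES: Dict[str, bytes] = {
    r"C:\Windows\System32\svchost.exe": b"MZ constructed svchost image",
    r"C:\Windows\System32\user32.dll": b"MZ constructed user32 image",
    r"C:\Program Files\ExampleAV\scanner.exe": b"MZ constructed scanner image",
}

# Constructed malware sample that the rules below were written for.
MALWARE_SAMPLE = b"MZ constructed dropper that spawns a svchost lookalike"


@dataclass
class Signature:
    name: str
    sha256: Optional[str] = None          # exact-hash rule: safe but brittle
    byte_pattern: Optional[bytes] = None  # substring rule: catches variants, easy to overreach


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches(sig: Signature, data: bytes) -> bool:
    """Toy detection engine: a rule fires on an exact hash or on a byte substring."""
    if sig.sha256 is not None and sha256_hex(data) == sig.sha256:
        return True
    if sig.byte_pattern is not None and sig.byte_pattern in data:
        return True
    return False


def validate_update(signatures: List[Signature],
                    protected: Dict[str, bytes] = PROTECTED_FILES) -> List[Tuple[str, str]]:
    """Gate 1: list every (rule, protected file) pair the update would quarantine."""
    return [(sig.name, path)
            for sig in signatures
            for path, data in protected.items()
            if matches(sig, data)]


def host_boots(host_files: Dict[str, bytes], signatures: List[Signature]) -> bool:
    """A host 'boots' only if no rule quarantines one of its boot-critical files."""
    return not any(matches(sig, data)
                   for sig in signatures for data in host_files.values())


def staged_rollout(signatures: List[Signature],
                   fleet: List[Tuple[str, Dict[str, bytes]]],
                   canary_size: int = 1) -> Dict[str, object]:
    """Gate 2: push to a canary slice first; promote only if every canary still boots."""
    canaries, rest = fleet[:canary_size], fleet[canary_size:]
    failed = [name for name, files in canaries if not host_boots(files, signatures)]
    if failed:
        return {"promoted": False, "failed_canaries": failed, "hosts_updated": len(canaries)}
    return {"promoted": True, "failed_canaries": [], "hosts_updated": len(canaries) + len(rest)}


# Constructed rules: one written correctly against the sample's hash, one written
# as an over-broad substring that also matches a legitimate system binary, the
# pattern behind the McAfee and WebRoot incidents described above.
GOOD_RULE = Signature("dropper-exact-hash", sha256=sha256_hex(MALWARE_SAMPLE))
BAD_RULE = Signature("overbroad-svchost-rule", byte_pattern=b"svchost")

# Constructed fleet of three hosts, each carrying the protected files.
FLEET = [("host-%d" % i, dict(PROTECTED_FILES)) for i in range(3)]

if __name__ == "__main__":
    for rule in (GOOD_RULE, BAD_RULE):
        print(rule.name, "detects sample:", matches(rule, MALWARE_SAMPLE))
        print(rule.name, "release blockers:", validate_update([rule]))
        print(rule.name, "rollout:", staged_rollout([rule], FLEET))
```

Both rules detect the constructed sample, so a test that only checks detection coverage would pass either of them; it is the golden-image gate that rejects the over-broad rule, and the canary gate that stops it at one host instead of the whole fleet if the first gate is ever skipped. In a real pipeline the protected set would be the vendor's supported OS images plus its own binaries, and the canaries would be real machines running the production build, which is the environment the article suggests was missing.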

It should be clarified that, in this case, Microsoft Windows is not at fault for what happened. We could criticize them for granting certain authority to these manufacturers, allowing them, in cases of malpractice, to cause these kinds of problems. However, this is an internal policy issue, about how they decide to manage communication with the kernel: the more they restrict this communication, the less functionality these solutions will have to detect threats.

Soon, we will know how this was possible, because honestly, knowing the long history of similar failures from these kinds of companies, the volume of CrowdStrike’s customers, and the excellent work they’ve demonstrated over the years, it’s hard for me to believe that these processes didn’t exist.