Bluescreen on unirsd.sys ATTEMPTED WRITE TO READONLY MEMORY

[Sergio Masone1709161115]

We are using Falcon Crowdstrike as EDR solution in our PVS app layered image, these agents are very small in size and auto update themselves every month. everything looked to be working fine with the sensor version 6.29.x and below, after it updates to sensor versions 6.30+ it blue screens on unirsd.sys. I tried creating a new app layer entirely, install 6.30 or 6.31 version of the sensor, when rebooting the machine it bluescreens also on unirsd.sys.

 

Just curious if anyone else is running into this as well with falcon complete 6.30+ sensors using app layering. I already have a ticket opened up with citrix on this and sent them the debug logs waiting on return rom them.

[Sergio Masone1709161115]

The fix is GA now included in the latest ELM update, 2112

[Sergio Masone1709161115]

I've gotten an update from Citrix, they have provided me an upgrade package to test out that should resolve this issue. will update this once I have tested it.

[Maksym Havryliuk1709161199]

Just got the same issue.

Did you get any updates from Citrix support?

[Ken Berghom]

We are experiencing the same issue using VMware Horizon instant clones (version 8.1 2012) and vCenter 6.7.  With 6.30 I see the BSOD when logging in under a domain account and with 6.31 I get the BSOD after logging off the domain account.  When logging into the image as local admin account, I got the below message (This was with the 6.30 app layer):

 

 

 

[Sergio Masone1709161115]

On 11/29/2021 at 7:28 AM, Maksym Havryliuk1709161199 said:

Just got the same issue.

Did you get any updates from Citrix support?

Not yet, they are analyzing the full memory dump I sent them. CrowdStrike are doing the same. let you know what comes out of it once I receive something from them.

[Sergio Masone1709161115]

On 12/1/2021 at 8:14 AM, Ken Berghom said:

We are experiencing the same issue using VMware Horizon instant clones (version 8.1 2012) and vCenter 6.7.  With 6.30 I see the BSOD when logging in under a domain account and with 6.31 I get the BSOD after logging off the domain account.  When logging into the image as local admin account, I got the below message (This was with the 6.30 app layer):

 

 

 

I can confirm same behavior, logging in with domain account bluescreen on 6.30, 6.31 looks to be when logging off the machine.

[Andrew Poage1709162953]

Having the same issue. Anything 6.30 and higher just wont play nice. 

[Andrew Poage1709162953]

On 12/8/2021 at 5:58 AM, Sergio Masone1709161115 said:

I've gotten an update from Citrix, they have provided me an upgrade package to test out that should resolve this issue. will update this once I have tested it.

is it a system update or a App Layering update?

[Mike Kelly1709153237]

On 11/24/2021 at 1:23 PM, Sergio Masone1709161115 said:

We are using Falcon Crowdstrike as EDR solution in our PVS app layered image, these agents are very small in size and auto update themselves every month. everything looked to be working fine with the sensor version 6.29.x and below, after it updates to sensor versions 6.30+ it blue screens on unirsd.sys. I tried creating a new app layer entirely, install 6.30 or 6.31 version of the sensor, when rebooting the machine it bluescreens also on unirsd.sys.

 

Just curious if anyone else is running into this as well with falcon complete 6.30+ sensors using app layering. I already have a ticket opened up with citrix on this and sent them the debug logs waiting on return rom them.

 

I'm hearing that there was an app layering update that resolves this issue? Can you confirm?

[Sergio Masone1709161115]

49 minutes ago, Mike Kelly1709153237 said:

 

I'm hearing that there was an app layering update that resolves this issue? Can you confirm?

Thats correct, its an app layering update. I updated our ELM, created a new CS app layer, and the issue seems fixed. cannot reproduce the bluescreen. will ask citrix for ETA when the fix will be GA.

[Hemant Kumar]

51 minutes ago, Sergio Masone1709161115 said:

The fix is GA now included in the latest ELM update, 2112

For us - it is still not working. Same BSOD.

Can you share the exact steps you followed while setting up the template and also the command line switches? Did you use VDI=1 or VDI=1 and NO_START=1 both?

[Sergio Masone1709161115]

15 minutes ago, Hemant Kumar said:

For us - it is still not working. Same BSOD.

Can you share the exact steps you followed while setting up the template and also the command line switches? Did you use VDI=1 or VDI=1 and NO_START=1 both?

After updating the ELM appliance, I created brand new App Layer, inside that layer, installed crowdstrike with both VDI=1 NO_START=1, if when finalizing it asks to reboot the machine, reboot it, then log back in and delete the following two registry keys before finalizing again.