Endpoint Security, CrowdStrike, OS Feature Manager and Reduced Functionality Mode
University of Illinois IT Pros leveraging Technology Services CrowdStrike
- What is OS Feature Manager (OSFM)?
- Why does OSFM exist?
- What is Reduced Functionality Mode (RFM)?
- Are Sensors in RFM Deactivated Sensors?
- Most Frequent Causes of RFM
What is OS Feature Manager (OSFM)?
OS Feature Manager, also known as OSFM, monitors shifts in the kernel. This helps the sensor remain agile during any foreseen or unforeseen kernel updates that Windows may push.
Why does OSFM exist?
OSFM was built for resilience and agility. Microsoft releases Windows patches which can contain kernel-level changes, and the support for those changes is delivered through OSFM so that the sensor becomes compatible with whatever kernel changes were applied to the OS. Because these Microsoft changes can affect the kernel, a sensor running on a kernel we have not tested could cause system crashes (BSoDs).
What is Reduced Functionality Mode (RFM)?
Reduced Functionality Mode - also known as "safe mode" or "RFM" for short - is the state OSFM falls into when the Windows kernel is unknown to the sensor. This state usually occurs when Microsoft updates or patches the Windows operating system. RFM causes the sensor to temporarily unhook from certain Windows kernel elements, and that unhooking has downstream effects: a number of sensor events can no longer trigger, because we give up access to their source data for safety, and further downstream some specific detection patterns that depend on those events stop triggering. A few of these patterns are related to Prevention, so there can be some impact to Prevention as well.
These events and subsequent detection patterns are given up in favor of avoiding system crashes due to kernel support. We refer to this state as "Reduced Functionality Mode."
Are Sensors in RFM Deactivated Sensors?
No, these sensors are still very much functioning, just in a reduced capacity because of the kernel elements we unhook from to avoid causing BSoD issues when the kernel is unknown to the sensor. A sensor in RFM is still monitoring your system, reporting events, and triggering detection patterns - but at a reduced capacity as a result of being unhooked from the kernel elements described above.
Reduced Functionality Mode does not mean that the sensor deactivates or goes into a sleep state.
Most Frequent Causes of RFM
Microsoft Patch Tuesday Updates
The most common cause of seeing RFM in your sensor fleet is Microsoft's Patch Tuesday updates, on the second Tuesday of every month. You can read more about Patch Tuesday on TechNet and Wikipedia.
When Microsoft releases their Patch Tuesday security updates, these updates update the Windows kernel. When this happens, the kernel build level exceeds what the sensor knows about, and what we can confidently provide full support for without risking being the cause of a BSoD. As soon as these patches are released by Microsoft, the CrowdStrike sensor engineering team aggressively moves to build an "OSFM certification" file that provides support for the new kernel changes; we usually have this certification done and released within a few days of the Patch Tuesday release.
Any sensors on a system that have applied these Patch Tuesday patches before getting our certification to support the new kernel builds will shift into RFM for safety. When our certification is released and applied to your sensors, providing the support for the new kernel changes, those sensors will automatically shift back out of RFM into full functionality again.
Patch Tuesday updates are not the sole reason a kernel may suddenly become not fully supported by the sensor, requiring CrowdStrike to build and push new OSFM certification files. Occasionally, Microsoft releases kernel updates that are out-of-band from their normal monthly Patch Tuesday release cycle. The net result isn't really any different, except that these can happen outside the expected monthly Patch Tuesday update event. Naturally, CrowdStrike has no control over when Microsoft decides to do this; we merely adopt the same process of analyzing their release, developing a new OSFM certification file, and pushing it out to sensors.
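The following PowerShell script is an added example for IT Pros; it is not CrowdStrike tooling and not part of the original page. It reads the running Windows kernel build (CurrentBuild.UBR from the registry), compares it against a list of builds you have recorded as OSFM-certified, and reports whether the host is a candidate for RFM after a Patch Tuesday or out-of-band kernel update. The entries in $CertifiedBuilds are placeholders that you must replace with the kernels listed as supported for your sensor version; the script also assumes the sensor's kernel driver service is named csagent, as in the documented `sc query csagent` check.

```powershell
# Added example, not CrowdStrike tooling: flag hosts whose running Windows
# kernel build is newer than the builds the administrator has recorded as
# OSFM-certified. Such hosts are the ones expected to sit in RFM until the
# next OSFM certification file reaches the sensor.
#
# ASSUMPTION: the entries below are PLACEHOLDER "CurrentBuild.UBR" strings.
# Replace them with the kernels listed as supported for your sensor version.
$CertifiedBuilds = @(
    '19045.1000',   # PLACEHOLDER
    '22631.1000'    # PLACEHOLDER
)

function Get-RunningKernelBuild {
    # CurrentBuild is the OS build line; UBR (Update Build Revision) is the
    # number a cumulative update raises. Together they identify the running kernel.
    $nt = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return "$($nt.CurrentBuild).$($nt.UBR)"
}

function ConvertTo-BuildPair {
    param([Parameter(Mandatory)] [string] $Build)
    $parts = $Build.Split('.')
    if ($parts.Count -ne 2) { throw "Expected 'build.ubr', got '$Build'" }
    return [pscustomobject]@{ Build = [int]$parts[0]; Ubr = [int]$parts[1] }
}

function Test-KernelCertified {
    param(
        [Parameter(Mandatory)] [string]   $RunningBuild,
        [Parameter(Mandatory)] [string[]] $Certified
    )
    $run = ConvertTo-BuildPair $RunningBuild
    # Only entries on the same build line are comparable; a UBR above the
    # newest certified UBR is the "kernel exceeds what the sensor knows" case.
    $sameLine = $Certified | ForEach-Object { ConvertTo-BuildPair $_ } |
        Where-Object { $_.Build -eq $run.Build }
    if (-not $sameLine) { return $false }      # build line not certified at all
    $newestUbr = ($sameLine | Measure-Object -Property Ubr -Maximum).Maximum
    return ($run.Ubr -le $newestUbr)
}

function Get-SensorRfmReport {
    param([string[]] $Certified = $CertifiedBuilds)
    $running   = Get-RunningKernelBuild
    $certified = Test-KernelCertified -RunningBuild $running -Certified $Certified

    # The sensor's kernel driver service is csagent (the documented
    # 'sc query csagent' check). Win32_SystemDriver reports driver services,
    # which Get-Service does not list.
    $driver = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='csagent'"
    $driverState = if ($driver) { $driver.State } else { 'not installed' }

    # RFM is a running sensor on an uncertified kernel, not a stopped sensor.
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        RunningBuild      = $running
        KernelCertified   = $certified
        SensorDriverState = $driverState
        LikelyRFM         = ($driverState -eq 'Running' -and -not $certified)
    }
}

Get-SensorRfmReport | Format-List
```

Run it locally after a Patch Tuesday rollout, or wrap Get-SensorRfmReport in Invoke-Command to collect the report across a fleet. A LikelyRFM of True with SensorDriverState of Running is the expected, temporary condition described above: the sensor is still up and reporting, and it returns to full functionality on its own once the matching OSFM certification file is applied. The Falcon console remains the authoritative source for a host's RFM status; this script only predicts it from the kernel build.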
Windows Insider Preview Builds
Another cause we occasionally see from customers is systems running builds of Windows that are part of the Windows Insider rings, such as the Fast Ring. As a general reminder, CrowdStrike fully supports and certifies Windows builds that Microsoft has placed in general release availability. While these Insider builds may successfully install and run the Falcon Sensor, we do not fully support Insider builds and do not certify their kernels.