csagent.sys
CrowdStrike Falcon endpoint-protection driver
CSAgent.sys is the kernel driver at the core of CrowdStrike Falcon, one of the most widely deployed enterprise endpoint-protection products in the world. The driver is what gives Falcon its real-time visibility into kernel activity: process creation, image loads, network sockets, and the rest.
It is best known to the wider public from July 19, 2024, when a faulty configuration update (Channel File 291) parsed by CSAgent.sys triggered a null-pointer dereference inside the driver and crashed approximately 8.5 million Windows machines worldwide. Flights were grounded, hospital systems went down, banks went offline, and the incident became a working illustration of how much of modern infrastructure quietly depends on a single signed kernel driver running across millions of endpoints. CrowdStrike published a remediation within hours.
On a personal gaming PC the driver is uncommon, and its presence usually means the system is also managed by an employer's IT department. The entry on the LOLDrivers list reflects samples documented in defensive research, not a claim about the legitimate Falcon sensor on a current managed system.
csagent.sys is listed as malicious on the public LOLDrivers project. 2 distinct binary hashes matching this filename are on record, meaning multiple versions of the file have been observed.
Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.
Vera Project. “csagent.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/csagent-sys
