On Wed, Sep 23, 2015 at 10:21 AM, Michael Leone <[email protected]> wrote:

>> Can you throw some security auditing on the key and scour the event logs for 
>> what is changing it?

Meet the smoking gun ... In the Kaspersky specific event log:

Log Name:      Kaspersky Event Log
Source:        klnagent
Date:          9/22/2015 10:03:27 AM
Event ID:      1
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      DCTRAPP009.wrk.ads.pha.phila.gov
Description:
Switching Windows Update Agent to Kaspersky Security Center mode!
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="klnagent" />
    <EventID Qualifiers="0">1</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-22T14:03:27.000000000Z" />
    <EventRecordID>9792</EventRecordID>
    <Channel>Kaspersky Event Log</Channel>
    <Computer>DCTRAPP009.wrk.ads.pha.phila.gov</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Switching Windows Update Agent to Kaspersky Security Center
mode!</Data>
  </EventData>
</Event>

Log Name:      Kaspersky Event Log
Source:        klnagent
Date:          9/22/2015 10:03:27 AM
Event ID:      1
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      DCTRAPP009.wrk.ads.pha.phila.gov
Description:
Web address for Windows Update Agent: http://127.0.0.1:1550
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="klnagent" />
    <EventID Qualifiers="0">1</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-22T14:03:27.000000000Z" />
    <EventRecordID>9793</EventRecordID>
    <Channel>Kaspersky Event Log</Channel>
    <Computer>DCTRAPP009.wrk.ads.pha.phila.gov</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Web address for Windows Update Agent: http://127.0.0.1:1550</Data>
  </EventData>
</Event>


Log Name:      Kaspersky Event Log
Source:        klnagent
Date:          9/22/2015 4:29:51 PM
Event ID:      1
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      DCTRAPP009.wrk.ads.pha.phila.gov
Description:
Windows Update Agent has been switched out of Security Center mode.
Default settings of Windows Update Agent have been restored.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="klnagent" />
    <EventID Qualifiers="0">1</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-22T20:29:51.000000000Z" />
    <EventRecordID>9807</EventRecordID>
    <Channel>Kaspersky Event Log</Channel>
    <Computer>DCTRAPP009.wrk.ads.pha.phila.gov</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Windows Update Agent has been switched out of Security
Center mode. Default settings of Windows Update Agent have been
restored.</Data>
  </EventData>
</Event>

So I still don't know WHY it did it, but I have proof as to WHO (well,
WHAT) did it ... it was Kaspersky AV ...
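
Added example, not part of the original message and not Kaspersky tooling: a Python sketch that reads exported klnagent events and pairs each switch into "Security Center mode" with the switch back out, reporting how long the Windows Update Agent was pointed at the local address. The `<Events>` wrapper, the `_event` helper and the function names are assumptions; the sample is built from the three events quoted above, trimmed to the fields used.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(ts, rec, msg):
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="klnagent"/>'
            f'<TimeCreated SystemTime="{ts}"/><EventRecordID>{rec}</EventRecordID>'
            f'</System><EventData><Data>{msg}</Data></EventData></Event>')

# Constructed sample: the three events from the post, trimmed, under an
# assumed <Events> wrapper root. Line breaks inside <Data> mimic the wrapping.
SAMPLE = "<Events>" + "".join([
    _event("2015-09-22T14:03:27.000000000Z", 9792,
           "Switching Windows Update Agent to Kaspersky Security Center\nmode!"),
    _event("2015-09-22T14:03:27.000000000Z", 9793,
           "Web address for Windows Update Agent: http://127.0.0.1:1550"),
    _event("2015-09-22T20:29:51.000000000Z", 9807,
           "Windows Update Agent has been switched out of Security\nCenter mode."),
]) + "</Events>"

def parse_events(xml_text):
    """Return (utc_time, record_id, message) tuples in log order."""
    out = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        # SystemTime carries 9 fractional digits; keep whole seconds only.
        ts = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")[:19]
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        rec = int(ev.findtext("e:System/e:EventRecordID", namespaces=NS))
        # Collapse wrapped whitespace so multi-line messages still match.
        msg = " ".join(ev.findtext("e:EventData/e:Data", "", NS).split())
        out.append((when, rec, msg))
    return sorted(out)

def wua_redirect_windows(events):
    """Pair each switch into Security Center mode with the switch back out."""
    windows, cur = [], None
    for when, _rec, msg in events:
        url = re.match(r"Web address for Windows Update Agent: (\S+)", msg)
        if msg.startswith("Switching Windows Update Agent to Kaspersky"):
            if cur:
                windows.append(cur)  # earlier switch was never reverted
            cur = {"start": when, "end": None, "url": None}
        elif url and cur:
            cur["url"] = url.group(1)
        elif "switched out of Security Center mode" in msg and cur:
            windows.append({**cur, "end": when})
            cur = None
    if cur:
        windows.append(cur)  # still redirected at the end of the log
    return windows
```

A window whose `end` is `None` means the log ends with the agent still redirected.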