Excellent.  Good catch.
On Sep 23, 2015 11:16 AM, "Michael Leone" <[email protected]> wrote:

> On Wed, Sep 23, 2015 at 10:21 AM, Michael Leone <[email protected]>
> wrote:
>
> >> Can you throw some security auditing on the key and scour the event
> logs for what is changing it?
>
> Meet the smoking gun ... In the Kaspersky specific event log:
>
> Log Name:      Kaspersky Event Log
> Source:        klnagent
> Date:          9/22/2015 10:03:27 AM
> Event ID:      1
> Task Category: None
> Level:         Information
> Keywords:      Classic
> User:          N/A
> Computer:      DCTRAPP009.wrk.ads.pha.phila.gov
> Description:
> Switching Windows Update Agent to Kaspersky Security Center mode!
> Event Xml:
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>   <System>
>     <Provider Name="klnagent" />
>     <EventID Qualifiers="0">1</EventID>
>     <Level>4</Level>
>     <Task>0</Task>
>     <Keywords>0x80000000000000</Keywords>
>     <TimeCreated SystemTime="2015-09-22T14:03:27.000000000Z" />
>     <EventRecordID>9792</EventRecordID>
>     <Channel>Kaspersky Event Log</Channel>
>     <Computer>DCTRAPP009.wrk.ads.pha.phila.gov</Computer>
>     <Security />
>   </System>
>   <EventData>
>     <Data>Switching Windows Update Agent to Kaspersky Security Center
> mode!</Data>
>   </EventData>
> </Event>
>
> Log Name:      Kaspersky Event Log
> Source:        klnagent
> Date:          9/22/2015 10:03:27 AM
> Event ID:      1
> Task Category: None
> Level:         Information
> Keywords:      Classic
> User:          N/A
> Computer:      DCTRAPP009.wrk.ads.pha.phila.gov
> Description:
> Web address for Windows Update Agent: http://127.0.0.1:1550
> Event Xml:
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>   <System>
>     <Provider Name="klnagent" />
>     <EventID Qualifiers="0">1</EventID>
>     <Level>4</Level>
>     <Task>0</Task>
>     <Keywords>0x80000000000000</Keywords>
>     <TimeCreated SystemTime="2015-09-22T14:03:27.000000000Z" />
>     <EventRecordID>9793</EventRecordID>
>     <Channel>Kaspersky Event Log</Channel>
>     <Computer>DCTRAPP009.wrk.ads.pha.phila.gov</Computer>
>     <Security />
>   </System>
>   <EventData>
>     <Data>Web address for Windows Update Agent: http://127.0.0.1:1550
> </Data>
>   </EventData>
> </Event>
>
>
> Log Name:      Kaspersky Event Log
> Source:        klnagent
> Date:          9/22/2015 4:29:51 PM
> Event ID:      1
> Task Category: None
> Level:         Information
> Keywords:      Classic
> User:          N/A
> Computer:      DCTRAPP009.wrk.ads.pha.phila.gov
> Description:
> Windows Update Agent has been switched out of Security Center mode.
> Default settings of Windows Update Agent have been restored.
> Event Xml:
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>   <System>
>     <Provider Name="klnagent" />
>     <EventID Qualifiers="0">1</EventID>
>     <Level>4</Level>
>     <Task>0</Task>
>     <Keywords>0x80000000000000</Keywords>
>     <TimeCreated SystemTime="2015-09-22T20:29:51.000000000Z" />
>     <EventRecordID>9807</EventRecordID>
>     <Channel>Kaspersky Event Log</Channel>
>     <Computer>DCTRAPP009.wrk.ads.pha.phila.gov</Computer>
>     <Security />
>   </System>
>   <EventData>
>     <Data>Windows Update Agent has been switched out of Security
> Center mode. Default settings of Windows Update Agent have been
> restored.</Data>
>   </EventData>
> </Event>
>
> So I still don't know WHY it did it, but I have proof as to WHO (well,
> WHAT) did it ... it was Kaspersky AV ...
>
>
>

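Added example, not part of the original thread: a small parser that turns klnagent events like the three quoted above into the time windows during which the Windows Update Agent was pointed at the local Kaspersky address. The `<Events>` wrapper, the function names and the trimmed sample are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed sample: the three quoted klnagent events reduced to the fields
# used here and wrapped in an <Events> root (an assumed export layout).
EVENT_TEMPLATE = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
                  '<System><Provider Name="klnagent" /><TimeCreated SystemTime="{t}" />'
                  '<EventRecordID>{r}</EventRecordID></System>'
                  '<EventData><Data>{m}</Data></EventData></Event>')
SAMPLE = "<Events>" + "".join(EVENT_TEMPLATE.format(t=t, r=r, m=m) for t, r, m in [
    ("2015-09-22T14:03:27.000000000Z", 9792,
     "Switching Windows Update Agent to Kaspersky Security Center\nmode!"),
    ("2015-09-22T14:03:27.000000000Z", 9793,
     "Web address for Windows Update Agent: http://127.0.0.1:1550\n"),
    ("2015-09-22T20:29:51.000000000Z", 9807,
     "Windows Update Agent has been switched out of Security\nCenter mode. "
     "Default settings of Windows Update Agent have been\nrestored."),
]) + "</Events>"

def klnagent_events(xml_text):
    """Yield (utc_time, record_id, message) for every klnagent event."""
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        system = ev.find("e:System", NS)
        if system.find("e:Provider", NS).get("Name") != "klnagent":
            continue
        stamp = system.find("e:TimeCreated", NS).get("SystemTime")
        # SystemTime carries nine fractional digits; whole seconds suffice.
        when = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")
        rec = int(system.find("e:EventRecordID", NS).text)
        # Messages may be wrapped across lines; collapse the whitespace.
        msg = " ".join(ev.find("e:EventData/e:Data", NS).text.split())
        yield when.replace(tzinfo=timezone.utc), rec, msg

def redirect_windows(events):
    """Return (start, end, url) per redirect; end is None if still active."""
    windows, start, url = [], None, None
    for when, _rec, msg in sorted(events):  # record id breaks timestamp ties
        if msg.startswith("Switching Windows Update Agent to"):
            start, url = when, None
        elif msg.startswith("Web address for Windows Update Agent:"):
            url = msg.split(":", 1)[1].strip()
        elif "switched out of Security Center mode" in msg and start:
            windows.append((start, when, url))
            start = None
    if start:
        windows.append((start, None, url))
    return windows
```

Lining these windows up against the times the update setting was seen to change shows whether the agent accounts for every change or only some of them.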