Now, it's time to check if someone changed some settings on your Kaspersky server, and if not, then to call Kaspersky support and raise some hell.
Kurt

On Wed, Sep 23, 2015 at 8:14 AM, Michael Leone <[email protected]> wrote:
> On Wed, Sep 23, 2015 at 10:21 AM, Michael Leone <[email protected]> wrote:
>
>>> Can you throw some security auditing on the key and scour the event logs
>>> for what is changing it?
>
> Meet the smoking gun ... In the Kaspersky specific event log:
>
> Log Name: Kaspersky Event Log
> Source: klnagent
> Date: 9/22/2015 10:03:27 AM
> Event ID: 1
> Task Category: None
> Level: Information
> Keywords: Classic
> User: N/A
> Computer: DCTRAPP009.wrk.ads.pha.phila.gov
> Description:
> Switching Windows Update Agent to Kaspersky Security Center mode!
> Event Xml:
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> <System>
> <Provider Name="klnagent" />
> <EventID Qualifiers="0">1</EventID>
> <Level>4</Level>
> <Task>0</Task>
> <Keywords>0x80000000000000</Keywords>
> <TimeCreated SystemTime="2015-09-22T14:03:27.000000000Z" />
> <EventRecordID>9792</EventRecordID>
> <Channel>Kaspersky Event Log</Channel>
> <Computer>DCTRAPP009.wrk.ads.pha.phila.gov</Computer>
> <Security />
> </System>
> <EventData>
> <Data>Switching Windows Update Agent to Kaspersky Security Center
> mode!</Data>
> </EventData>
> </Event>
>
> Log Name: Kaspersky Event Log
> Source: klnagent
> Date: 9/22/2015 10:03:27 AM
> Event ID: 1
> Task Category: None
> Level: Information
> Keywords: Classic
> User: N/A
> Computer: DCTRAPP009.wrk.ads.pha.phila.gov
> Description:
> Web address for Windows Update Agent: http://127.0.0.1:1550
> Event Xml:
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> <System>
> <Provider Name="klnagent" />
> <EventID Qualifiers="0">1</EventID>
> <Level>4</Level>
> <Task>0</Task>
> <Keywords>0x80000000000000</Keywords>
> <TimeCreated SystemTime="2015-09-22T14:03:27.000000000Z" />
> <EventRecordID>9793</EventRecordID>
> <Channel>Kaspersky Event Log</Channel>
> <Computer>DCTRAPP009.wrk.ads.pha.phila.gov</Computer>
> <Security />
> </System>
> <EventData>
> <Data>Web address for Windows Update Agent: http://127.0.0.1:1550</Data>
> </EventData>
> </Event>
>
>
> Log Name: Kaspersky Event Log
> Source: klnagent
> Date: 9/22/2015 4:29:51 PM
> Event ID: 1
> Task Category: None
> Level: Information
> Keywords: Classic
> User: N/A
> Computer: DCTRAPP009.wrk.ads.pha.phila.gov
> Description:
> Windows Update Agent has been switched out of Security Center mode.
> Default settings of Windows Update Agent have been restored.
> Event Xml:
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> <System>
> <Provider Name="klnagent" />
> <EventID Qualifiers="0">1</EventID>
> <Level>4</Level>
> <Task>0</Task>
> <Keywords>0x80000000000000</Keywords>
> <TimeCreated SystemTime="2015-09-22T20:29:51.000000000Z" />
> <EventRecordID>9807</EventRecordID>
> <Channel>Kaspersky Event Log</Channel>
> <Computer>DCTRAPP009.wrk.ads.pha.phila.gov</Computer>
> <Security />
> </System>
> <EventData>
> <Data>Windows Update Agent has been switched out of Security
> Center mode. Default settings of Windows Update Agent have been
> restored.</Data>
> </EventData>
> </Event>
>
> So I still don't know WHY it did it, but I have proof as to WHO (well,
> WHAT) did it ... it was Kaspersky AV ...
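Added example, not part of the original thread: a way to turn klnagent events like the ones quoted above into a timeline of when the Windows Update Agent was redirected and to which address. It assumes the events have been exported as XML in the form shown in the message; the function names are illustrative and the sample input is constructed from the three quoted events.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(ts, rec, msg):
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="klnagent" />'
            f'<TimeCreated SystemTime="{ts}" /><EventRecordID>{rec}</EventRecordID>'
            f'</System><EventData><Data>{msg}</Data></EventData></Event>')

# Constructed sample: the three quoted klnagent events, trimmed to the fields used.
SAMPLE = (
    _event("2015-09-22T14:03:27.000000000Z", 9792,
           "Switching Windows Update Agent to Kaspersky Security Center\nmode!")
    + _event("2015-09-22T14:03:27.000000000Z", 9793,
             "Web address for Windows Update Agent: http://127.0.0.1:1550")
    + _event("2015-09-22T20:29:51.000000000Z", 9807,
             "Windows Update Agent has been switched out of Security\n"
             "Center mode. Default settings of Windows Update Agent have been\n"
             "restored."))

def wua_redirect_windows(xml_text):
    """Return [(start, end, url)]; end is None if the redirect is still active."""
    root = ET.fromstring(f"<Events>{xml_text}</Events>")  # wrap concatenated events
    rows = []
    for ev in root.findall("e:Event", NS):
        if ev.find("e:System/e:Provider", NS).get("Name") != "klnagent":
            continue
        ts = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        rec = int(ev.findtext("e:System/e:EventRecordID", namespaces=NS))
        msg = " ".join(ev.findtext("e:EventData/e:Data", "", NS).split())
        # SystemTime carries 9 fractional digits; keep whole seconds (UTC).
        rows.append((rec, datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S"), msg))
    windows, cur = [], None
    for _, when, msg in sorted(rows):  # record ID gives the write order
        if msg.startswith("Switching Windows Update Agent to"):
            cur = [when, None, None]
        elif cur and msg.startswith("Web address for Windows Update Agent:"):
            cur[2] = msg.split(": ", 1)[1]
        elif cur and "switched out of Security Center mode" in msg:
            windows.append((cur[0], when, cur[2]))
            cur = None
    if cur:
        windows.append((cur[0], None, cur[2]))
    return windows

if __name__ == "__main__":
    for start, end, url in wua_redirect_windows(SAMPLE):
        print(f"WUA pointed at {url} from {start}Z until {end}Z")
```

A window whose end is `None` means the agent was switched into Security Center mode and no matching switch-out event was logged.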
