To stay updated on your favorite discussions, please create an account or log in. Then, click the Bookmark icon to subscribe and receive notifications.

Software Updater logs

alecw
alecw Posts: 4 Security Scout

Hi,

 

[Client Security Premium 11.6 on Win7 and 8.1]

 

We have the Software Updater set to "ask user" to reboot, and to force a reboot only after five days. However, some machines are still restarting without asking and without the five day window elapsing - it happens shortly after the Software Updater's scheduled installation time, which is why we think it's the culprit.

 

Are there any Software Updater logs on the endpoint to say what was installed at a given time and why the decision to forcibly reboot was made?

 

Many thanks,

alec

Comments

  • Ben
    Ben Posts: 664 Cybercrime Crusader

    You can find the most of the software updater related logs on the end-point under C:\ProgramData\F-secure\Logs\FSOFUPD

     

    Let us know the results of your investigation or if you need further assistance.

  • alecw
    alecw Posts: 4 Security Scout

    Hi Ben,

     

    Thanks for the tip :)

     

    I'm looking for the line that says "I forcibly rebooted this computer in direct contradiction of policy because...." Any idea what I should be looking for?

     

    There are a few lines that look like this in fssua.log:

     

    1 90C 14/11/19 00:00:36 Installation status explanation: Type: return code (1), Id: 55, Status: pending reboot (3), Return code: 3010, Timestamp: 0

     

    ...but I've not found a smoking gun just yet!

     

    alec

  • alecw
    alecw Posts: 4 Security Scout

    Here's the Smoking Gun, from the Windows eventlog:

     

    The process C:\ProgramData\F-Secure\FSOFTUPD\deploy\SafeReboot.exe (COMPUTER) has initiated the restart of computer COMPUTER on behalf of user NT AUTHORITY\SYSTEM for the following reason: Application: Installation (Planned)
    Reason Code: 0x80040002
    Shutdown Type: restart

    Now, the question is, why'd it do that when the policy is set to Ask User?

     

    Many thanks,

    alec

  • Ben
    Ben Posts: 664 Cybercrime Crusader

    Hello Alecw,

     

    In order to fully understand what happened there, could you open a support ticket, providing and fsdiag of the impacted machine?

This discussion has been closed.

Categories