Could SophosMTR be starting Windows Update scans, installations and reboots?

Hello all,

I manage the Windows Update on our servers and we are facing a problem.

By our standards, every new Windows Update must be downloaded and applied manually, to avoid unwanted reboots. We have one WSUS server and a GPO configured as follows:

The Configure Updates option is marked number 2 - Notify for download and auto install. When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.

This prevents updates from being downloaded or installed automatically.

Even so, we are having a lot of incidents where servers are installing updates and rebooting by themselves.

I searched on WindowsUpdate logs to figure out what could possibly be forcing the servers to update the OS.

At C:\Windows\SoftwareDistribution (the folder that holds the downloaded Windows Updates) we have a log file called "ReportingEvents".

This file shows dates and times of the sync of the machine with the WSUS server, and records of actions like checking updates, downloading updates, etc.

Looking through the events in the log, I found this:

147 [AGENT_DETECTION_FINISHED] 101 {00000000-0000-0000-0000-000000000000} 0 0 <<PROCESS>>: SophosMTR.exe Success Software Synchronization Windows Update Client successfully detected 3 updates.

156 [AGENT_STATUS_30] 101 {00000000-0000-0000-0000-000000000000} 0 0 <<PROCESS>>: SophosMTR.exe Success Pre-Deployment Check Reporting client status.

183 [AGENT_INSTALLING_SUCCEEDED] 101 {CDDE339C-EBDB-4A16-ADD4-FB196A5053A8} 203 0 AutomaticUpdatesWuApp Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2012 R2 (KB3172729)

It is a chain of actions: first we have the discovery of 3 updates. In the next line we have the pre-deployment check... Both actions show the process "SophosMTR.exe".

And in the line after that, the Windows Update is installed.

As I said before, our GPO regarding this is not configured to download Windows Updates automatically.

QUESTION: Could SophosMTR.exe have triggered the Windows Update detection and installation?

This is critical. Servers cannot update randomly without our knowledge, and without a maintenance window. And if Sophos has the power to override what the Windows Update GPO states, we have to change this setting right away.

Thanks for any help!

  • FormerMember

    If you have MTR, you should talk to your MTR operator; they will advise you on what they are doing in your environment. I will also bring this thread to their attention.

  • It would appear that the SophosMTR.exe process is interfacing with the WindowsUpdate APIs from that log.

    For example, if you use PowerShell to just search for updates, e.g.

    $($(New-Object -ComObject Microsoft.Update.Searcher).Search("Type='Software'").Updates).Count

    it might print 9, for example, in which case you would see in \Windows\SoftwareDistribution\ReportingEvents.log:

    {DF773FAB-C47C-4CF6-BAD3-E46591964739} 2020-12-22 11:09:54:463-0000 1 147 [AGENT_DETECTION_FINISHED] 101 {7971F918-A847-4430-9279-4A52D1EFE18D} 0 0 <<PROCESS>>: powershell.exe Success Software Synchronization Windows Update Client successfully detected 7 updates. cibzsI3IakaTBBZM.2.0.0.4.0

    {0F628098-83E8-48CB-92DA-05F28B99B940} 2020-12-22 11:10:07:699-0000 1 147 [AGENT_DETECTION_FINISHED] 101 {8B24B027-1DEE-BABB-9A95-3517DFB9C552} 0 0 <<PROCESS>>: powershell.exe Success Software Synchronization Windows Update Client successfully detected 2 updates. cibzsI3IakaTBBZM.2.1.0.4.0

    So the only question then is whether it's a capability the agent has that needs to be invoked by an operator, or whether it's routine.

    Do the times in the log look regular?  As if it's on a schedule?
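Both questions above (which process invokes detection, and whether the detections fall on a schedule) can be answered from the log itself. The following PowerShell is an added example, not code from this thread or from Sophos. It assumes the tab-separated record layout of ReportingEvents.log (record GUID, timestamp, agent, event code, [EVENT], 101, update GUID, two numbers, process, result, category, message, tag); the sample lines are constructed from the records quoted in this thread, with constructed timestamps.

```powershell
# Added example (not from the thread or from Sophos): summarise who triggered each
# Windows Update detection/installation in ReportingEvents.log and how regularly
# detections recur. Assumes the tab-separated record layout of that file.

function ConvertFrom-ReportingEvent {
    param([string]$Line)
    $f = $Line -split "`t"
    if ($f.Count -lt 13) { return }                 # blank or non-record line
    # Timestamp form is 2020-12-22 11:09:54:463-0000 (milliseconds after a colon, offset without one)
    if ($f[1] -notmatch '^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d:\d{3})([+-])(\d\d)(\d\d)$') { return }
    $t = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss:fff', [cultureinfo]::InvariantCulture)
    $offsetMinutes = [int]$Matches[3] * 60 + [int]$Matches[4]
    $t = if ($Matches[2] -eq '+') { $t.AddMinutes(-$offsetMinutes) } else { $t.AddMinutes($offsetMinutes) }
    [pscustomobject]@{
        TimeUtc  = [datetime]::SpecifyKind($t, 'Utc')
        Event    = $f[4].Trim('[', ']')
        Process  = $f[9] -replace '^<<PROCESS>>:\s*', ''   # SophosMTR.exe, powershell.exe, UpdateOrchestrator, ...
        Result   = $f[10]
        Category = $f[11]
        Message  = $f[12]
    }
}

function Get-WuaEventSummary {
    param([string[]]$Lines)
    $events = @($Lines | ForEach-Object { ConvertFrom-ReportingEvent $_ } | Sort-Object TimeUtc)
    $interesting = 'AGENT_DETECTION_FINISHED', 'AGENT_INSTALLING_SUCCEEDED', 'AGENT_INSTALLING_FAILED'

    # Which process initiates detections and installs, and how often
    $byProcess = $events | Where-Object { $interesting -contains $_.Event } |
        Group-Object Event, Process |
        ForEach-Object { [pscustomobject]@{ Event = $_.Values[0]; Process = $_.Values[1]; Count = $_.Count } }

    # Gap between consecutive detections by the same process; a constant gap points at a schedule
    $intervals = $events | Where-Object Event -eq 'AGENT_DETECTION_FINISHED' | Group-Object Process |
        ForEach-Object {
            $times = @($_.Group.TimeUtc)
            for ($i = 1; $i -lt $times.Count; $i++) {
                [pscustomobject]@{ Process = $_.Name; At = $times[$i]; SincePrevious = $times[$i] - $times[$i - 1] }
            }
        }

    # For every successful install, the most recent detection in the preceding hour and who ran it
    $installs = foreach ($inst in @($events | Where-Object Event -eq 'AGENT_INSTALLING_SUCCEEDED')) {
        $prior = $events | Where-Object {
            $_.Event -eq 'AGENT_DETECTION_FINISHED' -and $_.TimeUtc -le $inst.TimeUtc -and
            ($inst.TimeUtc - $_.TimeUtc).TotalHours -le 1
        } | Select-Object -Last 1
        $detectedBy = if ($prior) { $prior.Process } else { '(no detection in prior hour)' }
        [pscustomobject]@{ InstalledAt = $inst.TimeUtc; Installer = $inst.Process; PrecedingDetectionBy = $detectedBy; Update = $inst.Message }
    }

    [pscustomobject]@{ ByProcess = $byProcess; DetectionIntervals = $intervals; Installs = $installs }
}

# Constructed sample: tab-separated, field values modelled on the records quoted in the thread,
# timestamps invented for illustration.
$z = '{00000000-0000-0000-0000-000000000000}'
$sample = @(
    "$z`t2020-12-21 03:00:12:101-0000`t1`t147`t[AGENT_DETECTION_FINISHED]`t101`t$z`t0`t0`t<<PROCESS>>: SophosMTR.exe`tSuccess`tSoftware Synchronization`tWindows Update Client successfully detected 3 updates.`tx"
    "$z`t2020-12-21 03:00:13:500-0000`t1`t156`t[AGENT_STATUS_30]`t101`t$z`t0`t0`t<<PROCESS>>: SophosMTR.exe`tSuccess`tPre-Deployment Check`tReporting client status.`tx"
    "$z`t2020-12-21 03:41:09:000-0000`t1`t183`t[AGENT_INSTALLING_SUCCEEDED]`t101`t{CDDE339C-EBDB-4A16-ADD4-FB196A5053A8}`t203`t0`tAutomaticUpdatesWuApp`tSuccess`tContent Install`tInstallation Successful: Windows successfully installed the following update: Security Update for Windows Server 2012 R2 (KB3172729)`tx"
    "$z`t2020-12-22 03:00:11:874-0000`t1`t147`t[AGENT_DETECTION_FINISHED]`t101`t$z`t0`t0`t<<PROCESS>>: SophosMTR.exe`tSuccess`tSoftware Synchronization`tWindows Update Client successfully detected 0 updates.`tx"
    "$z`t2020-12-22 11:09:54:463-0000`t1`t147`t[AGENT_DETECTION_FINISHED]`t101`t{7971F918-A847-4430-9279-4A52D1EFE18D}`t0`t0`t<<PROCESS>>: powershell.exe`tSuccess`tSoftware Synchronization`tWindows Update Client successfully detected 7 updates.`tx"
)
$summary = Get-WuaEventSummary -Lines $sample
$summary.ByProcess          | Format-Table -AutoSize
$summary.DetectionIntervals | Format-Table -AutoSize
$summary.Installs           | Format-Table -AutoSize
# On a real host: Get-WuaEventSummary -Lines (Get-Content C:\Windows\SoftwareDistribution\ReportingEvents.log)
```

The Installer column is the part worth reading closely: in the records quoted in this thread the install is attributed to AutomaticUpdatesWuApp, not to the process that ran the detection, so the summary separates "who scanned" from "who installed" rather than assuming the two are the same.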

  • Greg from Sophos MTR here. We do not initiate Windows Updates or trigger the installation of updates. We do however query what installed Windows Updates are on a host to help us identify and monitor vulnerabilities. This is what you are seeing in the ReportingEvents log.

    It would seem something else is initiating these updates. Perhaps check an RSOP on that server. You'd want to check with no specific user set to see what the machine policy calculates out as, and then do the same for the various users that log into that host etc in case there is a GPO assigned to a specific user that is causing the updates to occur.

    docs.microsoft.com/.../use-resultant-set-of-policy-logging

  • Thanks for your reply. But I really think this is not the case.

    I ran some tests to check how the log records a Windows Update check from Control Panel.

    First I went manually, on my computer, to Control Panel, Windows Update and clicked on "Check for updates".

    Afterwards I checked the same log in SoftwareDistribution and I see these lines:

    147 [AGENT_DETECTION_FINISHED] 101 {00000000-0000-0000-0000-000000000000} 0 0 UpdateOrchestrator Success Software Synchronization Windows Update Client successfully detected 0 updates.

    156 [AGENT_STATUS_30] 101 {00000000-0000-0000-0000-000000000000} 0 0 UpdateOrchestrator Success Pre-Deployment Check Reporting client status.

    Conclusions:

    The process of searching for new Updates definitely fills the line with: "Success Software Synchronization Windows Update Client successfully detected X updates."

    In my test, the Windows Update check was triggered by clicking on it, manually. So it shows the process "UpdateOrchestrator" performing this action.

    If we compare with the example mentioned above by "Sophos User930", when we invoke PowerShell to check for Windows Updates, it populates the same information, but showing "powershell.exe" performing the action.

    In our servers we have the same line but with "SophosMTR.exe" instead of UpdateOrchestrator or powershell.exe... just as examples.

    It is the same action in all three situations. The same line about Synchronization, triggered by 3 different processes.

    I am sure that SophosMTR.exe is not just checking what updates are installed on the local computer, but is triggering an online Windows Update check. When the synchronization happens, and Windows verifies that there are updates approved for install, it installs them and causes the reboot.

    Maybe if there were not any updates approved for install on our WSUS server, the check would not result in any installation.

    We have a ticket open with support team. Maybe we need a deeper RCA by Sophos team in our environment to make sure what actions SophosMTR is taking.
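The disagreement between the two posts above is testable with the same Windows Update Agent API the earlier PowerShell one-liner used: an IUpdateSearcher query restricted to already-installed updates with Online set to false does not contact the update server, while an online search does. The following is an added example, not code from this thread or from Sophos; it runs each kind of search and captures the ReportingEvents.log lines written afterwards, so the process and message each one produces can be compared with what appears on the affected servers. The log path, the ClientApplicationID label and the 5-second settle delay are assumptions. Run it elevated on a test host inside a maintenance window: the online search does talk to the configured WSUS server, and what the AU client then does with approved updates is governed by policy, not by this script.

```powershell
# Added example (not from the thread or from Sophos): compare what ReportingEvents.log
# records for an installed-only, offline IUpdateSearcher query versus an online
# detection search. Run on a test host during a maintenance window.

$log = 'C:\Windows\SoftwareDistribution\ReportingEvents.log'   # assumed default path

function Get-NewLogLines {
    param([int]$Baseline)   # number of lines the log had before the action
    $all = @(Get-Content $log)
    if ($all.Count -gt $Baseline) { $all[$Baseline..($all.Count - 1)] } else { @() }
}

function Invoke-WuaSearch {
    param([string]$Criteria, [bool]$Online, [string]$Label)
    $before   = @(Get-Content $log).Count
    $session  = New-Object -ComObject Microsoft.Update.Session
    $session.ClientApplicationID = "wua-probe/$Label"    # identifies this caller to the agent
    $searcher = $session.CreateUpdateSearcher()
    $searcher.Online = $Online      # $false: answer from the last scan cache, no server contact
    $result   = $searcher.Search($Criteria)
    Start-Sleep -Seconds 5          # assumed: time for the agent to flush its reporting events
    $logged = Get-NewLogLines -Baseline $before |
        Where-Object { $_ -match 'AGENT_' } |
        ForEach-Object { ($_ -split "`t")[4, 9, 12] -join ' | ' }   # [EVENT] | process | message
    [pscustomobject]@{
        Label    = $Label
        Criteria = $Criteria
        Online   = $Online
        Found    = $result.Updates.Count
        Logged   = @($logged)
    }
}

# 1) Inventory of what is already installed, served from the local cache
$installedOnly = Invoke-WuaSearch -Criteria "IsInstalled=1" -Online $false -Label 'installed-offline'
# 2) A real online detection against the configured update server
$pendingOnline = Invoke-WuaSearch -Criteria "IsInstalled=0 and Type='Software'" -Online $true -Label 'pending-online'

$installedOnly, $pendingOnline | Format-List Label, Criteria, Online, Found, Logged
```

Compare the Logged field of the two results with the lines seen on the servers: the process column will read powershell.exe for both, so the event type and message, not the process name, are what distinguish an inventory query from a detection. Whatever the agent under suspicion is doing, the same comparison against its lines in the log is the evidence to bring to the support case.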


  • FormerMember, in reply to Felipe Lisboa

    Hi,

    Thank you for the update.

    I followed up with you via PM. Could you please reply to my PM with the support case number? 

    Thanks,