
As shown in the attached pictures, there is a "Difference between system uptime and last boot time" in my Windows. It becomes an issue because AV, SIEM or every monitoring system shows a different time between system and boot.
Because of this problem, these workstations do not accept security policy from AV.

  1. What is the reason?

  2. How can I solve it?

[Attached pictures: AV report, CMD result]

R1W

1 Answer


The left window is not showing the system uptime but the network connection uptime.

The network may have only been up for a couple of hours for multiple reasons:

  • The network wire was -perhaps briefly- disconnected
  • The switch it is connected to was rebooted
  • The computer was previously connected to a different network, but then changed to this one
  • The network connection itself was disabled then enabled.
  • If it's just slightly different, it's normal that the boot time will have happened a bit before the computer booted, loaded the OS and actually connected to the network.

I can imagine several scenarios where the reported system uptime is different than Now - Boot time for a machine, though:

  • The machine was hibernated and the time it was in that state is not taken into account for the uptime.
  • The system clock changed after boot, so the boot time might even be dated years ago (whatever the BIOS clock default is) but the System time itself was corrected shortly after boot-up through NTP.

I understand the discrepancy to show in SIEM / AV dashboards. However, I don't see that as a reason to not accept security policy from AV. If the AV refuses to apply a security policy because it considers that they don't match -as seems implied by their support reply-, perhaps it is buggy.

Ángel
  • Thank you for your answer, I have to mention that I did reboot those machines but after booting again, the result of "system uptime" was the same as before again. – R1W Sep 14 '19 at 13:54
  • The "system uptime" was larger than the time it had been up? If it's a remote tool that is periodically checking if the machine is up, it may not detect that it was disconnected for a short time, but I don't think it would make sense for the system itself to report that. – Ángel Sep 14 '19 at 14:02
  • @Ángel The answer to the first question is "yes" and also it is a remote tool that showed us that the "system uptime and the network connection uptime" have different results. It is possible that it may not be detected that the machine is rebooted, but as you mentioned, different times on the machine itself do not make sense. – R1W Sep 14 '19 at 15:49
  • @R1W Unless you use the reboot option in the shutdown options menu, Windows defaults to a "low level hibernation", in which the uptime does not reset. This makes Windows 10 boot faster – Ferrybig Sep 14 '19 at 20:07
  • @Ferrybig Actually I did reboot those machines many times, nothing changed. – R1W Sep 14 '19 at 20:18
  • @R1W Choosing "Shut down" does - by default - not really shut down the machine on Windows. You have to hold the SHIFT key while clicking "Shut down". – rexkogitans Sep 14 '19 at 20:26
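
An added example, not part of the original answer or comments: a PowerShell function that collects, on the affected workstation, the values behind the explanations given in this thread (WMI boot time, the uptime counter, the Fast Startup setting, the type of the last start, and large clock corrections). The function name `Get-BootTimeReport`, the tolerance default and the event property positions are assumptions.

```powershell
# Added example; Get-BootTimeReport and its parameter are hypothetical names.
function Get-BootTimeReport {
    [CmdletBinding()]
    param([int]$ToleranceSeconds = 120)  # assumed threshold for "times agree"

    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $perf = Get-CimInstance -ClassName Win32_PerfFormattedData_PerfOS_System

    # Boot time as WMI reports it vs. boot time derived from the uptime counter.
    $wmiBoot     = $os.LastBootUpTime
    $counterBoot = $os.LocalDateTime.AddSeconds(-[double]$perf.SystemUpTime)
    $gapSeconds  = [math]::Abs(($wmiBoot - $counterBoot).TotalSeconds)

    # Fast Startup setting: when 1, "Shut down" hibernates the kernel session.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
    $fastStartup = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).HiberbootEnabled

    # Kernel-Boot event 27 records the type of the most recent start.
    # Assumption: the first event property holds the boot type value.
    $bootTypes = @{ 0 = 'Cold boot'; 1 = 'Fast Startup'; 2 = 'Resume from hibernation' }
    $bootEvent = Get-WinEvent -MaxEvents 1 -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Boot'; Id = 27 }
    $bootType = if ($bootEvent) { $bootTypes[[int]$bootEvent.Properties[0].Value] } else { 'Unknown' }

    # Kernel-General event 1 logs clock changes (for example an NTP correction).
    # Assumption: properties 0 and 1 are the new and the old time.
    $clockJumps = @(Get-WinEvent -MaxEvents 200 -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-General'; Id = 1 } |
        Where-Object {
            $delta = [datetime]$_.Properties[0].Value - [datetime]$_.Properties[1].Value
            [math]::Abs($delta.TotalSeconds) -gt $ToleranceSeconds
        })

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        WmiLastBootUpTime  = $wmiBoot
        BootFromUptime     = $counterBoot
        GapSeconds         = [int]$gapSeconds
        SourcesAgree       = $gapSeconds -le $ToleranceSeconds
        FastStartupEnabled = $fastStartup -eq 1
        LastBootType       = $bootType
        LargeClockChanges  = $clockJumps.Count
    }
}

Get-BootTimeReport | Format-List
```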