1

As shown in the attached pictures, there is a "difference between system uptime and last boot time" in my Windows. It becomes an issue because AV, SIEM or every monitoring system shows a different time between system and boot.
Because of this problem, these workstations do not accept security policy from AV.

  1. What is the reason?

  2. How can I solve it?

[Images: AV report; CMD result]

3
  • And why would this cause a workstation not to accept security policies from AV? Commented Sep 14, 2019 at 13:02
  • @EsaJokinen Good question. I did contact the AV's support section and they told me it is the reason.
    – R1W
    Commented Sep 14, 2019 at 13:06
  • 1
    The clock is up to date with correct date & time?
    – Paolo
    Commented Sep 14, 2019 at 21:27

1 Answer

7

The left window is not showing the system uptime but the network connection uptime.

The network may have only been up for a couple of hours for multiple reasons:

  • The network wire was -perhaps briefly- disconnected
  • The switch it is connected to was rebooted
  • The computer was previously connected to a different network, but then changed to this one
  • The network connection itself was disabled then enabled.
  • If it's just slightly different, it's normal that the boot time will have happened a bit before the computer booted, loaded the OS and actually connected to the network.

I can imagine several scenarios where the reported system uptime is different than Now - Boot time for a machine, though:

  • The machine was hibernated and the time it was in that state is not taken into account for the uptime.
  • The system clock changed after boot, so the boot time might even be dated years ago (whatever the BIOS clock default is) but the System time itself was corrected shortly after boot-up through NTP.

I understand the discrepancy to show in SIEM / AV dashboards. However, I don't see that as a reason to not accept security policy from AV. If the AV refuses to apply a security policy because it considers that they don't match -as seems implied by their support reply-, perhaps it is buggy.

6
  • Thank you for your answer, I have to mention that I did reboot those machines but after booting again, the result of "system uptime" was the same as before again.
    – R1W
    Commented Sep 14, 2019 at 13:54
  • 1
    The "system uptime" was larger than the time it had been up? If it's a remote tool that is periodically checking if the machine is up, it may not detect that it was disconnected for a short time, but I don't think it would make sense for the system itself to report that.
    – Ángel
    Commented Sep 14, 2019 at 14:02
  • @Ángel The answer to the first question is "yes", and also it is a remote tool that showed us that the "system uptime and the network connection uptime" have different results. It is possible that it may not be detected that the machine is rebooted, but as you mentioned, it does not make sense to have different times on itself.
    – R1W
    Commented Sep 14, 2019 at 15:49
  • 3
    @R1W Unless you use the reboot option in the shutdown options menu, Windows defaults to a "low level hibernation", in which the uptime does not reset. This makes Windows 10 boot faster.
    – Ferrybig
    Commented Sep 14, 2019 at 20:07
  • 1
    @R1W Choosing "Shut down" does - by default - not really shut down the machine on Windows. You have to hold the SHIFT key while clicking "Shut down". Commented Sep 14, 2019 at 20:26
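
The causes raised in the answer and comments above (hibernation or fast startup, and a clock corrected after boot) can be checked on an affected workstation with one PowerShell function. This is an added example, not part of the original thread: the function name `Get-BootTimeDiagnostics` is hypothetical, and the boot type meanings noted in the comments are an assumption to confirm on your Windows build.

```powershell
# Added example: collect what is needed to explain a mismatch between
# "last boot time" and the uptime a monitoring tool (AV, SIEM) reports.
function Get-BootTimeDiagnostics {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Fast startup setting: 1 means a plain "Shut down" hibernates the kernel
    # session instead of doing a full shutdown.
    $power = Get-ItemProperty `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power' `
        -Name HiberbootEnabled -ErrorAction SilentlyContinue

    # Kernel-Boot event 27 logs "The boot type was 0x..." for each start.
    # Assumed meanings: 0x0 full boot, 0x1 fast startup, 0x2 resume from hibernation.
    $bootEvents = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kernel-Boot'
        Id           = 27
    } -MaxEvents 5 -ErrorAction SilentlyContinue

    # Kernel-General event 1 logs every change of the system time. A large jump
    # shortly after boot matches the "clock corrected through NTP" scenario.
    $timeChanges = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kernel-General'
        Id           = 1
        StartTime    = $os.LastBootUpTime
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Now                  = $os.LocalDateTime
        LastBootUpTime       = $os.LastBootUpTime
        NowMinusBoot         = $os.LocalDateTime - $os.LastBootUpTime
        FastStartupEnabled   = ($power.HiberbootEnabled -eq 1)
        RecentBootTypes      = $bootEvents | Select-Object TimeCreated, Message
        TimeChangesSinceBoot = ($timeChanges | Measure-Object).Count
        LatestTimeChanges    = $timeChanges | Select-Object -First 3 TimeCreated, Message
    }
}

# Run locally on the workstation and compare with what the dashboard shows.
Get-BootTimeDiagnostics | Format-List
```

Compare `LastBootUpTime` and `NowMinusBoot` with the values the AV or SIEM console displays for the same host to see which side is counting differently.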
