I'm trying to understand what happened recently where this command ran on a desktop "sc.exe start ElasticEndpoint restarted"
We also use SentinelOne, and SentinelOne detected that activity as malicious, so I'm trying to figure how to exclude this and prevent others from experiencing a random reboot.
The command "sc.exe start ElasticEndpoint restarted" would have been executed by the service control manager as a configured service recovery action, almost certainly as the result of the ElasticEndpoint service having crashed. This action restarts the Elastic Endpoint service to attempt to restore it to a functioning state. The action is not malicious.
However, it's concerning that the Endpoint crashed and needed to be restarted. We attempt to ensure that a crash dump file is produced if we crash, and it's likely you'd find a .dmp file either in c:\Program Files\Elastic\Endpoint\cache\CrashDumps\ or c:\Program Files\Elastic\Endpoint\cache\. If you'd be willing to share that crash dump with us, it's possible we could determine why our Endpoint service crashed. If you'd be willing to do that, please message me directly and I can provide you with a mechanism to securely share the file.
Ben,
I reviewed the dump file which was about 500MB.
It looks like SentinelOne was probably the cause of the problem and I just needed to add the executable hash to the list of exclusions.
Thanks for pointing me in the right direction.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.