The start type of the NimBUS Robot watcher service was changed from auto to disabled.
search cancel

The start type of the NimBUS Robot watcher service was changed from auto to disabled.

book

Article ID: 396141

calendar_today

Updated On:

Products

DX Unified Infrastructure Management (Nimsoft / UIM) CA Unified Infrastructure Management On-Premise (Nimsoft / UIM) CA Unified Infrastructure Management SaaS (Nimsoft / UIM)

Issue/Introduction

Hub went down due to this event but little to no evidence of the root cause was found. A number of robots went down as well.

Environment

  • DX UIM 23.4.3 
  • Hub 23.4.3
  • robot 23.4.3

Resolution

  • Please have the security team that is responsible for AV/scanning systems checks to make sure that ALL Nimsoft programs are still being excluded as per the current AV/scan configuration.

  • If and when the Anti-Virus Scan/Crowd Strike was updated/patched, its possible that the configuration was overwritten and the AV exclude rules are no longer in place - therefore please have the proper team check.

  • No instances of event id 7040 (The start type of the NimBUS Robot watcher service was changed from automatic to disabled), nor event 4688 (new process has been created) were found in a lab environment running the same versions.

  • Event ID 7040 in Windows, typically associated with Microsoft-Windows-Search, indicates a change in the search indexing service. It could involve a new index being created, or an existing index being rebuilt.

  • This event is also linked to MITRE ATT&CKĀ®'s Service Data Source DS0019, which can capture changes to service startup behavior. 

  • Try running a full AV scan on both the PROD and DEV servers.

Additional Information

This article on setting up the Windows scheduler to startup the Nimsoft Robot Watcher Service after 5 minutes may alleviate this issue:
Set the UIM Robot Watcher service startup delay to 5 mins after the OS is started

Powered by Wolken Software