There's a number of questions that can come up with this.
1.) Do you have any custom definitions? (we're had some custom defs that we made that we didn't code the reboot supression properly and the patch itself rebooted the machines)
2.) Are you 100% sure that the security scan is using the agentbehavior settings that you believe it to be using? (its possible that the security scan is using a different agentbehavior than expected)
3.) Are you 100% sure its landesk causing the reboots? (Its always possible that something else could be doing this. AV sotware is usually a suspect in cases such as this.)
The best thing to answer most of the above questions is going to be to get a vulscan log that actually shows the reboot in question. Any time a security scan causes a reboot it will be indicated in the corresponding vulscan log files. (match the time of the event to the modified date of the vulscan log) This can be tricky to capture if too much time passes after it happens, since these log files do eventually get written over. There about 10 of them, so depending on the frequency of security scans will determine how much time one has to get back to a machine to take a look at what exactly happened at the time.
There is also a setting that if no one is logged into the machine then go ahead and reboot. We use this setting in our environment, since it improves patch compliance, and if no user is logged in there's no real reason (in our environment) not to go ahead with the reboot. Make sure this is not checked if you don't want reboots happening at all. Beyond this, if you have it set to wait for user response, just be careful with the timer bit. There should be a time out value that might be expiring and so its rebooting anyway wih lack of user repsonse.
You might want to post the vulscan log if you are having issues interpreting any of it.
Hope this is helpful.
Hi - thanks for the reply
Yes - we do have some custom definitions, the majority of which do not require a reboot after install normally anyway. Additionally, the ones that do (in fact all custom definitions) have been in place in our live production scan group for some time now, & have all been installed on most of the pc's in question.
We haven't made any recent updates to the Antivirus that would require a restart as far as I am aware... not 100% sure it is Landesk, but I can say that we didn't see this happen prior to having landesk in our environment, since we weren't pushing out updates from behind the scenes to pc's before this.
We also haven't set the opption for a timer / countdown to reboot, so that shouldn't be the cause.
I am waiting for the next time I see this happen so I can try to grab some log files to examine.