Error: "Security Risk Found! Hosts File Change in File: c:\windows\system32\svchost.exe by: SONAR scan"
|Article:TECH164391|||||Created: 2011-07-12|||||Updated: 2012-04-24|||||Article URL http://www.symantec.com/docs/TECH164391|
SONAR detects svchost.exe as the process causing Hosts File Change Security Risk. Users may see screen prompts or the event may be logged in the Proactive Threat Protection Logs.
The following error is written to the Windows System Event Log:
"Security Risk Found!
Hosts File Change in File: c:\windows\system32\svchost.exe by: SONAR scan"
This behavior happens when the SEP client Virus and Spyware Protection policy has been modified to log hosts file changes detected by SONAR. hosts file change detections are logged as an error in the System Event Log. It is not possible to change the severity of the log entry created by SONAR for this event type. The default Virus and Spyware Protection policy is configured to ignore Hosts file changes.
Note: The High Security Virus and Spyware policy that ships with the product is configured to block both DNS and Host File Changes.
SEP 12.1 Release Update 1 (RU1) Maintenance Patch 1 (MP1) added a new exclusion category: DNS or Host File Change Exception. This exclusion will prevent SONAR from taking any action on applications that have been excluded from these detections.
Use one of the following methods to prevent these messages:
- For 12.1 RU1 MP1 and above clients, Create a DNS or Host File Change Exception for svchost.exe or other applications that are expected to make changes to the Windows host file or DNS.
- Use the default System Change Detection settings in the Virus and Spyware Protection Policy.
- Ignore errors for applications that are expected to make changes to the Windows hosts file or DNS.
Article URL http://www.symantec.com/docs/TECH164391