Endpoint Protection

  • 1.  Incorrect answer/reply in forum could cause risk exposure for customers

    Posted May 08, 2013 11:22 AM

    The forum thread at:

    https://www-secure.symantec.com/connect/forums/sep-hardening-policy-protect-symantec-files-and-registry

    the person responding to the original question or query gives incorrect information. The responder indicates that the file in question is a SEP file; it is not.
    It is my opinion that others, lurkers or people seeking an answer to the same question, could end up whitelisting something for the wrong reasons or drop their guard.

    svchost is not the process used by Symantec/SEP as the answer or post in that thread states. That file is the Windows service "host" and if it is the proper file and not compromised in any way - it is the process by which services are launched. Check your "task manager" and you will see svchost is responsible for multiple services and processes, local and network, and it's not SEP doing it.

    SEP has its own version (the use of which I'm not certain, but it's a different host). SEP's file is ccSvcHst.exe - not svchost.exe.

    A person should whitelist only the svchost.exe that runs from %windir%\system32 and no other location.

    They can whitelist ccSvcHst.exe as long as it's running from the proper SEP folder structure.

    Note that svchost can launch not only good Windows services or processes; it could well launch malware disguised as good files or services, so beware.

    Just wanted to indicate that lurkers or viewers should be wary: the info given as fact in that linked thread above is not factual and needs to be taken very carefully, as it could lead to complications otherwise if used "as a matter of fact" to "trust" svchost.exe as a Symantec file - it's not.



  • 2.  RE: Incorrect answer/reply in forum could cause risk exposure for customers

    Posted May 08, 2013 11:27 AM

    Good catch. You may want to send this person a PM about it. You can also send a message to Swathi (https://www-secure.symantec.com/connect/user/turlas). She oversees the Security forums.



  • 3.  RE: Incorrect answer/reply in forum could cause risk exposure for customers

    Trusted Advisor
    Posted May 08, 2013 12:33 PM

    Hello,

    There are actually different versions of this 'svchost.exe' for each different Windows OS available.

    This may vary from say, Windows 7 version: 6.1.7600.16385 to 64bit W2K3 server with version 5.2.3790.3957 etc.

    And for each different version, on each individual Windows OS, there will be many instances of this executable running in the background.

    This can be easily seen within the Task Manager under Processes tab, Image Names column.

    Microsoft does state that: "svchost.exe is a generic host process name for services that run from dynamic-link libraries".

    Therefore I would certainly agree with what you've mentioned: in checking back, some new instances may appear, and to add them to the exceptions list if they are valid & genuine.

    It's possible that with any updates from Microsoft, the 'svchost.exe' has been updated, or replaced, which would likely generate new instances, in relation to the currently used version of the 'svchost.exe'.

    For each updated or replaced 'svchost.exe', the fingerprint, or say the unique hash, of this file would have changed also, you see.

    Hope that helps!!



  • 4.  RE: Incorrect answer/reply in forum could cause risk exposure for customers

    Posted May 08, 2013 02:39 PM

    It's such a generic process it rarely if ever changes. Using a hash for control should be very simple - and not generate excess management overhead.

    For example - which of these Windows 7 files has changed in, say, the last 3 1/2 years?
    (make no mistake - this is an original Windows 7 install that has been kept current with all necessary security patches and updates through time)

    svchst.png

    Yes - people need to know it is a Microsoft product, part of Windows, resides in and runs from a very specific folder, and needs to match a certain size and hash - because look here at what it can do - and the fact it's a local, system and network service host!

    svchst2.png
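The checks the thread relies on (svchost.exe only from %windir%\system32, ccSvcHst.exe only from the SEP folder, and a file hash for the exception entry) as an added PowerShell audit, not code from the thread or from Symantec. It assumes Windows PowerShell 5.1 or later run elevated so every image path is readable; the SEP install folder is a placeholder you must replace with your own deployment's path.

```powershell
# Added example: audit every running svchost.exe and ccSvcHst.exe by image path,
# Authenticode signer and SHA256 hash, so an exception is only added for the
# copy that lives where it should. The SEP path below is a PLACEHOLDER.
# Caveat: on 64-bit Windows a 32-bit svchost.exe may also run from SysWOW64;
# it is left out here to follow the thread's System32-only rule.
$Expected = @{
    'svchost.exe'  = @{ PathPattern = "$env:windir\System32\svchost.exe";           Publisher = 'Microsoft' }
    'ccSvcHst.exe' = @{ PathPattern = "$env:ProgramFiles*\Symantec\Symantec Endpoint Protection\*\ccSvcHst.exe"; Publisher = 'Symantec' }  # placeholder
}

function Get-HostProcessAudit {
    $filter = "Name='svchost.exe' OR Name='ccSvcHst.exe'"
    Get-CimInstance -ClassName Win32_Process -Filter $filter | ForEach-Object {
        $name = $_.Name
        $path = $_.ExecutablePath          # $null if the process could not be inspected
        $rule = $Expected[$name]
        $pathOk = $false; $sigOk = $false; $signer = $null; $hash = $null
        if ($path) {
            # -like without wildcards is an exact, case-insensitive comparison
            $pathOk = $path -like $rule.PathPattern
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $signer = $sig.SignerCertificate.Subject
            $sigOk  = ($sig.Status -eq 'Valid') -and ($signer -like "*$($rule.Publisher)*")
            $hash   = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        }
        # svchost.exe is started as "svchost.exe -k <group>"; record which service group
        $group = $null
        if ($_.CommandLine -match '-k\s+(\S+)') { $group = $Matches[1] }
        $verdict = 'INVESTIGATE'
        if ($pathOk -and $sigOk) { $verdict = 'expected' }
        [pscustomobject]@{
            PID          = $_.ProcessId
            Name         = $name
            Path         = $path
            ServiceGroup = $group
            PathOK       = $pathOk
            SignatureOK  = $sigOk
            Signer       = $signer
            SHA256       = $hash
            Verdict      = $verdict
        }
    }
}

# Anything marked INVESTIGATE runs from the wrong folder or carries the wrong signer;
# the SHA256 column is the value to record for a hash-based exception.
Get-HostProcessAudit | Sort-Object Verdict, Name | Format-Table -AutoSize
```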