
Question about ccSvcHst.exe trying to launch old or missing stuff

Created: 20 Aug 2013 • Updated: 20 Aug 2013 | 9 comments

Hoping some folks with intense and deep SEP knowledge can give an idea or two. Possibly no real solution, but out of ideas on where to look for this one. It's like a ghost of the past - and I've spent hours searching for the source.
I'm hoping a real technical guru like sav2sep or whoever sees this and knows...... it's driving me bonkers trying to find the source of this.

Here's the scenario - Windows 7 32bit OS on a desktop computer (actually 3 or 4, but one will suffice). So we have what I believe to be the latest SEP installed, Windows 7 32 bit OS on desktop computer(s) so that's laid out right up front. This is not a server nor a SEPM issue, etc. but right on the workstation this is happening, and it's not just an isolated case, but has become annoying, bothersome, etc. lately.

Some helpful staff tried to help another staff member who wanted a countdown timer on their computer. This person will retire in a few months and it's a fun tradition to have such a countdown on the desktop (ok, not business related, not even helpful to productivity, but it makes them feel good)
In attempting to get such a thing installed, the install file was downloaded (I believe from CNET) and upon launch, it went into installing the countdown timer, but also installed Default Tab, Web Cake and one other nifty adware annoyance shoved down our throats by unscrupulous folks. I alerted the helpful staff to what had happened, what "they had done" (unknowingly) and they uninstalled the parts they were aware of. I manually deleted "Default Tab" and one other piece of !@#%$ from the computer. Good, that's gone. I purged the registry based on information gathered from other security sites, other malware killer companies and it seemed clean.

Ah, so what's the question? ccSvcHst.exe constantly is attempting to launch processes that were once related to those adware #$@% items (I can't say in a family public forum what I really feel about such scum but you probably get the idea - a nice stark dark cell for a few years would be just reward, I believe)

I'd like to find out why - what is telling ccSvcHst.exe to keep trying to launch those products or processes - they are gone, they exist no more. Like Monty Python's parrot - they are ex-software. They've gone to that great bit-bucket - yet SEP's ccSvcHst.exe is filling the logs in the application control where it's attempting to launch or run those processes.

Oh, the reason it's showing in the logs - after I found the mess the helpful folks unknowingly made, I created RULES in SEP's application control to BLOCK any attempt to read, create or launch any files associated with Default Tab and Web Cake in any related folders. So this cannot possibly happen in the future - at least for those junkware @#$%@#$ it can't happen. So, when ccSvcHst.exe tries to access and launch said files, it's logged.

But please read this - these files don't exist. The folders are gone, the files are gone, all traces are gone - EXCEPT the trace telling ccSvcHst.exe to launch the processes!

So the question is - what is telling ccSvcHst.exe to find and launch those processes?

Isn't - very simply speaking -  ccSvcHst SEP's counterpart to Microsoft's service launcher? Windows reads the registry to know what to launch. What does SEP read?



.Brian's picture

Have you tried using ProcMon to filter specifically on ccsvchst?

This all sounds pretty fishy to me.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

ShadowsPapa's picture

No haven't tried that as I'm trying first to resolve remotely and not have to go to the computer and take it away from the user. It's working fine otherwise. Fishy, I'd agree, EXCEPT, this exact same thing is happening on 2 other computers.

In those cases, users clicked a link to install Adobe Acrobat Reader (DUH, the silly folks already HAVE it on their computers!) - but they see a link, therefore they must click it. Well, such installs do go to the Program Files folder where they do not have rights. So the installs failed.

I found what they were trying to do and thwarted by removing the install files and cleaning up and suggesting "please don't do that any more".

From that point on, ccSvcHst.exe has been going to the TEMP and other areas trying to launch files associated with that failed install. It would appear that if an install fails, or is blocked or otherwise stopped and you remove the remnants of the attempt, ccSvcHst simply will not give up! It will not take no for an answer so the logs are quickly filling with ccSvcHst.exe attempting to continue installations or launch installations that have been blocked, that have failed for various reasons, or where there was clean-up that was not a clean uninstall (there's no clean uninstall for some adware, and a failed Adobe install is not complete so there's no uninstall string, you remove the files manually)

So I need to find out what is telling ccSvcHst to try to run these install files. My big question - where does ccSvcHst get its marching orders - WHAT in Windoze tells SEP's ccSvcHst to go get the files from where they USED to be, and should still be, and run them. They aren't there, but SEP sees the ccSvcHst trying to access the files and logs the attempt. The files do not exist, the folders do not exist, yet something inside of Windows is telling it - "go get 'em and finish the job".

See I'd suspect fowl play (or foul play really - it's fishy, not birdy) if it was only the adware stuff it wanted to install or launch, but no, it's Acrobat Reader, a normally legit (if not unsafe and cumbersome bloated app, but that's another topic) so I can't say it's fishy, birdy, or anything other than normal - ccSvcHst is being told by something somewhere to get and run the files - files I deleted in the case of the Acrobat Reader install - I manually removed the files from the TEMP folders on those two computers, but the svchst still over a week later is trying to run them!

~~How can I make it stop trying - what do I delete, flush, purge, edit or change to get it to stop the install efforts on files that have not existed for a week. ~~

greg12's picture

Just a wild guess, but perhaps for whatever reasons the computers are still trying to download the adware or parts of it. Since the access to the files is forbidden by your application control rule, it is not possible to download the files because it is not allowed to create a temporary file.

So SEP (ccSvcHst) continues to prevent downloads and is producing log entries even without visible adware files in the file system.

However, to check if there are really no remnants you should use Symantec PowerEraser or specialized third party tools such as AdwCleaner or Malwarebytes.

ShadowsPapa's picture

Please read the details included in my post - I explain how there are multiple examples and you should totally ignore the thought that it's malware - it was adware, and further, it's on multiple computers - and it's the ADOBE ACROBAT READER INSTALLER in some of those cases.  You should know that actually the SEP service provider is ccSvcHst - it's SEP doing the attempted launch of the exe files or processes. ccSvcHst is not SEP's detection engine. It's not detecting, it's launching.

Alas, I'm afraid that only advanced SEP users and administrators will be able to be of much help..........

SEP service host appears to take the place of, or runs in conjunction with Windows service host. SEP is actually the entity that is trying to run the install files.

As I stated, in the one computer it's Web Cake and such, but on TWO others, it's not malware at all, but Adobe Acrobat Reader. Users can't install it because 1 - it's already installed, and 2 - it installs to the Program Files folder and they are not computer administrators. They have no install rights to programs that FOLLOW THE RULES.  So even with NO SEP at all, the Adobe install would fail. However, I blocked any and all attempts to even GET the file with a rule. So SEP is actually attempting to do the install. There's no malware involved here. ANYONE can duplicate this without much trouble if you wish to see some weird SEP stuff in action.

What I need to know is how SEP's ccSvcHst.exe gets its orders or commands to run or launch a process?

Where is there a registry entry or file telling SEP's svchst to go run the Adobe installer?

Pick any installer or EXE file you wish - create a rule in the app control rules to prevent that file, exe or installer from being launched. Watch the logs - you may be quite surprised! It's SEP.

Why? What is telling SEP to run the install?
The log details state as shown below - PLEASE READ VERY CAREFULLY - and know that -
the TARGET FILE NO LONGER EXISTS!
IT HAS BEEN GONE, deleted, for OVER A WEEK.
But SEP's service host is trying to get and run it.
Please - be sure to look at the DETAILS here -

svchst-access.png

Seyad's picture

When you create an Application Control rule to block a process launch, SEP will block it only when the process is launched (by a user or by another process). SEP is not going to block it until the process is launched (by a user or by another process).

Application control does not search for a process (before the process is launched) and launch it and then block it.

Something in the affected machine is still trying to launch those XYZ processes and SEP is blocking it as you have set it to.

That's it.

ShadowsPapa's picture

Yes, the SEP ccSvcHst is the one doing the launching -

In fact with all other log events, the actual process doing the launching is listed - explorer, Outlook.exe, Word.exe and so on, and in this case, SEP's own service host process is the process doing the deed. The other file is the target file.

There is no other process doing the launching, otherwise SEP would correctly report, for example, explorer.exe or windows svchst.exe and so on.

ccSvcHst if you check the purpose, launches services and processes. Why it is still trying on this I do not know.

Seyad's picture

In that case the possibility is that the XYZ file might be an infection/infected and SEP (ccsvchst.exe) is trying to delete/clean (modify) the XYZ file. But the AC rule is set to block any process and so it might be blocking the ccsvchst.exe as well.

You should try adding the ccsvchst.exe in the "do not apply this rule to the following process" list in the AC rule and then see if you are getting an entry in the risk log about cleaning/deleting the XYZ file.

#ADDED#

It is also possible that Auto-Protect is being blocked from READING (as in the screenshot) the file to perform a real-time scan when this XYZ file is being accessed by another process. You may check this by temporarily disabling the auto-protect and then checking the control log. But it's not a good idea to disable auto-protect when the computer might be infected.

ShadowsPapa's picture

Please go back to the first post and read the details then below and see if you still feel that you have the answer. SEP reports when a process attempts to read, delete, create or launch another file or process depending on the settings chosen. The process in this case is ccSvcHst, it is trying to access those files - the targets are files that are long gone. They do not exist. SEP is not trying to access OTHER files that have been deleted, removed or uninstalled over the years, so why is it trying to get to these files - for any purpose at all, when Windows says they are gone. It's being blocked so can't even read them, but if it wasn't blocked, it could not read them as they don't exist. And again, sorry if it looks blunt, but it seems that for some reason people don't see the clues or details I post - the files do not exist, and in the case of two computers they are legit Adobe files, not adware or malware, etc. The files AND the folders are GONE in some cases. How can it try to go read or do anything with that which does not exist?

First the files are GONE - DELETED, they do not even exist.
In the case of the one with ADWARE, it was not an infection, it was an unwanted app, the whole folder structure is GONE - ALL of it. I probably should have never mentioned that they were adware as now everyone will be stuck in that thought and totally ignore that the same thing is happening with Adobe Acrobat install files. When someone tries to install something they should not, we delete the install files, clean up what they did, and then block so it can't happen again. SEP doesn't know the files are gone - so why is it trying to get to files that are gone, in folders that are gone?

Second, the other 2 computers were attempting installs of a VALID ADOBE READER INSTALL FILE. There is no infection. There never was an infection. The files came from an Adobe link.  I checked the web history.  This has been going on for over a week. The computers have been fully scanned multiple times, checked with other products, are clean, have been REBOOTED, there is no infection, there is no file to launch.

ccSvcHst is listed as the process attempting to access the files - files that do not exist. That's the part that bothers me. The entire structure is gone, the files are gone, there's nothing to access, nothing to read. ccSvcHst is apparently the "SEP master service", that's pretty inclusive really, what's it trying to do, and why is it trying to get to something that has been gone for days, computers rebooted and other users logged in to them?

greg12's picture

I was able to duplicate your issue, however in my testing environment (12.1.1, XP SP3, Adobe Reader installing from internet) ccSvcHst (caller) tried to read (not "run"!) the non-existent target (Adobe Reader installer) only once.

I used an ADC rule such as [AC8], without the SEP exceptions but with logging of read attempts. 

The phenomenon may have something to do with scans (scheduled or on demand). Every time a scan is running and reading a file that is covered by an ADC rule such as yours, ccSvcHst.exe will be written as caller process into the control log. With Auto-Protect, however, the "real" launcher (such as Windows Explorer) is logged into the control log. I would check the logs if there is a connection with scans.

Of course, that does not explain why ccSvcHst.exe gets the order to access non-existent (GONE, DELETED) files. So I cannot help you -- but perhaps you have something to think about.

BTW, would be interesting to see your ADC rule.
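
The scan-correlation check suggested in the reply above can be done offline once the control log and the scan log are exported. The following is an added example, not part of the original thread and not Symantec code: the CSV column names, timestamps and file paths are constructed sample data, and a real SEP export would have to be mapped onto them. It splits the ccSvcHst.exe entries into those that fall inside a scan window (consistent with the scan hypothesis) and those that do not (the ones still needing an explanation, for example via ProcMon).

```python
import csv
import io
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample exports; the column layout is an assumption, not SEP's format.
CONTROL_LOG = r"""time,caller,action,target
2013-08-19 12:00:41,ccSvcHst.exe,File Read,C:\Users\u1\AppData\Local\Temp\reader_setup.exe
2013-08-19 12:03:10,ccSvcHst.exe,File Read,C:\Users\u1\AppData\Local\Temp\reader_setup.exe
2013-08-19 15:22:05,explorer.exe,Launch Process,C:\Users\u1\Downloads\setup.exe
2013-08-20 09:47:30,ccSvcHst.exe,File Read,C:\Users\u1\AppData\Local\Temp\reader_setup.exe
"""
SCAN_LOG = """started,finished
2013-08-19 12:00:00,2013-08-19 12:25:00
2013-08-20 12:00:00,2013-08-20 12:20:00
"""

def correlate(control_csv, scan_csv, caller="ccsvchst.exe",
              slack=timedelta(minutes=1)):
    """Split control-log entries for `caller` by whether they fall in a scan window.

    `slack` widens each window to absorb clock and logging skew.
    Returns (in_scan, outside) as lists of (time, action, target) tuples.
    """
    scans = [(datetime.strptime(r["started"], FMT) - slack,
              datetime.strptime(r["finished"], FMT) + slack)
             for r in csv.DictReader(io.StringIO(scan_csv))]
    in_scan, outside = [], []
    for row in csv.DictReader(io.StringIO(control_csv)):
        if row["caller"].lower() != caller:
            continue  # only the caller under investigation
        when = datetime.strptime(row["time"], FMT)
        hit = any(start <= when <= end for start, end in scans)
        (in_scan if hit else outside).append((when, row["action"], row["target"]))
    return in_scan, outside

if __name__ == "__main__":
    matched, unexplained = correlate(CONTROL_LOG, SCAN_LOG)
    print(f"{len(matched)} entries during scans, {len(unexplained)} outside")
    for when, action, target in unexplained:
        print("not explained by a scan:", when, action, target)
```

If every ccSvcHst.exe entry lands inside a scan window, the log noise tracks scanning activity; entries outside any window point to some other trigger.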