
SEP 12.1: False Positive? Microsoft Windows Operating System

Created: 28 Mar 2013 | 6 comments
MIXIT

Been getting a lot of these on Windows 7 systems, and wondering what to do about them.  I'm not super keen on just blindly excluding svchost.exe from scans, and Insight is supposed to properly exclude the file anyway, yet it's still finding reasons to flag about a dozen occurrences a day on one PC at least.

Can anybody help?  Thank you. 

Here are the details:

Risk Information

Downloaded or created by:  
File or path: c:\windows\system32\svchost.exe  
Application: Microsoft® Windows® Operating System
Application type: System Change Host file
Category set:  
Category type: System Change
Version: 6.1.7600.16385
File size: 20992
Hash: N/A
Hash algorithm: SHA-256
Company: Microsoft Corporation

Risk Detection

Date found: 03/28/2013 01:28:46
Actual action: Left alone
Specified primary action: Leave alone (log only)
Specified secondary action: Leave alone (log only)
Detection source: SONAR
Risk detection method: Other
URL tracking: Off
Operating Systems:

Comments (6)

.Brian

Look at this thread as it is the same thing:

https://www-secure.symantec.com/connect/forums/son...

This is coming from the SONAR component.

You can create a HOSTS file exception per this KB article as long as you're on 12.1 RU MP1 or higher

https://www.symantec.com/business/support/index?pa...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

MIXIT

SEPM is 12.1.1000.xxx.  I'll read those two links Brian81, but I must be misunderstanding something.  HOSTS is a file that has nothing to do with svchost.exe, or not directly at least.  Yet I often have heard reference to this: each time there is a mention of this false positive with svchost.exe, people say it relates to DNS or HOSTS.  Are people confusing the HOSTS file with a file with a similar name, svchost.exe, or is there something I'm missing altogether?

Just the same, I'm going to take your info and read it thoroughly.  Also am going to update to 12.1.2.x, probably today as well.

Will post back again soon. 

.Brian

svchost.exe is the Windows process that is changing the HOSTS file. This is normal behaviour which is monitored by SEP because it is configured to do so.

http://www.symantec.com/business/support/index?pag...


Mithun Sanghavi

Hello,

Check these Articles - 

Symantec Endpoint Protection 12.1: Manager Risk distribution summary report lists "Microsoft Windows Operating System" as a risk name

http://www.symantec.com/docs/TECH161493

Error: "Security Risk Found! Hosts File Change in File: c:\windows\system32\svchost.exe by: SONAR scan"

http://www.symantec.com/docs/TECH164391

Creating a DNS or Host File Change Exception in Symantec Endpoint Protection Manager 12.1 RU1 MP1 and above.

http://www.symantec.com/docs/TECH194108

Symantec Endpoint Protection 12.1 SONAR - Proactive Threat Protection or Download Insight False Positive Corrections

http://www.symantec.com/docs/TECH168849

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

vickg

FWIW,

We have found that the most common service that trips SONAR's "System Change Events" policy feature (particularly the changing of 'Host file') is VPN setups.  Our environment currently uses a Juniper solution, and anytime a full VPN session is initiated (as opposed to a web-proxy session), SEP will complain about "svchost.exe".

Tying it to our VPN client took us a little while to figure out, since "svchost" mitigates a lot of network connectivity actions on Windows boxes (it's akin to initd keeping track of services on Unix boxes).  So we had to compare local event logs with the SEP event times, discovering that Juniper VPN does, in fact, modify the local hosts file.

See http://www.symantec.com/business/support/index?pag...  

Mind you, this didn't affect the VPN connections at all, probably since we just log the action and don't prevent it.  However, we did have to re-evaluate our client notification settings so as to not scare our users.  But we did still want to know about these occurrences, so permit with logging and disabled notifications was the most productive compromise we could come up with.

Valid or not, svchost does change the system hosts file and SONAR will flag it as designed.  This feature seems geared to more locked-down clients/environments.

The other reason why we've seen "blocked svchost" is because we have a FW rule blocking certain network services, in particular RDP.  Whenever an RDP request that falls outside our allowed criteria hits the client, SEP blocks 'svchost' from making that connection.  Fortunately, the SEP client traffic logs will actually indicate the FW rule it triggered, which is descriptively named.  Unfortunately, however, the systray notification still just says 'svchost blocked'.  

It would be more useful if the notification/detection points to the actual process/service that asked svchost to do an unacceptable action; but I imagine that requires a much trickier hook that has to be sanctioned by MS.
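The posts above make two points worth turning into a check: SONAR flags any write to the hosts file and attributes it to svchost.exe because the writing service runs inside that host process, and the useful triage question is not "who wrote it" but "what changed". The script below is an added example written for this page, not code from the thread or from Symantec. It parses a Windows hosts file, diffs it against a known-good copy, and sorts each new entry into benign (an internal name pointing at an RFC 1918 address, the VPN-client case vickg describes), review (a name now resolving to an external address) or hijack (an update or security-vendor name pinned anywhere at all, the classic way malware blocks definition updates). The sample baseline and current files are constructed, the watchlist of vendor domains is an assumption for illustration, and the documentation address 198.51.100.7 stands in for an arbitrary external host.

```python
"""Triage a SONAR 'Host file change' event by diffing the hosts file.

Added example for this thread; not Symantec code. Sample data is constructed.
On a real endpoint the file lives at %SystemRoot%\\System32\\drivers\\etc\\hosts
and the baseline would come from the golden image or the previous snapshot.
"""
import ipaddress

# Assumed watchlist: names that no legitimate hosts entry should pin. Pointing
# an update/security vendor anywhere (even loopback) is a sinkhole, not a fix.
WATCHLIST = {
    "liveupdate.symantec.com",
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
}

# RFC 1918 spelled out rather than relying on ipaddress.is_private, which also
# treats documentation ranges such as 198.51.100.0/24 as private.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed known-good hosts file (what Windows ships plus nothing else).
BASELINE = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
::1 localhost
"""

# Constructed post-event file: one VPN-style entry and two that should not be there.
CURRENT = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
::1 localhost
10.20.30.40 vpn-gateway.corp.example   # added by a VPN client (constructed)
127.0.0.1 liveupdate.symantec.com      # blocks definition updates (constructed)
198.51.100.7 www.bank.example          # redirect to an external host (constructed)
"""


def parse_hosts(text):
    """Return a set of (ip, hostname) pairs; comments and malformed lines are dropped."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # the resolver ignores unparsable lines too
        for name in names:
            entries.add((str(addr), name.lower()))
    return entries


def diff_hosts(baseline_text, current_text):
    """Return (added, removed) entry lists between two hosts files."""
    base, cur = parse_hosts(baseline_text), parse_hosts(current_text)
    return sorted(cur - base), sorted(base - cur)


def classify(ip, name):
    """Verdict for one new entry: 'hijack', 'benign' or 'review'."""
    addr = ipaddress.ip_address(ip)
    if name in WATCHLIST or any(name.endswith("." + w) for w in WATCHLIST):
        return "hijack"           # vendor name pinned: blocks updates wherever it points
    if addr.is_loopback or addr.is_unspecified:
        return "benign"           # localhost, or a deliberately blocked host (ad lists do this)
    if addr.version == 4 and any(addr in net for net in RFC1918):
        return "benign"           # internal name to internal address: the VPN-client case
    return "review"               # name now resolves to an external address


def triage(baseline_text, current_text):
    """List of (ip, name, verdict) for every difference from the baseline."""
    added, removed = diff_hosts(baseline_text, current_text)
    report = [(ip, name, classify(ip, name)) for ip, name in added]
    report += [(ip, name, "removed") for ip, name in removed]
    return report


if __name__ == "__main__":
    for ip, name, verdict in triage(BASELINE, CURRENT):
        print(f"{verdict:8} {ip:16} {name}")
```

Run against a real endpoint by reading the two files from disk instead of the constructed strings; a "benign" verdict for an entry that appears at the same minute as the SONAR event and the VPN client's own log line is the evidence vickg describes, while a "hijack" verdict is the case where excluding svchost.exe from the System Change policy would have hidden a real infection.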