FWIW,
We have found that the most common service that trips SONAR's "System Change Events" policy feature (particulary the changing of 'Host file') are VPN setups. Our environment currently uses a Juniper solution and anytime a full vpn session is initiated (as opposed to a web-proxy session), SEP will complain about "svchost.exe".
Tying it to our VPN client took us a little while to figure out since "svchost" mitigates a lot of network connectivity actions on Windows boxes (its akin to initd keeping track of services on unix boxes). So we had to compare local event logs with the SEP event times; discovering that Juniper VPN does, in fact, modify the local host file.
See http://www.symantec.com/business/support/index?page=content&id=TECH162189
Mind you, this didn't affect the VPN connections at all; probably since we just log the action and don't prevent it. However, we did have to re-evaluate our client notification settings so as to not scare our users. But we did still want to know about these occurences, so permit w/ logging and disabled notifications was the most productive compromise we could come up with.
Valid or not, svchost does change the system hosts file and SONAR will flag it as designed. This feature seems geared to more locked-down clients/environments.
The other reason why we've seen "blocked svchost" is because we have a FW rule blocking certain network services, in particular RDP. Whenever an RDP request that falls outside our allowed criteria hits the client, SEP blocks 'svchost' from making that connection. Fortunately, the SEP client traffic logs will actually indicate the FW rule it triggered, which is descriptively named. Unfortunately, however, the systray notification still just says 'svchost blocked'.
It would be more useful if the notification/detection points to the actual process/service that asked svchost to do an unacceptable action; but I imagine that requires a much trickier hook that has to be sanctioned by MS.