Endpoint Protection

  • 1.  SEP 12.1: False Positive? Microsoft Windows Operating System

    Posted Mar 28, 2013 04:47 PM

    Been getting a lot of these on Windows 7 systems, and wondering what to do about them.  I'm not super keen on just blindly excluding svchost.exe from scans and Insight is supposed to properly exclude the file anyway, yet it's still finding reasons to flag about a dozen occurrences a day on one PC at least. 

    Can anybody help?  Thank you. 

    Here are the details:

     

    Risk Information
    Downloaded or created by:
    File or path:
    Application:
    Application type:
    Category set:
    Category type:
    Version:
    File size:
    Hash:
    Hash algorithm:
    Company:


     

    Risk Detection
    Date found:
    Actual action:
    Specified primary action:
    Specified secondary action:
    Detection source:
    Risk detection method:
    URL tracking:


     



  • 2.  RE: SEP 12.1: False Positive? Microsoft Windows Operating System

    Posted Mar 28, 2013 04:55 PM

    Look at this thread as it is the same thing:

    https://www-secure.symantec.com/connect/forums/sonar-false-positives-windows-os-components

    This is coming from the SONAR component.

    You can create a HOSTS file exception per this KB article as long as you're on 12.1 RU MP1 or higher

    https://www.symantec.com/business/support/index?page=content&id=TECH194108



  • 3.  RE: SEP 12.1: False Positive? Microsoft Windows Operating System

    Posted Mar 29, 2013 03:29 AM

    Hi

    What is the SEPM Version ?

    Regards

     



  • 4.  RE: SEP 12.1: False Positive? Microsoft Windows Operating System

    Posted Mar 29, 2013 10:40 AM

    SEPM is 12.1.1000.xxx.  I'll read those two links Brian81, but I must be misunderstanding something.  HOSTS is a file that has nothing to do with svchost.exe, or not directly at least.  Yet I often have heard reference to this where each time there is a mention of this false positive with svchost.exe, people say it relates to DNS or HOSTS.  Are people confusing the HOSTS file with a file with a similar name, svchost.exe, or is there something I'm missing altogether? 

    Just the same I'm going to take your info and read it thoroughly.  Also am going to update to 12.1.2.x probably today as well. 

    Will post back again soon. 



  • 5.  RE: SEP 12.1: False Positive? Microsoft Windows Operating System

    Posted Mar 29, 2013 10:49 AM

    svchost.exe is the Windows process that is changing the HOSTS file. This is normal behaviour which is monitored by SEP because it is configured to do so.

    http://www.symantec.com/business/support/index?page=content&id=TECH164391



  • 6.  RE: SEP 12.1: False Positive? Microsoft Windows Operating System

    Posted Mar 29, 2013 02:34 PM

     

    Hello,

    Check these Articles - 

    Symantec Endpoint Protection 12.1: Manager Risk distribution summary report lists "Microsoft Windows Operating System" as a risk name

    http://www.symantec.com/docs/TECH161493

    Error: "Security Risk Found! Hosts File Change in File: c:\windows\system32\svchost.exe by: SONAR scan"

    http://www.symantec.com/docs/TECH164391

    Creating a DNS or Host File Change Exception in Symantec Endpoint Protection Manager 12.1 RU1 MP1 and above.

    http://www.symantec.com/docs/TECH194108

    Symantec Endpoint Protection 12.1 SONAR - Proactive Threat Protection or Download Insight False Positive Corrections

    http://www.symantec.com/docs/TECH168849

    Hope that helps!!



  • 7.  RE: SEP 12.1: False Positive? Microsoft Windows Operating System

    Posted Apr 19, 2013 06:51 PM

    FWIW,

    We have found that the most common service that trips SONAR's "System Change Events" policy feature (particularly the changing of 'Host file') are VPN setups.  Our environment currently uses a Juniper solution and anytime a full VPN session is initiated (as opposed to a web-proxy session), SEP will complain about "svchost.exe".


    Tying it to our VPN client took us a little while to figure out since "svchost" mediates a lot of network connectivity actions on Windows boxes (it's akin to initd keeping track of services on Unix boxes).  So we had to compare local event logs with the SEP event times; discovering that Juniper VPN does, in fact, modify the local host file.

    See http://www.symantec.com/business/support/index?page=content&id=TECH162189  

    Mind you, this didn't affect the VPN connections at all; probably since we just log the action and don't prevent it.  However, we did have to re-evaluate our client notification settings so as to not scare our users.  But we did still want to know about these occurrences, so permit w/ logging and disabled notifications was the most productive compromise we could come up with.

    Valid or not, svchost does change the system hosts file and SONAR will flag it as designed.  This feature seems geared to more locked-down clients/environments.



    The other reason why we've seen "blocked svchost" is because we have a FW rule blocking certain network services, in particular RDP.  Whenever an RDP request that falls outside our allowed criteria hits the client, SEP blocks 'svchost' from making that connection.  Fortunately, the SEP client traffic logs will actually indicate the FW rule it triggered, which is descriptively named.  Unfortunately, however, the systray notification still just says 'svchost blocked'.  


    It would be more useful if the notification/detection points to the actual process/service that asked svchost to do an unacceptable action; but I imagine that requires a much trickier hook that has to be sanctioned by MS.
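The two practical points in this thread are that SONAR only tells you that svchost.exe wrote the hosts file (post 5), and that working out *why* meant lining up SEP event times against other local logs (post 7). The script below is an added example, not code from the thread or from Symantec: it correlates SONAR "Host File Change" detection times with a VPN client's own log within a short time window, then parses the resulting hosts file and flags entries that pin update or AV vendor domains, which is the case a "permit with logging" policy would otherwise let through silently. All log records, hostnames, the `intranet.corp.example` VPN entry and the `PROTECTED_SUFFIXES` list are constructed assumptions for illustration.

```python
"""Added example (not from the thread): triage SONAR 'Host File Change' events
by (1) correlating SEP detection times with the VPN client's own log and
(2) checking what the rewritten hosts file actually contains.
All log lines, hostnames and domain lists below are constructed."""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed SEP client risk-log style records: (time, risk name, process).
SEP_EVENTS = [
    ("2013-04-19 08:02:14", "Host File Change", r"c:\windows\system32\svchost.exe"),
    ("2013-04-19 13:41:09", "Host File Change", r"c:\windows\system32\svchost.exe"),
    ("2013-04-19 17:20:30", "Host File Change", r"c:\windows\system32\svchost.exe"),
]

# Constructed local events (VPN client log / Windows event log extracts).
LOCAL_EVENTS = [
    ("2013-04-19 08:02:11", "vpn", "tunnel established"),
    ("2013-04-19 10:15:00", "vpn", "tunnel closed"),
    ("2013-04-19 13:41:05", "vpn", "tunnel established"),
]


def correlate(sep_events, local_events, window=timedelta(seconds=30)):
    """Pair each SEP detection with the nearest local event inside `window`.

    Returns a list of (sep_event, local_event_or_None). Detections with no
    nearby local explanation are the ones that deserve a closer look.
    """
    pairs = []
    for sep in sep_events:
        t = datetime.strptime(sep[0], FMT)
        best, best_delta = None, window
        for ev in local_events:
            delta = abs(t - datetime.strptime(ev[0], FMT))
            if delta <= best_delta:
                best, best_delta = ev, delta
        pairs.append((sep, best))
    return pairs


def unexplained(pairs):
    """SEP detections that no local event accounts for."""
    return [sep for sep, ev in pairs if ev is None]


# Assumption: a site-specific list of domains that must never be pinned in a
# workstation hosts file (AV and OS update infrastructure).
PROTECTED_SUFFIXES = ("symantec.com", "windowsupdate.com", "microsoft.com")
LOOPBACK = {"127.0.0.1", "::1"}
LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}


def is_protected(name):
    """True if `name` is a protected domain or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def parse_hosts(text):
    """Parse hosts-file text into (ip, hostname) pairs, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, n.lower()) for n in names)
    return entries


def triage_hosts(entries, expected=frozenset()):
    """Classify each entry as 'ok' (loopback/localhost or an expected VPN
    entry), 'alert' (redirects a protected domain) or 'review' (anything else)."""
    report = []
    for ip, name in entries:
        if name in expected or (name in LOCALHOST_NAMES and ip in LOOPBACK):
            verdict = "ok"
        elif is_protected(name):
            verdict = "alert"
        else:
            verdict = "review"
        report.append((ip, name, verdict))
    return report


# Constructed sample hosts file as it might look after the VPN client ran.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
10.10.5.20      intranet.corp.example    # pinned by the VPN client (expected)
127.0.0.1       liveupdate.symantec.com  # update server pointed at loopback
"""
EXPECTED_VPN_HOSTS = frozenset({"intranet.corp.example"})

if __name__ == "__main__":
    for sep, ev in correlate(SEP_EVENTS, LOCAL_EVENTS):
        print(sep[0], sep[1], "<-", ev[2] if ev else "NO LOCAL EXPLANATION")
    for ip, name, verdict in triage_hosts(parse_hosts(SAMPLE_HOSTS), EXPECTED_VPN_HOSTS):
        print(f"{verdict:6} {ip:15} {name}")
```

The correlation step reproduces what post 7 did by hand: two of the three detections line up with a "tunnel established" event a few seconds earlier, the third does not and should be investigated rather than dismissed as "the VPN again". The triage step is the check that a logging-only SONAR policy does not give you: the VPN's own entry is expected, but an entry sending liveupdate.symantec.com to loopback would quietly stop the client updating, so it is reported as an alert regardless of which process wrote it.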