Endpoint Protection


SONAR Configuration for Host File change

Migration User | Sep 05, 2013 10:10 PM

  • 1.  SONAR Configuration for Host File change

    Posted Sep 05, 2013 06:30 AM

    On our SEPM, under SONAR settings

    DNS change = log

    HOST FILE change = log


    Result: we keep receiving single risk notifications for Microsoft svchost.exe and other applications.

    Question: is the hosts file SONAR is referring to the one in C:\Windows\System32\drivers\etc?

    Or is there any other hosts file location?




  • 2.  RE: SONAR Configuration for Host File change

    Posted Sep 05, 2013 06:35 AM

    - What SEP/SEPM versions are running?

    - Correct, the hosts file is the one from C:\Windows\System32\drivers\etc

    - Have a look at the following KB for the svchost.exe notifications:

    Error: "Security Risk Found! Hosts File Change in File: c:\windows\system32\svchost.exe by: SONAR scan"

    Article: TECH164391  |  Created: 2011-07-12  |  Updated: 2012-04-24  |  Article URL: http://www.symantec.com/docs/TECH164391




  • 3.  RE: SONAR Configuration for Host File change

    Posted Sep 05, 2013 06:40 AM

    It should be from your Application and Device Control?

    Hardening Symantec Endpoint Protection (SEP) with an Application and Device Control Policy to increase security


    http://www.symantec.com/business/support/index?page=content&id=TECH132337




  • 4.  RE: SONAR Configuration for Host File change

    Trusted Advisor
    Posted Sep 05, 2013 06:51 AM

    Hello,

    What version of SEP are you running?

    Check these Articles:

    Error: "Security Risk Found! Hosts File Change in File: c:\windows\system32\svchost.exe by: SONAR scan"

    http://www.symantec.com/docs/TECH164391

    Symantec Endpoint Protection 12.1: Blocked System Change Events produce unexpected messages

    http://www.symantec.com/docs/TECH161646

    Creating an DNS or Host File Change Exception in Symantec Endpoint Protection Manager 12.1 RU1 MP1 and above.

    https://www-secure.symantec.com/connect/articles/creating-dns-or-host-file-change-exception-symantec-endpoint-protection-manager-121-ru1-mp1

    Hope that helps!!



  • 5.  RE: SONAR Configuration for Host File change

    Posted Sep 05, 2013 07:09 AM

    Hi All,


    Thanks for the prompt reply.

    We are running 12.1 RU3. If that's the location it's pertaining to, does it mean that my svchost.exe or chrome.exe changed my hosts file, and that's why I received a single risk notification? Even my backup application has been detected as a single risk. Is there a way for me to check how this application changed something in my hosts file?


    Hi Rafeeq,


    It's under SONAR settings, because if I check my SONAR logs on Monitors, those detected applications will be listed down there.



  • 6.  RE: SONAR Configuration for Host File change

    Posted Sep 05, 2013 08:35 AM

    This is likely harmless as the backup location may just be trying to open/read the HOSTS file. The only way would be to take a backup and then do a compare between the two files.

    You could also use a tool like procmon to see what reads/writes the application is attempting.
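One way to do the compare described above, as an added example that is not from the thread or from Symantec: a small Python script that parses a saved copy of the hosts file and the current one and reports which name-to-address mappings were added, removed or changed, ignoring comments and whitespace so that a cosmetic rewrite (which still trips a file-change detection) is distinguishable from a real redirect. The sample hosts contents and the file path handling are constructed for illustration.

```python
# Added example: semantic diff of two copies of a Windows hosts file.
# Not from the thread or from Symantec; sample contents are constructed.
import hashlib
from pathlib import Path


def parse_hosts(text: str) -> dict[str, set[str]]:
    """Map each hostname (lower-cased) to the set of addresses listed for it.
    Comments (# ...) and blank lines are dropped, so edits that only touch
    comments or whitespace produce no difference here."""
    mapping: dict[str, set[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only, or an address with no name
        addr, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), set()).add(addr)
    return mapping


def diff_hosts(baseline: str, current: str) -> dict[str, dict]:
    """Return names added, removed, or re-pointed between the two copies."""
    old, new = parse_hosts(baseline), parse_hosts(current)
    return {
        "added": {n: new[n] for n in new.keys() - old.keys()},
        "removed": {n: old[n] for n in old.keys() - new.keys()},
        "changed": {n: (old[n], new[n]) for n in old.keys() & new.keys()
                    if old[n] != new[n]},
    }


def file_digest(path: str) -> str:
    """SHA-256 of the file bytes; a cheap first check before parsing.
    On Windows the live file is C:\\Windows\\System32\\drivers\\etc\\hosts."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


# Constructed sample: the copy taken earlier and the copy taken after an alert.
BASELINE = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
"""
CURRENT = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         example.test      # constructed entry, not a real indicator
10.0.0.5        localhost         # constructed: localhost re-pointed
"""

if __name__ == "__main__":
    for kind, entries in diff_hosts(BASELINE, CURRENT).items():
        print(kind, entries)
```

If the digest differs but `diff_hosts` reports nothing, the change was cosmetic (comments, whitespace, line endings); SONAR still sees a write, which is the kind of event the thread's exception articles are meant to cover.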



  • 7.  RE: SONAR Configuration for Host File change

    Broadcom Employee
    Posted Sep 05, 2013 10:56 AM

    Hi,

    Thank you for posting in Symantec community.

    I would be glad to answer your query.

    Question: is the hosts file SONAR is referring to the one in C:\Windows\System32\drivers\etc?

    --> Yes, that's the correct location.

    Or is there any other hosts file location?

    --> No, there is not any other hosts file location.

    Check this article: Creating an DNS or Host File Change Exception in Symantec Endpoint Protection Manager 12.1 RU1 MP1 and above.

    http://www.symantec.com/docs/TECH194108



  • 8.  RE: SONAR Configuration for Host File change

    Posted Sep 05, 2013 09:42 PM

    Hi Brian,


    SONAR will create a risk log only if the application made changes to the hosts/DNS file, right? But if it only opens/reads it, will it still create a log?



  • 9.  RE: SONAR Configuration for Host File change

    Posted Sep 05, 2013 09:47 PM

    It should only happen if a "change" of some sort is detected.



  • 10.  RE: SONAR Configuration for Host File change

    Posted Sep 05, 2013 10:10 PM

    dllhost.exe is related to the hosts file, correct?



  • 11.  RE: SONAR Configuration for Host File change

    Posted Sep 05, 2013 10:38 PM

    svchost.exe is. Check here:

    http://www.symantec.com/docs/TECH164391



  • 12.  RE: SONAR Configuration for Host File change

    Posted Sep 06, 2013 01:45 AM

    If svchost.exe is changing my hosts file, then why is my hosts file's modified date still 2009 and never changes?



  • 13.  RE: SONAR Configuration for Host File change

    Posted Oct 09, 2013 03:28 AM

    I excluded svchost.exe for the nth time using DNS and host file change, but it's still the same. I still receive notifications.