
SONAR Configuration for Host File change

Created: 05 Sep 2013 | 12 comments
Rinoa21:

On our SEPM, under SONAR settings

DNS change = log

HOST FILE change = log


Result: we keep receiving Single Risk notifications for Microsoft svchost.exe and other applications.

Question: is the hosts file SONAR is referring to the one in C:\Windows\System32\drivers\etc?

Or is there any other hosts file location?


SebastianZ:

- What SEP/SEPM versions are running?

- Correct, the hosts file is the one in C:\Windows\System32\drivers\etc

- Have a look at the following KB for the svchost.exe notifications:

Error: "Security Risk Found! Hosts File Change in File: c:\windows\system32\svchost.exe by: SONAR scan"

Article:TECH164391  |  Created: 2011-07-12  |  Updated: 2012-04-24  |  Article URL http://www.symantec.com/docs/TECH164391


Rafeeq:

It should be from your Application and Device Control?

Hardening Symantec Endpoint Protection (SEP) with an Application and Device Control Policy to increase security


http://www.symantec.com/business/support/index?page=content&id=TECH132337

Mithun Sanghavi:

Hello,

What version of SEP are you running?

Check these Articles:

Error: "Security Risk Found! Hosts File Change in File: c:\windows\system32\svchost.exe by: SONAR scan"

http://www.symantec.com/docs/TECH164391

Symantec Endpoint Protection 12.1: Blocked System Change Events produce unexpected messages

http://www.symantec.com/docs/TECH161646

Creating an DNS or Host File Change Exception in Symantec Endpoint Protection Manager 12.1 RU1 MP1 and above.

https://www-secure.symantec.com/connect/articles/creating-dns-or-host-file-change-exception-symantec-endpoint-protection-manager-121-ru1-mp1

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Rinoa21:

Hi All,


Thanks for the prompt reply.

We are running 12.1 RU3. If that's the location it's pertaining to, does it mean that my svchost.exe or chrome.exe changed my hosts file, and that's why I received a Single Risk notification? Even my backup application has been detected as a single risk. Is there a way for me to check how this application changed something in my hosts file?


Hi Rafeeq,

It's under SONAR settings, because if I check my SONAR logs on Monitor, those detected applications will be listed there.

.Brian:

This is likely harmless as the backup location may just be trying to open/read the HOSTS file. The only way would be to take a backup and then do a compare between the two files.

You could also use a tool like procmon to see what reads/writes the application is attempting.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.
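The backup-and-compare check suggested above, written out as an added example (not code from the thread or from Symantec): it fingerprints a saved copy of the hosts file against the current contents and lists which name-to-address entries were actually added or removed, so a comment-only edit or a mere read is not mistaken for a redirect. The sample hosts contents are constructed; on a real system the current text would be read from C:\Windows\System32\drivers\etc\hosts.

```python
import hashlib

# Constructed sample contents standing in for a saved backup and the live file.
BASELINE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
)
CHANGED_HOSTS = BASELINE_HOSTS + "127.0.0.1   update.example.com   # constructed extra entry\n"


def parse_hosts(text):
    """Return the set of (ip, hostname) pairs in a hosts file, ignoring comments and blank lines."""
    pairs = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        ip, *names = line.split()
        pairs.update((ip, name.lower()) for name in names)
    return pairs


def fingerprint(text):
    """SHA-256 of the raw text: flips on any byte change, even a comment-only edit."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def diff_hosts(baseline_text, current_text):
    """Compare a saved copy against the current contents.

    'identical' is the byte-level answer; 'added'/'removed' show which resolvable
    entries changed, which is what matters when checking for a hosts-file hijack.
    """
    base, cur = parse_hosts(baseline_text), parse_hosts(current_text)
    return {
        "identical": fingerprint(baseline_text) == fingerprint(current_text),
        "added": cur - base,
        "removed": base - cur,
    }


if __name__ == "__main__":
    result = diff_hosts(BASELINE_HOSTS, CHANGED_HOSTS)
    print("byte-identical:", result["identical"])
    for ip, name in sorted(result["added"]):
        print(f"added entry: {name} -> {ip}")
    for ip, name in sorted(result["removed"]):
        print(f"removed entry: {name} -> {ip}")
```

If `identical` is False but both `added` and `removed` are empty, only whitespace or comments changed; a SONAR hit with no entry change and an untouched modification date points to a read rather than a write, which procmon can confirm.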

Chetan Savade:

Hi,

Thank you for posting in Symantec community.

I would be glad to answer your query.

Question: is the hosts file SONAR is referring to the one in C:\Windows\System32\drivers\etc?

--> Yes, that's the correct location.

Or is there any other hosts file location?

--> No, there is not any other hosts file location.

Check this article: Creating an DNS or Host File Change Exception in Symantec Endpoint Protection Manager 12.1 RU1 MP1 and above.

http://www.symantec.com/docs/TECH194108

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Rinoa21:

Hi Brian,

SONAR will create a risk log only if the application made changes to the hosts/DNS file, right? But if it only opens/reads it, will it still create a log?

.Brian:

It should only happen if a "change" of some sort is detected.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Rinoa21:

dllhost.exe is related to the hosts file, correct?

(screenshot attached: svchost.jpg)

.Brian:

svchost.exe is. Check here:

http://www.symantec.com/docs/TECH164391

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Rinoa21:

If svchost.exe is changing my hosts file, then why is my hosts file's modified date still 2009 and never changed?

(screenshot attached: hostfile2.jpg)

Rinoa21:

I excluded svchost.exe for the nth time using DNS and host file change exceptions, but it's still the same. I still receive notifications.