
svchost.exe blocked by SEP

Created: 20 Mar 2012 | 7 comments

Hello,

I have been having issue with svchost.exe being blocked by SEP.  Every few minutes, I get a notification saying 'Traffic has been blocked from this application: svchost.exe'.  I ran a full scan with both SEP and Malwarebytes, and they both came back clean.  I ran Norton Power Eraser and it also came up clean.  I tried disabling IPv6 on my network adapter, but I'm still getting notifications, although they are less frequent.  I'm running Windows 7 64-bit.  Is it possible I have picked up a virus that is avoiding detection, or is there just a setting I need to change?


P_K_:

The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services allows for better control and easier debugging.

http://support.microsoft.com/kb/314056

Through the solitary file svchost.exe, the DLLs efficiently contain and dispense Win32 services as well as neatly facilitate the execution of svchost.exe’s own operations. Acting as a host, the file svchost.exe creates multiple instances of itself. The multiple executions of the file svchost.exe contribute to the stability and security of the operating system by reducing the possibility of a crashing process that causes a domino effect on its neighbor processes, thereby creating a system-wide crash in the machine.

If you do Tasklist /SVC on the command prompt, it would show all the services that run under it.

This will also show the PID of each svchost.

Then what you need to do is get the PID from the alert and see which service is doing so.

Once you get the service, find the service name and the path.

Create a new svchost for that service and see.

For example, say the workstation service is the one that is causing the issue.

The steps that we need to separate the workstation service from the Svchost.exe are as follows:

 1. Take a backup of the registry
 2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\
 3. Modify the value for ImagePath from %SystemRoot%\system32\svchost.exe -k netsvcs to %SystemRoot%\system32\svchost1.exe -k netsvcs
 4. Go to C:\Windows\system32\, copy svchost.exe, paste it and rename it to svchost1.exe.
 5. Restart the workstation
 

MCT MCSE-2012 Symantec Technical Specialist (SCTS)
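For the PID-to-service step described above, here is an added PowerShell example (not from this thread and not a Symantec tool) that takes the svchost.exe PID from the alert, lists the services that instance hosts along with their ImagePath and ServiceDll, and checks that the host binary is the System32 svchost.exe with a valid signature. The script name and the -ProcessId parameter are assumptions.

```powershell
# Added example: triage a svchost.exe PID reported by the SEP alert.
# Usage (assumed script name):  .\Get-SvchostServices.ps1 -ProcessId 1234
param(
    [Parameter(Mandatory = $true)]
    [int]$ProcessId
)

$proc = Get-Process -Id $ProcessId -ErrorAction Stop
Write-Host "Process $($proc.Id): $($proc.ProcessName) ($($proc.Path))"

# A genuine svchost.exe is loaded from %SystemRoot%\System32; any other path is suspect.
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
if ($proc.Path -and ($proc.Path -ine $expected)) {
    Write-Warning "Host binary is not the System32 svchost.exe: $($proc.Path)"
}

# Verify the Authenticode signature of the executable backing the process
# (Path can be empty for protected processes, so guard against that).
if ($proc.Path) {
    $sig = Get-AuthenticodeSignature -FilePath $proc.Path
    Write-Host "Signature: $($sig.Status) - $($sig.SignerCertificate.Subject)"
}

# Services sharing this svchost instance: the same grouping 'tasklist /svc' shows,
# plus the ImagePath and the DLL each service actually loads into the host.
Get-CimInstance Win32_Service -Filter "ProcessId = $ProcessId" |
    ForEach-Object {
        $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
        $dll = (Get-ItemProperty -Path $params -Name ServiceDll `
                    -ErrorAction SilentlyContinue).ServiceDll
        [pscustomobject]@{
            Service     = $_.Name
            DisplayName = $_.DisplayName
            State       = $_.State
            ImagePath   = $_.PathName
            ServiceDll  = $dll
        }
    } | Format-Table -AutoSize
```

If the alert only reports the port or remote address rather than a PID, pair this with `netstat -ano` to recover the owning PID first.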

sommerjj:

I'm looking through my Network logs and I can't find a PID anywhere in the log.

P_K_:

Let me see if there is any other way of doing this.

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

sommerjj:

Out of curiosity, where would I find the PID?  I want to make sure I'm not overlooking anything.

sommerjj:

I think I may have found the cause.  Whenever I power on LogMeIn Hamachi, the notifications increase a lot.   

cus000:

sommerjj,

1) you can use Process Explorer... this gonna be manual way.. search by process name or PID

- you may try this command

c:\dir /a:h /s /d >>check.txt

go through the check.txt file for suspicious file

2) try SEP support tool, check the files rating... recommended way by Support

cus000:

Eh forgot to mention, that is IPS log...

check the traffic source, it might not come from your PC... but from remote PC haha!!