
SVCHOST.EXE & Windows 7 - Clashing With Network Threat Protection (SEP 11 MR5)

Created: 29 Sep 2009 • Updated: 15 Sep 2010 | 10 comments

Hey, I'm using Windows 7 and periodically SEP notifies me with its little bubble window saying SVCHOST.EXE is a network threat and its traffic will be blocked... Is this necessary? Is anyone else getting these types of notifications? Is this normal?


snekul:

SVCHOST.EXE is a generic host process name for services that run from dynamic-link libraries. So some DLL is doing something that SEP doesn't like. Check the Services control panel to see if there's anything fishy in there. You could also have a misconfiguration causing necessary stuff to be blocked, or it could be unnecessary stuff, or it could be malicious. You'll have to post more details for us to be sure.

Try running "tasklist /SVC" to get a list of what's going on.

Eric C. Lukens IT Security Policy and Risk Assessment Analyst University of Northern Iowa

DieselOne2NV:

No infection here... I right-clicked on the file and apparently it checked out okay... the file size is correct according to other websites and it still has its authenticity.

DieselOne2NV:

Hmm.. not sure what I could tell ya, it's a clean install, take a look..

C:\Users\Jeremy Michaels>tasklist /svc

Image Name                     PID Services
========================= ======== ===========================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       280 N/A
csrss.exe                      384 N/A
csrss.exe                      456 N/A
wininit.exe                    464 N/A
services.exe                   532 N/A
winlogon.exe                   540 N/A
lsass.exe                      568 SamSs
lsm.exe                        580 N/A
svchost.exe                    688 DcomLaunch, PlugPlay, Power
svchost.exe                    764 RpcEptMapper, RpcSs
atiesrxx.exe                   872 AMD External Events Utility
svchost.exe                    904 Audiosrv, Dhcp, eventlog,
                                   HomeGroupProvider, lmhosts, wscsvc
svchost.exe                    936 AudioEndpointBuilder, CscService, hidserv,
                                   Netman, PcaSvc, SysMain, TrkWks, UxSms,
                                   wudfsvc
svchost.exe                    968 AeLookupSvc, Appinfo, Browser, gpsvc,
                                   IKEEXT, iphlpsvc, LanmanServer, MMCSS,
                                   ProfSvc, Schedule, SENS, ShellHWDetection,
                                   Themes, Winmgmt, wuauserv
audiodg.exe                   1056 N/A
svchost.exe                   1132 EventSystem, fdPHost, netprofm, nsi,
                                   WdiServiceHost
Smc.exe                       1244 SmcService
atieclxx.exe                  1348 N/A
svchost.exe                   1420 CryptSvc, Dnscache, LanmanWorkstation,
                                   NlaSvc
ccSvcHst.exe                  1492 ccEvtMgr, ccSetMgr
spoolsv.exe                   1692 Spooler
svchost.exe                   1724 BFE, DPS, MpsSvc
mainserv.exe                  1904 APC UPS Service
AppleMobileDeviceService.     1956 Apple Mobile Device
mDNSResponder.exe             2020 Bonjour Service
Rtvscan.exe                    644 Symantec AntiVirus
svchost.exe                   2332 PolicyAgent
SearchIndexer.exe             3048 WSearch
taskhost.exe                  3372 N/A
dwm.exe                       3444 N/A
explorer.exe                  3528 N/A
SmcGui.exe                    3604 N/A
ipoint.exe                    3676 N/A
itype.exe                     3684 N/A
MOM.exe                       3712 N/A
dpupdchk.exe                  3760 N/A
ccApp.exe                     3776 N/A
CCC.exe                       3948 N/A
iTunesHelper.exe              4076 N/A
msnmsgr.exe                   4084 N/A
sidebar.exe                   2716 N/A
apcsystray.exe                2112 N/A
iPodService.exe               2828 iPod Service
svchost.exe                   2992 FDResPub, SSDPSRV
wmpnetwk.exe                  1104 WMPNetworkSvc
wlcomm.exe                     288 N/A
FlashUtil10c.exe              5016 N/A
iexplore.exe                  6000 N/A
iexplore.exe                  5368 N/A
iexplore.exe                  5424 N/A
WmiPrvSE.exe                  5556 N/A
cmd.exe                       4760 N/A
conhost.exe                   2404 N/A
tasklist.exe                  4296 N/A

C:\Users\Jeremy Michaels>

Does this help?

snekul:

Are you using (or did you set up) a Windows 7 HomeGroup? I could see that being the traffic that's blocked. You'll probably have to look at SEP's logs to see if you can figure out which PID it is, to help you narrow it down.

Eric C. Lukens IT Security Policy and Risk Assessment Analyst University of Northern Iowa

DieselOne2NV:

It keeps telling me that I have a HomeGroup on one of my PCs in my home, but SEP keeps blocking HomeGroup. I don't know why.. or how to allow it? What ports does HomeGroup use? --Windows 7, bah! You're too new for me.

Mark_:

Looks like the alerts are from SEP's NTP. Do you know the source IP address? It might be another computer on your network that is infected.

snekul:

I could see HomeGroup traffic being blocked by SEP, as most corporate customers are not going to be using it. I'm fairly sure it goes over the standard Windows RPC and SMB ports, but is probably in a format that SEP blocks by default. It also might be trying to use IPv6, which is also blocked by default. If I run across more details, I'll post them.

Eric C. Lukens IT Security Policy and Risk Assessment Analyst University of Northern Iowa

snekul:

Found this on a Microsoft forum:

"According to the HomeGroup troubleshooter, most firewalls block the use of Windows 7 HomeGroup; the only exception is what the troubleshooter calls "Windows certified firewalls". I cannot find any information on how to determine whether any given security software is one of these Windows certified firewalls or not and do not know where to begin, so I thought about OneCare; after all, it is built by Microsoft, so one would assume that OneCare would work well with HomeGroup and be one of these certified firewalls."

social.microsoft.com/Forums/en-US/onecarefirewall/thread/fc28f2ca-59d1-46d1-851a-03367656cd71

Eric C. Lukens IT Security Policy and Risk Assessment Analyst University of Northern Iowa

rungchi:

Hi all,
I think I have the same problem. My SEP keeps telling me that svchost.exe has been blocked.
So I checked the PID in SEP. It seems to be a Windows 7 HomeGroup issue, as IPv6 [type=0x86DD] has been blocked.
The MAC source is 00-25-D3-F0-AF-33
The MAC destination is 33-33-00-00-00-0C
Can you please let me know how to solve this problem? What should I do now?
Thank you very much for your help!!
RC

Ps. I attach the tasklist as below:

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\RC>tasklist/svc

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       328 N/A
csrss.exe                      408 N/A
csrss.exe                      464 N/A
wininit.exe                    472 N/A
services.exe                   524 N/A
winlogon.exe                   548 N/A
lsass.exe                      560 KeyIso, SamSs
lsm.exe                        568 N/A
svchost.exe                    692 DcomLaunch, PlugPlay, Power
svchost.exe                    768 RpcEptMapper, RpcSs
svchost.exe                    880 AudioSrv, Dhcp, eventlog,
                                   HomeGroupProvider, lmhosts, wscsvc
svchost.exe                    916 AudioEndpointBuilder, Netman, PcaSvc,
                                   SysMain, TrkWks, UxSms, WdiSystemHost,
                                   Wlansvc, wudfsvc
svchost.exe                    956 AeLookupSvc, Appinfo, BITS, Browser,
                                   EapHost, gpsvc, IKEEXT, iphlpsvc,
                                   LanmanServer, MMCSS, ProfSvc, Schedule,
                                   SENS, ShellHWDetection, Themes, Winmgmt,
                                   wuauserv
svchost.exe                    412 EventSystem, fdPHost, netprofm, nsi,
                                   WdiServiceHost
Smc.exe                        784 SmcService
svchost.exe                   1128 CryptSvc, Dnscache, LanmanWorkstation,
                                   NlaSvc
ccSvcHst.exe                  1228 ccEvtMgr, ccSetMgr
FBAgent.exe                   1300 AFBAgent
AsLdrSrv.exe                  1420 ASLDRService
GFNEXSrv.exe                  1448 ATKGFNEXSrv
spoolsv.exe                   1516 Spooler
svchost.exe                   1548 BFE, DPS, MpsSvc
dsNcService.exe               1764 dsNcService
mdm.exe                       1840 MDM
SeaPort.exe                   1920 SeaPort
SfCtlCom.exe                  2000 SfCtlCom
Rtvscan.exe                   1956 Symantec AntiVirus
WLIDSVC.EXE                   1076 wlidsvc
WLIDSVCM.EXE                  2056 N/A
SearchIndexer.exe             2240 WSearch
svchost.exe                   2504 PolicyAgent
TmProxy.exe                   2644 TmProxy
TMBMSRV.exe                   2944 TMBMServer
svchost.exe                   3628 FDResPub, SSDPSRV, upnphost
wmpnetwk.exe                  3660 WMPNetworkSvc
WmiPrvSE.exe                  3824 N/A
taskhost.exe                  3404 N/A
taskeng.exe                   1256 N/A
ALU.exe                       3120 N/A
sensorsrv.exe                 3944 N/A
ControlDeckStartUp.exe         152 N/A
BatteryLife.exe               3964 N/A
ASPG.exe                      3296 N/A
ACMON.exe                     3412 N/A
wcourier.exe                  2236 N/A
ACEngSvr.exe                  3160 N/A
HControl.exe                  1068 N/A
Atouch64.exe                  4024 N/A
igfxsrvc.exe                  1900 N/A
ATKOSD.exe                    3972 N/A
KBFiltr.exe                    704 N/A
WDC.exe                       3840 N/A
dwm.exe                        764 N/A
explorer.exe                  3352 N/A
SmcGui.exe                    2252 N/A
ProtectionUtilSurrogate.e      352 N/A
UfSeAgnt.exe                  2512 N/A
igfxpers.exe                  1980 N/A
igfxtray.exe                  2008 N/A
hkcmd.exe                     3540 N/A
GUCI_AVS.exe                  4044 N/A
ETDCtrl.exe                   2404 N/A
AmIcoSinglun64.exe            3216 N/A
msnmsgr.exe                   2616 N/A
audiodg.exe                    468 N/A
VDeck.exe                     3924 N/A
HControlUser.exe              4104 N/A
RoxioBurnLauncher.exe         4112 N/A
ccApp.exe                     4120 N/A
ATKOSD2.exe                   4144 N/A
DMedia.exe                    4164 N/A
Roxio Burn.exe                4832 N/A
svchost.exe                   4932 p2pimsvc, p2psvc, PNRPsvc
PresentationFontCache.exe     4800 FontCache3.0.0.0
dllhost.exe                   5168 N/A
ADSMSrv.exe                   5180 ADSMService
ADSMTray.exe                  5344 N/A
AsScrPro.exe                  5360 N/A
POWERPNT.EXE                  5688 N/A
splwow64.exe                  5748 N/A
OfficeLiveSignIn.exe          5800 N/A
iexplore.exe                  5380 N/A
iexplore.exe                  5424 N/A
wltuser.exe                   3816 N/A
svchost.exe                   5284 SDRSVC
FlashUtil10e.exe              4760 N/A
iexplore.exe                  6132 N/A
SymCorpUI.exe                 2100 N/A
iexplore.exe                  4464 N/A
iexplore.exe                  2024 N/A
wltuser.exe                   4092 N/A
cmd.exe                       4032 N/A
conhost.exe                   3144 N/A
tasklist.exe                  1584 N/A
WmiPrvSE.exe                   716 N/A
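The two diagnostic steps the thread walks through (snekul's "run tasklist /SVC" to see which services a given svchost.exe hosts, and rungchi's SEP log entry giving EtherType 0x86DD and destination MAC 33-33-00-00-00-0C) can be tied together programmatically. The following is an added example written for this page, not code from the thread or from Symantec. It parses a constructed `tasklist /svc` excerpt (modelled on the listings above, not a real capture), decodes the Ethernet metadata SEP reported (a 33-33-xx-xx-xx-xx MAC is the RFC 2464 mapping of an IPv6 multicast group; 33-33-00-00-00-0C is ff02::c, the SSDP / WS-Discovery group), and then lists which svchost PIDs host the services that commonly send to that group. The service-to-traffic mapping (`GROUP_TO_SERVICES`) is the editor's general knowledge and an assumption, not something the thread states.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt modelled on the tasklist /svc listings in the thread (not a real capture).
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    880 AudioSrv, Dhcp, eventlog,
                                   HomeGroupProvider, lmhosts, wscsvc
svchost.exe                   1548 BFE, DPS, MpsSvc
Smc.exe                        784 SmcService
svchost.exe                   3628 FDResPub, SSDPSRV, upnphost
svchost.exe                   4932 p2pimsvc, p2psvc, PNRPsvc
"""

# image name (may contain spaces), PID, then the comma-separated service column
ROW_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def _split_services(field: str) -> List[str]:
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist_svc(text: str) -> Dict[int, Tuple[str, List[str]]]:
    """Parse `tasklist /svc` output into {pid: (image name, [service names])}.

    tasklist wraps long service lists onto indented continuation lines, so a
    line that starts with whitespace extends the previous process entry.
    """
    rows: Dict[int, Tuple[str, List[str]]] = {}
    last_pid: Optional[int] = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue  # blank line, column header or separator row
        if line[0].isspace():
            if last_pid is None:
                raise ValueError("continuation line before any process row")
            rows[last_pid][1].extend(_split_services(line))
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable tasklist row: {line!r}")
        last_pid = int(m.group("pid"))
        svc_field = m.group("services").strip()
        services = [] if svc_field == "N/A" else _split_services(svc_field)
        rows[last_pid] = (m.group("image"), services)
    return rows


ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

# Well-known link-local IPv6 multicast groups keyed by the low 32 bits of the
# address, which is all that survives the 33-33-xx-xx-xx-xx MAC mapping (RFC 2464).
KNOWN_GROUPS = {
    0x00000001: ("ff02::1", "all nodes"),
    0x00000002: ("ff02::2", "all routers"),
    0x0000000C: ("ff02::c", "SSDP / WS-Discovery"),
    0x00000016: ("ff02::16", "MLDv2 listener reports"),
    0x000000FB: ("ff02::fb", "mDNS"),
    0x00010003: ("ff02::1:3", "LLMNR"),
}

# Windows services that commonly originate traffic to each group.
# Editor's assumption from general knowledge; the thread does not state this mapping.
GROUP_TO_SERVICES = {
    0x0000000C: {"ssdpsrv", "upnphost", "fdrespub", "fdphost"},
    0x00010003: {"dnscache"},
}


def describe_frame(ethertype: int, dst_mac: str) -> dict:
    """Decode the EtherType and destination MAC that a firewall log reports for a blocked frame."""
    octets = [int(o, 16) for o in re.split(r"[-:]", dst_mac.strip())]
    if len(octets) != 6:
        raise ValueError("MAC address must have six octets")
    info = {
        "ethertype": ETHERTYPES.get(ethertype, f"unknown (0x{ethertype:04X})"),
        "multicast": bool(octets[0] & 1),  # I/G bit of the first octet
        "group": None, "purpose": None, "group_key": None,
    }
    if ethertype == 0x86DD and octets[:2] == [0x33, 0x33]:
        key = int.from_bytes(bytes(octets[2:]), "big")
        group, purpose = KNOWN_GROUPS.get(key, (f"ff0?::... (low 32 bits 0x{key:08x}; scope not recoverable from MAC)", "unknown"))
        info.update(group_key=key, group=group, purpose=purpose)
    return info


def candidate_hosts(rows: Dict[int, Tuple[str, List[str]]], group_key: Optional[int]) -> List[int]:
    """PIDs whose hosted services commonly emit traffic to the given multicast group."""
    wanted = GROUP_TO_SERVICES.get(group_key, set()) if group_key is not None else set()
    return sorted(pid for pid, (_, svcs) in rows.items() if wanted & {s.lower() for s in svcs})


if __name__ == "__main__":
    rows = parse_tasklist_svc(SAMPLE_TASKLIST)
    frame = describe_frame(0x86DD, "33-33-00-00-00-0C")  # values from rungchi's SEP log entry
    print(frame)
    for pid in candidate_hosts(rows, frame["group_key"]):
        print(pid, rows[pid])
```

On a live machine the listing would come from `subprocess.run(["tasklist", "/svc"], capture_output=True, text=True).stdout` instead of the constructed string; the point of separating the parser from the decoder is that the PID SEP names in its log can be looked up directly against the hosted-service list rather than by eye.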