
Symantec Endpoint Protection 12.1RU2, scans and finds threat in svchost.exe

Created: 04 Jan 2013 • Updated: 04 Jan 2013 | 2 comments
This issue has been solved. See solution.

We are having problems with some of our computers and I am trying to track down the exact cause. In doing so I ran across some things in the event logs of several computers that should not be there. We are running SEP server and clients 12.1.2, Server 2008 R2 and Windows 7 Enterprise 64-bit clients.
Ever since we upgraded to this version, one by one people have complained that Outlook keeps locking up on them, and other strange things have happened, like the machines will not get past the log-off screen when they shut down. One computer will not show the Username and Password fields for about 10-20 minutes after CTRL-ALT-DEL. PS: We also deployed SEE Device Control and Removable Storage at the same time.

1st, I found this: "Security Risk Found! Hosts File Change in File: c:\windows\system32\svchost.exe by: SONAR scan. Action: Leave Alone succeeded. Action Description: The file was left unchanged." (application logs)
This is showing up on a lot of machines, so I don't think it is a virus.

2nd, I found this (could be another application other than SEP): "The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {69B37063-2BB6-43B5-A109-60E69A77840F} and APPID {CD11FAB6-1C0E-45E1-BA31-5C6008EF2607} to the user domain/username SID (S-1-5-21-790525478-920026266-842925246-8650) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool."
I am not sure where this APPID is.  I went through all of them and could not find the one with this APPID or CLSID.  
Any info will be greatly appreciated. 
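The following is an added example, not part of the original post or of Symantec's documentation. It covers the two things the poster is trying to check: which application owns the CLSID/APPID quoted in the DCOM event (Component Services only shows AppIDs that carry a friendly name, so an APPID that is missing from its list can usually still be found under HKEY_CLASSES_ROOT\AppID and HKEY_CLASSES_ROOT\CLSID), and what the hosts file on the box actually contains after SONAR reports a "Hosts File Change". It assumes an elevated PowerShell prompt on the affected Windows 7 / Server 2008 R2 machine, that the DCOM events come from the `Microsoft-Windows-DistributedCOM` provider in the System log, and the default hosts file path; the function names are the example's own.

```powershell
# Added example: resolve a DCOM CLSID/APPID pair and list live hosts file entries.
# Assumes an elevated prompt; registry paths are the standard COM locations.

function Resolve-ComId {
    param(
        [Parameter(Mandatory = $true)][string]$Clsid,
        [Parameter(Mandatory = $true)][string]$AppId
    )
    # Look the GUIDs up directly in the registry rather than in the Component
    # Services MMC, which hides AppIDs that have no friendly name.
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $appIdKey = "Registry::HKEY_CLASSES_ROOT\AppID\$AppId"

    $result = [ordered]@{
        CLSID               = $Clsid
        ClsidName           = $null
        ClsidServer         = $null
        AppID               = $AppId
        AppIdName           = $null
        LocalService        = $null
        RunAs               = $null
        HasLaunchPermission = $false
    }

    if (Test-Path $clsidKey) {
        $result.ClsidName = (Get-ItemProperty -Path $clsidKey).'(default)'
        # The server binary lives under LocalServer32 (out-of-proc) or InprocServer32 (DLL).
        foreach ($sub in 'LocalServer32', 'InprocServer32') {
            if (Test-Path "$clsidKey\$sub") {
                $result.ClsidServer = (Get-ItemProperty -Path "$clsidKey\$sub").'(default)'
                break
            }
        }
    }
    if (Test-Path $appIdKey) {
        $app = Get-ItemProperty -Path $appIdKey
        $result.AppIdName    = $app.'(default)'
        $result.LocalService = $app.LocalService   # set when the server is a Windows service
        $result.RunAs        = $app.RunAs
        # A per-AppID LaunchPermission ACL is what the event calls
        # "application-specific permission settings"; if it is absent the
        # machine-wide DCOM default applies instead.
        $result.HasLaunchPermission = ($null -ne $app.LaunchPermission)
    }
    [pscustomobject]$result
}

function Get-DcomActivationEvents {
    param([int]$MaxEvents = 50)
    # Pull the CLSID, APPID, account and SID out of the event message body.
    # Provider name is assumed; the Event Viewer source is shown as DistributedCOM.
    $pattern = 'CLSID\s*(\{[0-9A-F-]+\})\s*and APPID\s*(\{[0-9A-F-]+\})\s*to the user (\S+) SID \((S-1-[0-9-]+)\)'
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM' } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match $pattern) {
                # Translate the SID so the entry can be matched to a real account.
                $account = try {
                    (New-Object System.Security.Principal.SecurityIdentifier($Matches[4])).Translate([System.Security.Principal.NTAccount]).Value
                } catch { $Matches[3] }
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    CLSID   = $Matches[1]
                    APPID   = $Matches[2]
                    Account = $account
                    SID     = $Matches[4]
                }
            }
        }
}

function Get-HostsEntries {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    # Return every active (non-comment, non-blank) mapping so a SONAR
    # "Hosts File Change" alert can be compared with what the file now resolves.
    Get-Content -Path $Path | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()
        if ($line) {
            $parts = $line -split '\s+'
            [pscustomobject]@{ Address = $parts[0]; Names = ($parts[1..($parts.Count - 1)] -join ' ') }
        }
    }
}

# Usage with the GUIDs quoted in the post:
Resolve-ComId -Clsid '{69B37063-2BB6-43B5-A109-60E69A77840F}' `
              -AppId '{CD11FAB6-1C0E-45E1-BA31-5C6008EF2607}' | Format-List
Get-DcomActivationEvents | Format-Table -AutoSize
Get-HostsEntries | Format-Table -AutoSize
```

If `Resolve-ComId` returns an empty `AppIdName` but a populated `LocalService` or `ClsidServer`, the owning binary is identified even though Component Services shows nothing; a hosts file that lists only the loopback entries (or nothing active at all) is the expected state when the SONAR alert is a false positive on svchost.exe rather than a real modification.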

2 Comments

Mithun Sanghavi

Hello,

In reference to Case 1, check these Articles:

Error: "Security Risk Found! Hosts File Change in File: c:\windows\system32\svchost.exe by: SONAR scan"

http://www.symantec.com/docs/TECH164391

Symantec Endpoint Protection 12.1: Blocked System Change Events produce unexpected messages

http://www.symantec.com/docs/TECH161646

Creating a DNS or Host File Change Exception in Symantec Endpoint Protection Manager 12.1 RU1 MP1 and above.

https://www-secure.symantec.com/connect/articles/creating-dns-or-host-file-change-exception-symantec-endpoint-protection-manager-121-ru1-mp1

In reference to Case 2, I am not sure if that is related to the SEP issue.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SOLUTION
David.H

Thanks for the info. After reading through this I found where the file was already added to the exceptions list as log only, but I don't remember ever seeing that when the 11.x clients were installed. I just left it alone for now and set it to log only.

As far as the second error that I saw, it has nothing to do with the new clients. I went back a little further in the event logs to sometime last summer and I saw the same error, so that is something different altogether.

Thanks for the input.