
Symantec Endpoint Protection 12.1RU2, scans and finds threat in svchost.exe

Created: 04 Jan 2013 • Updated: 04 Jan 2013 | 2 comments
This issue has been solved. See solution.

We are having problems with some of our computers and I am trying to track down the exact cause. In doing so I ran across some things in the event logs of several computers that should not be there. We are running SEP server and clients 12.1.2, Server 2008 R2 and Windows 7 Enterprise 64-bit clients.
Ever since we upgraded to this version, one by one people have complained that Outlook keeps locking up on them, and other strange things have happened, like the machines will not get past the log off screen when they shut down. One computer will not show the Username and password fields for about 10-20 minutes after CTRL-ALT-DEL. PS: We also deployed SEE Device Control and Removable Storage at the same time.

1st, I found this: Security Risk Found! Hosts File Change in File: c:\windows\system32\svchost.exe by: SONAR scan. Action: Leave Alone succeeded. Action Description: The file was left unchanged. (application logs)
This is showing up on a lot of machines so I don't think it is a virus. 

2nd, I found this (could be another application other than SEP): The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID

 and APPID 
 to the user domain/username SID (S-1-5-21-790525478-920026266-842925246-8650) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
I am not sure where this APPID is. I went through all of them and could not find the one with this APPID or CLSID.
Any info will be greatly appreciated. 
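Since the DCOM message above names a CLSID and APPID that could not be located in Component Services, here is an added PowerShell helper (not from this thread, nor Symantec's or Microsoft's code) that resolves such a pair to the registry entries Component Services displays and translates the SID to an account name. The GUIDs and SID are not reproduced on this page, so the script takes them as parameters; the registry paths and the '(default)' value names are those Windows uses for COM class and AppID registration.

```powershell
# Added example: map a CLSID/APPID/SID triple from a DCOM "Local Activation"
# event to the names an administrator would look for in Component Services.
# GUIDs and SID are placeholders to be pasted in from the event text.
param(
    [Parameter(Mandatory)][string]$Clsid,  # e.g. '{GUID-FROM-EVENT}'
    [Parameter(Mandatory)][string]$AppId,  # e.g. '{GUID-FROM-EVENT}'
    [Parameter(Mandatory)][string]$Sid     # e.g. 'S-1-5-21-...'
)

function Get-DcomRegistration {
    param([string]$Clsid, [string]$AppId)
    $result = [ordered]@{ Clsid = $Clsid; AppId = $AppId }

    # The class key's default value is its friendly name. A 32-bit server on a
    # 64-bit OS registers under WOW6432Node, so check both views.
    foreach ($base in 'HKLM:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\Classes\WOW6432Node') {
        $clsKey = Join-Path $base "CLSID\$Clsid"
        if (Test-Path $clsKey) {
            $result.ClassName = (Get-ItemProperty $clsKey).'(default)'
            $result.ClassView = $base
            break
        }
    }

    # The AppID key carries the DCOM launch/access ACLs and the identity the
    # server runs as; its default value is the name shown in Component Services.
    $appKey = "HKLM:\SOFTWARE\Classes\AppID\$AppId"
    if (Test-Path $appKey) {
        $app = Get-ItemProperty $appKey
        $result.AppName      = $app.'(default)'
        $result.LocalService = $app.LocalService   # set when hosted by a service
        $result.RunAs        = $app.RunAs          # e.g. 'Interactive User'
        $result.HasLaunchAcl = $null -ne $app.LaunchPermission
    }
    [pscustomobject]$result
}

function Resolve-AccountFromSid {
    param([string]$Sid)
    $id = New-Object System.Security.Principal.SecurityIdentifier $Sid
    # Translate fails for SIDs from an unreachable/unknown domain; return the SID then.
    try { $id.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid }
}

Get-DcomRegistration -Clsid $Clsid -AppId $AppId | Format-List
"Requesting account: " + (Resolve-AccountFromSid -Sid $Sid)
```

If neither key exists in either view, the COM server is not registered on that machine, which is why it does not appear in the Component Services DCOM Config list.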


Mithun Sanghavi


In reference to Case 1, check these articles:

Error: "Security Risk Found! Hosts File Change in File: c:\windows\system32\svchost.exe by: SONAR scan"

Symantec Endpoint Protection 12.1: Blocked System Change Events produce unexpected messages

Creating an DNS or Host File Change Exception in Symantec Endpoint Protection Manager 12.1 RU1 MP1 and above.

In reference to Case 2, I am not sure if that is related to the SEP issue.

Hope that helps!!

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

David.H

Thanks for the info. After reading through this I found where the file was already added to the exceptions list as log only, but I don't remember ever seeing that when the 11.x clients were installed. I just left it alone for now and set to log only.

As far as the second error that I saw, it has nothing to do with the new clients. I went back a little further in the event logs to sometime last summer and I saw the same error, so that is something different altogether.

Thanks for the input.