Endpoint Protection


SVCHOST.EXE & Windows 7 - Clashing With Network Threat Protection (SEP 11 MR5)

  • 1.  SVCHOST.EXE & Windows 7 - Clashing With Network Threat Protection (SEP 11 MR5)

    Posted Sep 29, 2009 10:13 PM
    Hey, I'm using Windows 7 and periodically SEP notifies me with its little bubble window saying SVCHOST.EXE is a network threat and its traffic will be blocked... Is this necessary? Is anyone else getting these types of notifications? Is this normal?


  • 2.  RE: SVCHOST.EXE & Windows 7 - Clashing With Network Threat Protection (SEP 11 MR5)

    Posted Sep 29, 2009 10:22 PM
    Your svchost.exe may be infected, so try scanning in safe mode and check.


  • 3.  RE: SVCHOST.EXE & Windows 7 - Clashing With Network Threat Protection (SEP 11 MR5)

    Posted Sep 29, 2009 10:52 PM
    No infection here... I right-clicked on the file and apparently it checked out okay... The file size is correct according to other websites and it still has its authenticity.


  • 4.  RE: SVCHOST.EXE & Windows 7 - Clashing With Network Threat Protection (SEP 11 MR5)

    Posted Sep 29, 2009 10:58 PM

    Hmm... not sure what I could tell ya, it's a clean install, take a look...

    C:\Users\Jeremy Michaels>tasklist /svc

    Image Name                     PID Services
    ========================= ======== ===========================================
    System Idle Process              0 N/A
    System                           4 N/A
    smss.exe                       280 N/A
    csrss.exe                      384 N/A
    csrss.exe                      456 N/A
    wininit.exe                    464 N/A
    services.exe                   532 N/A
    winlogon.exe                   540 N/A
    lsass.exe                      568 SamSs
    lsm.exe                        580 N/A
    svchost.exe                    688 DcomLaunch, PlugPlay, Power
    svchost.exe                    764 RpcEptMapper, RpcSs
    atiesrxx.exe                   872 AMD External Events Utility
    svchost.exe                    904 Audiosrv, Dhcp, eventlog,
                                       HomeGroupProvider, lmhosts, wscsvc
    svchost.exe                    936 AudioEndpointBuilder, CscService, hidserv,
                                       Netman, PcaSvc, SysMain, TrkWks, UxSms,
                                       wudfsvc
    svchost.exe                    968 AeLookupSvc, Appinfo, Browser, gpsvc,
                                       IKEEXT, iphlpsvc, LanmanServer, MMCSS,
                                       ProfSvc, Schedule, SENS, ShellHWDetection,
                                       Themes, Winmgmt, wuauserv
    audiodg.exe                   1056 N/A
    svchost.exe                   1132 EventSystem, fdPHost, netprofm, nsi,
                                       WdiServiceHost
    Smc.exe                       1244 SmcService
    atieclxx.exe                  1348 N/A
    svchost.exe                   1420 CryptSvc, Dnscache, LanmanWorkstation,
                                       NlaSvc
    ccSvcHst.exe                  1492 ccEvtMgr, ccSetMgr
    spoolsv.exe                   1692 Spooler
    svchost.exe                   1724 BFE, DPS, MpsSvc
    mainserv.exe                  1904 APC UPS Service
    AppleMobileDeviceService.     1956 Apple Mobile Device
    mDNSResponder.exe             2020 Bonjour Service
    Rtvscan.exe                    644 Symantec AntiVirus
    svchost.exe                   2332 PolicyAgent
    SearchIndexer.exe             3048 WSearch
    taskhost.exe                  3372 N/A
    dwm.exe                       3444 N/A
    explorer.exe                  3528 N/A
    SmcGui.exe                    3604 N/A
    ipoint.exe                    3676 N/A
    itype.exe                     3684 N/A
    MOM.exe                       3712 N/A
    dpupdchk.exe                  3760 N/A
    ccApp.exe                     3776 N/A
    CCC.exe                       3948 N/A
    iTunesHelper.exe              4076 N/A
    msnmsgr.exe                   4084 N/A
    sidebar.exe                   2716 N/A
    apcsystray.exe                2112 N/A
    iPodService.exe               2828 iPod Service
    svchost.exe                   2992 FDResPub, SSDPSRV
    wmpnetwk.exe                  1104 WMPNetworkSvc
    wlcomm.exe                     288 N/A
    FlashUtil10c.exe              5016 N/A
    iexplore.exe                  6000 N/A
    iexplore.exe                  5368 N/A
    iexplore.exe                  5424 N/A
    WmiPrvSE.exe                  5556 N/A
    cmd.exe                       4760 N/A
    conhost.exe                   2404 N/A
    tasklist.exe                  4296 N/A

    C:\Users\Jeremy Michaels>


    Does this help?



  • 5.  RE: SVCHOST.EXE & Windows 7 - Clashing With Network Threat Protection (SEP 11 MR5)

    Posted Sep 29, 2009 11:02 PM
    SVCHOST.EXE is a generic host process name for services that run from dynamic-link libraries. So some DLL is doing something that SEP doesn't like. Check the services control panel to see if there's anything fishy in there. You could also have a misconfiguration causing necessary stuff to be blocked, or it could be unnecessary stuff, or it could be malicious. You'll have to post more details for us to be sure.

    Try to run "tasklist /SVC" to get a list of what's going on.



  • 6.  RE: SVCHOST.EXE & Windows 7 - Clashing With Network Threat Protection (SEP 11 MR5)

    Posted Sep 29, 2009 11:10 PM
    Are you using (or did you setup) a Windows 7 homegroup?  I could see that being the traffic that's blocked.  You'll probably have to look at SEP's logs to see if you can figure out which PID it is to help you narrow it down.
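
Added example (editor's code, not part of any post in this thread and not Symantec's): resolving a PID read from the SEP log to the services hosted in that svchost.exe by parsing `tasklist /svc` output, including its wrapped service lines. The sample input is an excerpt of the output posted in this thread; the function names are hypothetical.

```python
import re

# Constructed sample: excerpt of the `tasklist /svc` output posted in this thread.
SAMPLE = """\
Image Name                     PID Services
========================= ======== ===========================================
lsass.exe                      568 SamSs
svchost.exe                    904 Audiosrv, Dhcp, eventlog,
                                   HomeGroupProvider, lmhosts, wscsvc
svchost.exe                   1724 BFE, DPS, MpsSvc
AppleMobileDeviceService.     1956 Apple Mobile Device
svchost.exe                   2992 FDResPub, SSDPSRV
cmd.exe                       4760 N/A
"""

def parse_tasklist_svc(text):
    """Return {pid: (image_name, [services])}; wrapped service lines are joined."""
    lines = text.splitlines()
    # The ===== ruler marks the column boundaries, so image names with spaces
    # ("System Idle Process") and any leading indentation are handled.
    ruler = next(i for i, l in enumerate(lines) if l.lstrip().startswith("====="))
    (n0, n1), (_, p1), _ = [m.span() for m in re.finditer(r"=+", lines[ruler])]
    rows, pid = {}, None
    for line in lines[ruler + 1:]:
        pid_field = line[n1:p1].strip()
        if pid_field.isdigit():                      # new process row
            pid = int(pid_field)
            rows[pid] = [line[n0:n1].strip(), line[p1:].strip()]
        elif pid is not None and line.strip() and not line[:p1].strip():
            rows[pid][1] += " " + line.strip()       # continuation of the service list
        else:
            pid = None                               # prompt or other non-table text
    return {
        p: (name, [] if svcs == "N/A" else [s.strip() for s in svcs.split(",") if s.strip()])
        for p, (name, svcs) in rows.items()
    }

def hosts_of(procs, service):
    """PIDs whose process hosts the named service (case-insensitive)."""
    want = service.lower()
    return sorted(p for p, (_, svcs) in procs.items() if want in (s.lower() for s in svcs))

if __name__ == "__main__":
    procs = parse_tasklist_svc(SAMPLE)
    print(procs[904])                          # look up a PID taken from the SEP log
    print(hosts_of(procs, "HomeGroupProvider"))
```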


  • 7.  RE: SVCHOST.EXE & Windows 7 - Clashing With Network Threat Protection (SEP 11 MR5)

    Posted Sep 29, 2009 11:20 PM
    It keeps telling me that I have a homegroup on one of my PCs in my home, but SEP keeps blocking homegroup. I don't know why... or how to allow it? What ports does homegroup use?   --Windows 7, bah! You're too new for me.


  • 8.  RE: SVCHOST.EXE & Windows 7 - Clashing With Network Threat Protection (SEP 11 MR5)

    Posted Sep 30, 2009 02:55 AM

    Looks like the alerts are from SEP's NTP. Do you know the source IP address? It might be another computer from your network that is infected.



  • 9.  RE: SVCHOST.EXE & Windows 7 - Clashing With Network Threat Protection (SEP 11 MR5)

    Posted Sep 30, 2009 10:40 AM
    I could see homegroup traffic being blocked by SEP, as most corporate customers are not going to be using it.  I'm fairly sure it goes over the standard Windows RPC and SMB ports, but is probably in a format that SEP blocks by default.  It also might be trying to use IPv6, which is also blocked by default.  If I run across more details, I'll post them.


  • 10.  RE: SVCHOST.EXE & Windows 7 - Clashing With Network Threat Protection (SEP 11 MR5)

    Posted Sep 30, 2009 10:42 AM
    Found this on a Microsoft forum:

    "According to the homegroup troubleshooter, most firewalls block the use of Windows 7 homegroup; the only exception is what the troubleshooter calls 'Windows certified firewalls'. I cannot find any information on how to determine whether any given security software is one of these Windows certified firewalls or not and do not know where to begin, so I thought about OneCare. After all, it is built by Microsoft, so one would assume that OneCare would work well with homegroup and be one of these certified firewalls."

    social.microsoft.com/Forums/en-US/onecarefirewall/thread/fc28f2ca-59d1-46d1-851a-03367656cd71


  • 11.  RE: SVCHOST.EXE & Windows 7 - Clashing With Network Threat Protection (SEP 11 MR5)

    Posted Mar 14, 2010 04:00 PM

    Hi all,
    I think I have the same problem. My SEP keeps telling me that svchost.exe has been blocked.
    So, I did check PID in SEP. Seems it is a Windows 7 Homegroup issue, as IPv6 [type=0x86DD] has been blocked.
    The MAC source is 00-25-D3-F0-AF-33
    MAC Destination is 33-33-00-00-00-0C
    Can you please let me know how to solve this problem? What should I do now?
    Thank you very much for your help!!
    RC

    P.S. I attach the tasklist below:

    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Users\RC>tasklist/svc

    Image Name                     PID Services
    ========================= ======== ============================================
    System Idle Process              0 N/A
    System                           4 N/A
    smss.exe                       328 N/A
    csrss.exe                      408 N/A
    csrss.exe                      464 N/A
    wininit.exe                    472 N/A
    services.exe                   524 N/A
    winlogon.exe                   548 N/A
    lsass.exe                      560 KeyIso, SamSs
    lsm.exe                        568 N/A
    svchost.exe                    692 DcomLaunch, PlugPlay, Power
    svchost.exe                    768 RpcEptMapper, RpcSs
    svchost.exe                    880 AudioSrv, Dhcp, eventlog,
                                       HomeGroupProvider, lmhosts, wscsvc
    svchost.exe                    916 AudioEndpointBuilder, Netman, PcaSvc,
                                       SysMain, TrkWks, UxSms, WdiSystemHost,
                                       Wlansvc, wudfsvc
    svchost.exe                    956 AeLookupSvc, Appinfo, BITS, Browser,
                                       EapHost, gpsvc, IKEEXT, iphlpsvc,
                                       LanmanServer, MMCSS, ProfSvc, Schedule,
                                       SENS, ShellHWDetection, Themes, Winmgmt,
                                       wuauserv
    svchost.exe                    412 EventSystem, fdPHost, netprofm, nsi,
                                       WdiServiceHost
    Smc.exe                        784 SmcService
    svchost.exe                   1128 CryptSvc, Dnscache, LanmanWorkstation,
                                       NlaSvc
    ccSvcHst.exe                  1228 ccEvtMgr, ccSetMgr
    FBAgent.exe                   1300 AFBAgent
    AsLdrSrv.exe                  1420 ASLDRService
    GFNEXSrv.exe                  1448 ATKGFNEXSrv
    spoolsv.exe                   1516 Spooler
    svchost.exe                   1548 BFE, DPS, MpsSvc
    dsNcService.exe               1764 dsNcService
    mdm.exe                       1840 MDM
    SeaPort.exe                   1920 SeaPort
    SfCtlCom.exe                  2000 SfCtlCom
    Rtvscan.exe                   1956 Symantec AntiVirus
    WLIDSVC.EXE                   1076 wlidsvc
    WLIDSVCM.EXE                  2056 N/A
    SearchIndexer.exe             2240 WSearch
    svchost.exe                   2504 PolicyAgent
    TmProxy.exe                   2644 TmProxy
    TMBMSRV.exe                   2944 TMBMServer
    svchost.exe                   3628 FDResPub, SSDPSRV, upnphost
    wmpnetwk.exe                  3660 WMPNetworkSvc
    WmiPrvSE.exe                  3824 N/A
    taskhost.exe                  3404 N/A
    taskeng.exe                   1256 N/A
    ALU.exe                       3120 N/A
    sensorsrv.exe                 3944 N/A
    ControlDeckStartUp.exe         152 N/A
    BatteryLife.exe               3964 N/A
    ASPG.exe                      3296 N/A
    ACMON.exe                     3412 N/A
    wcourier.exe                  2236 N/A
    ACEngSvr.exe                  3160 N/A
    HControl.exe                  1068 N/A
    Atouch64.exe                  4024 N/A
    igfxsrvc.exe                  1900 N/A
    ATKOSD.exe                    3972 N/A
    KBFiltr.exe                    704 N/A
    WDC.exe                       3840 N/A
    dwm.exe                        764 N/A
    explorer.exe                  3352 N/A
    SmcGui.exe                    2252 N/A
    ProtectionUtilSurrogate.e      352 N/A
    UfSeAgnt.exe                  2512 N/A
    igfxpers.exe                  1980 N/A
    igfxtray.exe                  2008 N/A
    hkcmd.exe                     3540 N/A
    GUCI_AVS.exe                  4044 N/A
    ETDCtrl.exe                   2404 N/A
    AmIcoSinglun64.exe            3216 N/A
    msnmsgr.exe                   2616 N/A
    audiodg.exe                    468 N/A
    VDeck.exe                     3924 N/A
    HControlUser.exe              4104 N/A
    RoxioBurnLauncher.exe         4112 N/A
    ccApp.exe                     4120 N/A
    ATKOSD2.exe                   4144 N/A
    DMedia.exe                    4164 N/A
    Roxio Burn.exe                4832 N/A
    svchost.exe                   4932 p2pimsvc, p2psvc, PNRPsvc
    PresentationFontCache.exe     4800 FontCache3.0.0.0
    dllhost.exe                   5168 N/A
    ADSMSrv.exe                   5180 ADSMService
    ADSMTray.exe                  5344 N/A
    AsScrPro.exe                  5360 N/A
    POWERPNT.EXE                  5688 N/A
    splwow64.exe                  5748 N/A
    OfficeLiveSignIn.exe          5800 N/A
    iexplore.exe                  5380 N/A
    iexplore.exe                  5424 N/A
    wltuser.exe                   3816 N/A
    svchost.exe                   5284 SDRSVC
    FlashUtil10e.exe              4760 N/A
    iexplore.exe                  6132 N/A
    SymCorpUI.exe                 2100 N/A
    iexplore.exe                  4464 N/A
    iexplore.exe                  2024 N/A
    wltuser.exe                   4092 N/A
    cmd.exe                       4032 N/A
    conhost.exe                   3144 N/A
    tasklist.exe                  1584 N/A
    WmiPrvSE.exe                   716 N/A
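
Added example (editor's code, not from the thread or from Symantec): decoding the frame details reported in post 11. Under the RFC 2464 mapping an IPv6 multicast frame is sent to 33-33 followed by the last four octets of the group address, so only the low 32 bits of the group are recoverable and the result is a candidate, not a certainty. The group table is a small subset of the IANA registry that goes beyond the one address in the post, and the function names are hypothetical.

```python
import re

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

# Subset of IANA-registered IPv6 multicast groups, keyed by the low 32 bits
# of the group address (the only part that survives in the destination MAC).
KNOWN_GROUPS = {
    0x00000001: "ff02::1 all-nodes",
    0x00000002: "ff02::2 all-routers",
    0x0000000C: "ff0x::c SSDP",
    0x00000016: "ff02::16 MLDv2 reports",
    0x000000FB: "ff0x::fb mDNSv6",
    0x00010002: "ff02::1:2 DHCPv6 relay agents and servers",
    0x00010003: "ff02::1:3 LLMNR",
}

def parse_mac(text):
    """Accept 00-25-D3-F0-AF-33 or 00:25:d3:f0:af:33 and return 6 bytes."""
    parts = re.split(r"[-:]", text.strip())
    if len(parts) != 6:
        raise ValueError("expected six octets: %r" % text)
    return bytes(int(p, 16) for p in parts)

def describe_blocked_frame(ethertype, dst_mac):
    """Classify a blocked frame from its EtherType and destination MAC."""
    mac = parse_mac(dst_mac)
    info = {"protocol": ETHERTYPES.get(ethertype, hex(ethertype)),
            "multicast": False, "group_low32": None, "candidate": None}
    if ethertype != 0x86DD or mac[:2] != b"\x33\x33":
        return info                       # not an IPv6 multicast frame
    low32 = int.from_bytes(mac[2:], "big")
    info.update(multicast=True, group_low32=low32)
    if mac[2] == 0xFF:
        # 33-33-FF-xx-xx-xx is the solicited-node range used by Neighbor Discovery
        info["candidate"] = "ff02::1:ff%02x:%02x%02x solicited-node" % tuple(mac[3:])
    else:
        info["candidate"] = KNOWN_GROUPS.get(low32)   # None if not in the subset
    return info

if __name__ == "__main__":
    # Values as reported in post 11: type=0x86DD, MAC destination 33-33-00-00-00-0C
    print(describe_blocked_frame(0x86DD, "33-33-00-00-00-0C"))
```

For the values in the post the candidate is the SSDP group address, a discovery multicast group rather than a unicast connection to a specific host.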