Application Modification Detected - SVCHOST

keep getting this today. nothing has really changed since the last time I used my PC although last time I used it I updated to Vista SP1. A full in-depth scan shows nothing. Should I be concerned?

R.

 

If you use the default options of ESS about application modification detection , ESET will see that if svchost.exe has been updated from Microsoft and not bother you about it. Have you modified that option ?

When ESS displays that message again , see where svchost.exe is located on your computer and then upload a copy of it to www.virustotal.com
If some vendors find it possibly infected (the genuie Microsoft one must be 100% clean) , send a copy of it to samples@eset.sk

 

Thanks

Never modified that option.

told it to allow because firefox couldn't access sites. can't remember the location it gave for svchost but think in /system32. presume that is where it legitimately resides?

R.

 

The legitimate place of the legitimate genuie svchost.exe is %windir%\system32\ but since the warning is for that file it means that the the first svchost you have had has been modified . ESS detected this during attemp for communication by the new svchost.exe
It might be a malware that has modified it . That is why it is important for you to double check this file . I think you must eliminate the possibility of infection or respectively false positive alarm from ESS.

 

I have again had a warning for svchost.exe residing in:
C:\Windows\System32

EC edit: Removed virus total results. Please read our TOS.
Presumably this means I have nothing to worry about and can allow svchost from that location?

thanks

R.

 

I had the same warning from ESS shortly after installing vista sp1.

 

Looks like ESS has a design flaw in this feature, somehow its not able to detect certain kinds of legit modifications to these files.

 

It seems a compatibility issue between Vista sp1 and ESS

 

As far as I'm aware, the behavior described in this thread is expected. The software is designed to warn in such a situation.

 

It is also designed not to warn about signed applications and I am to believe Microsoft have signed their svchost.exe and related applications

 

Hello,

It depends on how the Allow modification of signed (trusted) applications option is set in ESET Smart Security and its associated list of entries.

Regards,

Aryeh Goretsky